PCI DSS 4.0 was designed 20 years ago to help reduce the risk of major breaches of card data at financial services firms, retailers and others that store, process and transmit this information. As the emergence of AI tooling and a sophisticated cybercrime supply chain tilt the advantage in threat actors’ favor, the best practice security steps mandated by the standard are more relevant today than ever. Yet compliance can take significant time and effort.
To help organizations understand where to start, we put together this three-part blog series, outlining the six control objectives and 12 requirements of PCI DSS 4.0. In the final part, we highlight Requirements 10-12, and show how comforte can help:
Perimeter defences are one thing, but threat actors are increasingly able to infiltrate networks with relative ease en route to card data. This is where logging and monitoring come in, alerting security teams to suspicious activity before malicious actors can cause any damage. PCI DSS mandates the presence of system activity logs on all system components and in the cardholder data environment (CDE). Logging should cover all relevant employee, contractor, consultant, and internal/external vendor activities, as well as those of other third parties.
The number of vulnerabilities (CVEs) discovered and published each year continues to break all records. Last year, it reached nearly 29,000. That’s not to mention those discovered by threat actors that have yet to be shared with vendors. That’s why PCI DSS requires system components, processes and custom software to be tested frequently to ensure security controls remain effective.
Policy matters. It is the unsung hero of information security, articulating the security culture of the entire organization. It informs employees what they are expected to do and how they are expected to act from a cybersecurity perspective. This final PCI DSS 4.0 requirement mandates that all employees are aware of the sensitivity of payment account data and of their responsibilities to protect it. It extends to any relevant full-time, part-time and temporary employees, contractors and consultants: that is, anyone with responsibility for protecting card data, or anyone whose role may impact the security of that data.
No technology can magically enable PCI DSS 4.0 compliance. However, the comforte SecureDPS solution offers organizations a helping hand that can reduce the time, cost and effort associated with the process. At a high level, it is an enterprise-grade data protection platform that delivers:
An independent analysis of the SecureDPS solution by Coalfire confirms that it supports PCI DSS 4.0 compliance in the following ways:
Requirement 10:
10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3 Audit logs are protected from destruction and unauthorized modifications.
10.5 Audit log history is retained and available for analysis.
Requirement 12:
12.3 Targeted risks to the cardholder data environment are formally identified, evaluated and managed.
12.5 PCI DSS scope is documented and validated.
Comforte SecureDPS is already helping some of the world’s largest and most demanding financial institutions streamline their PCI DSS 4.0 compliance programs.