PCI DSS 4.0 Requirements

Stipulations for Compliance

Best Practices

Network security controls (NSCs) are configured and maintained.

Validate network security configurations before deployment and use configuration management to track changes and prevent configuration drift.

Network access to and from the cardholder data environment (CDE) is restricted.

Monitor all inbound traffic to the CDE, even from trusted networks, and, when possible, use explicit “deny all” firewall rules to prevent accidental gaps.

Network connections between trusted and untrusted networks are controlled.

Implement a DMZ that manages connections between untrusted networks and public-facing resources on the trusted network.

Risks to the CDE from computing devices that can connect to both untrusted networks and the CDE are mitigated.

Use security controls like endpoint protection and firewalls to protect devices from Internet-based attacks and zero-trust and network segmentation to prevent lateral movement to CDEs.

Stipulations for Compliance

Best Practices

System components are configured and managed securely.

Continuously check for vendor-default user accounts and security configurations and ensure all administrative access is encrypted using strong cryptographic protocols.

Wireless environments are configured and managed securely.

Apply the same security standards consistently across wired and wireless environments, and change wireless encryption keys whenever someone leaves the organization.

Stipulations for Compliance

Best Practices

Storage of account data is kept to a minimum.

Use data retention and disposal policies to configure an automated, programmatic procedure to locate and remove unnecessary account data.

Sensitive authentication data (SAD) is not stored after authorization.

Review data sources to ensure that the full contents of any track, card verification code, and PIN/PIN blocks are not retained after the authorization process is completed.

Access to displays of full primary account number (PAN) and ability to copy cardholder data are restricted.

Use role-based access control (RBAC) to limit PAN access to individuals with a defined need and use the masking approach to display only the number of digits needed for a specific function.

PAN is secured wherever it is stored.

Render PAN unreadable using one-way hashing with a randomly generated secret key, truncation, index tokens, and strong cryptography with secure key management.

Cryptographic keys used to protect stored account data are secured.

Manage cryptographic keys with a centralized key management system that’s PCI DSS 4.0 compliant to restrict access to key-encrypting keys and store them separately from data-encrypting keys.

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

Use a key management solution that simplifies or automates key replacement for old or compromised keys.

Stipulations for Compliance

Best Practices

PAN is protected with strong cryptography during transmission.

Encrypt PAN over both public and internal networks and apply strong cryptography at both the data level and the session level.

Stipulations for Compliance

Best Practices

Malware is prevented, or detected and addressed.

Use a combination of network-based controls, host-based controls, and endpoint security solutions; supplement signature-based tools with AI/ML-powered detection.

Anti-malware mechanisms and processes are active, maintained, and monitored.

Update tools and signature databases as soon as possible and prevent end-users from disabling or altering anti-malware controls.

Anti-phishing mechanisms protect users against phishing attacks.

Use a combination of anti-phishing approaches, including anti-spoofing controls, link scrubbers, and server-side anti-malware.

Stipulations for Compliance

Best Practices

Bespoke and custom software are developed securely.

Use manual or automatic code reviews to search for undocumented features, validate that third-party libraries are used securely, analyze insecure code structures, and check for logical vulnerabilities.

Security vulnerabilities are identified and addressed.

Use a centralized patch management solution to automatically notify teams of known vulnerabilities and pending updates.

Public-facing web applications are protected against attacks.

Use automatic vulnerability security assessment tools that include specialized web scanners that analyze web application protection.

Changes to all system components are managed securely.

Use a centralized source code version management solution to track, approve, and roll back changes.

Stipulations for Compliance

Best Practices

Access to system components and data is appropriately defined and assigned.

Use RBAC to provide accounts with access privileges based on their job functions (e.g., ‘customer service agent’ or ‘warehouse manager’) rather than on an individual basis.

Access to system components and data is managed via an access control system.

Use a centralized identity and access management (IAM) system to manage access across the enterprise, including branches, edge computing sites, and the cloud.

Stipulations for Compliance

Best Practices

User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.

Use an account lifecycle management solution to streamline account discovery, provisioning, monitoring, and deactivation.

Strong authentication for users and administrators is established and managed.

Replace relatively weak passwords/passphrases with stronger authentication factors like hardware tokens or biometrics.

Multi-factor authentication (MFA) is implemented to secure access into the CDE.

MFA should also protect access to management interfaces on isolated management infrastructure (IMI) to prevent attackers from controlling the CDE.

MFA systems are configured to prevent misuse.

Secure the MFA system itself with strong authentication and validate MFA configurations before deployment to ensure it requires two different forms of authentication and does not allow any access without a second factor.

Use of application and system accounts and associated authentication factors is strictly managed.

Whenever possible, disable interactive login on system and application accounts to prevent malicious actors from logging in with them.

Stipulations for Compliance

Best Practices

Physical access controls manage entry into facilities and systems containing cardholder data.

Use logical or physical controls to prevent unauthorized users from connecting to network jacks and wireless access points within the CDE facility.

Physical access for personnel and visitors is authorized and managed.

Require visitor badges and an authorized escort for any third parties accessing the CDE facility, and keep an accurate log of when they enter and exit the building.

Media with cardholder data is securely stored, accessed, distributed, and destroyed.

Do not allow portable media containing cardholder data to leave the secure facility unless absolutely necessary.

Point of interaction (POI) devices are protected from tampering and unauthorized substitution.

Use a centralized, vendor-neutral asset management system to automatically discover and track all POI devices in use across the organization.

Use of application and system accounts and associated authentication factors is strictly managed.

Whenever possible, disable interactive login on system and application accounts to prevent malicious actors from logging in with them.

Stipulations for Compliance

Best Practices

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

Use a user and entity behavior analytics (UEBA) solution to monitor user activity and detect suspicious behavior with machine learning algorithms.

Audit logs are protected from destruction and unauthorized modifications.

Never store audit logs in public-accessible locations; use strong RBAC and least-privilege policies to limit access.

Audit logs are reviewed to identify anomalies or suspicious activity.

Use an AIOps tool to analyze audit logs, detect anomalous activity, and automatically triage and notify teams of issues.

Audit log history is retained and available for analysis.

Retain audit logs for at least 12 months in a secure storage location; keep the last three months of logs immediately accessible to aid in breach resolution.

Time-synchronization mechanisms support consistent time settings across all systems.

Use NTP to synchronize clocks across all systems to help with breach mitigation and post-incident forensics.

Failures of critical security control systems are detected, reported, and responded to promptly.

Use AIOps to automatically detect, triage, and respond to security incidents. AIOps also provides automatic root-cause analysis (RCA) for faster incident resolution.

Stipulations for Compliance

Best Practices

Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.

Use a wireless analyzer to detect rogue access points.

External and internal vulnerabilities are regularly identified, prioritized, and addressed.

PCI DSS 4.0 requires internal and external vulnerability scans at least once every three months, but performing them more often is encouraged if your network is complex or changes frequently.

External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

Work with a PCI DSS-approved vendor to perform external and internal penetration testing; conduct pen testing on network segmentation controls.

Network intrusions and unexpected file changes are detected and responded to.

Use AI-powered, next-generation firewalls (NGFWs) with enhanced detection algorithms and automatic incident response capabilities.

Unauthorized changes on payment pages are detected and responded to.

Use anti-skimming technology like file integrity monitoring (FIM) to detect unauthorized payment page changes; ensure alerts are monitored.

Stipulations for Compliance

Best Practices

Acceptable use policies for end-user technologies are defined and implemented.

Enforce usage policies with technical controls capable of locking users out of systems, applications, or devices if they violate these policies.

Risks to the cardholder data and environment are formally identified, evaluated, and managed.

Use a centralized patch management system to monitor firmware and software versions, detect changes that may increase risk, and deploy updates to fix vulnerabilities.

PCI DSS compliance is managed.

Service providers must assign executive responsibility for managing PCI DSS 4.0 compliance.

PCI DSS scope is documented and validated.

Frequently validate PCI DSS scope by evaluating the CDE and all connected systems to determine if coverage should be expanded.

Security awareness education is an ongoing activity.

Require all users to take security awareness training upon hire and every year afterwards; it’s also recommended to provide refresher training when someone transfers into a role with more access to sensitive data.

Personnel are screened to reduce risks from insider threats.

In addition to screening new hires, conduct additional screening when someone moves into a role with greater access to the CDE.

Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

Thoroughly analyze the risk of working with third-parties based on their reporting practices, breach history, incident response procedures, and PCI DSS validation.

Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.

Require TPSPs to provide their PCI DSS Attestation of Compliance (AOC) to demonstrate their compliance status.

Suspected and confirmed security incidents that could impact the CDE are responded to immediately.

Create a comprehensive incident response plan that designates roles to key stakeholders.