Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US
Senior Manager, Freed Maxick Risk Advisory Services
As organizations gear up for the implementation of PCI DSS 4.0, a host of new PCI changes and requirements are on the horizon. To ensure compliance, organizations must undertake thorough research, understanding, and implementation. While these changes may involve adopting new technologies and designing new processes, one critical aspect is the update of policies and procedures. Your Qualified Security Assessor (QSA) will inspect your policies to ensure they align with the necessary information. This blog will highlight the key policy areas that require material updates and provide valuable insights to help you navigate these changes effectively.
PCI DSS 4.0: Data Storage and Destruction Policies
To comply with PCI DSS 4.0, your organization needs to address the storage and destruction of Sensitive Account Data (SAD) in its policies. Update your Data Storage Policy to include details such as where the data will be stored, who can access it, and the necessary security measures to protect it. Additionally, your Data Destruction Policy should outline the procedure for removing SAD once authorization is complete and the data is no longer required for the transaction.
PCI DSS 4.0: Access Policy
Several new requirements in PCI DSS 4.0 call for updates to your Access Policy. First, comply with REQ 7.2.4 by incorporating user account and privilege reviews every six months. This review should encompass all users, including third-party and vendor accounts, to ensure appropriate access based on job functions. Clearly state the level of management responsible for conducting the review and the required frequency.
Next, address REQ 7.2.5, which emphasizes application and system account management. Update your Access Policy to adhere to the principle of least privilege, granting access only to systems, applications, or processes that necessitate it. Additionally, incorporate REQ 220.127.116.11, which mandates access reviews. Document the review frequency based on targeted risk assessments, specify the level of management conducting the review, and outline the documentation needed to evidence completion.
PCI DSS 4.0: Password Policy
Under REQ 8.6.3 in PCI DSS 4.0, password changes play a vital role. Update your organization's Password Policy to reflect periodic password changes based on targeted risk assessments. Furthermore, include provisions for changing passwords upon suspicion or confirmation of compromise. PCI 4.0 allows password policies to relate rotation frequency to complexity, so consider implementing more complex configurations for less frequent rotations.
PCI DSS 4.0: Change Management Policy
For service providers, your Change Management Policy should account for PCI impacts resulting from significant changes. For 4.0, PCI has updated its definition of “significant changes,” and you should update your Change Management policy to be in alignment with this clarification.
PCI DSS 4.0: Vulnerability Management Policies
There are two new requirements in PCI DSS 4.0 relating to internal vulnerability scanning that should be reflected in your Vulnerability Management Policies. First, comply with Requirement 18.104.22.168 by managing all vulnerabilities found on internal scans. Previously, the policy only needed to address critical and high-ranked vulnerabilities. Your policy should be updated to include vulnerabilities identified with lower rankings. Second, you should update the policy to reflect the new requirement to include authenticated internal scans (22.214.171.124).
PCI DSS 4.0: Incident Response Plan
To comply with REQ 12.10.5, update your Incident Response Plan to include the processes used to identify, communicate, and resolve suspected tampering with payment pages. This should encompass the deployment of change and tamper detection mechanisms in your eCommerce environment.
Additionally, address REQ 12.10.7 by updating your Incident Response Plan to detail the response process when Primary Account Numbers (PANs) are discovered outside the Cardholder Data Environment (CDE). PANs outside the CDE are a serious concern, so establish policies for retrieval, secure deletion, or migration of PANs back into the CDE. Outline procedures to determine the root cause, locate all leaked data and execute necessary remediation activities.
PCI DSS 4.0: General Information Security Policies
In line with REQ 4.2.1, update your information security policies to cover certificate validation if certificates are used to safeguard PAN during transmission over open public networks. Document the steps taken to verify the validity of certificates, including checking if they are issued by legitimate Certificate Authorities (CAs) and reviewing Certificate Revocation Lists
Updating your policies to meet the requirements and PCI DSS 4.0 changes is crucial for maintaining the security and compliance of your organization. By addressing key areas such as data storage and destruction, access controls, password management, change management, incident response, and general information security, you can confidently navigate the changes brought by PCI 4.0. For expert guidance and assistance in implementing these policy updates, don't hesitate to reach out to Justin Bonk with Freed Maxick Risk Advisory Services at firstname.lastname@example.org. Secure your organization's future by ensuring adherence to PCI standards and safeguarding sensitive data.