PCI DSS 4.0 Requirements – Network Security Controls and Secure Configuration
We have officially entered the 12-month countdown to the enactment of the new Payment Card Industry Data Security Standard (PCI DSS). The new version, 4.0, set to go into effect on April 1, 2024, contains some interesting and notable changes. Is your organization ready to meet the new requirements? In this 6-part series, we spoke with specialists who help to break down the changes to make your transition to the new Standard as easy as possible.
Jeff Man, a Qualified Security Assessor (QSA) at Online Business Systems who focuses on PCI advisory services, notes how something as subtle as the language change in Requirement 1 can make a big difference in the way an organization scopes the Cardholder Data Environment (CDE). In the prior version of the Standard, Requirement 1 was titled “Install and maintain a firewall configuration to protect cardholder data.” This is now labelled, “Install and Maintain Network Security Controls.” This broader wording addresses modern networking architectures and practices, while preserving the security goals found in this requirement.
The wording of the requirement eliminates references to legacy network devices, acknowledging the all-in-one capabilities of many of the new hardware in most environments. This makes the requirement more comprehensive, which could pose a challenge to any organization that has not previously contemplated these assets as within the purview of the requirement. It also makes it clear that cloud environments are also part of the new Standard.
Jeff emphasizes that Requirement 1 makes it clear that the best way to start is with an up-to-date network diagram. Both the physical and logical data paths need to be accounted for, and these must be updated any time any part of the environment changes. The best part to remember about this revised requirement is that the rules are not really new, they are merely more explicitly comprehensive to assure that you build and maintain a secure network.
Jeff sees the big challenge of Requirement 1 as “making sure you are knowledgeable about whatever network security controls you are utilizing. Adhering to the requirements and making sure you are properly applying the protections to your CDE from even your own internal network, and not just the internet, is of utmost importance. In this way, you can truly declare the rest of your network as ‘untrusted’ from the perspective of PCI.”
Similar to Requirement 1, the language in Requirement 2 is also updated. Requirement 2, titled “Apply Secure Configurations to All System Components,” shifts the focus away from updating vendor default settings, to defining and implementing secure configurations for all assets in the CDE. Anthony Israel-Davis, Manager of Product Security at Fortra, points out the way to satisfy this requirement is by ensuring that you have a way to show the configurations in your running environment conform to the policies that you have in place. Ideally, this is something that can be done on a regular basis to add certainty that there hasn’t been any configuration drift or manual changes to the environment. Anthony has broad experience in compliance, operations, and security for cloud offerings, ensuring successful audits for SOC 2 and PCI DSS in Azure and AWS environments.
Anthony makes the pragmatic observation that every port, service, and process has to have a legitimate purpose, and that purpose must be documented and supported with its business justification. While it is easy to document all necessary components, it is probably more important to justify the need for those elements that fall outside the normal range of what is considered essential.
One of the recurring themes that flows through the Standard is that roles and responsibilities must be documented, assigned, and understood. Anthony points out that an important part of achieving PCI DSS compliance includes the ability to prove what is documented is in use and known to team members responsible for implementation.
For Anthony, efficiency is the key to success with the new PCI Standard. “Making compliance as efficient as possible reduces the burden on system owners and allows them to focus on delivering value. While compliance is intended to help ensure security, the primary audit difficulty comes down to the evidence gathering task. It’s not enough to adhere to a requirement; you must prove it, and the easier you make that, the easier and quicker audits will be.”
The new Standard still maintains its 12-heading form, but the new additions and changes bring new requirements for keeping the CDE secure. In the next part of this series, we will examine requirements 3 and 4 of PCI DSS version 4.0. To learn even more about the new Standard, as told by other experts in the field, download our eBook.