Skip to content
NGTEdu Logo

NGTEdu

A PRODUCT OF NGTECH.CO.IN

NGTEdu Logo

NGTEdu

  • Home
  • Cyber Attacks
  • Malware
  • Vulnerabilities
  • Data Breach
  • Home
  • Data Breach
  • What you need to know about PCI 4.0: Requirements 5, 6, 7, 8 and 9
  • Data Breach
  • Malware
  • Vulnerabilities

What you need to know about PCI 4.0: Requirements 5, 6, 7, 8 and 9

4 years ago David Bruce
What you need to know about PCI 4.0: Requirements 5, 6, 7, 8 and 9

In Part 1 of this series, we reviewed the first four sections of the new PCI standards. As we continue our examination of PCI DSS version 4.0, we will consider what organizations will need to do in order to successfully transition and satisfy this update.

Requirements 5 through 9 are organized under two categories:

Maintain a Vulnerability Management Program

Requirement 5: Protect All Systems and Networks from Malicious Software

Requirement 6: Develop and Maintain Secure Systems and Software

Implement Strong Access Control Measures

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Requirement 8: Identify Users and Authenticate Access to System Components

Requirement 9: Restrict Physical Access to Cardholder Data

Requirement 5 – Painting with a Broader Brush

The general heading that precedes Requirement 5 has been updated. As described in the comparative guide:

Updated principal requirement title to reflect the focus on protecting all systems and networks from malicious software. Replaced “anti-virus” with “anti-malware” throughout to support a broader range of technologies used to meet the security objectives traditionally met by anti-virus software.

This information falls under the category of maintaining a vulnerability management program. As a whole, this category is similar to PCI 3.2.1. However, there are some notable updates and a thematic change for Requirements 5 and 6 that this is going to represent a potential change in scope for many organizations.

Requirement 5 is now aimed towards protecting all systems and networks from malicious software. The PCI Security Standards Council recognizes that they intentionally changed this wording because they want to place more focus on the organizational level, and to a larger, broader swath of the network. The goal there is making sure that anything that might involve the Cardholder Data Environment (CDE) needs to be protected.

The potential impact of this compulsory scope change is that organizations will need to reevaluate their entire environments. This could significantly increase—or even decrease in some cases—an organization’s scope. There is also the possibility that an organization may have to explain why their scope has remained the same. Obviously, that is going to be very specific to each environment. The best approach for any organization as they prepare for their first PCI 4.0 audit is to have accurate documentation to justify the scope of their CDE under the new guidance, with specific detail to the new wording.

All auditors will receive training in the new standard, so it’s likely that we’re going to see some additional guidance from the PCI Security Standards Council around this. They might publish some opinion articles to help guide people into what the changes mean, but this change of wording is the most notable change on Requirement 5, and it is something that all organizations will need to address.

Also in Requirement 5, the word “anti-virus” has been updated to “anti-malware.” This will probably not have a major impact on most organizations, as anti-virus is not only old terminology, but it is also an outdated technology, from which most products have improved beyond that singular protection mechanism. The important part to remember about this aspect of Requirement 5 is that it must be undertaken with specific attention to the edict against default configurations from Requirement 2.

Requirement 6 – Application Development Graduates to Software Development

In the earlier PCI Standard, the concentration was on application security. In PCI 4.0, the attention has expanded to maintaining secure systems and software. Along with that, the language also changed from “internal and external” applications, to “bespoke and custom” software. “Bespoke” is not exactly a word that speaks to the common person, so that is an interesting, albeit appropriate, choice. To clarify, something that is customized is generally a modification to an existing product, whereas, bespoke indicates a product that is built to a customer’s specifications. A subtle difference, but worth noting.

Along with the new vocabulary, this represents a scope change for many organizations, similar to Requirement 5. For example, when you say “applications,” many people think of heavy software, with a centralized server, requiring an installation process. However, when you say software, the perception gets a little bit more broad. Again, I anticipate that we will probably see some further guidance about this, especially over the next year, but organizations need to think about the effect of this requirement. Perhaps you purchased a tool for your environment, or you’re a software company, and you’re developing a new product. These are probably in scope under PCI 4.0.

It is conceivable that these software products probably should have been in scope before, at least if your auditor was diligent about interpreting the earlier requirement. The potential depends on your organization’s business process. For instance, if your organization is an insurance company that accepts credit card payments through your website, you could have reasoned that under PCI 3.2.1 the only thing that was needed to monitor for an application was the backend processing of that credit card data. However, if we contemplate this new requirement in conjunction with Requirement 3, that credit card processing software now qualifies under the term “account data.” Given this interpretation, it’s very possible that we’re going to see a change in scope, where instead of just strictly requiring you to monitor and prove that your development of that credit card processing on your website is secure and has good protections, the scope could span from user log in to log out. Everything that operates on your website is now part of this system, because now it is part of the account data.

For that hypothetical insurance company, they might have had a really strong development pipeline for that script that literally just takes that credit card data and funnels it off to the payment processor—and that was the only thing they had to care about. But now, they might also have to think about the entire authentication system; they might have to think about their web servers a little differently. So, when we talk about secure systems and software, it’s a little bit more broad, with a more general scope.

This requirement change is more than simply placing more items in scope. Thematically, everything in PCI 4.0 is designed around a mindset. Auditors are going to start thinking more holistically about the CDE, and what’s in it. What is important throughout the new version, is the interplay between the requirements.

Requirement 7 – No “All Access” Passes Allowed

The proclamation of Requirement 7 is very straightforward: Restrict Access to System Components and Cardholder Data by Business Need to Know. However, there is some confusing language that follows. The text says “cardholder data,” but the overall tone of version 4.0 is around “account data.” One has to wonder if this is just about cardholder data, or is this going to be broadened to mean account data? This may require a formal clarification in a future version of the standard.

Aside from that puzzling section of language, Requirement 7 is about access controls: Grant access to only those people who need it for their business function and deny access to everyone else. This is an old cybersecurity practice. This requirement can also create a scope change, because it now pertains to all systems. If an organization was compliant in PCI 3.2.1, this new version applies the control more generally, with a very specific interpretation. That interpretation is that it’s no longer sufficient to classify a system as a whole, and only look at access control lists at the system level. Now you have to understand the component level and how those components flow through the organization.

In PCI 4.0, it’s going to be really important that organizations home in on all of their access controls, and to fully document and justify who has access to these components.

Requirement 8 – Harbinger of a Zero Trust World

Requirement 8 is a direct extension of Requirement 7. It is still in this theme of strong access controls. If we think of Requirement 7 as “make sure the right people have access to the right systems and components,” Requirement 8 is “make sure that you’re identifying those users and you’re actually authenticating their access.” This is not vastly different from the previous version. The sections are reordered, but the big change here is in a couple of terminologies.

Overall, if an organization was compliant with 3.2.1, it might actually still be compliant here. The important part is making sure that there are processes for identifying and authenticating all those who are on those systems. When you take both Requirement 7 and Requirement 8 as a whole, you can hear murmurings of a move toward zero trust architecture. PCI 4.0 doesn’t mention it, but the theme is, changes have broad implications. It is not unreasonable to make the logical leap that zero trust is certainly on the mind of the Security Standards Council.

An organization should use this as a harbinger, and an opportunity to start thinking about how everything in their environment is structured and how they can move towards that future zero trust.

Requirement 9 – The Physical Environment is Also an Asset

Requirement 9 is the physical access requirement. It is safe to say that any organization that was compliant with the earlier version is also going to be compliant with version 4.0. Other than the “Roles and Responsibilities” directive, which flows throughout the entire standard, the only unique “evolving” section in Requirement 9 is to “define the frequency of periodic Point Of Interaction” (POI) device inspections based on the entity’s targeted risk analysis.” Additionally, this requirement is only a best practice until 2025, giving organizations ample time to incorporate this into their compliance activities.

The important part to remember—as with all parts of the standards that reference any asset— is to maintain secure configurations of those assets. In the physical realm, this would now include all the mechanisms that allow access to secure areas, including badge readers, door systems, and even camera systems that monitor those secure areas.

As our examination of the new PCI Data Security Standard unfolds, we see that it is important to adhere to each requirement individually, and to also keep a keen eye on how all of the requirements relate to one another. In the next part of this series, we will complete the overview of the new standard, setting the full stage for organizations to anticipate and maintain adherence with the updated requirements.

The post ” What you need to know about PCI 4.0: Requirements 5, 6, 7, 8 and 9″ appeared first on TripWire

Source:TripWire – David Bruce

Tags: Malware, TripWire

Continue Reading

Previous Researchers Uncover Ways to Break the Encryption of ‘MEGA’ Cloud Storage Service
Next Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

More Stories

  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery

8 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Vulnerabilities

CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk

9 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities

11 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach

How Samsung Knox Helps Stop Your Network Security Breach

13 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware

15 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Data Breach
  • Vulnerabilities

Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries

17 hours ago [email protected] (The Hacker News)

Recent Posts

  • China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
  • CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk
  • Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
  • How Samsung Knox Helps Stop Your Network Security Breach
  • Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware

Tags

Android APT Bug CERT Cloud Compliance Coronavirus COVID-19 Critical Severity Encryption Exploit Facebook Finance Google Google Chrome Goverment Hacker Hacker News High Severity Instagram iPhone Java Linux Low Severity Malware Medium Severity Microsoft Moderate Severity Mozzila Firefox Oracle Patch Tuesday Phishing Privacy QuickHeal Ransomware RAT Sim The Hacker News Threatpost TikTok TripWire VMWARE Vulnerability Whatsapp Zoom
Copyright © 2020 All rights reserved | NGTEdu.com
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More here.Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT