The Payment Card Industry Data Security Standard (PCI DSS) sets forth 12 core requirements that organizations must follow to protect cardholder data and ensure secure payment processing environments. These requirements have been updated under PCI DSS 4.0, which introduces new mandates effective from March or April 2025[1][3][7].
- Install and maintain network security controls (firewalls): Firewalls must protect the cardholder data environment (CDE) from unauthorized access and all networked devices must be included[2][4][8].
- Change default vendor settings: All default passwords and settings on devices and software supplied by vendors must be changed before deployment, since well-known defaults are an easy target for attackers[4][6].
- Protect cardholder data: Organizations must identify, monitor, and secure all cardholder data, encrypt data at rest, minimize data retention, and securely delete it when no longer needed[2][4].
- Protect cardholder data during transmission: Use strong cryptography when transmitting cardholder data over public or open networks. With PCI DSS 4.0, organizations must also inventory all SSL/TLS certificates and verify their security and validity[3].
- Protect all systems and networks from malware: Implement anti-malware solutions and ensure regular updates and scans to detect and remove malicious software[2].
- Develop and maintain secure systems and software: Regularly patch and update systems and conduct vulnerability management to address emerging threats[2][6].
- Restrict access to system components and cardholder data by business need-to-know: Limit data and system access only to personnel whose jobs require it[2].
- Identify and authenticate access to system components: Ensure all users are uniquely identified and authenticated when accessing system components. PCI DSS 4.0 mandates multi-factor authentication (MFA) for all access to the CDE[1].
- Restrict physical access to cardholder data: Cardholder data must be physically protected and access must be tightly controlled and monitored[2][4].
- Log and monitor all access to network resources and cardholder data: Ensure logging mechanisms are in place to track access and changes for audit and investigative purposes[2].
- Test security systems and networks regularly: Conduct regular vulnerability scans and penetration testing to maintain ongoing security[2][6].
- Maintain an information security policy: An organization-wide policy covering security responsibilities, policies, training, and procedures must support ongoing compliance[2].
In addition to these requirements, PCI DSS 4.0 introduces several key updates:
- Multi-factor authentication is now mandatory for all access to the CDE, not just administrative access[1].
- Disk-level encryption is only allowed for removable media, and not for general workstations or servers[3].
- New requirements for cryptographic hash methods: Only keyed cryptographic hash functions (like HMAC, CMAC, or GMAC) with at least 128-bit strength are permitted if hashing is used for card data protection[3].
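As an added illustration of the keyed-hash rule above (not code from any of the cited sources), the following Python renders a PAN unreadable with HMAC-SHA256 under a key of at least 128 bits, verifies it in constant time, and shows the unkeyed form beside it for contrast; the test PAN 4111 1111 1111 1111 is a constructed sample value.

```python
import hashlib
import hmac
import secrets

# PCI DSS 4.0 permits keyed hashes (HMAC, CMAC, GMAC) of at least 128-bit
# strength when hashing is used to protect card data; 16 bytes = 128 bits.
MIN_KEY_BYTES = 16


def normalize_pan(pan: str) -> str:
    """Strip separators and require 13-19 digits with a valid Luhn check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    if total % 10 != 0:
        raise ValueError("PAN fails Luhn check")
    return digits


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Hex HMAC-SHA256 of the normalized PAN; refuses keys shorter than 128 bits."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("key must be at least 128 bits")
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def verify_pan_hash(pan: str, key: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so a lookup does not leak how much of the value matched."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), expected_hex)


def unkeyed_pan_hash(pan: str) -> str:
    """The non-compliant form: no secret is involved, so anyone can recompute it."""
    return hashlib.sha256(normalize_pan(pan).encode("ascii")).hexdigest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in production this lives in a key-management system
    sample_pan = "4111 1111 1111 1111"     # constructed sample PAN
    token = keyed_pan_hash(sample_pan, key)
    print("keyed token :", token)
    print("verified    :", verify_pan_hash(sample_pan, key, token))
    print("unkeyed hash:", unkeyed_pan_hash(sample_pan))
```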
The future-dated requirements become mandatory in March/April 2025. Organizations that fail to comply risk fines, penalties, and loss of payment processing privileges[5][7].
References
- [1] PCI 4.0 in 2025: What best practices are becoming requirements?
- [2] Complete PCI DSS Compliance Checklist: Navigate the 12 Requirements
- [3] Key PCI DSS 4.0 Requirement Updates
- [4] PCI-DSS compliance checklist: is your business compliant?
- [5] Now is the Time for Organizations to Adopt the Future-Dated Requirements of PCI DSS v4.x
- [6] What Is PCI Compliance? The 12 Requirements
- [7] New PCI DSS 4.0 Credit Card Requirements Effective April 1, 2025
- [8] The Ultimate PCI DSS Compliance Checklist