Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
The second part of our PCI DSS v4.0 Analysis series looks at Requirements 1 and 2 of the standard. Both belong to the "Build and Maintain a Secure Network and Systems" group, which covers the monitoring and control of incoming and outgoing network traffic as well as the secure configuration (hardening) of system components.
Click here to read Analysis of PCI DSS v4.0 Part I: Introduction
As pointed out in the part 1 Introduction analysis, these requirements have been renamed in version 4.0 to adapt to technological changes in security controls and to broaden the scope of their applicability.
Requirement 1: Install and Maintain Network Security Controls
The widespread use of virtualization technologies (including Software Defined Networks, or SDN) and containers, as well as of network infrastructures provided by cloud service providers, has had a significant impact on the first PCI DSS requirement. This change is evident in the renaming of the requirement and the removal of the term "firewall", which had been in the standard since its inception.
This change came as no surprise, since the PCI SSC had already anticipated some of it in its Information Supplement - Cloud Computing Guidelines, published in April 2018. That document examined a range of technical security considerations in multi-tenant cloud environments and emerging architectures such as the Internet of Things (IoT) and Fog Computing, as well as technologies such as Software Defined Networking (SDN), containers, and Virtual Desktop Infrastructure (VDI). These technological changes bring new threats and new risks that were not managed correctly by, or were not fully adapted to, the criteria of PCI DSS version 3.2.1.
This is why, in PCI DSS version 4.0, the traditional concept of "firewall" has been replaced by Network Security Controls (NSCs), a much broader concept that encompasses not only the firewalls mentioned above but also any other network technology that controls traffic between two or more logical or physical network segments according to predefined rules or policies.
This requirement retains the same organization of controls as PCI DSS v3.2.1, but some of them have been modified to fit the concept of NSCs. The most significant changes include:
Changes to network connections and NSC configurations (1.2.2) must be implemented following the PCI DSS change management methodology specified in Requirement 6.
Likewise, the terminology of the network segments to be protected has been clarified, aligning it with the criteria described in the document Information Supplement - Guidance for PCI DSS Scoping and Network Segmentation. The intention is to deploy a Network Security Control (NSC) between environments with different levels of trust (including internal networks). Based on this perspective, there are two main components of a network:
Accordingly, the traffic filtering rules implemented by the NSCs should follow these criteria:
An interesting point in this version of the standard is that the requirement to implement a Demilitarized Zone (DMZ) as a network segment that limits inbound traffic (1.3.1 in PCI DSS 3.2.1) has disappeared, although a DMZ is now recommended as a best practice. However, if a DMZ is implemented and that segment processes or transmits payment card data, it should then be considered part of the CDE.
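The points above (an NSC between every pair of segments with different trust levels, traffic controlled by predefined rules, and a DMZ that handles card data falling into CDE scope) can be modelled as policy-as-data and checked automatically. The following is an added example written for this article, not PCI SSC material or the article's own code; the segment names, CIDRs, trust levels and rules are constructed, and the audit checks encode an illustrative policy (default deny, no direct allow from an untrusted network into CDE scope, no any-port allows across a trust boundary, a documented justification for every allow), not the standard's exact wording.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed segments (illustrative only). Higher trust = more sensitive.
# "card_data" records whether the segment stores, processes or transmits
# cardholder data; per the article, such a segment is in CDE scope even if
# it is nominally a DMZ.
SEGMENTS: Dict[str, dict] = {
    "internet": {"cidr": "0.0.0.0/0",    "trust": 0, "card_data": False},
    "corp-lan": {"cidr": "10.10.0.0/16", "trust": 1, "card_data": False},
    "dmz":      {"cidr": "10.20.0.0/24", "trust": 2, "card_data": False},
    "cde":      {"cidr": "10.30.0.0/24", "trust": 3, "card_data": True},
}


@dataclass(frozen=True)
class Rule:
    src: str                  # source segment name
    dst: str                  # destination segment name
    proto: str                # "tcp" or "udp"
    port: Optional[int]       # None means "any port"
    action: str               # "allow" or "deny"
    justification: str = ""   # documented business need for the flow


# Constructed rule set for the example.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public web front end"),
    Rule("dmz", "cde", "tcp", 8443, "allow", "web tier to payment API"),
    Rule("cde", "corp-lan", "udp", 514, "allow", "syslog to log collector"),
]


def segment_of(ip: str, segments: Dict[str, dict] = SEGMENTS) -> Optional[str]:
    """Longest-prefix match: the most specific segment containing the address."""
    addr = ip_address(ip)
    best_name, best_len = None, -1
    for name, seg in segments.items():
        net = ip_network(seg["cidr"])
        if addr in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def in_cde_scope(segment: str, segments: Dict[str, dict] = SEGMENTS) -> bool:
    """A segment is in CDE scope if it is the CDE or handles card data."""
    return segment == "cde" or bool(segments[segment]["card_data"])


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             rules: List[Rule] = RULES) -> str:
    """Default deny: a flow passes only when an explicit allow rule matches."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in rules:
        if (r.src, r.dst, r.proto) == (src, dst, proto) and r.port in (None, port):
            return r.action
    return "deny"


def audit_rules(rules: List[Rule], segments: Dict[str, dict] = SEGMENTS) -> List[str]:
    """Flag allow rules that violate the illustrative policy described in the lead-in."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        flow = f"{r.src}->{r.dst} {r.proto}/{r.port if r.port is not None else 'any'}"
        if not r.justification:
            findings.append(f"{flow}: allow rule has no documented justification")
        crosses_up = segments[r.src]["trust"] < segments[r.dst]["trust"]
        if crosses_up and r.src == "internet" and in_cde_scope(r.dst, segments):
            findings.append(f"{flow}: untrusted network allowed directly into CDE scope")
        if crosses_up and r.port is None:
            findings.append(f"{flow}: any-port allow across a trust boundary")
    return findings


if __name__ == "__main__":
    print(evaluate("203.0.113.7", "10.20.0.10", "tcp", 443))   # allow (internet -> dmz)
    print(evaluate("203.0.113.7", "10.30.0.10", "tcp", 8443))  # deny  (no rule internet -> cde)
    for finding in audit_rules(RULES + [Rule("internet", "cde", "tcp", None, "allow")]):
        print("FINDING:", finding)
```

Marking the DMZ as handling card data (`SEGMENTS["dmz"]["card_data"] = True`) is enough for the audit to start flagging the `internet -> dmz` rule, which is exactly the scoping consequence the article describes: the segment is now CDE and inbound rules into it need the same scrutiny.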
Requirement 2: Apply Secure Configurations to All System Components
This requirement was renamed to make the applicability of secure configuration controls more flexible, emphasizing that not only must default values be changed, but unnecessary software, functions, and accounts must also be removed, and unnecessary services disabled or removed. It is also emphasized that this requirement applies not only to "traditional" systems but also to any system accessed through a cloud subscription service.
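A practical way to operate this requirement is to keep a per-role hardening baseline and diff each system's observed state against it, so that unnecessary services and software, leftover vendor accounts and unchanged defaults surface as findings. The following is an added example written for this article, not the article's or the PCI SSC's own code: the baseline contents, the list of default account names and the host snapshots are all constructed, and the "managed-db" role illustrates that the same check applies to a cloud subscription service, using made-up setting names.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed hardening baseline per system role (illustrative, not a
# published benchmark). "settings" are expected key/value pairs; the keys
# for the cloud "managed-db" role are made up for the example.
BASELINE: Dict[str, dict] = {
    "web-server": {
        "required_services": {"sshd", "nginx"},
        "allowed_services": {"sshd", "nginx", "chronyd", "rsyslog"},
        "forbidden_packages": {"telnet", "rsh", "tftp"},
        "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    },
    "managed-db": {
        "required_services": set(),
        "allowed_services": set(),
        "forbidden_packages": set(),
        "settings": {"public_network_access": "disabled", "tls_min_version": "1.2"},
    },
}

# Constructed list of vendor/default account names that should not stay enabled.
DEFAULT_ACCOUNTS: Set[str] = {"admin", "guest", "test", "support"}


@dataclass
class HostSnapshot:
    name: str
    role: str
    services: Set[str]       # services observed running
    accounts: Set[str]       # enabled accounts
    settings: Dict[str, str] # observed configuration values
    packages: Set[str]       # installed software


def check_host(host: HostSnapshot, baseline: Dict[str, dict] = BASELINE) -> List[str]:
    """Return one finding per deviation from the role baseline."""
    b = baseline[host.role]
    findings = []
    for svc in sorted(host.services - b["allowed_services"]):
        findings.append(f"{host.name}: unnecessary service running: {svc}")
    for svc in sorted(b["required_services"] - host.services):
        findings.append(f"{host.name}: required service not running: {svc}")
    for acct in sorted(host.accounts & DEFAULT_ACCOUNTS):
        findings.append(f"{host.name}: default/vendor account still enabled: {acct}")
    for pkg in sorted(host.packages & b["forbidden_packages"]):
        findings.append(f"{host.name}: unnecessary software installed: {pkg}")
    for key, expected in b["settings"].items():
        actual = host.settings.get(key)  # None = still at the vendor default
        if actual != expected:
            findings.append(f"{host.name}: setting {key}={actual!r}, expected {expected!r}")
    return findings


def check_fleet(hosts: List[HostSnapshot]) -> Dict[str, int]:
    """Finding count per host, convenient for tracking remediation over time."""
    return {h.name: len(check_host(h)) for h in hosts}


# Constructed snapshots: one hardened host, one fresh install, one cloud service.
COMPLIANT = HostSnapshot(
    "web-01", "web-server", {"sshd", "nginx", "chronyd"}, {"deploy"},
    {"PermitRootLogin": "no", "PasswordAuthentication": "no"}, {"nginx", "openssh-server"})
NONCOMPLIANT = HostSnapshot(
    "web-02", "web-server", {"sshd", "nginx", "cupsd", "vsftpd"}, {"deploy", "admin", "guest"},
    {"PermitRootLogin": "yes"}, {"nginx", "telnet"})
CLOUD_DB = HostSnapshot(
    "pay-db", "managed-db", set(), {"dba"},
    {"public_network_access": "enabled", "tls_min_version": "1.2"}, set())

if __name__ == "__main__":
    for host in (COMPLIANT, NONCOMPLIANT, CLOUD_DB):
        for finding in check_host(host):
            print("FINDING:", finding)
    print(check_fleet([COMPLIANT, NONCOMPLIANT, CLOUD_DB]))
```

Because a missing key is reported as a deviation, a setting left untouched at the vendor default is caught just like one explicitly set to a bad value, which is the distinction the renamed requirement draws between "change defaults" and "apply a secure configuration".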
Among the changes applied to this requirement are the following:
I am the Senior Security Consultant at Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies, and design and policy development, among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor