Our fifth article in the PCI DSS v4.0 analysis series examines the changes made to requirements 7, 8, and 9 of the standard.
In group 4, "Implement Strong Access Control Measures," these requirements cover the physical and logical controls used to identify, authenticate, authorize, and manage privileges throughout the environment. Within the PCI DSS compliance environment they serve to prevent unauthorized access, to protect the confidentiality, integrity, and availability of assets, and to bind an entity (a person or a computer system) to the actions that entity performs in the environment.
As we analyze the changes applied to these requirements, it is important to remember the definitions of some terms used throughout the standard:
The relationship between these three important concepts is simple:
The management of these three concepts is called "Identity and Access Management" (IAM) and its implementation rules are evaluated in the controls of these three PCI DSS requirements.
Requirement 7 defines the criteria for authorization and privilege management. It has traditionally been the PCI DSS requirement with the fewest controls, and that remains the case in version 4.0 of the standard.
The changes implemented in this version are minimal and are mainly focused on clarifications and expansion of its applicability.
The controls requiring an access control system for the environment that is configured to "deny all" by default carry over to this version of the standard without major changes.
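As an added example (not code from the article or from Advantio), the following Python sketch shows the "deny all" default that requirement 7 expects: a request is allowed only when an explicit role grant matches it, and every other case, including unknown users and unknown resources, falls through to deny and is recorded for audit. The roles, users and resource names are constructed for illustration.

```python
"""Default-deny access control check (added example, not from the article).

Requirement 7 expects an access control system that denies everything
unless a privilege has been explicitly granted. The roles, resources and
users below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """An explicit allow: a role may perform these actions on a resource."""
    role: str
    resource: str
    actions: frozenset[str]


@dataclass
class AccessControl:
    grants: set[Grant] = field(default_factory=set)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def grant(self, role: str, resource: str, *actions: str) -> None:
        self.grants.add(Grant(role, resource, frozenset(actions)))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Return True only when an explicit grant matches; otherwise deny.

        An unknown user, an unknown resource or an action outside the grant
        all fall through to the same default: deny, with an audit entry.
        """
        for role in self.user_roles.get(user, ()):
            for g in self.grants:
                if g.role == role and g.resource == resource and action in g.actions:
                    self.audit.append(f"ALLOW {user} {action} {resource} via {role}")
                    return True
        self.audit.append(f"DENY  {user} {action} {resource}")
        return False


def build_demo() -> AccessControl:
    """Constructed sample policy: two roles with least-privilege grants."""
    ac = AccessControl()
    ac.grant("dba", "cde-db", "read", "write")
    ac.grant("support", "cde-db", "read")
    ac.assign("alice", "dba")
    ac.assign("bob", "support")
    return ac


def demo_decisions() -> dict[str, bool]:
    """Evaluate a handful of requests against the constructed policy."""
    ac = build_demo()
    return {
        "alice write cde-db": ac.is_allowed("alice", "cde-db", "write"),
        "bob read cde-db": ac.is_allowed("bob", "cde-db", "read"),
        "bob write cde-db": ac.is_allowed("bob", "cde-db", "write"),        # no grant -> deny
        "mallory read cde-db": ac.is_allowed("mallory", "cde-db", "read"),  # unknown user -> deny
        "alice read hsm": ac.is_allowed("alice", "hsm", "read"),            # unknown resource -> deny
    }


if __name__ == "__main__":
    for decision, allowed in demo_decisions().items():
        print(f"{'allow' if allowed else 'deny ':5} {decision}")
```

The point of the structure is that there is exactly one code path that returns True, and it requires a matching explicit grant; everything else shares the deny branch, which is what an assessor looks for when checking that the system defaults to "deny all".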
As a complement to the authorization processes of requirement 7, requirement 8 establishes the criteria for identifying and authenticating users, systems, and applications.
Among the most relevant changes to this requirement are the following:
Regarding the use of multi-factor authentication (MFA), the changes included in version 4.0 are as follows:
Here it is important to highlight the concept of "MFA chains": multiple MFA authentications depending on where a connection starts and where it ends. An administrator may connect from outside the corporate network into a network that can impact the CDE (first use of MFA) and, from there, open a network connection into the CDE (second use of MFA). In such cases MFA is required twice.
Finally, the controls that must be applied to any system or application account are also described:
Requirement 9 is the only requirement in PCI DSS v4.0 whose name is unchanged from version 3.2.1.
However, multiple clarifications were added to facilitate the implementation of the controls, including:
Regarding the security of point-of-interaction (POI) devices, the following clarifications were added:
Also among the requirement 9 clarifications: performing a review of the media inventories at least annually.
I am the Senior Security Consultant at Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies, and design and policy development, among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor