Here's the latest addition to our ongoing PCI DSS v4.0 analysis series, which looks at requirements 10 and 11. Both belong to group 5, "Regularly Monitor and Test Networks", which keeps the same name it had in version 3.2.1 of the standard.
The purpose of these two requirements is to ensure traceability in the compliance environment in order to detect malicious patterns. They also serve as a basis in the event of a forensic investigation and validate that the security levels of the environment continue to be acceptable over time.
Requirement 10 defines the security controls required to record the activities that affect the system components of the environment and cardholder data in order to identify any suspicious event proactively and to be able to conduct a post-incident investigation. The critical elements that are part of this requirement are the event/audit records (or logs) and their time synchronization, to ensure the correct correlation of activities of all assets involved in a particular event.
It is imperative to clarify that PCI DSS version 4.0 explicitly excludes activities performed by cardholders from this requirement. Instead, it includes actions performed by employees, contractors, consultants, internal and external vendors, and any other entity that has access to or may affect the security of the environment.
In general terms, this requirement had no relevant changes beyond a reorganization of controls and the addition of some clarifications:
Event log management:
All other log-related controls (types of actions to be logged, details of each event, log centralization and protection, retention times, etc.) remain unchanged in this new version.
Time synchronization:
Response to failures in critical security systems:
These controls subtly introduce the concept of availability into PCI DSS, whose controls have traditionally been oriented towards protecting confidentiality and integrity.
Taken as a whole, PCI DSS follows the lifecycle of the security controls that protect payment card data: asset categorization, selection and implementation (requirements 1, 2, 3, 4, 5, 6, 7, 8 and 9), monitoring (requirement 10) and assessment (requirement 11). The objective of the assessment phase is to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the requirements of the standard. This phase is covered by PCI DSS Requirement 11.
Driven by the evolution of attack techniques and software vulnerabilities, and by the widespread adoption of cloud platforms, requirement 11 includes a series of updates that refine the activities used to evaluate the security controls required by the standard, among them:
Wireless networks:
Internal vulnerability scans:
External vulnerability scans:
Internal and external penetration tests:
Testing from inside the network (or "internal penetration testing") means testing from inside the CDE, and towards the CDE from trusted and untrusted internal networks.
Testing from outside the network (or "external penetration testing") is performed against the exposed external perimeter of trusted networks and against critical systems connected to or accessible from public networks.
Penetration test reports must be retained for at least 12 months.
Exploitable vulnerabilities identified in these tests must be corrected in accordance with the risk levels defined by the organization (req. 11.4.4).
Multi-tenant service providers must provide their customers with evidence that penetration tests of their infrastructure have been successfully executed, and must support customers who wish to run their own tests (req. 11.4.7). This control becomes effective on 31 March 2025.
Intrusion detection/prevention systems (IDS/IPS):
Protection against unauthorized changes to payment pages:
This control (11.6.1) complements control 6.4.3 of PCI DSS v4.0 which requires verification of scripts loaded by payment forms.
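As an added example (not from the original article or from Advantio), the following Python script shows the kind of baseline comparison that 6.4.3 and 11.6.1 call for: the scripts on a captured payment page are hashed and compared against the approved inventory, and the response headers against their expected values. Script bodies, URLs and headers are constructed sample data, and `fetch` is a hypothetical callback that returns the body of an external script.

```python
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r'\bsrc="([^"]+)"', re.I)

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def script_inventory(html, fetch):
    """Map each script (keyed by src, or by a hash of an inline body) to the SHA-256 of its body."""
    inventory = {}
    for attrs, inline in SCRIPT_RE.findall(html):
        src = (SRC_RE.search(attrs) or ["", ""])[1]      # "" when the script is inline
        body = fetch(src) if src else inline.strip()
        key = src or "inline:" + sha256(body)[:12]
        inventory[key] = sha256(body)
    return inventory

def detect_changes(baseline_scripts, baseline_headers, html, fetch, headers):
    """Return sorted (finding, detail) tuples for every deviation from the approved baseline."""
    findings = []
    observed = script_inventory(html, fetch)
    for key, digest in observed.items():
        if key not in baseline_scripts:
            findings.append(("unauthorised_script", key))  # not in the 6.4.3 inventory
        elif digest != baseline_scripts[key]:
            findings.append(("modified_script", key))      # integrity check failed
    for key in baseline_scripts.keys() - observed.keys():
        findings.append(("missing_script", key))           # approved script removed
    headers = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, value in baseline_headers.items():
        if headers.get(name.lower()) != value:
            findings.append(("header_changed", name))      # 11.6.1 header tamper check
    return sorted(findings)
# Constructed sample data (not from any real merchant): approved bodies and headers, plus a
# captured page where checkout.js was altered, an inline script was injected and the CSP is gone.
APPROVED_BODIES = {
    "/static/checkout.js": "function pay() { /* approved checkout logic */ }",
    "https://js.psp.example/tokenize.js": "window.tokenize = function () {};",
}
APPROVED_HEADERS = {"content-security-policy": "script-src 'self' https://js.psp.example"}
BASELINE = {src: sha256(body) for src, body in APPROVED_BODIES.items()}
CLEAN_PAGE = ('<script src="/static/checkout.js"></script>'
              '<script src="https://js.psp.example/tokenize.js"></script>')
TAMPERED_PAGE = CLEAN_PAGE + "<script>/* injected, not in the inventory */</script>"
TAMPERED_BODIES = {**APPROVED_BODIES, "/static/checkout.js": "function pay() { /* altered */ }"}
def check_tampered():
    return detect_changes(BASELINE, APPROVED_HEADERS, TAMPERED_PAGE,
                          TAMPERED_BODIES.get, {"x-frame-options": "DENY"})
```

A real deployment would run this comparison on a schedule against the live page (at least weekly under 11.6.1) and alert on any non-empty result.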
I am the Senior Security Consultant at Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies, and design and policy development, among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor