!!! Overview
[{$pagename}] ([PCI DSS]) is a proprietary information security standard for organizations that handle branded [Payment Cards] from the [Payment Card Industry] members. [{$pagename}] is mandated by the card brands and administered by the [Payment Card Industry Security Standards Council].

[{$pagename}] was created to increase controls around [Cardholder Data] to reduce [credit card fraud|Payment Card Fraud]. Validation of compliance is performed periodically, either by an external [Qualified Security Assessor] ([QSA]) that creates a [Report on Compliance] ([ROC]) for organizations handling large volumes of transactions, or by a [Self-Assessment Questionnaire] ([SAQ]) for companies handling smaller volumes.

!! PCI DSS 4.0
The 12 core [PCI DSS] requirements did not fundamentally change, and they remain the critical foundation for securing payment card data. However, the requirements have been redesigned to focus on security objectives that guide how security controls should be implemented.

PCI DSS 4.0 aligns with [NIST.SP.800-63B] for [authentication] and life cycle management. As the payments industry has gradually moved to the cloud, stronger authentication standards for payment logins and control-access logins are necessary.

PCI DSS 4.0 considers:
* [Multi-Factor Authentication] ([MFA]) usage for all accounts that have access to the [Cardholder Data], not just administrators accessing the cardholder data environment.
* Passwords for accounts used by applications and systems must be changed at least every 12 months and upon suspicion of compromise.
* Use of strong passwords for accounts used by applications and systems, which must contain at least 15 characters, including numeric and alphabetic characters. PCI DSS requires that prospective passwords be compared against a list of known bad passwords.
* Access privileges must be reviewed at least once every six months.
* Vendor or [Third-party] accounts may be enabled only as needed and monitored when in use.

The PCI DSS 4.0 standard is built with a [Zero Trust] mindset, permitting organizations to build their own unique, pluggable authentication solutions to meet the data security regulatory requirements. At the same time, authentication methods can scale to fit the company's transaction objectives and risk environment.

Finally, PCI SSC has partnered with [Europay], [MasterCard], and [VISA] to implement the use of the [3DS Core Security Standard|https://blog.pcisecuritystandards.org/what-to-know-about-the-new-pci-3ds-core-security-standard] during transaction authorization.

!! [{$pagename}] Requirements
[{$pagename}] specifies twelve requirements for [compliance], organized into six logically related groups called "control objectives". Each version of [{$pagename}] has divided these twelve requirements into sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard.

!! Control objectives
[PCI DSS] requirements:

! Build and Maintain a Secure Network and Systems
* 1. Install and maintain a firewall configuration to protect cardholder data
* 2. Do __NOT__ use vendor-supplied defaults for system passwords and other security parameters

! Protect [Cardholder Data]
* 3. Protect stored [Cardholder Data]
* 4. [Encrypt] transmission of [Cardholder Data] across open, [public networks|Internet]

! Maintain a Vulnerability Management Program
* 5. Protect all systems against [malware] and regularly update antivirus software or programs
* 6. Develop and maintain secure systems and applications

! Implement Strong [Access Control] Measures
* 7. Restrict access to [Cardholder Data] by business [need to know]
* 8. [Identify and Authenticate access to system components]
* 9. Restrict physical access to [Cardholder Data]

! Regularly Monitor and Test [Networks]
* 10. Track and [monitor|Monitoring] all [access] to network [resources] and [Cardholder Data]
* 11. Regularly test security systems and processes

! Maintain an [Information security] [Policy]
* 12. Maintain a [policy] that addresses [information security] for all personnel

!! Many Versions
* [PCI Data Security Standard v3.1] - Jan [2015|Year 2015]
* [PCI Data Security Standard v3.2] - Apr [2016|Year 2016]
* [PCI Data Security Standard v3.2.1] - Apr [2018|Year 2018]

!! "Secure Version of [TLS]"
"Secure Version of [TLS]" is used in several of their documents; it has been clarified as meaning "as defined by [NIST.SP.800-52]".

!! [Multi-Factor Authentication][2]
[{$pagename}] requirement 8.3 requires the use of [Multi-Factor Authentication] for all remote network access that originates from outside the network to a [Cardholder Data Environment] ([CDE]).

Beginning with PCI-DSS version 3.2, the use of [Multi-Factor Authentication] is also required for all __administrative access__ to the [Card Data Environment|Cardholder Data Environment] ([CDE]), even if the user is within a trusted network.

Some clarification on [{$pagename}] and [Multi-Factor Authentication]: Troy Leach, [Payment Card Industry Data Security Standard]'s Chief Technology Officer, clarifies this further by stating,[3]
{{{
[A] significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user's identity and grant access to sensitive information, even if they are within a trusted network… The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company's own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.
}}}

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Payment_Card_Industry_Data_Security_Standard|Wikipedia:Payment_Card_Industry_Data_Security_Standard/|target='_blank'] - based on information obtained 2016-07-15
* [#2] - [Multi-factor_authentication|Wikipedia:Multi-factor_authentication|target='_blank'] - based on information obtained 2017-03-19
* [#3] - [For PCI Multi-Factor Authentication is Now Required for Everyone…and You Better Hurry|http://blog.centrify.com/pci-multi-factor-authentication-mfa/|target='_blank'] - based on information obtained 2017-03-19
* [#4] - [What You Need to Know About PCI DSS 4.0's New Requirements|https://www.darkreading.com/edge-articles/what-s-new-in-pci-dss-4-0-for-authentication-requirements-|target='_blank'] - based on information obtained 2022-04-03
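The PCI DSS 4.0 password points listed above for application and system accounts (at least 15 characters, alphabetic and numeric characters, comparison against a known-bad list, rotation at least every 12 months or on suspected compromise) can be enforced mechanically at provisioning time. The following is an added example written for this page; it is not code from the PCI SSC or from any PCI DSS document. The `KNOWN_BAD_PASSWORDS` set is a constructed stand-in for a real breached-password corpus, and reading "12 months" as 365 days is an assumption of the example.

```python
"""Password policy checks for application/system accounts, following the
PCI DSS 4.0 points listed on this page: at least 15 characters, both
alphabetic and numeric characters, not on a known-bad list, and rotated
at least every 12 months or when compromise is suspected.

Added example, not from the PCI SSC or any PCI DSS document. The
known-bad list and the 365-day reading of "12 months" are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for a real known-bad password corpus (assumption).
KNOWN_BAD_PASSWORDS = frozenset({
    "password",
    "welcome1",
    "changeme123456789",   # long enough, but still a default-style value
    "administrator12345",
})

MIN_LENGTH = 15                 # page: "at least 15 characters"
MAX_AGE = timedelta(days=365)   # page: "at least every 12 months" (assumed 365 days)


@dataclass
class PolicyResult:
    """Outcome of the checks; an empty `failures` list means the password passes."""
    failures: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.failures


def check_password_strength(candidate: str,
                            known_bad=KNOWN_BAD_PASSWORDS) -> PolicyResult:
    """Apply the composition and known-bad checks to a prospective password."""
    result = PolicyResult()
    if len(candidate) < MIN_LENGTH:
        result.failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        result.failures.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        result.failures.append("no numeric character")
    # Compare case-insensitively so a trivially re-capitalised known-bad
    # value (Password -> PASSWORD) does not slip through.
    if candidate.lower() in {p.lower() for p in known_bad}:
        result.failures.append("appears on the known-bad password list")
    return result


def rotation_due(last_changed: date, today: date,
                 suspected_compromise: bool = False) -> bool:
    """True when the account password must be changed: either the 12-month
    interval has elapsed or compromise is suspected."""
    return suspected_compromise or (today - last_changed) >= MAX_AGE


if __name__ == "__main__":
    for pw in ("Summer2024", "Summer2024Rotation7", "Administrator12345"):
        r = check_password_strength(pw)
        print(f"{pw!r}: {'ok' if r.ok else ', '.join(r.failures)}")
    print(rotation_due(date(2023, 1, 10), date(2024, 1, 10)))
```

The strength check returns every failed rule rather than stopping at the first, so an administrator sees all the reasons a candidate is rejected; the rotation check is kept separate because it is driven by account metadata (last change date, compromise flag) rather than by the password value itself.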