Penetration Testing - What's New in the PCI DSS v4.0

By ERMProtect Staff

The Payment Card Industry (PCI) operates within the financial sector and covers electronic payments in all their forms, including debit, credit, ATM, POS, prepaid, and e-purse transactions. Because processing these payments means transmitting sensitive payment data, stringent security measures are essential to safeguard everyone taking part in digital transactions.

In 2006, American Express, Discover, JCB International, MasterCard and Visa Inc. established the Payment Card Industry Security Standards Council (PCI SSC) to develop and oversee digital security standards for the payment card industry. The PCI SSC operates as an independent body, separate from the card brands themselves. Its objective is to protect cardholders by defining and enforcing rigorous security standards for merchants and providers of payment-processing solutions.

What Is the PCI DSS?

Credit and debit cards are essential drivers of global commerce, providing unparalleled convenience and accessibility to users worldwide. However, these ubiquitous financial tools are also prime targets for cybercriminals looking to exploit technological weaknesses and commit fraud.

To protect sensitive payment card information, merchants and vendors must comply with the Payment Card Industry Data Security Standard (PCI DSS). Through this framework, the PCI SSC defines a baseline level of security for every organization that stores, processes, or transmits payment card data. By adhering to it, businesses put essential safeguards in place against breaches and preserve the integrity of electronic payment transactions.

What Is the PCI DSS v4.0?

PCI DSS version 4.0 supersedes PCI DSS version 3.2.1 and introduces a series of changes and improvements to the established payment card industry security standards. Affected parties have until March 31, 2024 to fully comply with the new set of requirements.

How Does PCI DSS v4.0 Impact Penetration Testing?

The changes that PCI DSS v4.0 introduces for penetration testing sit under Requirement 11, which stipulates that “external and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.” More specifically, affected organizations must define, document and maintain a penetration testing methodology that includes the following elements:

  • Industry-accepted approaches to conducting penetration testing
  • Coverage for all critical systems, as well as the entire Cardholder Data Environment (CDE) perimeter
  • Both application-layer and network-layer penetration testing
  • Both internal and external penetration testing, as well as testing for the purpose of validating segmentation and scope reduction controls
  • Review and consideration of the threats and vulnerabilities experienced within the last twelve months
  • A documented approach to assessing and addressing the weaknesses found during penetration testing, together with retention of all testing results and remediation activities from the past twelve months

Notably, PCI DSS v4.0 adds a new sub-requirement to 11.4, numbered 11.4.7, which states that multi-tenant service providers must support their customers’ external penetration testing activities.

What Changes Does the New PCI DSS v4.0 Introduce?

PCI DSS v4.0 updates a number of PCI DSS requirements, not only those that relate to penetration testing. Here is an overview, organized by requirement, of what your organization needs to do to remain compliant with PCI DSS v4.0:

  1. To safeguard cardholder data, deploy firewalls (network security controls) that restrict inbound and outbound traffic between untrusted networks and the cardholder data environment.
  2. Change the default passwords and configurations supplied by vendors; these defaults are publicly documented and are easily exploited by malicious hackers.
  3. Protect stored cardholder data with strong encryption, hashing, or other techniques that align with widely recognized industry best practices.
  4. Protect cardholder data in transit with strong cryptography, including properly managed keys and trusted digital certificates.
  5. Deploy anti-virus and anti-malware software so that all systems are protected against current threats, and keep that software and its signatures updated at all times.
  6. Establish a systematic process for promptly identifying vulnerabilities in systems and applications, and for applying the patches or other remediation needed to mitigate them.
  7. Restrict access to cardholder data according to the principles of least privilege and "need-to-know."
  8. To ensure full accountability for system and application access, assign each individual who requires access a unique user ID.
  9. Restrict physical access to cardholder data and to the systems that store and process it, using controls such as electronic access keys and surveillance systems.
  10. Log and monitor all access to cardholder data and to network resources in the cardholder data environment, and retain those logs.
  11. Conduct comprehensive risk assessments, annual penetration tests, and quarterly vulnerability scans within the cardholder data environment.
  12. Maintain a thorough information security policy, distribute it to the relevant individuals and teams across your organization, and update it whenever the environment or its technology changes.

Who Is Affected By the New PCI DSS v4.0 Requirements?

PCI DSS v4.0 requirements apply to every organization that handles payment card information. Complying with this set of payment data security standards is crucial to maintaining a functioning and reputable business: if your organization does not comply with PCI DSS requirements, the major debit and credit card brands may refuse to let you process their customers’ cards, making it far more difficult to do business.

Furthermore, serious non-compliance with PCI DSS version 4.0 can result in fines. To avoid repercussions such as fines or loss of trust with the major card brands, every organization that handles payment card information in any capacity should put measures in place to comply with PCI DSS.

Is Your Organization Prepared for PCI DSS v4.0?

You need to be certain your organization is prepared for full PCI DSS v4.0 compliance. One of the best ways to verify that your organization’s data security practices meet the current standard is to enlist a cybersecurity company with certified compliance experts, such as a PCI QSA (Qualified Security Assessor). Our professionals at ERMProtect have the experience and expertise to perform a comprehensive gap analysis and flag any PCI DSS compliance issues in your environment so you can be sure you are ready for PCI DSS version 4.0.
