PCI DSS 4.0.1 (Payment Card Industry Data Security Standard)
Region: International
Version: 4.0.1
66 controls · 14 domains
Mandatory for: Contractual (card brands / acquirers)
About this framework
PCI DSS is the security standard for any business that handles payment card data. Set by the major card brands, it lays out requirements for protecting cardholder information across networks, systems, and processes.
Who needs this
Mandatory for any business that stores, processes, or transmits payment card data.
Cross-framework coverage
Controls in PCI DSS 4.0.1 also cover:
NIST CSF 14 shared
CIS Controls 14 shared
NCA ECC-2 14 shared
Qatar NIA 14 shared
UAE IA 14 shared
Control domains
1 · Install and Maintain Network Security Controls 5
1.1
Processes and mechanisms for installing and maintaining network security controls are defined and understood.
1.2
Network security controls (NSCs) are configured and maintained.
1.3
Network access to and from the cardholder data environment is restricted.
1.4
Network connections between trusted and untrusted networks are controlled.
1.5
Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
2 · Apply Secure Configurations to All System Components 3
2.1
Processes and mechanisms for applying secure configurations to all system components are defined and understood.
2.2
System components are configured and managed securely.
2.3
Wireless environments are configured and managed securely.
3 · Protect Stored Account Data 7
3.1
Processes and mechanisms for performing activities in Requirement 3 are defined and understood.
3.2
Storage of account data is kept to a minimum.
3.3
Sensitive authentication data is not stored after authorization.
3.4
Access to displays of full PAN and ability to copy PAN are restricted.
3.5
PAN is secured wherever it is stored.
3.6
Cryptographic keys used to protect stored account data are secured.
3.7
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
4 · Protect Cardholder Data with Strong Cryptography During Transmission 2
4.1
Processes and mechanisms for performing activities in Requirement 4 are defined and understood.
4.2
PAN is protected with strong cryptography during transmission.
5 · Protect All Systems and Networks from Malicious Software 4
5.1
Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
5.2
Malicious software (malware) is prevented, or detected and addressed.
5.3
Anti-malware mechanisms and processes are active, maintained, and monitored.
5.4
Anti-phishing mechanisms protect users against phishing attacks.
6 · Develop and Maintain Secure Systems and Software 5
6.1
Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
6.2
Bespoke and custom software is developed securely.
6.3
Security vulnerabilities are identified and addressed.
6.4
Public-facing web applications are protected against attacks.
6.5
Changes to all system components are managed securely.
7 · Restrict Access to System Components and Cardholder Data by Business Need to Know 3
7.1
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
7.2
7.3
Logical access to system components and data is managed via an access control system(s).
8 · Identify Users and Authenticate Access to System Components 6
8.1
8.2
User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
8.3
Strong authentication for users and administrators is established and managed.
8.4
Multi-factor authentication (MFA) systems are configured to prevent misuse.
8.5
Multi-factor authentication is implemented to secure access to the CDE.
8.6
Use of application and system accounts and associated authentication factors are strictly managed.
9 · Restrict Physical Access to Cardholder Data 5
9.1
Processes and mechanisms for performing activities in Requirement 9 are defined and understood.
9.2
Physical access controls manage entry into the cardholder data environment.
9.3
Physical access to the cardholder data environment for personnel and visitors is authorized and managed.
9.4
Media with cardholder data is securely stored, accessed, distributed, and destroyed.
9.5
Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
10 · Log and Monitor All Access to System Components and Cardholder Data 7
10.1
Processes and mechanisms for performing activities in Requirement 10 are defined and understood.
10.2
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3
Audit logs are protected from destruction and unauthorized modifications.
10.4
Audit logs are reviewed to identify anomalies or suspicious activity.
10.5
Audit log history is retained and available for analysis.
10.6
Time-synchronization mechanisms support consistent time settings across all systems.
10.7
Failures of critical security control systems are detected, reported, and responded to promptly.
11 · Test Security of Systems and Networks Regularly 6
11.1
Processes and mechanisms for performing activities in Requirement 11 are defined and understood.
11.2
Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
11.3
External and internal vulnerabilities are regularly identified, prioritized, and addressed.
11.4
External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
11.5
Network intrusions and unexpected file changes are detected and responded to.
11.6
Unauthorized changes on payment pages are detected and responded to.
12 · Support information security with organizational policies and programs 10
12.1
A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
12.2
Acceptable use policies for end-user technologies are defined and implemented.
12.3
Targeted risks to the cardholder data environment are formally identified, evaluated, and managed.
12.4
PCI DSS compliance is managed.
12.5
PCI DSS scope is documented and validated.
12.6
Security awareness education is an ongoing activity.
12.7
Personnel are screened to reduce risks from insider threats.
12.8
Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
12.9
Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.
12.10
Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
A1 · Additional PCI DSS Requirements for Multi-Tenant Service Providers 2
A1.1
Multi-tenant service providers protect and segregate all customer environments and data.
A1.2
Multi-tenant service providers facilitate logging and incident response for all customers.
A2 · Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections 1
A2.1