What Do Organizations Need to Know About PCI DSS v4.0?
We published our summary of the key changes in the Payment Card Industry Data Security Standard (PCI DSS) v4.0 two years ago.
Now, as entities prepare for their first assessments under the new standard, we want to share some key lessons we’ve learned while helping our clients prepare to meet the new and changed requirements.
What Is the PCI DSS?
The PCI DSS is a globally recognized framework that sets technical and operational standards for safeguarding account data.
On March 31, 2022, the PCI Security Standards Council (PCI SSC) released version 4.0 of the PCI DSS, with a three-year transition period to replace the previous version (3.2.1). This update was designed to address emerging threats, adapt to evolving technologies, and adopt innovative methods for addressing new risks.
What Are the Main Goals of PCI DSS v4.0?
Continue to meet the security needs of the payment industry: The new version is designed to meet the evolving security needs of the payment industry. It recognizes that security is a continuous process and adapts accordingly.
Promote security as a continuous process: PCI DSS v4.0 emphasizes that security is not a one-time event but an ongoing effort. Organizations must remain vigilant and adapt to changing threats.
Increase flexibility: The standard provides flexibility for organizations by introducing additional methods to achieve their security goals. It acknowledges that different approaches can be effective in maintaining payment security.
Enhance validation methods and procedures: PCI DSS v4.0 enhances validation methods, ensuring that organizations can effectively assess and validate their compliance.
What Are the Transition Period and Timeline for PCI DSS v4.0?
Transition period: From March 2022 until March 31, 2024, organizations could operate under either PCI DSS v3.2.1 or v4.0. This gave organizations time to become familiar with the changes, update reporting templates, and implement the necessary adjustments.
Retirement of v3.2.1: As of March 31, 2024, PCI DSS v3.2.1 is retired and v4.0 is the only active version. Make sure your assessor has completed the mandatory v4.0 training before your next assessment begins.
What Are the Main Changes in PCI DSS v4.0?
Over the coming month, our team will share insights on some of the more detailed requirement updates and changes to PCI DSS for v4.0, including:
Requirement 1 – Install and Maintain Network Security Controls: The terminology related to firewalls has been revised to encompass a broader range of network security controls. This change supports various technologies used to achieve security objectives traditionally associated with firewalls.
Requirement 2 – Apply Secure Configurations to All System Components: There have been several updates designed to clarify the scope and intent of the requirements around securing asset configurations within the cardholder data environment (CDE).
Requirement 3 – Protect Stored Account Data: New restrictions have been placed around the storage of sensitive authentication data (SAD), and additional cryptographic controls must be implemented to protect cardholder data (CHD).
Requirement 4 – Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks: Trusted keys and certificates must now be formally inventoried.
Requirement 5 – Protect All Systems and Networks from Malicious Software: Malware scanning must now cover removable media, and all entities must deploy anti-phishing controls.
Requirement 6 – Develop and Maintain Secure Systems and Software: Custom software and client-side scripts used on payment pages must be inventoried, and additional technical controls need to be implemented to protect web-based payment pages.
Requirement 7 – Restrict Access to System Components and Cardholder Data by Business Need to Know: User access reviews must be performed at least every six months for all user accounts within the CDE.
Requirement 8 – Identify Users and Authenticate Access to System Components: PCI DSS now mandates the implementation of MFA for all access into the cardholder data environment and finally increases the minimum password length to 12 characters.
Requirement 9 – Restrict Physical Access to Cardholder Data: Only minor changes were made to the restrictions on physical access, both relating to additional documentation.
Requirement 10 – Log and Monitor All Access to System Components and Cardholder Data: Emphasis is now placed on the use of automation to detect security events, including any failures of critical security components.
Requirement 11 – Test Security of Systems and Networks Regularly: Vulnerability remediation plans must address all severity ratings (not just those considered “high-risk”), and internal vulnerability scans must be performed in authenticated mode.
Requirement 12 – Support Information Security with Organizational Policies and Programs: While additional requirements for documenting responsibilities have been added to Requirements 1-11, the requirement to perform a comprehensive risk assessment (using NIST, OCTAVE, etc.) has been replaced by “targeted risk analyses.”
Understanding the Customized Approach in PCI DSS v4.0: Unlike the concept of “compensating controls” (which still exists), the Customized Approach is only available to entities undergoing an assessment resulting in a Report on Compliance (ROC).
Understanding Targeted Risk Analysis in PCI DSS v4.0: While targeted risk analysis generally simplifies the risk assessment process, all entities should understand the necessary considerations, especially if incorporating their PCI risk assessment into a broader risk management strategy.
New Requirements for Service Providers: Third-party service providers must satisfy additional requirements intended to protect their customers’ PCI environments. Understanding these obligations is equally important to TPSPs and merchants relying on their services.
Be sure to check back on our PCI DSS Solutions page as we provide additional guidance and resources.
How Can Schneider Downs Help?
As a certified Qualified Security Assessor (QSA), Schneider Downs is equipped to assist clients with their PCI compliance requirements by providing scalable, effective solutions that meet the stringent demands of PCI compliance.
If you have any questions about PCI DSS v4.0, please contact the Schneider Downs team at contactsd@faithfulwebdesign.net or visit our PCI DSS Solutions page.
Related Resources
PCI DSS Resource Center
PCI DSS v4.0 Overview
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
Explore our full range of Risk Advisory services or contact the team at contactsd@faithfulwebdesign.net.