March 2025 Requirements
PCI DSS v4.0.1
Future-Dated “Best Practices”
November, 2024
Agenda
© ControlCase. All Rights Reserved.
• Welcome & About ControlCase
• About the v4.0.1 Update
• About the New Requirements and Timeline
• Get Involved!
Presenters:
• Sandeep Joshi, VP Business Development
• Yew Kuann Cheng, Regional Vice President, PCI Security Standards Council
• Chad Leedy, Director, Strategic Accounts – Retail, ControlCase
• Pramod Deshmane, Sr. Vice President Americas Certification, ControlCase
About ControlCase
ControlCase Overview
Best-in-Class Compliance Platform
• ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements.
• Proprietary software, including appliance and SaaS solutions, that enable CaaS (GRC and Data Discovery).
• Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform.
• One Audit™ enables our clientele to Assess once: Comply to Many.
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains.
• Serving over 1,000 customers.
• Global footprint with offices in the U.S., LATAM, Europe, Australia, India, Canada, and UAE.
• Leverages an offshore delivery infrastructure for competitive advantage.
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom.
Global Vision & Solutions Enhancement
Provider of Compliance as a Service (CaaS) subscription-based offering bundling proprietary GRC software and managed services.
Founded in 2004. Headquartered in Fairfax, VA. Offices in U.S., Canada, Australia, India. 250+ employees.
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to: Dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Free up your internal resources to focus on other priorities
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind
1,000+ clients | 10,000+ IT security certifications | 275+ security experts
ControlCase Snapshot – Solution
Diagram: Partnership Approach + Compliance HUB = Certification and Continuous Compliance Services (IT Certification Services & Continuous Compliance Services)
Certification Services
One Audit: Assess Once. Comply to Many.
PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HIPAA, MARS-E, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI SSF/SLC, CSA STAR, HITRUST CSF
Our Team
Headquartered in Fairfax, VA, ControlCase operates in 16 countries to service our global clientele.
Full-Time Employees: 379
ControlCase Team Locations: Australia, Bangladesh, Belgium, Canada, Colombia, Egypt, India, Indonesia, Jordan, Philippines, Saudi Arabia, Senegal, Tunisia, United Kingdom, United States, Vietnam
Languages Spoken: English is our main delivery language. Additionally, our team communicates in Spanish, French, German, Arabic, Marathi, Hindi, Vietnamese, Indonesian and more.
About the v4.0.1 Update
PCI DSS v4.0.1 Implementation Timeline*
• 2022: Official Release of PCI DSS v4.0 with validation documents; ISA/QSA training and supporting documents
• Transition period from PCI DSS v3.2.1 to v4.0 (through 31 March 2024)
• 31 March 2024: PCI DSS v3.2.1 retired
• June 2024: PCI DSS v4.0.1 published
• Implementation of future-dated new requirements (through 31 March 2025)
• 31 March 2025: Future-dated new requirements become effective
* All dates based on current projections and subject to change
Highlights
• PCI DSS v4.0.1 has been released; v4.0 will be retired on 31 Dec 2024.
• There are no new requirements in PCI DSS v4.0.1; review the Summary of Changes.
• Future-dated requirements will have to be adopted from 1 April 2025.
PCI DSS v4.0.1 Revision – Key Updates Summary
• Clarifications and Typos:
  • The new release corrected typographical and other minor errors (including formatting errors, missing headers, etc.) from PCI DSS v4.0.
  • The new release also clarifies the focus and intent of some of the requirements and guidance.
• Requirement 3
  • Clarified Applicability Notes for issuers and companies that support issuing services.
  • Added a Customized Approach Objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable.
• Requirement 6
  • Reverted to PCI DSS v3.2.1 language that installing patches/updates within 30 days applies only for “critical vulnerabilities.”
  • Added Applicability Notes to clarify how the requirement for managing payment page scripts applies.
• Requirement 8
  • Added an Applicability Note that multi-factor authentication for all (non-administrative) access into the CDE does not apply to user accounts that are only authenticated with phishing-resistant authentication factors.
• Requirement 12
  • Updated Applicability Notes to clarify several points about relationships between customers and third-party service providers (TPSPs).
PCI DSS Future-Dated New Requirements
PCI DSS – Key Future-Dated New Requirements
• Encryption of Sensitive Authentication Data (SAD) – Req 3.2.1 & 3.3.2
  • All sensitive authentication data, if stored before authorization, must be stored encrypted using strong cryptography. This requirement applies to all storage of SAD, even if no PAN is present in the environment.
• Disk-level or partition-level encryption only acceptable for removable media – Req 3.5.1.2
  • Disk-level or partition-level encryption can only be used for removable media (e.g., a USB drive, an external SSD). Organizations can no longer use it on any kind of non-removable media.
• Phishing Attack Protection – Req. 5.4.1
  • Organizations are required to implement an automated phishing protection mechanism to detect and protect personnel against phishing attacks. This measure supports the defenses against social engineering threats, reducing potential vectors for malware and ransomware attacks.
• Automated Technical Solution for Web Application Security – Req 6.4.2
  • Organizations must implement an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks; manual application review will no longer be allowed.
• Managing Payment Page Scripts – Req 6.4.3
  • Organizations must maintain an inventory of all scripts on their e-commerce payment pages. This includes ensuring the integrity of each script to prevent unauthorized modifications and verifying that each script is authorized to execute.
• Expanded Use of Multi-Factor Authentication (MFA) – Req. 8.4.2
  • PCI DSS v4.0 expands the requirement for multi-factor authentication (MFA). In earlier versions, MFA was required only for administrators accessing the cardholder data environment (CDE) remotely. Now, MFA is required for all access to the CDE, including access by internal users.
• Password Length Requirements – Req 8.3.6
  • To strengthen passwords, the minimum password length is increased from 7 to 12 alphanumeric characters, OR a minimum of 8 characters if the system does not support 12 characters.
• Application and System Accounts Management – Req 8.6.1, 8.6.2, 8.6.3
  • PCI DSS v4.0 introduced security controls for the management of interactive/non-interactive application and system accounts and the secure handling of passwords/passphrases for such accounts.
• Automated Log Reviews – Req 10.4.1.1
  • Organizations must implement automated mechanisms to perform audit log reviews; manual reviews are no longer permitted. Organizations are expected to consider event log analyzers and security information and event management (SIEM) solutions to support the automated log review process.
• Authenticated Vulnerability Scanning – Req 11.3.1.2
  • Quarterly internal vulnerability scans must be performed via authenticated scanning for all in-scope systems, except for system components that cannot accept credentials for scanning. The credentials used for these scans should be considered highly privileged and should be protected and controlled.
• Detect Changes to HTTP Headers & Payment Pages – Req 11.6.1
  • Organizations must implement change and tamper detection mechanisms for payment pages to protect against e-commerce skimming attacks. The control requires alerting on unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages.
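Requirements 6.4.3 and 11.6.1 above rest on the same mechanism: an authorized inventory of payment page scripts, plus a monitor that compares what the page currently serves (script contents and security-impacting HTTP headers) against that baseline and alerts on additions, deletions and changes. The Python below is an added illustration of such a monitor, written for this page and not ControlCase or PCI SSC code; the merchant hosts, script bodies, headers and the choice of which headers count as security-impacting are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser

# Headers baselined as security-impacting (an assumed, illustrative choice).
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security")

def sha256_hex(data):
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()

class ScriptCollector(HTMLParser):
    """Collects every <script>: external ones keyed by src, inline ones by order (inline[0], ...)."""
    def __init__(self):
        super().__init__()
        self.scripts = []  # (key, src, inline_text) per script tag, in page order
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            inline_no = sum(s[1] is None for s in self.scripts)  # position among inline scripts
            self._open = [src if src is not None else "inline[%d]" % inline_no, src, ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data  # script body, possibly delivered in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(tuple(self._open))
            self._open = None

def observe_scripts(html, fetched):
    """{key: sha256} as served; `fetched` (src -> bytes) stands in for downloading each script."""
    collector = ScriptCollector()
    collector.feed(html)
    return {key: sha256_hex(fetched.get(src, b"") if src else inline)
            for key, src, inline in collector.scripts}

def diff_scripts(inventory, observed):
    """Authorized inventory (key -> {'sha256': ...}) versus the current observation."""
    return {
        "added": sorted(k for k in observed if k not in inventory),
        "removed": sorted(k for k in inventory if k not in observed),
        "changed": sorted(k for k in observed if k in inventory and inventory[k]["sha256"] != observed[k]),
    }

def diff_headers(baseline, current, watched=WATCHED_HEADERS):
    """Header names are case-insensitive, so compare lower-cased names."""
    base = {k.lower(): v for k, v in baseline.items()}
    cur = {k.lower(): v for k, v in current.items()}
    result = {"added": [], "removed": [], "changed": []}
    for name in watched:
        if name in base and name not in cur:
            result["removed"].append(name)
        elif name in cur and name not in base:
            result["added"].append(name)
        elif name in base and base[name] != cur[name]:
            result["changed"].append(name)
    return result

# ---- Constructed sample data: fictitious merchant, hosts and scripts ----
AUTHORIZED_CHECKOUT_JS = b"function pay(){return fetch('/api/pay',{method:'POST'});}"
AUTHORIZED_INLINE = "window.merchantConfig = {id: 'M-EXAMPLE'};"
INVENTORY = {  # recorded at authorization time, with a business justification per script
    "https://cdn.example.test/checkout.js": {"sha256": sha256_hex(AUTHORIZED_CHECKOUT_JS), "purpose": "payment form"},
    "https://cdn.example.test/fraud-check.js": {"sha256": sha256_hex(b"/* fraud-check v1 */"), "purpose": "fraud scoring"},
    "inline[0]": {"sha256": sha256_hex(AUTHORIZED_INLINE), "purpose": "merchant config"},
}
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
# Current check: checkout.js modified, fraud-check.js gone, unknown tag.js present, CSP widened, HSTS missing.
CURRENT_HTML = """<html><head><script>window.merchantConfig = {id: 'M-EXAMPLE'};</script>
<script src="https://cdn.example.test/checkout.js"></script><script src="https://static.example.test/tag.js"></script>
</head><body><form id="card"></form></body></html>"""
CURRENT_FETCHED = {
    "https://cdn.example.test/checkout.js": AUTHORIZED_CHECKOUT_JS + b"/* build 2 */",
    "https://static.example.test/tag.js": b"/* unknown third-party tag */",
}
CURRENT_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.test https://static.example.test",
    "server": "example",  # not in the watched set, so ignored
}

def run_check():
    """One monitoring pass; returns the alert lines an operator would receive."""
    scripts = diff_scripts(INVENTORY, observe_scripts(CURRENT_HTML, CURRENT_FETCHED))
    headers = diff_headers(BASELINE_HEADERS, CURRENT_HEADERS)
    alerts = ["script %s: %s" % (kind, k) for kind, keys in scripts.items() for k in keys]
    alerts += ["header %s: %s" % (kind, n) for kind, names in headers.items() for n in names]
    return alerts
```

On the constructed sample, run_check() returns five alerts: one added, one removed and one changed script, plus a removed HSTS header and a changed CSP; an unchanged snapshot returns none.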
• Targeted Risk Analysis – Req. 12.3.1
  • PCI DSS v4.0 introduces a focus on targeted risk analysis for specific security controls. Organizations are required to perform a risk analysis for certain requirements, which allows flexibility in how they implement those controls based on their specific risk environment.
• Semi-annual Scoping Review (for Service Provider Organizations) – Req 12.5.2.1
  • Service providers are now required to perform the scoping documentation review at least every 6 months and upon significant change to the in-scope environment.
• Security Awareness Program Annual Review to Include New Threats and Vulnerabilities – Req 12.6.2, 12.6.3.1
  • Organizations are required to update their security awareness program annually to address any new threats and vulnerabilities that may impact the security of their CDE, and to include topics such as phishing and related attacks and social engineering.
ControlCase – PCI DSS Assessment Options
Option 1 – PCI DSS v4.0.1 New Requirements Assessment
• The client environment will be assessed only for applicable PCI DSS v4.0.1 future-dated new requirements.
• For the New Requirements Assessment, ControlCase Compliance Hub will have a total of 37 questions, which cover only the future-dated new requirements.
• The assessment will take only a few weeks to complete.
Deliverables
• PCI DSS v4.0.1 New Requirements Assessment Report with an update on:
  • Status of future-dated controls readiness
  • Remediation guidance for not-in-place requirements
Option 2 – PCI DSS v4.0.1 Assessment
• The client environment will be assessed against PCI DSS v4.0.1 for a full Gap or Certification assessment.
• For the PCI v4.0.1 assessment, the Compliance Hub will have a total of 100 or 105 questions (based on the entity type).
Deliverables
• PCI DSS v4.0.1 Full Gap Assessment Report, OR
• PCI DSS v4.0.1 ROC, AOC, COC
Get Involved
Participating Organization Program
Levels (expanding influence): Individual (Anyone Can Be a Member), Associate, Principal
2024 Events
• North America: 10-12 September, Boston, Massachusetts
• Europe: 8-10 October, Barcelona, Spain
• Asia-Pacific: 20-21 November, Hanoi, Vietnam
Q&A
THANK YOU
Contact Info:
• Yew Kuann Cheng: ycheng@pcisecuritystandards.org
• Pramod Deshmane: pdeshmane@controlcase.com
• Chad Leedy: cleedy@controlcase.com
• Sandeep Joshi: sajoshi@controlcase.com

PCI v4.0.1 Future Dated Requirements Webinar - ControlCase
