\n| \n Stipulations for Compliance<\/strong><\/p>\n<\/td>\n| \n Best Practices<\/strong><\/p>\n<\/td>\n<\/tr>\n\n| \n Network security controls (NSCs) are configured and maintained.<\/strong><\/p>\n<\/td>\n| \n Validate network security configurations before deployment and use configuration management to track changes and prevent configuration drift.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Network access to and from the cardholder data environment (CDE) is restricted.<\/strong><\/p>\n<\/td>\n| \n Monitor all inbound traffic to the CDE, even from trusted networks, and, when possible, use explicit \u201cdeny all\u201d firewall rules to prevent accidental gaps.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Network connections between trusted and untrusted networks are controlled.<\/strong><\/p>\n<\/td>\n| \n Implement a DMZ that manages connections between untrusted networks and public-facing resources on the trusted network.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Risks to the CDE from computing devices that can connect to both untrusted networks and the CDE are mitigated.<\/strong><\/p>\n<\/td>\n| \n Use security controls like endpoint protection and firewalls to protect devices from Internet-based attacks and zero-trust and network segmentation to prevent lateral movement to CDEs.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n[\/et_pb_text][et_pb_text admin_label=”Requirement #2-3″ _builder_version=”4.25.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n Requirement 2: Apply secure configurations to all system components<\/h4>\nAttackers often compromise systems using known default passwords or old, forgotten services. PCI DSS 4.0 requires organizations to properly configure system security settings and reduce the attack surface by turning off unnecessary software, services, and accounts.<\/p>\n \n \n\n\n <\/colgroup>\n\n\n| \n Stipulations for Compliance<\/strong><\/p>\n<\/td>\n| \n Best Practices<\/strong><\/p>\n<\/td>\n<\/tr>\n\n| \n System components are configured and managed securely.<\/strong><\/p>\n<\/td>\n| \n Continuously check for vendor-default user accounts and security configurations and ensure all administrative access is encrypted using strong cryptographic protocols.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Wireless environments are configured and managed securely.<\/strong><\/p>\n<\/td>\n| \n Apply the same security standards consistently across wired and wireless environments, and change wireless encryption keys whenever someone leaves the organization.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nProtect account data<\/h3>\nRequirement 3: Protect stored account data<\/h4>\nAny payment account data an organization stores must be protected by methods such as encryption and hashing. Organizations should also limit account data storage unless it\u2019s necessary and, when possible, truncate cardholder data.<\/p>\n \n \n\n\n <\/colgroup>\n\n\n| \n Stipulations for Compliance<\/strong><\/p>\n<\/td>\n| \n Best Practices<\/strong><\/p>\n<\/td>\n<\/tr>\n\n| \n Storage of account data is kept to a minimum.<\/strong><\/p>\n<\/td>\n| \n Use data retention and disposal policies to configure an automated, programmatic procedure to locate and remove unnecessary account data.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Sensitive authentication data (SAD) is not stored after authorization.<\/strong><\/p>\n<\/td>\n| \n Review data sources to ensure that the full contents of any track, card verification code, and PIN\/PIN blocks are not retained after the authorization process is completed.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Access to displays of full primary account number (PAN) and ability to copy cardholder data are restricted.<\/strong><\/p>\n<\/td>\n| \n Use role-based access control (RBAC) to limit PAN access to individuals with a defined need and use the masking approach to display only the number of digits needed for a specific function.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n PAN is secured wherever it is stored.<\/strong><\/p>\n<\/td>\n| \n Render PAN unreadable using one-way hashing with a randomly generated secret key, truncation, index tokens, and strong cryptography with secure key management.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Cryptographic keys used to protect stored account data are secured.<\/strong><\/p>\n<\/td>\n| \n Manage cryptographic keys with a centralized key management system that\u2019s PCI DSS 4.0 compliant to restrict access to key-encrypting keys and store them separately from data-encrypting keys.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.<\/strong><\/p>\n<\/td>\n| \n Use a key management solution that simplifies or automates key replacement for old or compromised keys.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n[\/et_pb_text][et_pb_text admin_label=”Requirement #4-5″ _builder_version=”4.25.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks<\/h4>\nWhile requirement 3 applies to stored card data, requirement 4 outlines stipulations for protecting cardholder data in transit.<\/p>\n \n \n\n\n <\/colgroup>\n\n\n| \n Stipulations for Compliance<\/strong><\/p>\n<\/td>\n| \n Best Practices<\/strong><\/p>\n<\/td>\n<\/tr>\n\n| \n PAN is protected with strong cryptography during transmission.<\/strong><\/p>\n<\/td>\n| \n Encrypt PAN over both public and internal networks and apply strong cryptography at both the data level and the session level.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nMaintain a vulnerability management program<\/h3>\nRequirement 5: Protect all systems and networks from malicious software<\/h4>\nOrganizations must take steps to prevent malicious software (a.k.a., malware) from infecting the network and potentially exposing cardholder data.<\/p>\n \n \n\n\n <\/colgroup>\n\n\n| \n Stipulations for Compliance<\/strong><\/p>\n<\/td>\n| \n Best Practices<\/strong><\/p>\n<\/td>\n<\/tr>\n\n| \n Malware is prevented, or detected and addressed.<\/strong><\/p>\n<\/td>\n| \n Use a combination of network-based controls, host-based controls, and endpoint security solutions; supplement signature-based tools with AI\/ML-powered detection.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Anti-malware mechanisms and processes are active, maintained, and monitored.<\/strong><\/p>\n<\/td>\n| \n Update tools and signature databases as soon as possible and prevent end-users from disabling or altering anti-malware controls.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Anti-phishing mechanisms protect users against phishing attacks.<\/strong><\/p>\n<\/td>\n| \n Use a combination of anti-phishing approaches, including anti-spoofing controls, link scrubbers, and server-side anti-malware.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n[\/et_pb_text][et_pb_text admin_label=”Requirement #6-7″ _builder_version=”4.25.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n Requirement 6: Develop and maintain secure systems and software<\/h4>\nDevelopment teams should follow PCI-compliant processes when writing and validating code. Additionally, install all appropriate security patches immediately to prevent malicious actors from exploiting known vulnerabilities in systems and software.<\/p>\n \n \n\n\n <\/colgroup>\n\n\n| \n Stipulations for Compliance<\/strong><\/p>\n<\/td>\n| \n Best Practices<\/strong><\/p>\n<\/td>\n<\/tr>\n\n| \n Bespoke and custom software are developed securely.<\/strong><\/p>\n<\/td>\n| \n Use manual or automatic code reviews to search for undocumented features, validate that third-party libraries are used securely, analyze insecure code structures, and check for logical vulnerabilities.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Security vulnerabilities are identified and addressed.<\/strong><\/p>\n<\/td>\n| \n Use a centralized patch management solution to automatically notify teams of known vulnerabilities and pending updates.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Public-facing web applications are protected against attacks.<\/strong><\/p>\n<\/td>\n| \n Use automatic vulnerability security assessment tools that include specialized web scanners that analyze web application protection.<\/span><\/p>\n<\/td>\n<\/tr>\n\n| \n Changes to all system components are managed securely.<\/strong><\/p>\n<\/td>\n| \n Use a centralized source code version management solution to track, approve, and roll back changes.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nImplement strong access control measures<\/h3>\nRequirement 7: Restrict access to system components and cardholder data by business need-to-know<\/h4>\nThis PCI DSS 4.0 requirement aims to limit who and what has access to sensitive cardholder data and CDEs to prevent malicious actors from gaining access through a compromised, over-provisioned account. \u201cNeed to know\u201d means that only accounts with a specific need should have access to sensitive resources; it\u2019s often applied using the \u201cleast-privilege\u201d approach, which means only granting accounts the specific privileges needed to perform a job role.<\/p>\n \n \n\n\n <\/colgroup>\n\n\n| \n | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |