PCI DSS Requirement 4 – Changes from v3.2.1 to v4.0 Explained

Welcome back to our ongoing series on the Payment Card Industry Data Security Standard (PCI DSS). In our previous posts, we’ve covered the various requirements of this critical security standard. Today, we’re going to delve into Requirement 4, which focuses on protecting cardholder data with strong cryptography during transmission over open, public networks. So, let’s get started! To learn more about the other requirements of PCI DSS, check out our comprehensive guide on the “12 requirements of PCI DSS.”

Understanding Requirement 4 

PCI DSS Requirement 4 requires strong cryptography to protect the confidentiality and integrity of cardholder data, specifically the Primary Account Number (PAN), while it is transmitted over open, public networks such as the Internet, wireless links (for example 802.11 and Bluetooth), cellular and satellite networks.

Attackers routinely exploit misconfigured wireless networks and weaknesses in outdated encryption and authentication protocols (SSL and early TLS being the classic examples) to intercept cardholder data in transit or gain a foothold in the cardholder data environment (CDE). Any network that stores, processes, or transmits cardholder data is in scope for PCI DSS and must be assessed accordingly.


Unless a specific requirement states otherwise, Requirement 4 applies to transmissions of PAN. The PAN can be protected by encrypting the data itself before it is sent (for example, encrypting the PAN field with a key that the transport layer never sees), by encrypting the session that carries it (typically TLS), or both. Applying strong cryptography at both the data and the session level is not mandatory, but it is advisable: if the session is terminated, intercepted or downgraded somewhere along the path, data-level encryption still protects the PAN.
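The session-level half of this is the part most assessors end up checking by hand: which protocol version and cipher suite the PAN-carrying connection actually negotiated, and whether the peer certificate was validated. The following is an added example written for this post (it is not code from the original article or from any PCI SSC document). It assumes a policy of TLS 1.2 or 1.3 only with a small blocklist of weak cipher-suite name fragments, and it runs that policy over a few constructed session records; the client context it builds enforces the same policy at connect time. The data-level layer (encrypting the PAN field itself before transmission) is a separate control that this example does not implement.

```python
"""Added example (not from the original post): checking that a TLS session
used to transmit PAN meets a 'strong cryptography' policy in the spirit of
PCI DSS Requirement 4. The thresholds below are this example's assumptions,
not text from the standard."""
import re
import ssl

# Assumption: only TLS 1.2 and TLS 1.3 are acceptable for PAN in transit.
# SSLv2/v3 and TLS 1.0/1.1 ("SSL and early TLS") are rejected.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Cipher-suite name fragments (OpenSSL naming) treated as weak here:
# NULL/anon (no encryption or no authentication), EXPORT, RC4, DES/3DES, MD5.
WEAK_CIPHER_PATTERN = re.compile(r"(NULL|EXPORT|RC4|DES|MD5|anon)", re.IGNORECASE)


def session_meets_req4(protocol: str, cipher: str, cert_verified: bool):
    """Evaluate one negotiated session. Returns (compliant, findings)."""
    findings = []
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"protocol {protocol} not accepted")
    if WEAK_CIPHER_PATTERN.search(cipher):
        findings.append(f"weak cipher suite {cipher}")
    if not cert_verified:
        # Encryption without peer authentication does not stop an active
        # man-in-the-middle; certificate validation is part of the control.
        findings.append("peer certificate not validated")
    return (not findings, findings)


def build_req4_client_context() -> ssl.SSLContext:
    """Client-side context that enforces the same policy when connecting."""
    # create_default_context() already sets CERT_REQUIRED, check_hostname=True
    # and loads the system CA store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries remove weak families.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Flatten the settings that matter for review into plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "weak_ciphers_enabled": [
            c["name"] for c in ctx.get_ciphers() if WEAK_CIPHER_PATTERN.search(c["name"])
        ],
    }


# Constructed sample records (label, protocol, cipher, cert_verified); these are
# illustrative, not captures from any real environment.
SAMPLE_SESSIONS = [
    ("payment-gateway", "TLSv1.3", "TLS_AES_256_GCM_SHA384", True),
    ("legacy-terminal", "TLSv1.0", "DES-CBC3-SHA", True),
    ("partner-api-proxy", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", False),
]


def assess_sessions(sessions):
    """Run the policy over a list of session records, keyed by label."""
    return {label: session_meets_req4(p, c, v) for label, p, c, v in sessions}


if __name__ == "__main__":
    for label, (ok, findings) in assess_sessions(SAMPLE_SESSIONS).items():
        print(f"{label}: {'PASS' if ok else 'FAIL'} {findings}")
    print(context_summary(build_req4_client_context()))
```

Running it flags the legacy terminal on both protocol and cipher suite and the partner proxy for skipping certificate validation, while the gateway passes. In an assessment, the protocol and cipher values would come from the server's TLS configuration or from a scanner's output rather than from the constructed list above.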

[Table 38: summary of Requirement 4 changes from v3.2.1 to v4.0; the table content is not included in this extract]


Conclusion: 

We trust that this blog has provided you with comprehensive and technical insights into the changes in PCI DSS v4.0, specifically Requirement 4. We invite you to explore our website for more in-depth knowledge about PCI DSS v4.0. At VISTA InfoSec, we have been committed to delivering profound knowledge in the field of Cyber Security for over three decades. Our reputation as a trusted Cyber Security consultancy is a testament to our dedication and expertise.

In our commitment to continuous learning and sharing, we are excited to announce that we will be publishing more technical blogs focusing on Requirement 5 and other upcoming changes in PCI DSS v4.0. Stay tuned for these updates as we continue to delve deeper into the intricacies of Cyber Security standards. Thank you for choosing us as your guide in this journey of learning.

Let us help you

Need help navigating PCI DSS v4.0? We have been active in the PCI DSS space since 2008 and even certify payment brands. Our PCI DSS services provide assurance on card security controls, with offerings for both product platform and backend services attestation.

We have a dedicated team of auditors and a separate team for consulting/advisory assignments, so we can also help our clients define processes and achieve compliance.

We have also completed multiple PCI DSS 4.0 certifications end to end, from scoping through Readiness Assessment and Advisory to Final Certification.

We are vendor neutral and have a strict no-outsourcing policy. We can also assist you with the technical assessments needed for PCI DSS Compliance – Vulnerability Assessment, Penetration Testing, Network Segmentation Testing, Network Architecture Review, Firewall Assessment, Secure Configuration Assessment, Web and Mobile Application Security Assessment, and Secure Code Review.

Narendra Sahoo

Author

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.