The impact of the new PCI 4.0 on the 3.2.1 requirement 1 are in the form of Reformulation, Clarification, Splitting / bundling, Scope extension and Removal.
The scope extension expresses itself through terminology changes, namely:
The scope extension expresses itself through terminology changes, namely:
- Firewall(s) and router(s) are replaced by the notion of "Network Security Control(s) (NSG)". This is related to use of virtualization technologies as well as usage of cloud technologies.
- Internet is replaced by the term more general notion of "Untrusted network"
- Cardholder data environment is enlarged to the notion of "Trusted network".
- Cardholder data is replaced by "account data"
Overview
The following diagram gives an overview of the changes and mapping between 3.2.1 and 4.0
PCI 4.0 Compliance Dashboard
Get your PCI 4.0 COMPLIANCE DASHBOARD TOOL . Fully aligned with PCI DSS V4.0. It includes the defined approach requirements, the customized approach, applicability notes, purpose, good practices & further information, definition, example and defined testing procedures and prioritization approach. It also provides templates to register your compensating controls, controls met with remediations but also to register your customized Controls, the outcome of the customized approach risk assessments and the risk assessments for the definition of frequency periods as well as to register execution of vulnerability scans and penetration tests.
Detailed analysis per requirement
It all starts with the Title
3.2.1 - INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA
Becomes
4.0 - INSTALL AND MAINTAIN NETWORK SECURITY CONTROLS
3.2.1 - INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA
Becomes
4.0 - INSTALL AND MAINTAIN NETWORK SECURITY CONTROLS
3.2.1 - 1.1 Establish firewall and router configuration standards.
Change: Reformulation + Scope
4.0 - 1.2.1 Configuration standards for Network Security Controls (NSC) rulesets are:
• Defined.
• Implemented.
• Maintained.
Change: Reformulation + Scope
4.0 - 1.2.1 Configuration standards for Network Security Controls (NSC) rulesets are:
• Defined.
• Implemented.
• Maintained.
3.2.1 - 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
Change: Reformulation + clarification + Scope
4.0 - 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
Change: Reformulation + clarification + Scope
4.0 - 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
3.2.1 - 1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Change: Reformulation
4.0 - 1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.
Change: Reformulation
4.0 - 1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.
3.2.1 - 1.1.3 Current diagram that shows all cardholder data flows across systems and networks
Change: Reformulation + Clarification
4.0 - 1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
Change: Reformulation + Clarification
4.0 - 1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
3.2.1 - 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
Change: Removal due to Redundancy
Change: Removal due to Redundancy
3.2 1 - 1.1.5 Description of groups, roles, and responsibilities for logical management of network components
Change: Reformulation + clarification
4.0 - 1.1.2 Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.
Change: Reformulation + clarification
4.0 - 1.1.2 Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.
3.2.1 - 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Change: Reformulation + Split
4.0 - 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
+
4.0 - 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
Change: Reformulation + Split
4.0 - 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
+
4.0 - 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
3.2.1 - 1.1.7 Requirement to review firewall and router rule sets at least every six months
Change: Reformulation + Scope
4.0 - 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
Change: Reformulation + Scope
4.0 - 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
3.2.1 - 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Change: Removal due to Redundancy
Change: Removal due to Redundancy
3.2.1 - 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
+
3.2.1 - 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Change: Reformulation, Split and Clarification
3.2.1 - 4.0 - 1.3.1 Inbound traffic to the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
+
4.0 - 1.3.2 Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
+
3.2.1 - 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Change: Reformulation, Split and Clarification
3.2.1 - 4.0 - 1.3.1 Inbound traffic to the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
+
4.0 - 1.3.2 Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
3.2.1 - 1.2.2 Secure and synchronize router configuration files.
Change: Reformulation + Clarification
4.0 - 1.2.8 Configuration files for NSCs are:
• Secured from unauthorized access.
• Kept consistent with active network configurations.
Change: Reformulation + Clarification
4.0 - 1.2.8 Configuration files for NSCs are:
• Secured from unauthorized access.
• Kept consistent with active network configurations.
3.2.1 - 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
Change: Reformulation + Clarification + scope
4.0 - 1.3.3 NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that:
• All wireless traffic from wireless networks into the CDE is denied by default.
• Only wireless traffic with an authorized business purpose is allowed into the CDE.
Change: Reformulation + Clarification + scope
4.0 - 1.3.3 NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that:
• All wireless traffic from wireless networks into the CDE is denied by default.
• Only wireless traffic with an authorized business purpose is allowed into the CDE.
3.2.1 - 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Change: Reformulation and scope
4.0 - 1.4.1 NSCs are implemented between trusted and untrusted networks.
Change: Reformulation and scope
4.0 - 1.4.1 NSCs are implemented between trusted and untrusted networks.
3.2.1 - 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
+
3.2.1 - 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
Change: Reformulation + Bundle + Scope
4.0 - 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
+
3.2.1 - 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
Change: Reformulation + Bundle + Scope
4.0 - 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
3.2.1 - 1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
Change: Reformulation
4.0 - 1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
Change: Reformulation
4.0 - 1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
3.2.1 - 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Change: Reformulation + Clarification
4.0 - 1.3.2 Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
Change: Reformulation + Clarification
4.0 - 1.3.2 Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
3.2.1 - 1.3.5 Permit only “established” connections into the network.
Change: Reformulation
4.0 - 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
Change: Reformulation
4.0 - 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
3.2.1 - 1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks
Change: Reformation
4.0 - 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.
Change: Reformation
4.0 - 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.
3.2.1 - 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.
Change: Reformation + clarification
4.0 - 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Change: Reformation + clarification
4.0 - 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
3.2.1 - 1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
Change: Reformation + clarification + Scope
4.0 - 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period
Change: Reformation + clarification + Scope
4.0 - 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period
3.2.1 - 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Change: Reformulation + Scope + clarification
4.0 - 1.1.1 All security policies and operational procedures that are identified in Requirement 1 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
Change: Reformulation + Scope + clarification
4.0 - 1.1.1 All security policies and operational procedures that are identified in Requirement 1 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.