As a continuation to our previous articles discussing the impact of PCI DSS 4.0 on PCI DSS 3.2.1, we here below cover Requirement 4.
Overview
Terminology: In this requirement,
"cardholder data" is replaced by "PAN's"
"cardholder environment" is replaced by "CDE"
New controls:
2 controls have been amended to this requirement to:
Requirement 3.2.1 - 4.1 on the use of strong cryptography and security protocols for the transmission of PAN's has been amended to stress that the certificates used for this purpose be valid, not expired nor revoked. Note: When the sending and receiving parties are different (e.g. merchants and Processors) it is unclear if this control apply also to the sending party. If it is the case, this control may be a bit of a challenge as it the sending party has to validate a certificate on the connection endpoint. Potentially, specific codes will have be to be integrated in applications to do so and invalidate the connection should non-valide certificate be presented by the receiving party.
Moved:
None
Removed:
None
Attention point:
Also consider in the scope of Req 4 the following NEW control of Req 3: 3.7.9 Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider’s customers.
"cardholder data" is replaced by "PAN's"
"cardholder environment" is replaced by "CDE"
New controls:
2 controls have been amended to this requirement to:
- Require assignment and documentation of the Roles and responsibilities for performing activities in Requirement 4 (Req 4.1.2)
- Require an up to date inventory of the keys and certificates used to protect PAN during transmission. Note: this implies that organizations have a clear view of all certificates and keys used and that they can maintained this inventory whenever certificates and keys are rotated and changes. For some organizations this could be quite cumbersome.
Requirement 3.2.1 - 4.1 on the use of strong cryptography and security protocols for the transmission of PAN's has been amended to stress that the certificates used for this purpose be valid, not expired nor revoked. Note: When the sending and receiving parties are different (e.g. merchants and Processors) it is unclear if this control apply also to the sending party. If it is the case, this control may be a bit of a challenge as it the sending party has to validate a certificate on the connection endpoint. Potentially, specific codes will have be to be integrated in applications to do so and invalidate the connection should non-valide certificate be presented by the receiving party.
Moved:
None
Removed:
None
Attention point:
Also consider in the scope of Req 4 the following NEW control of Req 3: 3.7.9 Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider’s customers.
PCI 4.0 Compliance Dashboard
Get your PCI 4.0 COMPLIANCE DASHBOARD TOOL . Fully aligned with PCI DSS V4.0. It includes the defined approach requirements, the customized approach, applicability notes, purpose, good practices & further information, definition, example and defined testing procedures and prioritization approach. It also provides templates to register your compensating controls, controls met with remediations but also to register your customized Controls, the outcome of the customized approach risk assessments and the risk assessments for the definition of frequency periods as well as to register execution of vulnerability scans and penetration tests.
Details Analysis
Title
3.2.1 - Encrypt transmission of cardholder data across open, public networks
4.0 - Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
3.2.1 - Encrypt transmission of cardholder data across open, public networks
4.0 - Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
3.2.1 - 4.1Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
4.0 - 4.2.1Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.
4.0 - 4.2.1Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for the encryption methodology in use.
3.2.1 - 4.1.1Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
Change: Reformulation
4.0 - 4.2.1.2 Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.
Change: Reformulation
4.0 - 4.2.1.2 Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.
3.2.1 - 4.2Never send unprotected PANs by end- user messaging technologies (for example, e- mail, instant messaging, SMS, chat, etc.).
Change: Reformulation
4.0 - 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.
Change: Reformulation
4.0 - 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.
3.2.1 - 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Change: Reformulation
4.0 - 4.1.1 All security policies and operational procedures that are identified in Requirement 4 are:
• Documented.
Change: Reformulation
4.0 - 4.1.1 All security policies and operational procedures that are identified in Requirement 4 are:
• Documented.
- Kept up to date.
- In use.
- Known to all affected parties.
3.2.1 - None
Change: NEW
4.0 - 4.1.2 Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.
Change: NEW
4.0 - 4.1.2 Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.
3.2.1 - None
Change: NEW
4.2.1.1 An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained
Change: NEW
4.2.1.1 An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained