Overview
New controls:
2.1.2 about the roles and responsibilities for this requirement
2.3.2 clarifying when the wireless encryption keys shall be changed.
Amendments:
2.3.1 wireless vendor defaults are changed at installation or are confirmed to be secure
2.2.1 Configuration standards are developed, implemented, and maintained, be updated as new vulnerability issues are identified, be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.
2.2.5 If any insecure services, protocols, or daemons are present:
• Business justification is documented.
• Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
Moved:
3.2.1 - 2.4 Maintain an inventory of system components that are in scope for PCI DSS -> 4.0 - 12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
Removed:
3.2.1 - 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
Detailed Analysis
3.2.1 - Do not use vendor-supplied defaults for system passwords and other security parameters
4.0 - Apply Secure Configurations to all system components
Change: Reformulation + Clarification
4.0 - 2.2.2 Vendor default accounts are managed as follows:
• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.
Change: Reformulation + Clarification + Amendement
4.0 - 2.3.1 For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to:
• Default wireless encryption keys.
• Passwords on wireless access points.
• SNMP defaults.
• Any other security-related wireless vendor defaults.
Change : New + Clarification
4.0 - 2.3.2 For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed as follows:
• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.
• Whenever a key is suspected of or known to be compromised.
Change: Reformulation + Amendments
4.0 - 2.2.1 Configuration standards are developed, implemented, and maintained to:
• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.
Change: Reformulation + Clarification
4.0 - 2.2.3 Primary functions requiring different security levels are managed as follows:
• Only one primary function exists on a system component,
OR
• Primary functions with differing security levels that exist on the same system component are isolated from each other,
OR
• Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.
Change: Reformulation + Removal (due to redundancy)
4.0 - 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
Change: Reformulation + Amendement
4.0 - 2.2.5 If any insecure services, protocols, or daemons are present:
• Business justification is documented.
• Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
Change: Reformulation
4.0 - 2.2.6 System security parameters are configured to prevent misuse.
Change: Bundle
2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
Change: Reformulation
4.0 - 2.2.7 All non-console administrative access is encrypted using strong cryptography.
Change: Moved to Section 12
12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
Change: Reformulation
4.0- 2.1.1 All security policies and operational procedures that are identified in Requirement 2 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
Change: Removed
Change: NEW
4.0 - 2.1.2 Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood.