The scope extension expresses itself through terminology changes, namely:
- Firewall(s) and router(s) are replaced by the notion of "Network Security Control(s) (NSC)". This reflects the use of virtualization and cloud technologies, where the control is no longer necessarily a physical firewall or router.
- Internet is replaced by the more general notion of "Untrusted network".
- The cardholder data environment is enlarged to the notion of "Trusted network".
- Cardholder data is replaced by "account data".
Overview
PCI 4.0 Compliance Dashboard
Detailed analysis per requirement
3.2.1 - INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA
Becomes
4.0 - INSTALL AND MAINTAIN NETWORK SECURITY CONTROLS
Change: Reformulation + Scope
4.0 - 1.2.1 Configuration standards for Network Security Controls (NSC) rulesets are:
• Defined.
• Implemented.
• Maintained.
Change: Reformulation + Clarification + Scope
4.0 - 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
Change: Reformulation
4.0 - 1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.
Change: Reformulation + Clarification
4.0 - 1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
Change: Removal due to Redundancy
Change: Reformulation + Clarification
4.0 - 1.1.2 Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.
Change: Reformulation + Split
4.0 - 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
+
4.0 - 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
Change: Reformulation + Scope
4.0 - 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
Change: Removal due to Redundancy
+
3.2.1 - 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Change: Reformulation, Split and Clarification
4.0 - 1.3.1 Inbound traffic to the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
+
4.0 - 1.3.2 Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
Change: Reformulation + Clarification
4.0 - 1.2.8 Configuration files for NSCs are:
• Secured from unauthorized access.
• Kept consistent with active network configurations.
Change: Reformulation + Clarification + Scope
4.0 - 1.3.3 NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that:
• All wireless traffic from wireless networks into the CDE is denied by default.
• Only wireless traffic with an authorized business purpose is allowed into the CDE.
Change: Reformulation + Scope
4.0 - 1.4.1 NSCs are implemented between trusted and untrusted networks.
+
3.2.1 - 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
Change: Reformulation + Bundle + Scope
4.0 - 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
Change: Reformulation
4.0 - 1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
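As an added illustration (not part of PCI DSS or of this mapping), the following nftables ruleset shows how requirements 1.3.1, 1.3.2, 1.4.2, 1.4.3 and 1.4.4 translate into one NSC configuration. The topology, interface names, addresses (documentation ranges), host sets and ports are all assumptions chosen for the example; a real ruleset would use the entity's own values and would be tied to the approved services list from 1.2.5.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not taken from PCI DSS. Assumed topology:
#   eth0 = untrusted network (Internet), eth1 = DMZ, eth2 = CDE, wlan0 = wireless
# All addresses are from documentation ranges and stand in for real ones.

flush ruleset

define UNTRUSTED_IF = "eth0"
define DMZ_IF       = "eth1"
define CDE_IF       = "eth2"
define WIFI_IF      = "wlan0"

define DMZ_NET      = 192.0.2.0/24                  # assumed DMZ range
define CDE_NET      = 198.51.100.0/24               # assumed CDE range
define WEB_SERVERS  = { 192.0.2.10, 192.0.2.11 }    # published services (1.4.2 bullet 1)
define APP_SERVERS  = { 192.0.2.20, 192.0.2.21 }    # only hosts allowed to reach the DB
define DMZ_RESOLVER = 192.0.2.53                    # internal DNS used by the CDE
define DMZ_NTP      = 192.0.2.123                   # internal NTP used by the CDE
define CDE_DB       = 198.51.100.50
define NSC_ADMIN    = 198.51.100.200                # assumed management host

table inet nsc {
    # Sources that must never arrive on the untrusted interface: private,
    # link-local, loopback and our own trusted ranges (1.4.3 anti-spoofing).
    set forged_src {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, $DMZ_NET, $CDE_NET }
    }

    # Traffic addressed to the NSC itself: management only, from one host.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        iif $CDE_IF ip saddr $NSC_ADMIN tcp dport 22 ct state new accept
        log prefix "nsc-input-drop: " drop
    }

    # Traffic crossing between networks. The default policy is drop, which
    # implements "all other traffic is denied" in 1.3.1, 1.3.2 and 1.4.2.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # 1.4.2 bullet 2: stateful responses to connections initiated from inside.
        ct state established,related accept
        ct state invalid drop

        # 1.4.3: drop forged internal sources coming from the untrusted side,
        # and drop anything leaving towards it that is not from our own ranges.
        iif $UNTRUSTED_IF ip saddr @forged_src log prefix "nsc-spoof-in: " drop
        oif $UNTRUSTED_IF ip saddr != { $DMZ_NET, $CDE_NET } log prefix "nsc-spoof-out: " drop

        # 1.4.2 bullet 1 (3.2.1: 1.3.2): untrusted -> only the published DMZ services.
        iif $UNTRUSTED_IF oif $DMZ_IF ip daddr $WEB_SERVERS tcp dport { 80, 443 } ct state new accept

        # 1.4.4: no rule matches iif eth0 oif eth2, so nothing from the untrusted
        # network reaches systems storing account data directly; policy drop applies.

        # 1.3.1: inbound to the CDE only what is necessary (DMZ app tier -> DB).
        iif $DMZ_IF oif $CDE_IF ip saddr $APP_SERVERS ip daddr $CDE_DB tcp dport 5432 ct state new accept

        # 1.3.2: outbound from the CDE only what is necessary (internal DNS and NTP);
        # there is deliberately no CDE -> untrusted rule.
        iif $CDE_IF oif $DMZ_IF ip saddr $CDE_NET ip daddr $DMZ_RESOLVER udp dport 53 accept
        iif $CDE_IF oif $DMZ_IF ip saddr $CDE_NET ip daddr $DMZ_NTP udp dport 123 accept

        # 1.3.3: wireless is treated like any other network without an accept rule;
        # nothing arriving on wlan0 is forwarded into the CDE.
        iif $WIFI_IF oif $CDE_IF log prefix "nsc-wifi-drop: " drop

        # Log what the policy is about to drop, so reviews (1.2.7) have evidence.
        log prefix "nsc-fwd-drop: " drop
    }
}
```

Two points worth noting when using something like this as evidence. For 1.4.3, the ruleset alone covers the filter layer; enabling reverse-path filtering on the NSC (`net.ipv4.conf.all.rp_filter`) is a common complementary measure. For 1.2.8 and 1.2.7, keeping the file under version control and, at each review, comparing the current `nft list ruleset` output with the output recorded when the approved file was last loaded is one way to show the stored configuration is "kept consistent with active network configurations".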
Change: Reformulation + Clarification
4.0 - 1.3.2 Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
Change: Reformulation
4.0 - 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
Change: Reformulation
4.0 - 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.
Change: Reformulation + Clarification
4.0 - 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Change: Reformulation + Clarification + Scope
4.0 - 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
Change: Reformulation + Scope + Clarification
4.0 - 1.1.1 All security policies and operational procedures that are identified in Requirement 1 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.