PCI DSS 4.0: Get Audit-Ready for the New Requirements

Bill Reed, blog.qualys.com, 2024-06-03 17:41:45
Tags: payment card industry data security standard, pci dss 4.0, global payment industry, security compliance, risk-based approach, continuous monitoring, vulnerability scanning, cloud security, security training, wireless networking, reporting, software devops, encryption, scanning frequency, custom software requirements

AI Score: 7.6 High (Confidence: Low)

The Payment Card Industry Data Security Standard (PCI DSS) originated in 2004 and is managed by the PCI Security Standards Council to ensure security for the global payment industry. This mandate applies to all entities worldwide that store, process, or transmit payment cardholder data or sensitive authentication data or could impact the security of the cardholder data environment (CDE). PCI DSS version 4.0 was announced in March 2022 and has 64 new requirements that organizations must meet.

The requirements are divided into two phases, with 13 requirements becoming mandatory on March 31, 2024, and the remaining 51 becoming mandatory on March 31, 2025. Regardless of whether your credit card provider uses transaction tokenization, you must still comply with many of these requirements.

In this blog, we’ll assume you have some familiarity with PCI DSS, and our aim is to summarize the new requirements and how Qualys can help ensure compliance. Download our latest PCI DSS 4.0 whitepaper for more details.

New Requirements in PCI DSS 4.0

A key difference between PCI DSS 3.2.1 and 4.0 is a greater emphasis on continuous monitoring and a shift to a more flexible framework that allows for greater customization and the ability to align security measures with true risks and business priorities. This allows organizations to implement more effective controls based on real-world scenarios. For example, a firm with a large cloud infrastructure can adopt more cloud-native solutions to ensure efficiency while also maintaining compliance.

PCI DSS 4.0 also emphasizes taking a more risk-based approach to cybersecurity implementation. Firms should now understand and focus more on true risks based on robust threat intelligence to prioritize and remediate vulnerabilities and threats. This allows more efficient resource allocation and ensures faster resolution for more critical issues.

Below are a few primary differences between the previous and current PCI versions:

| Area of Focus | PCI DSS 3.2.1 | PCI DSS 4.0 |
| --- | --- | --- |
| Emphasis | More static and prescriptive, with more rigidly defined requirements. | More flexible and customizable, risk-based with continuous monitoring. |
| Risk-based prioritization | | |

How Qualys Can Help

Below are a few examples of specific new PCI DSS 4.0 requirements with details about what they mean and how Qualys solutions can help ensure compliance.

| PCI DSS 4.0 New Requirement | What It Means | How Qualys Helps |
| --- | --- | --- |
| 5.3.2.1: The frequency of periodic malware scans is based on the entity’s targeted risk analysis per Requirement 12.3.1. | Each PCI DSS requirement that provides flexibility for how frequently it is performed must be supported by a targeted risk analysis that is documented and includes threat identification, threat factors, risk priorities, etc. | The Qualys Enterprise TruRisk™ Platform lets you prioritize risk by overall business impact and remediate efficiently with risk-based patching, AI-powered adaptive mitigation, and an integrated workflow across teams. Several Qualys apps also detect and protect against malware. |
| 6.3.2: An inventory of bespoke or custom software and open source or third-party components incorporated into software is maintained to facilitate vulnerability and patch management. | | |
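Requirement 6.3.2 in the table above calls for an inventory of bespoke software and the third-party components built into it, kept so that vulnerability and patch management can act on it. The Python below is an added example, not Qualys code and not code from the original post: it parses two constructed manifests (a requirements.txt and a package-lock.json, both embedded inline as sample data), builds a deduplicated component inventory that distinguishes bespoke from third-party parts, and cross-checks it against a constructed advisory list whose IDs (ADV-EXAMPLE-…) are placeholders rather than real advisories.

```python
"""Build a software component inventory in the spirit of PCI DSS 4.0 Req 6.3.2
and cross-check it against an advisory feed.

Added example, not Qualys code. The manifests and the advisory feed below are
constructed sample data; the advisory IDs are placeholders, not real advisories.
"""
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample: requirements file of a hypothetical checkout service.
REQUIREMENTS_TXT = """\
# runtime dependencies of the (hypothetical) checkout service
requests==2.31.0
cryptography==41.0.7   # pinned; TLS/crypto primitives
pyyaml==5.4.1
"""

# Constructed sample: package-lock.json style manifest of its web front end.
PACKAGE_LOCK_JSON = json.dumps({
    "name": "checkout-web",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "checkout-web", "version": "1.4.0"},   # the bespoke app itself
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lodash": {"version": "4.17.20"},
    },
})

# Constructed advisory feed with placeholder IDs (hypothetical, for illustration).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "name": "pyyaml", "fixed_in": "5.4.2"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm", "name": "lodash", "fixed_in": "4.17.21"},
]


@dataclass(frozen=True)
class Component:
    ecosystem: str   # "pypi" or "npm"
    name: str
    version: str
    kind: str        # "third-party" or "bespoke"
    source: str      # manifest the entry was taken from


# Only exact pins (name==version) are inventoried; unpinned specs are skipped.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#]+)")


def parse_requirements(text, source="requirements.txt"):
    """Extract pinned PyPI dependencies; comments and blank lines are ignored."""
    comps = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m:
            comps.append(Component("pypi", m.group(1).lower(), m.group(2), "third-party", source))
    return comps


def parse_package_lock(text, source="package-lock.json"):
    """Extract npm packages; the root entry ("") is the bespoke application."""
    data = json.loads(text)
    comps = []
    for path, info in data.get("packages", {}).items():
        if path == "":
            comps.append(Component("npm", info["name"], info["version"], "bespoke", source))
        else:
            name = path.rsplit("node_modules/", 1)[-1]
            comps.append(Component("npm", name, info["version"], "third-party", source))
    return comps


def version_tuple(v):
    """Dotted numeric version to a comparable tuple (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def build_inventory():
    """Merge both manifests into one deduplicated, deterministically ordered inventory."""
    inv = parse_requirements(REQUIREMENTS_TXT) + parse_package_lock(PACKAGE_LOCK_JSON)
    return sorted(set(inv), key=lambda c: (c.ecosystem, c.name))


def match_advisories(inventory, advisories=ADVISORIES):
    """Flag inventory entries whose version is below an advisory's fixed_in version."""
    hits = []
    for c in inventory:
        for a in advisories:
            same_pkg = (a["ecosystem"], a["name"]) == (c.ecosystem, c.name)
            if same_pkg and version_tuple(c.version) < version_tuple(a["fixed_in"]):
                hits.append({"component": f"{c.ecosystem}:{c.name}@{c.version}",
                             "advisory": a["id"], "fixed_in": a["fixed_in"]})
    return hits


if __name__ == "__main__":
    inventory = build_inventory()
    print(json.dumps([asdict(c) for c in inventory], indent=2))
    print(json.dumps(match_advisories(inventory), indent=2))
```

The inventory is the auditable artifact; the advisory match is what turns it into a patch-management input. In practice the manifests would be read from the repositories in scope and the advisory feed from a real source, and the version comparison would use a proper ecosystem-aware parser rather than the simple tuple comparison used here.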

Executive Audit-Ready Dashboard for PCI DSS 4.0 Provided by Qualys Enterprise TruRisk Platform

Qualys Enterprise TruRisk Platform Apps for PCI DSS 4.0

The Qualys Enterprise TruRisk Platform includes more than a dozen apps that can help ensure audit-ready compliance with PCI DSS 4.0.

| Qualys App | PCI DSS 4.0 Benefits |
| --- | --- |
| **Qualys Policy Compliance (PC)** | Enables continuous assessment of the cardholder data environment. Qualys PC provides a ready-to-use mandate-based template for PCI DSS 4.0 consisting of security checks that automate the assessment of in-scope PCI assets. These checks automatically scan technical secure configuration assessment requirements. |
| **Qualys Security Assessment Questionnaire (SAQ)** | |

Learn How the Qualys Platform Helps You Pass PCI DSS 4.0 Audits

PCI DSS 4.0 covers a broad range of requirements, and many of these elements represent standard best practices for implementing and maintaining a comprehensive enterprise cybersecurity program. With various integrated Qualys security applications, such as VMDR, Web Application Scanning, Policy Compliance, FIM, Patch Management, CAR and several others, the Qualys Enterprise TruRisk Platform can play a key role in driving your PCI DSS 4.0 compliance process.

Qualys experts have created a whitepaper to help you better understand PCI DSS 4.0, what’s new, and which Qualys applications should be used (and how) to address PCI DSS 4.0 requirements.

Download the PCI DSS 4.0 whitepaper
