Following the release of version 4 of the Payment Card Industry Data Security Standard (PCI DSS) in 2022, and v4.0 becoming mandatory for new assessments in April 2024, there has been a great deal of content written about the changes that this version introduced. Most of this content has focused on the big headline changes such as customised validations, multi-factor authentication (MFA), payment page security and others (for more information about these changes, read our blog on What are the Key New Requirements with PCI DSS v4.0).
However, there have been many hundreds of changes introduced in the new version and some of these, whilst perhaps not as headline grabbing as others, are no less important to securing cardholder data.
Ensuring the security of networks is crucial in today's digital age, especially for organisations that handle sensitive financial information. An entire requirement of the PCI DSS is dedicated to network security, namely Requirement 1, which has been subject to a number of changes, and also included a seemingly innocuous wording change.
In v3.2.1 of the PCI DSS, Requirement 1 was titled ‘Install and maintain a firewall configuration to protect cardholder data’, meanwhile under v4.0, this has been changed to ‘Install and maintain network security controls’. This change is present throughout all of the sub-requirements; every mention of a firewall or router from the previous version has been replaced with the term ‘network security control (NSC)’, which raises two questions that this blog will address. Firstly, how does the PCI DSS define an NSC? And secondly, why did it change the wording?
What is a network security control in PCI DSS v4.0?
The PCI DSS defines network security controls as ‘network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules.’ This means that the PCI DSS considers NSCs to be something that analyses all network traffic at a certain point within or between networks/segments and, based on the defined rules, determines whether the traffic is allowed through or not.
That may sound a lot like the definition of a firewall, and in fact a firewall would fit that definition. But crucially, due to advancements in technology and services, there are many other devices and systems that could provide the same functionality such as virtual firewalls, cloud access controls, containerisation systems, virtual private clouds (VPCs), software defined networking, app-service security groups, access control lists, core routing tables, and many more.
Why has Requirement 1 of PCI DSS been reworded for v4.0?
By understanding the definition of an NSC and how it differs from a firewall, we can also detect the reasoning for the change; the PCI Security Standards Council (SSC) wanted to ensure that organisations are adequately controlling network traffic without being restricted to a specific device. To that end, the more generic term of ‘network security control’ provides much greater flexibility for organisations to meet the requirements of the Standard.
How do you select the right network security controls for PCI DSS compliance?
With all that in mind, what should you use as your NSCs? This will very much depend on your environment and organisation, as well as budget, expertise, and experience. A firewall will often be the obvious solution, but it is important to remember that there are many other options available and as long as they meet the PCI DSS requirements, they will be perfectly acceptable.
The critical aspect is to ensure that your chosen NSC is capable of providing all the key functionality that the PCI DSS mandates for NSCs. Functionality such as providing segmentation to isolate devices and networks from each other, enforcing the use of secure network protocols to encrypt data transmissions (for example, transport layer security), maintenance and updating of its configuration to protect cardholder data from potential threats, intrusion detection or prevention systems (IDS/IPS), anti-spoofing measures, stateful packet inspection, and others.
Where should you position your NSCs within your network for PCI DSS compliance?
Finally, you should carefully consider where to position your NSCs within your network. Whilst firewalls are traditionally placed at network perimeters and internal boundaries between networks, other types of NSC may be better positioned elsewhere. For example, you may use NSCs to control the traffic to each individual device irrespective of actual network boundaries, which is otherwise known as micro-segmentation. In containerised cloud systems, the NSCs will be better placed between the containers and, if you are using serverless cloud applications, then the NSCs will be positioned between the app-services to control data flow between them. As is often the case with the PCI DSS, the solution that is best suited to any given organisation will be heavily dependent on what the environment looks like.
Closing thoughts
In conclusion, whilst this change might seem like a simple wording change, in actual fact it introduces significant flexibility to the PCI DSS as well as providing a certain level of future proofing, as the definition of NSC will no doubt apply to newer technologies and systems as they are developed over the coming years. This flexibility and future-proofing is a running theme with the changes seen in v4.0, as it was the key consideration and motivation for the new version.
How URM can help?
If your organisation would benefit from support in understanding and meeting any of the hundreds of new requirements in PCI DSS v4.0, or with any other aspect of PCI DSS compliance, URM can leverage the knowledge and expertise we have gained as a PCI Qualified Security Assessor Company (PCI QSAC) to provide your organisation with reliable and effective guidance. Our PCI DSS consultants can provide you with a range of services to help you prepare for assessment; we can offer a scoping service to help you define the most appropriate and streamlined certification scope, conduct a gap analysis against the requirements of the Standard to identify any areas of noncompliance, and assist with any remediation or implementation activities necessary.
URM can also offer a variety of PCI DSS audit services, including a pre-audit readiness assessment of your in-scope environment to establish its level of compliance with the Standard and identify any issues, providing you with an opportunity to remediate these prior to the formal assessment. Once you feel ready to assess, a URM PCI DSS consultant can deliver a full PCI assessment audit, culminating in the production of a QSA-led Report on Compliance (RoC) which will verify your organisation’s compliance with the Standard. Meanwhile, if your organisation needs to complete a self-assessment questionnaire (SAQ) to certify, URM can work with your organisation to deliver a QSA-led SAQ, providing you with a completed Attestation of Compliance (AOC) form for submission. Or, if you would prefer a lighter-touch approach, we can advise and consult you on the level of evidence you would need to obtain as you complete your own SAQ.
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
Meeting the new payment page requirements in PCI DSS v4.0 may seem tricky. URM provides detailed guidance on implementation and effective payment page security.
In this blog, we address one of the big questions facing organisations which accept payment cards....
We address a number of key questions: What are the Main Contents? What Led to it Being Published? And others.