PCI DSS v4.0: Network Security Controls

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
11 Apr
2024

Following the release of version 4 of the Payment Card Industry Data Security Standard (PCI DSS) in 2022, and v4.0 becoming mandatory for new assessments in April 2024, there has been a great deal of content written about the changes that this version introduced.  Most of this content has focused on the big headline changes such as customised validations, multi-factor authentication (MFA), payment page security and others (for more information about these changes, read our blog on What are the Key New Requirements with PCI DSS v4.0).  

However, there have been many hundreds of changes introduced in the new version and some of these, whilst perhaps not as headline grabbing as others, are no less important to securing cardholder data.

Ensuring the security of networks is crucial in today's digital age, especially for organisations that handle sensitive financial information. An entire requirement of the PCI DSS is dedicated to network security, namely Requirement 1, which has been subject to a number of changes, and also included a seemingly innocuous wording change.

In v3.2.1 of the PCI DSS, Requirement 1 was titled ‘Install and maintain a firewall configuration to protect cardholder data’, meanwhile under v4.0, this has been changed to ‘Install and maintain network security controls’.  This change is present throughout all of the sub-requirements; every mention of a firewall or router from the previous version has been replaced with the term ‘network security control (NSC)’, which raises two questions that this blog will address.  Firstly, how does the PCI DSS define an NSC? And secondly, why did it change the wording?

What is a network security control in PCI DSS v4.0?

The PCI DSS defines network security controls as ‘network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules.’  This means that the PCI DSS considers NSCs to be something that analyses all network traffic at a certain point within or between networks/segments and, based on the defined rules, determines whether the traffic is allowed through or not.

That may sound a lot like the definition of a firewall, and in fact a firewall would fit that definition. But crucially, due to advancements in technology and services, there are many other devices and systems that could provide the same functionality such as virtual firewalls, cloud access controls, containerisation systems, virtual private clouds (VPCs), software defined networking, app-service security groups, access control lists, core routing tables, and many more.

Why has Requirement 1 of PCI DSS been reworded for v4.0?

By understanding the definition of an NSC and how it differs from a firewall, we can also detect the reasoning for the change; the PCI Security Standards Council (SSC) wanted to ensure that organisations are adequately controlling network traffic without being restricted to a specific device.  To that end, the more generic term of ‘network security control’ provides much greater flexibility for organisations to meet the requirements of the Standard.

How do you select the right network security controls for PCI DSS compliance?

With all that in mind, what should you use as your NSCs?  This will very much depend on your environment and organisation, as well as budget, expertise, and experience.  A firewall will often be the obvious solution, but it is important to remember that there are many other options available and as long as they meet the PCI DSS requirements, they will be perfectly acceptable.

The critical aspect is to ensure that your chosen NSC is capable of providing all the key functionality that the PCI DSS mandates for NSCs. Functionality such as providing segmentation to isolate devices and networks from each other, enforcing the use of secure network protocols to encrypt data transmissions (for example, transport layer security), maintenance and updating of its configuration to protect cardholder data from potential threats, intrusion detection or prevention systems (IDS/IPS), anti-spoofing measures, stateful packet inspection, and others.

Where should you position your NSCs within your network for PCI DSS compliance?

Finally, you should carefully consider where to position your NSCs within your network.  Whilst firewalls are traditionally placed at network perimeters and internal boundaries between networks, other types of NSC may be better positioned elsewhere.  For example, you may use NSCs to control the traffic to each individual device irrespective of actual network boundaries, which is otherwise known as micro-segmentation. In containerised cloud systems, the NSCs will be better placed between the containers and, if you are using serverless cloud applications, then the NSCs will be positioned between the app-services to control data flow between them.  As is often the case with the PCI DSS, the solution that is best suited to any given organisation will be heavily dependent on what the environment looks like.

Closing thoughts

In conclusion, whilst this change might seem like a simple wording change, in actual fact it introduces significant flexibility to the PCI DSS as well as providing a certain level of future proofing, as the definition of NSC will no doubt apply to newer technologies and systems as they are developed over the coming years.  This flexibility and future-proofing is a running theme with the changes seen in v4.0, as it was the key consideration and motivation for the new version.

How URM can help?

If your organisation would benefit from support in understanding and meeting any of the hundreds of new requirements in PCI DSS v4.0, or with any other aspect of PCI DSS compliance, URM can leverage the knowledge and expertise we have gained as a PCI Qualified Security Assessor Company (PCI QSAC) to provide your organisation with reliable and effective guidance.  Our PCI DSS consultants can provide you with a range of services to help you prepare for assessment; we can offer a scoping service to help you define the most appropriate and streamlined certification scope, conduct a gap analysis against the requirements of the Standard to identify any areas of noncompliance, and assist with any remediation or implementation activities necessary.

URM can also offer a variety of PCI DSS audit services, including a pre-audit readiness assessment of your in-scope environment to establish its level of compliance with the Standard and identify any issues, providing you with an opportunity to remediate these prior to the formal assessment.  Once you feel ready to assess, a URM PCI DSS consultant can deliver a full PCI assessment audit, culminating in the production of a QSA-led Report on Compliance (RoC) which will verify your organisation’s compliance with the Standard.  Meanwhile, if your organisation needs to complete a self-assessment questionnaire (SAQ) to certify, URM can work with your organisation to deliver a QSA-led SAQ, providing you with a completed Attestation of Compliance (AOC) form for submission.  Or, if you would prefer a lighter-touch approach, we can advise and consult you on the level of evidence you would need to obtain as you complete your own SAQ.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC) as well as deliver a full QSA-led self-assessment questionnaire (SAQ)
Thumbnail of the Blog Illustration
Information Security
Published on
11/4/2024
PCI DSS v4.0: Network Security Controls

URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate NSCs.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
8/8/2022
Preparing for a Report on Compliance (ROC)

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
14/11/2023
What are the Key New Requirements with PCI DSS 4.0

Everything you need to know about PCI DSS v4.0: With a particular focus on some of the more challenging requirements such as MFA and payment page scripts.

Read more
We cannot thank URM enough for their help in ensuring our business is GDPR compliant. Both the gap analysis conducted and the in-depth assistance with the ROPA were made much easier and understandable with URM’s help. I would like to give particular thanks to URM's Consultant for providing us with the best guidance and making a famously complex topic comprehensive, and to our Account Manager for helping make sure all our needs were covered.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.