In Part 1 of this series, we reviewed the first four sections of the new PCI standards. As we continue our examination of PCI DSS version 4.0, we will consider what organizations will need to do in order to successfully transition and satisfy this update.

Requirements 5 through 9 are organized under two categories:

Maintain a Vulnerability Management Program

Requirement 5: Protect All Systems and Networks from Malicious Software

Requirement 6: Develop and Maintain Secure Systems and Software

Implement Strong Access Control Measures

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Requirement 8: Identify Users and Authenticate Access to System Components

Requirement 9: Restrict Physical Access to Cardholder Data

Requirement 5 – Painting with a Broader Brush

The general heading that precedes Requirement 5 has been updated. As described in the comparative guide:

Updated principal requirement title to reflect the focus on protecting all systems and networks from malicious software. Replaced “anti-virus” with “anti-malware” throughout to support a broader range of technologies used to meet the security objectives traditionally met by anti-virus software.

This information falls under the category of maintaining a vulnerability management program. As a whole, this category is similar to PCI DSS 3.2.1. However, there are some notable updates and a thematic change for Requirements 5 and 6 that will represent a potential change in scope for many organizations.

Requirement 5 is now aimed at protecting all systems and networks from malicious software. The PCI Security Standards Council acknowledges that this wording was changed intentionally, to place more focus on the organizational level and on a larger, broader swath of the network. The goal is to make sure that anything that might involve the Cardholder Data Environment (CDE) needs to