In Part 1 of this series, we reviewed the first four sections of the new PCI standards. As we continue our examination of PCI DSS version 4.0, we will consider what organizations will need to do in order to successfully transition and satisfy this update.
Requirements 5 through 9 are organized under two categories:
Maintain a Vulnerability Management Program
Requirement 5: Protect All Systems and Networks from Malicious Software
Requirement 6: Develop and Maintain Secure Systems and Software
Implement Strong Access Control Measures
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
Requirement 8: Identify Users and Authenticate Access to System Components
Requirement 9: Restrict Physical Access to Cardholder Data
Requirement 5 – Painting with a Broader Brush
The general heading that precedes Requirement 5 has been updated. As described in the comparative guide:
Updated principal requirement title to reflect the focus on protecting all systems and networks from malicious software. Replaced “anti-virus” with “anti-malware” throughout to support a broader range of technologies used to meet the security objectives traditionally met by anti-virus software.
This information falls under the category of maintaining a vulnerability management program. As a whole, this category is similar to PCI DSS 3.2.1. However, there are some notable updates and a thematic change for Requirements 5 and 6 that will represent a potential change in scope for many organizations.
Requirement 5 is now aimed at protecting all systems and networks from malicious software. The PCI Security Standards Council acknowledges that this wording change was intentional: the aim is to place more focus at the organizational level and across a larger, broader swath of the network. The goal is to make sure that anything that might involve the Cardholder Data Environment (CDE) needs to
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bruce. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/pci/what-you-need-to-know-about-pci-requirements-5-6-7-8-9/