{"id":18959,"date":"2025-01-08T15:30:48","date_gmt":"2025-01-08T15:30:48","guid":{"rendered":"https:\/\/www.dionach.com\/?p=18959"},"modified":"2025-01-08T15:33:46","modified_gmt":"2025-01-08T15:33:46","slug":"pci-dss-4-requirements-becoming-mandatory-end-of-march-2025","status":"publish","type":"post","link":"https:\/\/dionach.com\/nl\/pci-dss-4-requirements-becoming-mandatory-end-of-march-2025\/","title":{"rendered":"PCI DSS 4 Requirements Becoming Mandatory End of March 2025"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"18959\" class=\"elementor elementor-18959\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c5f0246 e-flex e-con-boxed e-con e-parent\" data-id=\"c5f0246\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ad2cc31 elementor-widget elementor-widget-heading\" data-id=\"ad2cc31\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Overview<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fb22ae2 elementor-widget elementor-widget-text-editor\" data-id=\"fb22ae2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The 51 future-dated requirements in PCI DSS 4 are becoming mandatory on 31<sup>st<\/sup> March 2025. Some of these requirements only apply to service providers and some may not apply to all entities, especially those using specific Self-Assessment Questionnaires (SAQs).<\/p><p>\u00a0<\/p><p>Although some of these requirements may already be in place at an entity, some may not and may require significant work. 
The key new requirements, which each have their own detailed requirements, are as follows:<\/p><p>\u00a0<\/p><ul><li>Inventories of certificates and keys (4.2.1.1), bespoke software and software components (6.3.2), and cryptographic cipher suites (12.3.3)<\/li><li>Web Application Firewall on public facing web applications (6.4.2)<\/li><li>Payment page script management and change detection (6.4.3 and 11.6.1)<\/li><li>Management, review and password requirements for application and system accounts (7.2.5, 7.2.5.1, 8.6.1, and 8.6.3)<\/li><li>Additional MFA requirements (8.4.2, 8.5.1)<\/li><li>No hard coded passwords in scripts or configuration files (8.6.2)<\/li><li>Automated audit log reviews (10.4.1.1)<\/li><li>Detection of and response to failures of critical security control systems (10.7.1 and 10.7.3)<\/li><li>Authenticated internal vulnerability scans (11.3.1.2)<\/li><li>Targeted Risk Analysis (TRA) for several requirements (12.3.1)<\/li><li>Security awareness program includes phishing, social engineering and acceptable use of technologies, and the program is reviewed annually (12.6.2, 12.6.3.1, and 12.6.3.2)<\/li><\/ul><p>\u00a0<\/p><p>You can of course take the Customized Approach for most of the requirements, however that still requires significant work.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-06a1d10 elementor-widget elementor-widget-heading\" data-id=\"06a1d10\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">List of Future Dated PCI DSS 4 Requirements<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c8d7156 elementor-widget elementor-widget-text-editor\" data-id=\"c8d7156\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Specific future-dated requirements are listed as follows. Please read the guidance column and applicability notes for each requirement in PCI DSS 4, which provide more context. The future dated requirements for Appendix A are not included in the following list of requirements, as they do not apply to most entities.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-210711f elementor-widget elementor-widget-heading\" data-id=\"210711f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3.3.2 Encrypt SAD Stored Prior to Authorization<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7210c10 elementor-widget elementor-widget-text-editor\" data-id=\"7210c10\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Sensitive Authentication Data (SAD) that is stored electronically prior to completion of authorization is encrypted using strong cryptography.<\/p><p>\u00a0<\/p><p>This also applies to issuers who may store SAD (requirement 3.3.3).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-79acb02 elementor-widget elementor-widget-heading\" data-id=\"79acb02\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3.4.2 Prevent Copying of PANs via Remote Access<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f806b45 elementor-widget elementor-widget-text-editor\" data-id=\"f806b45\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>When using remote-access technologies, technical controls prevent copy and\/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c598ec3 elementor-widget elementor-widget-heading\" data-id=\"c598ec3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3.5.1.1 Keyed Hashes of PANs<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f31481f e-flex e-con-boxed e-con e-parent\" data-id=\"f31481f\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5737539 elementor-widget elementor-widget-text-editor\" data-id=\"5737539\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7.<\/p><p>\u00a0<\/p><p>Any hashed PANs must now use randomly generated secret keys with an appropriate keyed cryptographic hashing algorithm, including but not limited to HMAC, CMAC, and GMAC, with an effective cryptographic strength of at least 128 bits.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3455dc2 
elementor-widget elementor-widget-heading\" data-id=\"3455dc2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3.5.1.2 No Reliance on Disk Encryption for Non-Removable Disks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4bee23e elementor-widget elementor-widget-text-editor\" data-id=\"4bee23e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: on removable electronic media or if used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed38559 elementor-widget elementor-widget-heading\" data-id=\"ed38559\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3.6.1.1 Prevent Use of Same Cryptographic Keys in Production and Test Environments.<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-df9704a elementor-widget elementor-widget-text-editor\" data-id=\"df9704a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Additional requirement for service providers only: \u00a0A documented description of the cryptographic architecture is maintained that includes [\u2026] preventing 
the use of the same cryptographic keys in production and test environments [\u2026].<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-62067d9 elementor-widget elementor-widget-heading\" data-id=\"62067d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">4.2.1 Certificates on Public Networks are Valid and Not Expired or Revoked<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b22c662 elementor-widget elementor-widget-text-editor\" data-id=\"b22c662\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: [\u2026] certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked [\u2026].<\/p><p>\u00a0<\/p><p>This requires that certificates that are not valid are rejected, as per the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d717f96 elementor-widget elementor-widget-heading\" data-id=\"d717f96\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">4.2.1.1 Inventory of Keys and Certificates<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7abb9b7 elementor-widget elementor-widget-text-editor\" data-id=\"7abb9b7\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>An inventory of the entity\u2019s trusted keys and certificates used to protect PAN during transmission is maintained.<\/p><p>\u00a0<\/p><p>The guidance states that an inventory of trusted keys helps the entity keep track of the algorithms, protocols, key strength, key custodians, and key expiry dates.<\/p><p>\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-13b5b79 elementor-widget elementor-widget-heading\" data-id=\"13b5b79\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">5.2.3.1 Targeted Risk Analysis for System Components Not at Risk of Malware<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3f9335d elementor-widget elementor-widget-text-editor\" data-id=\"3f9335d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-86c1f73 elementor-widget elementor-widget-heading\" data-id=\"86c1f73\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">5.3.2.1 Targeted Risk Analysis for Frequency of Malware Scans<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-18387bd elementor-widget elementor-widget-text-editor\" data-id=\"18387bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e3ef625 elementor-widget elementor-widget-heading\" data-id=\"e3ef625\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">5.3.3 Malware scans or analysis on Removable Electronic Media<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a80e08e elementor-widget elementor-widget-text-editor\" data-id=\"a80e08e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>For removable electronic media, the anti-malware solution(s): performs automatic scans of when the media is inserted, connected, or logically mounted, or performs continuous behavioural analysis of systems or processes when the media is inserted, connected, or logically mounted.<\/p><p>\u00a0<\/p><p>This applies to removable media, so an effective control can be to prevent removable media from being used through an enforced technical control.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b54cd75 elementor-widget elementor-widget-heading\" data-id=\"b54cd75\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">5.4.1 Protection Against Phishing Attacks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d21b0f elementor-widget elementor-widget-text-editor\" data-id=\"5d21b0f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.<\/p><p>\u00a0<\/p><p>The mechanisms may include technical controls on the entity\u2019s email system and phishing protection as part of anti-malware.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a565396 elementor-widget elementor-widget-heading\" data-id=\"a565396\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">6.3.2 Inventory of Bespoke and Custom Software and Software Components<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a970ec0 elementor-widget elementor-widget-text-editor\" data-id=\"a970ec0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.<\/p><p>\u00a0<\/p><p>This can be facilitated by using third-party software component management tools that are commonly used to identify and update third-party software 
components.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d986e6c elementor-widget elementor-widget-heading\" data-id=\"d986e6c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">6.4.2 Protect Public-Facing Web Applications with WAF<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a2c96b6 elementor-widget elementor-widget-text-editor\" data-id=\"a2c96b6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks; actively running and up to date as applicable; generating audit logs; configured to either block web-based attacks or generate an alert that is immediately investigated.<\/p><p>\u00a0<\/p><p>In practice this is commonly a web application firewall (WAF). 
The 6.4.1 choice of an application vulnerability scan is no longer an option.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8a0a928 elementor-widget elementor-widget-heading\" data-id=\"8a0a928\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">6.4.3 Payment Page Scripts Management<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7dc5017 elementor-widget elementor-widget-text-editor\" data-id=\"7dc5017\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>All payment page scripts that are loaded and executed in the consumer\u2019s browser are managed as follows: a method is implemented to confirm that each script is authorized; a method is implemented to assure the integrity of each script; an inventory of all scripts is maintained with written business or technical justification as to why each is necessary.<\/p><p>\u00a0<\/p><p>This requirement is discussed in more detail in another Dionach blog: <a href=\"https:\/\/www.dionach.com\/pci-dss-4-requirements-for-code-and-payment-pages\/\">https:\/\/www.dionach.com\/pci-dss-4-requirements-for-code-and-payment-pages\/<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-10aae6d elementor-widget elementor-widget-heading\" data-id=\"10aae6d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">7.2.4 User Account Access Reviews Every 6 Months<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-bb95088 elementor-widget elementor-widget-text-editor\" data-id=\"bb95088\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>All user accounts and related access privileges, including third-party\/vendor accounts, are reviewed as follows: at least once every six months; to ensure user accounts and access remain appropriate based on job function; any inappropriate access is addressed; management acknowledges that access remains appropriate.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c00df88 elementor-widget elementor-widget-heading\" data-id=\"c00df88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">7.2.5 Application and System Accounts are Managed<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ae80a8c elementor-widget elementor-widget-text-editor\" data-id=\"ae80a8c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>All application and system accounts and related access privileges are assigned and managed as follows: based on the least privileges necessary for the operability of the system or application; access is limited to the systems, applications, or processes that specifically require their use.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6994574 elementor-widget elementor-widget-heading\" data-id=\"6994574\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 
class=\"elementor-heading-title elementor-size-default\">7.2.5.1 Application and System Accounts are Periodically Reviewed<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-731df69 elementor-widget elementor-widget-text-editor\" data-id=\"731df69\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>All access by application and system accounts and related access privileges are reviewed as follows: periodically (at the frequency defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1); the application\/system access remains appropriate for the function being performed; any inappropriate access is addressed; management acknowledges that access remains appropriate.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-337b1a8 elementor-widget elementor-widget-heading\" data-id=\"337b1a8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.3.6 Passwords Must Have Minimum Length of 12 Characters<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fcb7a81 elementor-widget elementor-widget-text-editor\" data-id=\"fcb7a81\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If passwords\/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: a minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters); contain both numeric and alphabetic 
characters.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af99e8e elementor-widget elementor-widget-heading\" data-id=\"af99e8e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.3.10.1 Customers of Service Providers with Single Factor Passwords Change Passwords Every 90 Days<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-73a708d elementor-widget elementor-widget-text-editor\" data-id=\"73a708d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Additional requirement for service providers only: If passwords\/passphrases are used as the only authentication factor for customer user access (i.e., in any single-factor authentication implementation) then either: passwords\/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analysed, and real-time access to resources is automatically determined accordingly.<\/p><p>\u00a0<\/p><p>It may be better to enforce MFA on customer accounts.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-957a13b elementor-widget elementor-widget-heading\" data-id=\"957a13b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.4.2 MFA for Non-Console CDE Access<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65dfa1b elementor-widget elementor-widget-text-editor\" data-id=\"65dfa1b\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>MFA is implemented for all non-console access into the Cardholder Data Environment (CDE).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-249b1d2 elementor-widget elementor-widget-heading\" data-id=\"249b1d2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.5.1 MFA System Requirements Prevent Replay and Bypass<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9d9aef1 elementor-widget elementor-widget-text-editor\" data-id=\"9d9aef1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>MFA systems are implemented as follows: the MFA system is not susceptible to replay attacks; MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period; at least two different types of authentication factors are used; success of all authentication factors is required before access is granted.<\/p><p>\u00a0<\/p><p>Commonly used MFA systems such as YubiKeys and TOTP with authenticator apps should support these requirements.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-80f5364 elementor-widget elementor-widget-heading\" data-id=\"80f5364\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.6.1 System or Application Accounts Limit Interactive 
Login<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d8bc49d elementor-widget elementor-widget-text-editor\" data-id=\"d8bc49d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>8.6.1 If accounts used by systems or applications can be used for interactive login, they are managed as follows: interactive use is prevented unless needed for an exceptional circumstance; interactive use is limited to the time needed for the exceptional circumstance; business justification for interactive use is documented; interactive use is explicitly approved by management; individual user identity is confirmed before access to account is granted; every action taken is attributable to an individual user.<\/p><p>\u00a0<\/p><p>If possible, ensure that any systems or application accounts cannot be logged in interactively.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5a94796 elementor-widget elementor-widget-heading\" data-id=\"5a94796\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.6.2 No Hard Coded Passwords in Scripts or Configuration Files<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8af84d5 elementor-widget elementor-widget-text-editor\" data-id=\"8af84d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Passwords\/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration\/property files, or bespoke and custom source code.<\/p><p>\u00a0<\/p><p>There 
are source code repository tools that can identify potential hard coded passwords in files.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-72f290c elementor-widget elementor-widget-heading\" data-id=\"72f290c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8.6.3 Passwords are Changed Periodically for Application and System Accounts <\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9f97865 elementor-widget elementor-widget-text-editor\" data-id=\"9f97865\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Passwords\/passphrases for any application and system accounts are protected against misuse as follows: passwords\/passphrases are changed periodically (at the frequency defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise; passwords\/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords\/passphrases.<\/p><p>\u00a0<\/p><p>If you use cloud service providers, then use of built-in or service accounts from cloud service providers, where passwords are never known or controlled by the entity, may help with this requirement.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-02d4063 elementor-widget elementor-widget-heading\" data-id=\"02d4063\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title 
elementor-size-default\">9.5.1.2.1 Targeted Risk Analysis for Periodic POI Device Inspections<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-29560c5 elementor-widget elementor-widget-text-editor\" data-id=\"29560c5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1c576e6 elementor-widget elementor-widget-heading\" data-id=\"1c576e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">10.4.1.1 Automated Audit Log Reviews<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f049a9d elementor-widget elementor-widget-text-editor\" data-id=\"f049a9d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Automated mechanisms are used to perform audit log reviews.<\/p><p>\u00a0<\/p><p>Audit log reviews can no longer be just a manual process.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-66fe833 elementor-widget elementor-widget-heading\" data-id=\"66fe833\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">10.4.2.1 Targeted Risk Analysis for Periodic Log 
Reviews for All Other System Components<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-aa68788 e-flex e-con-boxed e-con e-parent\" data-id=\"aa68788\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e30f70d elementor-widget elementor-widget-text-editor\" data-id=\"e30f70d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-618add3 elementor-widget elementor-widget-heading\" data-id=\"618add3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">10.7.2 Detection of Failures of Critical Security Control Systems<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d193555 elementor-widget elementor-widget-text-editor\" data-id=\"d193555\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: network security controls; IDS\/IPS; change-detection mechanisms; anti-malware solutions; physical access controls; logical access controls; audit 
logging mechanisms; segmentation controls (if used); audit log review mechanisms; automated security testing tools (if used).<\/p><p>\u00a0<\/p><p>As with 10.7.3, this is now a requirement for all entities, not just service providers.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-252c0e9 elementor-widget elementor-widget-heading\" data-id=\"252c0e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">10.7.3 Response to Failures of Critical Security Control Systems<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-626d138 elementor-widget elementor-widget-text-editor\" data-id=\"626d138\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Failures of any critical security control systems are responded to promptly, including but not limited to: restoring security functions; identifying and documenting the duration (date and time from start to end) of the security failure; identifying and documenting the cause(s) of failure and documenting required remediation; identifying and addressing any security issues that arose during the failure; determining whether further actions are required as a result of the security failure; implementing controls to prevent the cause of failure from reoccurring; resuming monitoring of security controls.<\/p><p>\u00a0<\/p><p>As with 10.7.2, this is now a requirement for all entities, not just service providers.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-36a53ea elementor-widget elementor-widget-heading\" data-id=\"36a53ea\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">11.3.1.1 Targeted Risk Analysis for Vulnerabilities Not Ranked as Higher Risk<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3653f3c elementor-widget elementor-widget-text-editor\" data-id=\"3653f3c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity\u2019s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: addressed based on the risk defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1; rescans are conducted as needed.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-19219ac elementor-widget elementor-widget-heading\" data-id=\"19219ac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">11.3.1.2 Authenticated Internal Vulnerability Scans<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c12352b elementor-widget elementor-widget-text-editor\" data-id=\"c12352b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Internal vulnerability scans are performed via authenticated scanning as follows: systems that are unable to accept credentials for authenticated scanning are documented; sufficient privileges are used for those systems 
that accept credentials for scanning; if accounts used for authenticated scanning can be used for interactive login, they are managed in accordance with Requirement 8.2.2.<\/p><p>\u00a0<\/p><p>This is commonly addressed using scanning agents installed on each system component where the operating systems support scanning agents.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-92a60cf elementor-widget elementor-widget-heading\" data-id=\"92a60cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">11.4.7 Multi-Tenant Service Providers Allow External Penetration Tests<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-31fc937 elementor-widget elementor-widget-text-editor\" data-id=\"31fc937\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Additional requirement for multi-tenant service providers only: Multi-tenant service providers support their customers for external penetration testing as per requirements 11.4.3 and 11.4.4.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-872626c elementor-widget elementor-widget-heading\" data-id=\"872626c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">11.5.1.1 IDS\/IPS for Service Providers Detect Covert Malware Communication Channels<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c13771f elementor-widget elementor-widget-text-editor\" data-id=\"c13771f\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Additional requirement for service providers only: Intrusion-detection and\/or intrusion-prevention techniques detect, alert on\/prevent, and address covert malware communication channels.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-728ea82 elementor-widget elementor-widget-heading\" data-id=\"728ea82\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">11.6.1 Payment Pages Change- and Tamper-Detection Mechanism<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f2a568d elementor-widget elementor-widget-text-editor\" data-id=\"f2a568d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A change- and tamper-detection mechanism is deployed as follows: to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser; the mechanism is configured to evaluate the received HTTP headers and payment pages; the mechanism functions are performed as follows: at least weekly or periodically (at the frequency defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).<\/p><p>\u00a0<\/p><p>This requirement is discussed in more detail in another Dionach blog: <a 
href=\"https:\/\/www.dionach.com\/pci-dss-4-requirements-for-code-and-payment-pages\/\">https:\/\/www.dionach.com\/pci-dss-4-requirements-for-code-and-payment-pages\/<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ad208bc elementor-widget elementor-widget-heading\" data-id=\"ad208bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.3.1 Targeted Risk Analysis for Applicable Requirements<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1805e66 elementor-widget elementor-widget-text-editor\" data-id=\"1805e66\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented and includes: identification of the assets being protected; identification of the threat(s) that the requirement is protecting against; identification of factors that contribute to the likelihood and\/or impact of a threat being realized; resulting analysis that determines, and includes justification for, how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and\/or impact of the threat being realized; review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed; performance of updated risk analyses when needed, as determined by the annual review.<\/p><p>\u00a0<\/p><p>Refer to the following documents on the PCI SSC website: Information Supplement: TRA Guidance; Sample Template: TRA for Activity Frequency.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-a48066f elementor-widget elementor-widget-heading\" data-id=\"a48066f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.3.3 Inventory of All Cryptographic Cipher Suites and Protocols in Use<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-76d04b4 elementor-widget elementor-widget-text-editor\" data-id=\"76d04b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following: an up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used; active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use; documentation of a plan, to respond to anticipated changes in cryptographic vulnerabilities.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ea3b7fc elementor-widget elementor-widget-heading\" data-id=\"ea3b7fc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.3.4 Plan for End-of-Life Hardware and Software<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-378b527 elementor-widget elementor-widget-text-editor\" data-id=\"378b527\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: analysis that the technologies continue to receive security fixes from vendors promptly; analysis that the technologies continue to support (and do not preclude) the entity\u2019s PCI DSS compliance; documentation of any industry announcements or trends related to a technology, such as when a vendor has announced \u201cend of life\u201d plans for a technology; documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced \u201cend of life\u201d plans.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1ab1bb7 elementor-widget elementor-widget-heading\" data-id=\"1ab1bb7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.5.2.1 Service Providers Must Validate PCI DSS Scope Every 6 Months<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a92134a elementor-widget elementor-widget-text-editor\" data-id=\"a92134a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. 
At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-21f96bd elementor-widget elementor-widget-heading\" data-id=\"21f96bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.5.3 Service Providers Must Review Impact of Significant Changes<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-69ab0d0 elementor-widget elementor-widget-text-editor\" data-id=\"69ab0d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Additional requirement for service providers only: significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1a69498 elementor-widget elementor-widget-heading\" data-id=\"1a69498\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.6.2 Annual Review of Security Awareness Program<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8c52c05 elementor-widget elementor-widget-text-editor\" data-id=\"8c52c05\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The security awareness program is reviewed at least once every 12 months, 
and updated as needed to address any new threats and vulnerabilities that may impact the security of the entity\u2019s cardholder data and\/or sensitive authentication data, or the information provided to personnel about their role in protecting cardholder data.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-530a702 elementor-widget elementor-widget-heading\" data-id=\"530a702\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.6.3.1 Security Awareness Training Includes Phishing and Social Engineering Training<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f505b6c elementor-widget elementor-widget-text-editor\" data-id=\"f505b6c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Security awareness training includes awareness of threats and vulnerabilities that could impact the security of cardholder data and\/or sensitive authentication data, including but not limited to phishing and related attacks, and social engineering.<\/p><p>\u00a0<\/p><p>Most organisations already have these types of training in their security awareness program.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2d3374d elementor-widget elementor-widget-heading\" data-id=\"2d3374d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.6.3.2 Security Awareness Training Includes Acceptable Use of End-User Technologies<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-a4c150e elementor-widget elementor-widget-text-editor\" data-id=\"a4c150e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.<\/p><p>\u00a0<\/p><p>Most organisations already have an acceptable use policy; however, the security awareness training content itself needs to cover acceptable use in order to meet this requirement.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d7990dd elementor-widget elementor-widget-heading\" data-id=\"d7990dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.10.4.1 Targeted Risk Analysis for Periodic Training for Incident Response<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2d21e2a elementor-widget elementor-widget-text-editor\" data-id=\"2d21e2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The frequency of periodic training for incident response personnel is defined in the entity\u2019s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5a27b49 elementor-widget elementor-widget-heading\" data-id=\"5a27b49\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.10.5 Security Incident Response Plan 
Includes Change- and Tamper-Detection Mechanism for Payment Pages<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dc91a36 elementor-widget elementor-widget-text-editor\" data-id=\"dc91a36\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: [\u2026] The change- and tamper-detection mechanism for payment pages. [\u2026].<\/p><p>\u00a0<\/p><p>This relates to requirement 11.6.1.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-51a72ad elementor-widget elementor-widget-heading\" data-id=\"51a72ad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">12.10.7 Incident Response Procedures for Unexpected PAN Storage<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3cd60b0 elementor-widget elementor-widget-text-editor\" data-id=\"3cd60b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include: determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and\/or migration into the currently defined CDE, as applicable; identifying whether sensitive authentication data is stored with PAN; determining where the account data came from and how it ended up where it was not expected; remediating data leaks or process gaps that resulted in 
the account data being where it was not expected.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0bfb3ce elementor-widget elementor-widget-heading\" data-id=\"0bfb3ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Summary<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3b71023 elementor-widget elementor-widget-text-editor\" data-id=\"3b71023\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Some of the future-dated requirements need further policies, procedures and records, which may be more straightforward than the requirements needing further technical controls. The technical controls may require significant work, and so entities should focus on those.<\/p><p>\u00a0<\/p><p>For assistance and advice with becoming compliant with the new controls, contact Dionach. Dionach have QSAs that can provide expert help.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Overview The 51 future-dated requirements in PCI DSS 4 are becoming mandatory on 31st March 2025. Some of these requirements only apply to service providers and some may not apply to all entities, especially those using specific Self-Assessment Questionnaires (SAQs). 
\u00a0 Although some of these requirements may already be in place at an entity, some [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":18968,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-18959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-researchblog","wpbf-post"],"contentshake_article_id":"","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>PCI DSS 4 Requirements Becoming Mandatory End of March 2025<\/title>\n<meta name=\"description\" content=\"Overview The 51 future-dated requirements in PCI DSS 4 are becoming mandatory on 31st March 2025. Some of these requirements only apply to service\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/dionach.com\/nl\/pci-dss-4-requirements-becoming-mandatory-end-of-march-2025\/\" \/>\n<meta property=\"og:locale\" content=\"nl_NL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PCI DSS 4 Requirements Becoming Mandatory End of March 2025\" \/>\n<meta property=\"og:description\" content=\"Overview The 51 future-dated requirements in PCI DSS 4 are becoming mandatory on 31st March 2025. 
Some of these requirements only apply to service\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-08T15:30:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-08T15:33:46+00:00\" \/>\n<meta name=\"author\" content=\"Dionach by Nomios\" \/>\n<!-- \/ Yoast SEO plugin. -->"}