PCI DSS 4.0: How to Ensure Full Compliance with New Requirements
Qualys Security Blog
The Payment Card Industry Data Security Standard (PCI DSS) is one of the oldest mainstream compliance requirements, first published in 2004. The PCI Security Standards Council maintains the standard to protect the global payment system. It applies worldwide to every entity that stores, processes, or transmits cardholder data or sensitive authentication data, or that could affect the security of the cardholder data environment (CDE). The newest version, 4.0, was published in March 2022. The previous version, 3.2.1, is retired on March 31, 2024, after which v4.0 is the only active version; note that a number of v4.0 requirements are designated as best practices until March 31, 2025, and become mandatory after that date.
Qualys recently published a white paper explaining how we can put you in the driver’s seat for compliance with the revised standard.
In this blog post, we’ll assume you’re familiar with PCI DSS (see the white paper if you need a refresher). Our aim here is to summarize the high points of how Qualys can help.
Four-Step Process for Compliance
The PCI Council provides four ongoing steps for PCI DSS 4.0 that organizations should use to protect payment account data. As described by its PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 4.0 (p. 4), these steps are:
Assess – identifying all locations of payment account data, taking an inventory of all IT assets and business processes associated with payment processing, analyzing them for vulnerabilities that could expose payment account data, implementing or updating necessary controls, and undergoing a formal PCI DSS assessment.
Remediate – identifying and addressing gaps in security controls, fixing identified vulnerabilities, securely removing any unnecessary payment data storage, and implementing secure business processes.
Report – documenting assessment and remediation details and submitting compliance reports to the compliance-accepting entity (typically, an acquiring bank or payment brands).
Monitor and Maintain – Confirm that security controls put in place to secure the payment account data and environment continue to function effectively and properly on an ongoing basis.
Note that the process methodologies for Qualys Vulnerability Management, Detection and Response (VMDR) and the other Qualys Cloud Platform applications are designed to align with the PCI Council’s four-step process.
How Qualys Drives PCI DSS 4.0 Compliance
The six goals and twelve requirements for PCI DSS 4.0 cover a broad range, and many of these elements are things you would ordinarily do anyway for implementing and maintaining a comprehensive enterprise cybersecurity program. That’s why the Qualys Cloud Platform plays a key role; it helps drive an organization’s PCI DSS 4.0 compliance process in two ways.
One of these is enabling automatic documentation of compliance – basically, a status check of whether many of the controls for PCI DSS 4.0 requirements are in place and whether they are doing their respective jobs. Second, with various integrated Qualys security applications such as VMDR, Web Application Scanning, and others, the platform also provides specific controls for a robust subset of PCI DSS 4.0 requirements. Implementation leverages several of the more than two dozen Qualys applications that are integrated with the cloud platform.
Qualys Brings Automation to PCI DSS 4.0 Compliance
Qualys Policy Compliance (PC) is a cloud service that enables continuous assessment of the cardholder data environment. Qualys PC provides a ready-to-use mandate-based template for PCI DSS 4.0 consisting of security checks that automate the assessment of in-scope PCI assets. These checks automatically scan technical secure configuration assessment requirements of the standard.
Qualys Security Assessment Questionnaire is a cloud service to help automate the process of collecting and validating required information and completing the Self-Assessment Questionnaire (SAQ). Business process control automation includes the collaboration of all stakeholders inside and outside your organization. The final SAQ is automatically prepared for submission and submitted to the acquirer or payment brand(s). Qualys SAQ makes the process agile, accurate, comprehensive, centralized, scalable, and uniform across your organization.
Qualys Brings Security Controls to Meet PCI DSS 4.0 Requirements
Here are examples of how Qualys meets some of the many PCI DSS 4.0 requirements with the Qualys Cloud Platform, its integrated applications, and the use of a single agent:
Qualys Vulnerability Management, Detection, and Response (VMDR) – VMDR is not included with Total Compliance, but it is the recommended foundational solution for managing CDE cyber risk (Req. 2, 5, 6, 11). It addresses the third goal (maintaining a vulnerability management program) and Requirement 11’s need for regularly testing the security of CDE systems and networks. VMDR detects internal and external risks and supports efficient response to vulnerabilities. It performs authenticated scans, which also yield data such as a certificate inventory that unauthenticated scanning cannot reliably provide.
Qualys Policy Compliance – PC is included with the Qualys Total Compliance Solution Set and enables continuous assessment of the cardholder data environment. As described above, its ready-to-use mandate-based template for PCI DSS 4.0 automates the secure-configuration checks for in-scope PCI assets.
Qualys PC supports the in-scope operating systems, databases, web servers, network devices, and other technologies. It also simplifies and accelerates the formal annual PCI DSS assessment through collaboration with the Qualified Security Assessor, including automatic generation of the Report on Compliance. Custom dashboards and reports keep you audit-ready at all times, even when an assessor asks for something non-standard.
Numerous requirements in almost every section map to Policy Compliance capabilities. For example, Requirement 1.2.2 calls for all changes to network connections and to the configurations of network security controls to be approved and managed in accordance with the change control process defined in Requirement 6.5.1. Qualys PC lets you automate security configuration evaluations and rapidly identify compliance with the PCI DSS v4.0 technical security requirements.
Qualys PC also provides out-of-the-box reports that customers can run to quickly document their preparation for the PCI DSS v4.0 standard. The mandate-based template simplifies the process merchants must undertake to validate a critical set of technical controls across different technologies: Qualys PC scans for these PCI controls automatically and produces a detailed report that documents ongoing compliance.
Qualys Web Application Scanning (WAS) – WAS is included with Total Compliance and continuously detects vulnerabilities and misconfigurations in the CDE’s internal and external-facing web applications (Req. 6, 11). It also finds malware in web apps and informs DevOps teams of exposed payment data and other PII.
Qualys File Integrity Monitoring (FIM) – FIM provides “low-noise” integrity monitoring for the CDE (Req. 1, 10, 11, 12), detecting unauthorized modifications and changes while filtering out false alerts from genuine hits and allowing expected changes to be whitelisted.
Qualys CyberSecurity Asset Management (CSAM) with External Attack Surface Management (EASM) – CSAM provides an accurate, context-rich inventory of all CDE cyber assets to identify security gaps (Req. 2), and EASM provides visibility and control of the CDE’s external attack surface (Req. 2, 12).
Qualys Patch Management – Patch Management enables automating the entire patching process for operating systems, mobile devices, and third-party applications – even for remote devices within the cardholder data environment (Req. 1, 6, 10, 11).
Custom Assessment & Remediation – CAR is included with Total Compliance and creates reusable custom detections and remediations while allowing for the deployment of custom configurations.
Security Assessment Questionnaire – SAQ, included with Total Compliance, allows you to document and generate proof of compliance with detailed reports for auditors and executives.
PCI ASV Compliance – As an Approved Scanning Vendor (ASV), Qualys is authorized by the PCI Security Standards Council to conduct the external vulnerability scans that PCI DSS requires at least once every three months (Req. 11.3.2). This supports accurate and effective PCI ASV compliance testing, reporting, and submission.
Qualys Multi-Vector Endpoint Detection and Response (EDR) – EDR is not included with Total Compliance but is recommended as an addition to integrate vulnerability management of the CDE with endpoint threat detection and response (Req. 5, 12).
Qualys Context XDR – Extended Detection and Response is not included with Total Compliance but should be added to accelerate remediation of complex, advanced threats to the CDE using MITRE ATT&CK-driven threat hunting and analytics (Req. 10).
To learn more about PCI DSS, read the full text of PCI DSS 4.0 and other supporting documents in the PCI DSS v4.0 Resource Hub on the PCI Council website. For full details on how Qualys enables PCI DSS 4.0 compliance, download our whitepaper [PCI 4.0 v2 white paper URL], “PCI DSS 4.0: How to Ensure Full Compliance with New Requirements.”
We invite you to learn more about using Qualys to achieve PCI DSS 4.0 compliance and start your free trial.
Bill Reed, Qualys Product Marketing
Dave Breuger, Qualys Product Marketing