Pass Your PCI-DSS 4.0 Audit with Help from Quantum Xchange

Addressing the evolving security needs and digitization of the payments industry, the Payment Card Industry Data Security Standard (PCI DSS) v. 3.2.1 will be officially retired on March 31, 2024, giving way to PCI-DSS v. 4.0 with full implementation mandated by March 2025.

The collective set of new and updated controls found in PCI-DSS 4.0 includes several new cryptographic requirements that enforce the need for strong cryptography, an annual inventory, and secure protocols.

Download the solution brief to see a complete list of all cryptographic standards found in version 4.0 and how CipherInsights can be used to quickly determine which in-scope systems are out of compliance.

Despite the fast-approaching deadline and the significant lift required, the vast majority of organizations are unprepared. A recent study by S&P Global found that few organizations have a solid understanding of all PCI-DSS 4.0 requirements, and many indicated that their organizations have yet to begin executing on these changes. As a result, 90% of those surveyed expressed concern over meeting the implementation timeline.

The collective set of new and updated controls found in PCI-DSS 4.0 addresses the ever-evolving threat landscape and serves to mitigate payment data risks. Several new cryptographic requirements that enforce the need for strong cryptography, an annual inventory, and secure protocols have been added to the updated standard (see chart below).

Compliance Begins with Visibility

Discovery, Inventory and Risk Assessment from CipherInsights

CipherInsights from Quantum Xchange can be deployed to identify and/or investigate cryptographic weaknesses, prioritize risk remediation, and generate the continuous monitoring and reporting needed to meet PCI-DSS 4.0 compliance requirements.

With a run time of as little as 90 minutes, organizations can quickly determine which in-scope systems are out of compliance. Deployed as a passive listener, CipherInsights is delivered as a virtual appliance which connects to a packet broker or SPAN/TAP. Unlike other scanning tools that can only inspect certificates and cryptographic libraries that are installed on endpoints, CipherInsights performs analysis on traffic as it passes by, identifying and classifying the encryption, both sanctioned and unsanctioned, that is in use on the network.

Compliance-oriented audit, consulting, and technology service providers can simply ask their customers to submit a network capture file (PCAP) as part of their evidence gathering and due diligence. CipherInsights then operates locally on that capture to produce all the reporting needed for the PCI-DSS 4.0 cryptography controls.

CipherInsights gives users near-immediate insights into how encryption is operating, not just how it is deployed, across their networks and presents a clear understanding of where and what type of remediation is required.

The following chart features the cryptographic requirements of PCI-DSS 4.0 addressed by CipherInsights:

2.2.7 All non-console administrative access is encrypted using strong cryptography.

2.2.7.a Examine system configuration standards to verify they include encrypting all non-console administrative access using strong cryptography.

    • Inventory of all incoming network administrative sessions.
    • Details: source IP, destination IP, port, protocol, TLS version, cipher suite, volume of traffic.
    • Shows what clients have non-console administrative access.

4.2.1 Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:

  • Only trusted keys and certificates are accepted.
  • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
  • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
  • The encryption strength is appropriate for the encryption methodology in use.

4.2.1.b Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement.

    • Inventory of protocols and cryptographic strength used to safeguard PAN.
    • Details: source IP, destination IP, port, protocol, TLS version, cipher suite (key size), volume of traffic.

4.2.1.c Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks.

    • Inventory of cryptography and protocols used to safeguard PAN over open public networks.
    • Details: source IP, destination IP, port, protocol, TLS version, cipher suite (key size), volume of traffic.

4.2.1.d Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected.

    • Inventory of public keys and certificates used to safeguard PAN.
    • Independent validation of certificate chain, to customer CA trust store.
    • List of all self-signed and untrusted certificates.

4.2.1.1 An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained.

    • Inventory of public keys and certificates used to safeguard PAN during transmission, including the algorithms, key lengths, and validity dates.

8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.

8.3.2.c Examine data transmissions to verify that authentication factors are unreadable during transmission.

    • Inventory of all user authentication protocols (LDAP, LDAPS, SAML, etc.).
    • Identification of cleartext usernames and passwords.

12.3.3 Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following:

  • An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
  • Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use.
  • A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
    • Inventory of all cryptographic cipher suites and protocols in use.
    • Active monitoring of cipher suites and protocols in use.
    • Details: source IP, destination IP, port, protocol, TLS version, cipher suite (key size), volume of traffic.

12.5.2 PCI-DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes:

  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to any locations outside of the currently defined CDE, applications that process CHD, transmissions between systems and networks, and file backups.
    • Inventory of all database instance names and client accesses, and how that traffic is secured in transit.
    • Inventory of all network sessions to third-party entities outside the CDE, including business partners, remote support services, backup services, etc.
    • Details: source IP, destination IP, port, protocol, TLS version, cipher suite (key size), volume of traffic.
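
The 4.2.1 and 12.3.3 rows above describe the same per-session inventory: source, destination, port, TLS version and cipher suite, plus a verdict on whether the negotiated parameters count as strong cryptography. As an added example (not CipherInsights code, and not part of the original page), the script below shows the minimal passive-analysis step behind such a row: parse the TLS ServerHello record captured for each session, recover the negotiated version (including the TLS 1.3 supported_versions case) and cipher suite, and flag sessions outside a policy. The policy, the small cipher-suite mapping, and all flows and record bytes are constructed assumptions for illustration.

```python
"""Added example (not CipherInsights code): build a PCI-DSS 4.2.1 / 12.3.3 style
inventory of negotiated TLS versions and cipher suites from captured
ServerHello records, and flag sessions that fall outside a strong-crypto policy.
All flows and record bytes below are constructed test data."""
import struct

# Subset of IANA TLS cipher suite code points (assumption: only these are mapped).
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Policy (assumption, modelled on 4.2.1 "secure versions or configurations"):
# TLS 1.2 or 1.3, an AEAD (GCM) suite, and forward secrecy (ECDHE, or TLS 1.3,
# which always provides it).
STRONG_VERSIONS = {"TLS 1.2", "TLS 1.3"}


def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated version and cipher suite from one TLS ServerHello record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte server random
    sid_len = hs[pos]
    pos += 1 + sid_len                             # skip the session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                                   # cipher suite, compression method
    if pos + 2 <= len(hs):                         # extensions are optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            # TLS 1.3 keeps legacy_version = 0x0303; the real version is carried
            # in the supported_versions extension (type 43).
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": VERSIONS.get(version, f"unknown(0x{version:04x})"),
            "cipher": CIPHER_SUITES.get(cipher, f"unknown(0x{cipher:04x})")}


def is_strong(info: dict) -> bool:
    """Apply the policy above to one parsed ServerHello."""
    v, c = info["version"], info["cipher"]
    return v in STRONG_VERSIONS and "GCM" in c and (v == "TLS 1.3" or "ECDHE" in c)


def inventory(flows) -> list:
    """flows: iterable of (src_ip, dst_ip, dst_port, server_hello_bytes).
    Returns one row per flow with the 4.2.1 inventory columns plus a policy verdict."""
    rows = []
    for src, dst, port, record in flows:
        info = parse_server_hello(record)
        rows.append({"src": src, "dst": dst, "port": port, **info,
                     "strong": is_strong(info)})
    return rows


def findings(flows) -> list:
    """Rows that would need remediation before the 4.2.1 evidence review."""
    return [r for r in inventory(flows) if not r["strong"]]


def build_server_hello(version: int, cipher: int) -> bytes:
    """Construct a minimal ServerHello record for the sample data below."""
    tls13 = version == 0x0304
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304) if tls13 else b""
    hs = (struct.pack("!H", 0x0303 if tls13 else version) + bytes(32) + b"\x00"
          + struct.pack("!H", cipher) + b"\x00" + struct.pack("!H", len(exts)) + exts)
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, 0x0303, len(body)) + body


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    ("10.0.1.15", "203.0.113.10", 443, build_server_hello(0x0303, 0xC02F)),   # TLS 1.2, ECDHE-GCM
    ("10.0.1.16", "203.0.113.10", 443, build_server_hello(0x0304, 0x1301)),   # TLS 1.3
    ("10.0.2.7", "192.0.2.44", 8443, build_server_hello(0x0301, 0x000A)),     # TLS 1.0, 3DES
    ("10.0.2.9", "192.0.2.45", 636, build_server_hello(0x0303, 0x002F)),      # TLS 1.2, RSA-CBC, no PFS
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_FLOWS):
        print(row)
```

Run against a real capture, the records would come from the first server-to-client handshake record of each TCP session in the PCAP; only the ServerHello is needed because it states what was actually negotiated, which is why this kind of evidence reflects how encryption is operating rather than how endpoints are configured. The two flagged rows in the sample (a TLS 1.0 session with 3DES and a TLS 1.2 session on an LDAPS port using a non-AEAD RSA suite) are exactly the kind of result an assessor would expect to see listed for 4.2.1.b/c and 12.3.3 with a remediation plan attached.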

Having actionable crypto-intelligence readily available in a consolidated inventory helps organizations renew certificates on time, avoid application performance issues, prevent security weaknesses, and enforce policies.

Bringing Clarity to Cyber Risk Blind Spots

  • Can you see all endpoints on your network, including IoT?
  • Is your encryption working as implemented?
  • Are user credentials properly encrypted?
  • Is your MFA fully deployed?
  • Are there intermittent hosts, such as those brought up for end-of-quarter and end-of-year (EoQ/EoY) reporting, that are insecure or unpatched?
  • Is your database traffic encrypted properly, or at all?
  • Do you have rogue database instances on your network?
  • Are your partners, third parties, and cloud apps securing your data properly?
  • What has changed since your last scan?

Know with CipherInsights

  • Passively scans all traffic and detects all encryption on the network — even from IoT devices and malware.
  • Analyzes connections to external sources.
  • No more blind spots!