Intro to PCI version 4: Appendixes

Well, you thought we had come to the conclusion of our PCI v4 journey last week (probably because I said as much), but you were wrong! (or I was and you just went along with it).  We should also discuss changes to the appendixes, which are the “requirements” at the end of the document (just before the compensating control worksheet).  These won’t be applicable to most, but since we are discussing the changes and additions, we should include them.  This will be a pretty short one compared to some of the others (looking at you, Requirement 12).

Overall Thoughts

Almost all of the items here are only applicable for service providers.  If that is not you, it still may be worth the 2 minutes it takes to read this post to make sure you know what to expect from any service providers engaging with you in these areas.

What’s New in the appendixes for v4

  • A1.1.1 – The multi-tenant service provider confirms access to and from the customer environment is logically separated to prevent unauthorized access. Deeper dive into the management of the hosted (now called ‘multi-tenant’) environment.
  • A1.1.4 – The multi-tenant service provider confirms effectiveness of logical separation controls used to separate customer environments at least once every six months via penetration testing. Make sure you are including this in your pen testing now.
  • A1.2.3 – The multi-tenant service provider implements processes or mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities.
  • A3.3.1 – Failures of the following are detected, alerted, and reported in a timely manner:
      • Automated log review mechanisms
      • Automated code review tools
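A3.3.1 asks that failures of the log review and code review tooling themselves be detected and alerted, not just the events those tools find. The watchdog below is an added example (not code from the post or from PCI SSC) showing one way to meet that: each control reports a heartbeat after every scheduled run, and a monitor flags three failure modes: the control stopped running, it ran but exited with an error, or it ran cleanly but processed nothing (which usually means its input feed broke silently). The heartbeat format, control names and timestamps are constructed for the example.

```python
"""Watchdog for A3.3.1-style failure detection of security controls (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ControlHeartbeat:
    """State a control reports after each scheduled run (hypothetical format)."""
    control: str                  # e.g. "automated-log-review/core", "automated-code-review"
    last_run: datetime            # when the control last completed a run (UTC)
    exit_code: int                # 0 = clean run; anything else = the tool reported an error
    items_processed: int          # log lines or commits reviewed during that run
    expected_interval: timedelta  # how often the control is scheduled to run


def detect_control_failures(beats, now, grace=timedelta(minutes=15)):
    """Return one (control, reason) tuple per detected failure.

    Failure modes covered:
      * the control stopped running (heartbeat older than schedule + grace),
      * the control ran but reported a non-zero exit status,
      * the control ran cleanly but processed zero items, which typically means
        the feed into it (log forwarding, repository hook) has silently broken.
    """
    findings = []
    for b in beats:
        age = now - b.last_run
        if age > b.expected_interval + grace:
            findings.append((b.control, f"no completed run for {age}"))
        if b.exit_code != 0:
            findings.append((b.control, f"last run exited with status {b.exit_code}"))
        elif b.items_processed == 0:
            findings.append((b.control, "last run processed zero items (input feed may be down)"))
    return findings


def build_alert(findings, now):
    """Format findings for the on-call channel; None when there is nothing to report."""
    if not findings:
        return None
    lines = [f"[{now.isoformat()}] {len(findings)} security control failure(s) detected:"]
    lines += [f"  - {control}: {reason}" for control, reason in findings]
    return "\n".join(lines)


# Constructed sample heartbeats: one healthy control and three distinct failures.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_BEATS = [
    # healthy: ran 10 minutes ago, clean exit, processed plenty of log lines
    ControlHeartbeat("automated-log-review/core", NOW - timedelta(minutes=10), 0, 4821, timedelta(hours=1)),
    # stopped: daily code review job has not completed in 26 hours
    ControlHeartbeat("automated-code-review", NOW - timedelta(hours=26), 0, 12, timedelta(hours=24)),
    # errored: tool ran recently but exited with status 2
    ControlHeartbeat("automated-log-review/pci-app", NOW - timedelta(minutes=5), 2, 0, timedelta(hours=1)),
    # silent feed: clean run, but nothing arrived to review
    ControlHeartbeat("automated-log-review/dmz", NOW - timedelta(minutes=20), 0, 0, timedelta(hours=1)),
]


if __name__ == "__main__":
    alert = build_alert(detect_control_failures(SAMPLE_BEATS, NOW), NOW)
    print(alert or "all monitored controls healthy")
```

In practice the heartbeats would come from the scheduler or from a small wrapper around each tool's run, and `build_alert` would hand off to whatever paging or ticketing system already carries your 10.7-style control-failure reports; the point is that silence from a monitoring tool is itself treated as an alertable event.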

None of the existing controls within the appendixes are being adjusted or modified.

Conclusion

So, as I stated at the start of the post, almost every change to the appendixes is focused on service providers.  As you can see, it is even more specific to “multi-tenant” (or what we used to call shared hosting) service providers.  The goal here is to make sure that the QSA is doing the proper due diligence when looking into the environment’s client access management, to prevent one customer from being able to access and view information from another.

As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.  Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website.  Thanks for taking the time to read my thoughts on PCI v4 Appendix changes.  Now that we have gone through the incremental changes to the requirements for PCI v4, we will start a series on some of the other changes coming up as we come to the end of the year.