{"id":47,"date":"2022-09-11T21:40:47","date_gmt":"2022-09-12T02:40:47","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=47"},"modified":"2022-09-11T21:43:03","modified_gmt":"2022-09-12T02:43:03","slug":"intro-to-pci-version-4-requirement-1","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/11\/intro-to-pci-version-4-requirement-1\/","title":{"rendered":"Intro to PCI version 4: Requirement 1"},"content":{"rendered":"\n

Our previous discussion touched on the (very) high level aspects of what makes version 4 of the PCI DSS different than its predecessors, so now we are in a better position to dive into some of the details.  To this we are going to look at each requirement individually.  This week we are going to start at the beginning \u2013 Requirement 1. As we work through the differences, let me apologize in advance for how dry the content is going to be as you work through it.  I really wanted to make it lighthearted and fun.  I decided that the information regarding the changes was too important, and I didn\u2019t want anyone to miss something.  I will write something clever (someday) to make up for this (and the next 11 or so blogs in this series)<\/p>\n\n\n\n

Overall Thoughts<\/h2>\n\n\n\n

Keeping with the general direction of the maturation of PCI with version 4, Requirement 1 is all about expanding the language to be more encompassing of changing technologies and assuring management takes ownership of the program.  One of the common shortcomings within security programs is figuring out who will own each aspect of the program.  The more complicated the environment, the more complicated the organization structure, and the number of security standards effecting the company all play into a (sometimes) overwhelming jumble of chaos that requires numerous specializations among the staff (PCI, HIPAA, SOX, FedRamp, GDPR, etc.)  Not wanting to get lost in the shuffle, PCI is making a point (that you will see mentioned in every post in this series) regarding not losing site of the importance of protecting consumers and their cardholder data.<\/p>\n\n\n\n

What\u2019s New for Req 1 in v4<\/h2>\n\n\n\n

The only net new item in version 4 for requirement 1 is the new 1.1.2, which states \u201cRoles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.\u201d  This goes back to what I was mentioning in the previous paragraph.  A formal document stating who is \u201cresponsible\u201d.  An interesting note though about how this is worded.  It doesn\u2019t say to document who is responsible for requirement 1, but rather \u201cfor performing activities\u201d are \u201cdocumented, assigned, and understood\u201d.  In short, for each requirement in section 1 of the PCI DSS you have to list who is responsible for actually doing the work, confirm it has been assigned to someone, and they have to demonstrate understanding of the processes, as the apply to PCI.<\/p>\n\n\n\n

Changes to the existing controls <\/h2>\n\n\n\n

A decent number of items have been changed between v3.2.1 and v4.  To keep track of them all, I am going to bullet them out for you and give a (very) brief note on them.<\/p>\n\n\n\n