{"id":57,"date":"2022-09-25T20:50:41","date_gmt":"2022-09-26T01:50:41","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=57"},"modified":"2022-09-25T20:50:42","modified_gmt":"2022-09-26T01:50:42","slug":"intro-to-pci-version-4-requirement-3","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/","title":{"rendered":"Intro to PCI version 4: Requirement 3"},"content":{"rendered":"\n<p>For those of you who found the previous blog posts on the changes to specific requirements in PCI v4 useful, I have some great news. This one will be just as exciting, so get comfortable and prepare to be informed AND entertained! Requirement 3 is one of the key areas of PCI. When you talk about a security standard designed specifically around the protection of payment card data, we all need to acknowledge the importance of the part of the standard focused on actually storing that data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>Obviously, the best plan is to not store any cardholder data at all, if you can help it. For those that can\u2019t (or won\u2019t) avoid storing cardholder data in their environment, protecting it should be a top priority. Bury it deep in the environment. Restrict access to as few people as possible. Encrypt the data at rest. You get the idea. The worst case scenario is unencrypted data in your environment that is accessible by numerous employees. Actually, it can get much worse than that, but I want to give you the benefit of the doubt on having some modicum of sense in this area. We have a lot to go over in Requirement 3, so I am not going to go on and on here, despite it being my nature to drone on (and on).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 3 in v4<\/h2>\n\n\n\n<p>Compared to the requirements discussed previously, R3 has a fair 
number of net new controls in version 4. Anyone reading the series won\u2019t be surprised to learn that a new 3.1.2 has been added, requiring that roles and responsibilities for the activities in Requirement 3 are documented, assigned, and understood. With Requirement 3 you may want to go into a more detailed accountability matrix or RACI based on your environment. Some companies will have different management chains for different types of databases (SQL v Oracle, etc.) and may have different responsible parties handling application-level data management. All of this needs to be accounted for in 3.1.2.<\/p>\n\n\n\n<p>The other net new changes for Requirement 3 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>3.4.2 &#8211; Technical controls to prevent copy and\/or relocation of PAN when using remote-access technologies, except with explicit authorization. A policy alone is no longer sufficient to prevent this from happening. A technical control (for example, disabling clipboard sharing, file transfer, and printing in the remote-access tool) needs to be in place to enforce it.<\/li><li>3.5.1.1 &#8211; Hashes used to render PAN unreadable are keyed cryptographic hashes of the entire PAN, with associated key management. A bare, unkeyed hash (plain SHA-256 of the PAN, for instance) no longer qualifies, because the PAN keyspace is small enough to brute force, especially when a truncated or masked copy of the same PAN is available to narrow the search.<\/li><li>3.5.1.2 &#8211; Disk-level or partition-level encryption, when used to render PAN unreadable, is only permitted on its own for removable electronic media. On non-removable media, PAN must also be rendered unreadable by another mechanism that meets 3.5.1 (truncation, index tokens, keyed hashing, or column\/field-level encryption).<\/li><li>3.6.1.1 &#8211; (Service providers only) The documented description of the cryptographic architecture includes prevention of the use of the same cryptographic keys in production and test environments.<\/li><\/ul>\n\n\n\n<p>Note that all four of these are future-dated requirements: they are considered best practice until 31 March 2025, after which they are required and must be fully considered during an assessment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes to the existing controls<\/h2>\n\n\n\n<p>Changes to existing controls for Requirement 3 are about the same in number as the new controls. As in the previous posts, we will just touch on the items here and leave the detailed discussion for you to have with your trusted subject matter experts and\/or consultants. There are a few items below that the DSS lists as 
\u201cnew\u201d, but I disagree with that designation, so I am placing them here under changes. I will mark them, so you can treat them as is appropriate in your environment. Numbers below are the v4 numbers, with the v3.2.1 number given where it moved.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>3 (in general) \u2013 Clarification\/guidance &#8211; Updated the principal requirement title to \u201cProtect Stored Account Data\u201d, reflecting the focus on account data (cardholder data plus sensitive authentication data) rather than the narrower term cardholder data. It is still the card account data, not the individual\u2019s personal data. That data is covered by privacy standards.<\/li><li>3.3.3 \u2013 Clarification\/guidance \u2013 Previously testing procedures 3.2.a and 3.2.b, now combined into a requirement that any storage of SAD by issuers (and companies that support issuing services) is limited to that which is needed for a legitimate issuing business need and is secured.<\/li><li>3.2.1 \u2013 Listed as \u201cnew\u201d &#8211; Data retention and disposal policies, procedures, and processes now explicitly cover any SAD stored prior to completion of authorization, and keep it to a minimum. 
(Fun fact: the prohibition on retaining SAD after authorization was the one area of the v3.2.1 DSS that could not be checked as N\/A, as 3.2.1 through 3.2.3; it lives on as 3.3.1.1 through 3.3.1.3 in v4.)<\/li><li>3.3.2 \u2013 Listed as \u201cnew\u201d &#8211; SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. (HUGE. Pre-authorization SAD is usually held only in volatile memory while the transaction is in flight, but if it touches a disk, queue, or log anywhere in that window it has to be encrypted, so make sure you are doing this, or are at least capable of doing so.)<\/li><li>3.3.3 \u2013 Listed as \u201cnew\u201d &#8211; A new bullet for issuers: SAD that is stored is encrypted using strong cryptography. (This one probably won\u2019t have much, if any, impact on you unless you are an issuer.)<\/li><li>3.4.1 \u2013 Evolving requirement \u2013 Previously 3.3 &#8211; Clarified that PAN is masked when displayed such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN. (Note: masked PANs used to be described as first six\/last four; the term is now BIN\/last four, because some Bank Identification Numbers are now eight digits rather than six.)<\/li><li>3.5.1 \u2013 Evolving requirement \u2013 Previously 3.4 &#8211; Removed pads from the \u201cIndex tokens and pads\u201d bullet for rendering PAN unreadable. The same requirement keeps the note that if hashed and truncated versions of the same PAN exist in the environment, additional controls must ensure they cannot be correlated to reconstruct the original PAN.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>As you can see from running through the list, the PCI Council is changing both terminology and technical control requirements for how stored data is managed. You will see this approach throughout the majority of the v4 changes: a push for updated technical capabilities and automation, where applicable, allows for a faster reaction when attacks happen, which lowers potential impact and risk. 
In the case of R3 the effort is focused on making sure that not only are we reacting faster, but that if (when) we fail to keep data from being taken by some unethical actor with access to the environment, the usability of that data is reduced (ideally eliminated).<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base for discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge. Feel free to reach out to me directly with questions, or to have a conversation, via the email and\/or social media information on the TBF website. Thanks for taking the time to read my thoughts on PCI v4 Requirement 3. We will continue to work through the PCI requirements one per week.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">~ Shawn<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>For those of you that found the previous blog posts on changes in the specific requirements for PCI v4, I have some great news.\u00a0 This one will be just as exciting, so get comfortable and prepare to be informed AND entertained! 
Requirement 3 is one of the key areas with PCI.\u00a0 When you talk about &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 3&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,5,7,6],"tags":[],"class_list":["post-57","post","type-post","status-publish","format-standard","hentry","category-assurance","category-pci","category-shawn","category-version-4"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 3 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro to PCI version 4: Requirement 3 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"For those of you that found the previous blog posts on changes in the specific requirements for PCI v4, I have some great news.\u00a0 This one will be just as exciting, so get comfortable and prepare to be informed AND entertained! 
Requirement 3 is one of the key areas with PCI.\u00a0 When you talk about &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 3&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-26T01:50:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-26T01:50:42+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 3\",\"datePublished\":\"2022-09-26T01:50:41+00:00\",\"dateModified\":\"2022-09-26T01:50:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/\"},\"wordCount\":1040,\"articleSection\":[\"Assurance\",\"PCI\",\"Shawn\",\"version 
4\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/\",\"name\":\"Intro to PCI version 4: Requirement 3 - Shawn&#039;s Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-09-26T01:50:41+00:00\",\"dateModified\":\"2022-09-26T01:50:42+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/25\\\/intro-to-pci-version-4-requirement-3\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 3 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 3 - Shawn&#039;s Blog","og_description":"For those of you that found the previous blog posts on changes in the specific requirements for PCI v4, I have some great news.\u00a0 This one will be just as exciting, so get comfortable and prepare to be informed AND entertained! 
Requirement 3 is one of the key areas with PCI.\u00a0 When you talk about &hellip; Continue reading \"Intro to PCI version 4: Requirement 3\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-09-26T01:50:41+00:00","article_modified_time":"2022-09-26T01:50:42+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 3","datePublished":"2022-09-26T01:50:41+00:00","dateModified":"2022-09-26T01:50:42+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/"},"wordCount":1040,"articleSection":["Assurance","PCI","Shawn","version 4"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/","name":"Intro to PCI version 4: Requirement 3 - Shawn&#039;s 
Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-09-26T01:50:41+00:00","dateModified":"2022-09-26T01:50:42+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/25\/intro-to-pci-version-4-requirement-3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 3"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and 
Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/57","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=57"}],"version-history":[{"count":2,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":60,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/57\/revisions\/60"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=57"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}