{"id":61,"date":"2022-10-02T22:46:00","date_gmt":"2022-10-03T03:46:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=61"},"modified":"2022-10-02T19:54:03","modified_gmt":"2022-10-03T00:54:03","slug":"intro-to-pci-version-4-requirement-4","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/","title":{"rendered":"Intro to PCI version 4: Requirement 4"},"content":{"rendered":"\n<p>Encrypt transmission of cardholder data across open, public networks.&nbsp; What is an open, public network?&nbsp; There are technically (no pun intended) many different ways to define an open, public network.&nbsp; For our purposes, we will just declare that an open network is one that shares connections between internal and external users that are visible to others outside of the authorized individuals and\/or systems.&nbsp; The standard\u2019s own examples are the Internet, wireless links (including 802.11 and Bluetooth), cellular networks and satellite communications.&nbsp; In other words, if the connection leaves your environment, consider it in scope for Requirement 4; a VPN or TLS tunnel across that link is the control that satisfies the requirement, not a reason to leave the link out of scope.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>So we can frame the conversation, I feel the need to point something out from the start: we are discussing IT security through the lens of PCI security and what it takes to be compliant with the digital security standards, specifically to point out the deltas between version 3.2.1 and 4.&nbsp; The reason I say this is to point out that, from an overall security mindset, you should be working to do more than is required for compliance.&nbsp; Compliance is not a sign of overall security; it is a single measuring point.&nbsp; Think of compliance against any standard as one of your KPIs and develop additional indicators to achieve a higher level of security within your environment.
&nbsp; Once we are done with the series on the changes coming in PCI v4, I will write one highlighting some low-hanging-fruit items to build on your compliant environment and start working toward a more secure stance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 4 in v4<\/h2>\n\n\n\n<p>Back to the topic at hand.&nbsp; The new controls in Requirement 4 of version 4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>4.1.2 &#8211; Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.&nbsp; (Surprised? This is the same roles-and-responsibilities control that v4 adds as x.1.2 to each of Requirements 1 through 11.)<\/li><li>4.2.1 &#8211; A new bullet in an existing control: certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.&nbsp; This has not been part of the assessment before, so start tracking this data now.&nbsp; Like the other future-dated v4 controls, it is a best practice until 31 March 2025 and required after that date.<\/li><li>4.2.1.1 &#8211; An inventory of the entity\u2019s trusted keys and certificates is maintained.&nbsp; (Certificate inventory; see above where I say \u201cstart tracking this data now.\u201d&nbsp; Also future-dated to 31 March 2025.)<\/li><\/ul>\n\n\n\n<p>It would be accurate to say there are not a lot of changes to the existing controls, and it would also be accurate to say there are a lot of changes to the existing controls.  
That is because the overall focus of the requirement changed, which affects every control within it, but no individual existing control was rewritten.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>4 \u2013 Clarification\/guidance \u2013 The requirement itself was retitled from \u201cEncrypt transmission of cardholder data across open, public networks\u201d to \u201cProtect cardholder data with strong cryptography during transmission over open, public networks,\u201d so the focus is now explicitly on confirming that strong cryptography is used to protect cardholder data in transit, not merely that some encryption is present.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>I can already feel some of you relaxing, because the lack of changes in Requirement 4 makes it feel as though this one will be easy to manage.&nbsp; Well, the good news for those of you that only use P2PE solutions or hosted iFrame payment pages is that it will be really easy, since it is pretty much not applicable to you already and nothing new changes that.&nbsp; However, as I mentioned earlier when discussing the difference between compliant and secure, even if you can claim N\/A because a service provider manages this aspect of security for you, it is a good idea to track this information.&nbsp; Your service provider is probably not going to share the actual certificate details with you, but the due diligence in Requirement 12 (12.8, third-party service provider management) calls for you to maintain a program to confirm that service providers are working in a PCI compliant manner.&nbsp; That not only gives you the standing to check their AoC and make sure there were no issues with this part of their assessment; it is better to view doing so as a requirement on your end.&nbsp; Don\u2019t let the interconnectivity of the DSS get lost on you by focusing on single controls without also looking at the bigger picture.<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.\u00a0 Feel free to reach out to me 
directly with questions or to have a conversation via my email and\/or social media information on the TBF website.\u00a0 <\/p>\n\n\n\n<p>Thanks for taking the time to read my thoughts on PCI v4 Requirement 4.\u00a0 We will continue to work through the PCI requirements, one each week. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Encrypt transmission of cardholder data across open, public networks.&nbsp; What is an open, public network?&nbsp; There are technically (no pun intended) many different ways to define an open, public network.&nbsp; For our purposes, we will just declare that an open network is one that shares connections between internal and external users that are visible to &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 4&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-61","post","type-post","status-publish","format-standard","hentry","category-shawn"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 4 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro 
to PCI version 4: Requirement 4 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"Encrypt transmission of cardholder data across open, public networks.&nbsp; What is an open, public network?&nbsp; There are technically (no pun intended) many different ways to define an open, public network.&nbsp; For our purposes, we will just declare that an open network is one that shared connections between internal and external users that are visible to &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 4&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-03T03:46:00+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 4\",\"datePublished\":\"2022-10-03T03:46:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/\"},\"wordCount\":767,\"articleSection\":[\"Shawn\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/\",\"name\":\"Intro to PCI version 4: Requirement 4 - Shawn&#039;s 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-10-03T03:46:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/02\\\/intro-to-pci-version-4-requirement-4\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 4\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 4 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 4 - Shawn&#039;s Blog","og_description":"Encrypt transmission of cardholder data across open, public networks.&nbsp; What is an open, public network?&nbsp; There are technically (no pun intended) many different ways to define an open, public network.&nbsp; For our purposes, we will just declare that an open network is one that shared connections between internal and external users that are visible to &hellip; Continue reading \"Intro to PCI version 4: Requirement 4\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-10-03T03:46:00+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 4","datePublished":"2022-10-03T03:46:00+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/"},"wordCount":767,"articleSection":["Shawn"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/","name":"Intro to PCI version 4: Requirement 4 - Shawn&#039;s Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-10-03T03:46:00+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/02\/intro-to-pci-version-4-requirement-4\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 
4"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=61"}],"version-history":[{"count":1,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/61\/revisions"}],"predecessor-version":[{"id":62,"href":"https:\/\/terrabytefoundry.com\/
blog_s\/wp-json\/wp\/v2\/posts\/61\/revisions\/62"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
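The two certificate items in the post's "What's New" list (4.2.1, confirming that certificates are valid and not expired or revoked, and 4.2.1.1, keeping an inventory of trusted keys and certificates) are the parts of Requirement 4 you can start tracking today. The script below is an added example, not code from the original post or from the PCI SSC. It uses the openssl command line to emit a one-line-per-certificate inventory (status, serial, subject, issuer, expiry, SHA-256 fingerprint) and classifies each certificate as OK, EXPIRING, EXPIRED or REVOKED. Assumptions that are not in the original: certificates are PEM files on disk, the 30-day warning window is a local policy choice, and revocation is represented by a locally maintained list of revoked serial numbers standing in for a CRL or OCSP result, since a real revocation check needs network access to the issuing CA. The self-signed certificates it generates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original post): certificate inventory and
# validity check with the openssl CLI, for PCI DSS v4 4.2.1 / 4.2.1.1 tracking.
# Assumptions: PEM input files; a local text file of revoked serial numbers
# stands in for a CRL/OCSP lookup; the warning window is a local policy choice.

# cert_status PEMFILE REVOKED_SERIALS_FILE [WARN_DAYS]
# Prints one CSV record: status,serial,subject,issuer,notAfter,sha256_fingerprint
cert_status() {
    pem="$1"; revoked="$2"; warn_days="${3:-30}"

    # Inventory fields. RFC2253 name format keeps subject/issuer on one line.
    serial=$(openssl x509 -in "$pem" -noout -serial | sed 's/^serial=//')
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    fingerprint=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//')

    # Validity: revocation first (an unexpired but revoked cert is still unusable),
    # then hard expiry, then the early-warning window. -checkend N exits non-zero
    # when the certificate expires within the next N seconds.
    status=OK
    if [ -s "$revoked" ] && grep -qix "$serial" "$revoked"; then
        status=REVOKED
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        status=EXPIRED
    elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        status=EXPIRING
    fi

    printf '%s,%s,%s,%s,%s,%s\n' "$status" "$serial" "$subject" "$issuer" "$not_after" "$fingerprint"
}

# inventory DIR REVOKED_SERIALS_FILE [WARN_DAYS]: CSV report over every *.pem in DIR.
inventory() {
    echo 'status,serial,subject,issuer,not_after,sha256_fingerprint'
    for f in "$1"/*.pem; do
        [ -f "$f" ] && cert_status "$f" "$2" "${3:-30}"
    done
}

# make_cert OUTPEM DAYS CN: constructed self-signed test certificate (throwaway key).
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "${1%.pem}.key" -out "$1" -days "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# Stand-alone demo on constructed data: one healthy cert, one expiring inside
# the 30-day window, and one whose serial has been placed on the revoked list.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/ok.pem" 365 ok.example.test
make_cert "$demo_dir/soon.pem" 10 soon.example.test
make_cert "$demo_dir/revoked.pem" 365 revoked.example.test
openssl x509 -in "$demo_dir/revoked.pem" -noout -serial | sed 's/^serial=//' > "$demo_dir/revoked-serials.txt"
inventory "$demo_dir" "$demo_dir/revoked-serials.txt" 30
rm -rf "$demo_dir"
```

Run it against a directory of the certificates that actually terminate cardholder-data connections (load balancers, payment API endpoints, outbound connections to processors) and keep the CSV under version control; the diff between runs is the evidence an assessor will ask for under 4.2.1.1, and anything not marked OK is an action item under 4.2.1. The revoked-serial file is only a placeholder: in production, replace that branch with a CRL download (openssl crl) or an OCSP query (openssl ocsp) against the issuing CA.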