PCI Compliance aided by Network Assurance; Conquer PCI DSS v4.0

Updated: April 2, 2024
March 14, 2024

PCI Compliance is evolving. The payment card industry will see a new update to PCI DSS (Payment Card Industry Data Security Standard) enforced at the end of this month, with version 4.0 of the industry-wide regulations being applied from March 31st, 2024. We've shared how network assurance can assist in the PCI compliance processes before:

What are PCI Compliance, and PCI DSS?


We've discussed the 12 requirements of PCI DSS compliance before, but as a quick overview, this regulation requires all businesses that process payment card data to adhere to the following:

  • Install and maintain a firewall configuration to protect cardholder data (CHD)
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored CHD
  • Encrypt transmission of CHD across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by “business need to know”
  • Assign a unique ID to each person with computer access
  • Restrict physical access to CHD
  • Track and monitor all access to network resources and CHD
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

What's changing with 4.0?

From March 31st, these requirements become stricter in the interest of treating data security as a continuous business activity, with more frequent testing, strengthened security, and streamlined compliance reporting. More flexibility has also been introduced, with the acknowledgment and support of alternate methods of securing payment data, as long as security objectives are reached.

The full list of over 50 adjustments can be read in the PCI Council's Summary of Changes.

The spirit of proactivity and continuous assessment

Key themes emerging from the buzz around the developing PCI DSS compliance standards are proactive measures to prevent, detect, and resolve security incidents and, as part of this proactive spirit, continuous assessment.

The PCI Security Standards Council states that "doing the work" for PCI Compliance means documenting everything and avoiding recurring cycles of short-term compliance in favor of continuous practices.

When it comes to your IT network estate, automated assurance can help provide this continuous understanding of your end-to-end network state by automating your security audits, or providing daily network analysis reports for the teams that need them. Comprehensive and accurate historical understanding and documentation of your entire complex network estate will be part of a successful PCI-compliant organization.

For more detail on how IP Fabric can help, read our prior 4-part series on PCI compliance for your network linked above.

Want to try IP Fabric right now? Here's a self-guided, free online demo to see what automated network assurance is all about.
