Document Comparison

PCI_DSS-QRG-v4_0.pdf → PCI-DSS-v4_x-QRG.pdf
99% similar
38 → 38 Pages
9667 → 9728 Words
16 Content Changes

Content Changes

16 content changes. 5 administrative changes (dates, page numbers) hidden.

Added p. 14
See the ASV Resource Guide for an overview of ASV scans and answers to common questions.
Added p. 33
See the ASV Resource Guide for an overview of ASV scans and answers to common questions.
Modified p. 2
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 4.0.
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 4.x.
Modified p. 2
August 2022 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
January 2025 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 5
[Diagram labels: POS, Merchant, Acquirer, Service Provider; Internet / Public Networks / Wireless] The intent of this PCI DSS v4.0 Quick Reference Guide is to help you understand how PCI DSS can help protect your payment processing environment and how to apply the standard.
[Diagram labels: POS, Merchant, Acquirer, Service Provider; Internet / Public Networks / Wireless] The intent of this PCI DSS v4.x Quick Reference Guide is to help you understand how PCI DSS can help protect your payment processing environment and how to apply the standard.
Modified p. 7
Mobile Standards

• Includes the Contactless Payments on COTS (CPoC) and Software-based PIN Entry on COTS (SPoC) standards for mobile payment-acceptance solutions on commercial-off-the-shelf (COTS) devices (e.g., smartphone or tablet) in a merchant-attended environment.
Mobile Standards

• Includes the Contactless Payments on COTS (CPoC), Mobile Payments on COTS (MPoC), and Software-based PIN Entry on COTS (SPoC) standards for mobile payment-acceptance solutions on commercial-off-the-shelf (COTS) devices (e.g., smartphone or tablet) in a merchant-attended environment.
Modified p. 7
Other Standards

• Other PCI Standards define controls and testing requirements for PIN security, physical and logical card production and provisioning, token service providers, and access security (3-D Secure).
Other Standards

• Other PCI Standards define controls and testing requirements for PIN security, physical and logical card production and provisioning, token service providers, and security to protect environments where specific 3DS functions occur (3-D Secure).
Modified p. 9
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment account processing: merchants, processors, acquirers, issuers, and other service providers. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data and/or sensitive authentication data. This includes all entities involved in payment account processing: merchants, processors, acquirers, issuers, and other service providers. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Modified p. 9
PCI DSS requirements apply to entities with environments where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted, and entities with environments that can impact the security of the CDE. Some PCI DSS requirements may also apply to entities with environments that do not store, process, or transmit account data: for example, entities that outsource payment operations or management of their CDE.
PCI DSS requirements apply to entities with environments where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted, and entities with environments that can impact the security of cardholder data and/or sensitive authentication data. Some PCI DSS requirements may also apply to entities with environments that do not store, process, or transmit account data: for example, entities that outsource payment operations or management of their cardholder data environment (CDE).
Modified p. 14
Choosing an Approved Scanning Vendor The ASV’s role is to determine whether the customer meets the PCI DSS external vulnerability scanning requirements. ASVs and their ASV scan solutions are qualified by the PCI Security Standards Council to perform external network and system scans as required by PCI DSS. An ASV may use its own software or a commercial or open-source solution that is PCI-approved as part of the ASV qualification process. An ASV scan solution includes the scanning procedures and …
Choosing an Approved Scanning Vendor The ASV’s role is to determine whether the customer meets the PCI DSS external vulnerability scanning requirements. ASVs and their ASV scan solutions are qualified by the PCI Security Standards Council to perform external network and system scans as required by PCI DSS. An ASV may use its own software or a commercial or open-source solution that is PCI-approved as part of the ASV qualification process. An ASV scan solution includes the scanning procedures and …
Modified p. 15
• System components, people, and processes that could impact the security of the CDE.
• System components, people, and processes that could impact the security of the cardholder data and/or sensitive authentication data.
Modified p. 17
Understanding responsibilities between customers and TPSPs Customers and TPSPs should clearly identify and understand the services and system components included in the scope of the TPSP’s PCI DSS assessment, the specific PCI DSS requirements and sub-requirements covered by the TPSP’s PCI DSS assessment, and any requirements that are the responsibility of the TPSP’s customers to include in their own PCI DSS assessments, and any requirements for which responsibility is shared between the TPSP and its customers.
Understanding responsibilities between customers and TPSPs Customers and TPSPs should clearly identify and understand the services and system components included in the scope of the TPSP’s PCI DSS assessment, the specific PCI DSS requirements and sub-requirements covered by the TPSP’s PCI DSS assessment, any requirements that are the responsibility of the TPSP’s customers to include in their own PCI DSS assessments, and any requirements for which responsibility is shared between the TPSP and its customers.
Modified p. 19
Understanding PCI DSS v4.0 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Understanding PCI DSS v4.x This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 20
Understanding PCI DSS v4.0 Approaches for Implementing and Validating PCI DSS To provide flexibility for different ways entities may use to meet security objectives, PCI DSS v4.0 includes two approaches for implementing controls and validating to PCI DSS. Entities should identify the approach, or combination of approaches, best suited to their needs.
Understanding PCI DSS v4.x Approaches for Implementing and Validating PCI DSS To provide flexibility for different ways entities may use to meet security objectives, PCI DSS v4.x includes two approaches for implementing controls and validating to PCI DSS. Entities should identify the approach, or combination of approaches, best suited to their needs.
Modified p. 23
Summary of PCI DSS v4.0 Requirements 1•12 Build and Maintain a Secure Network and Systems In the past, theft of financial records required a criminal to physically enter an entity’s business site. Now, payment transactions occur with many different electronic devices, including traditional payment terminals, mobile devices, and other Internet-connected computer systems. By using network security controls, entities can prevent criminals from virtually accessing payment system networks and stealing payment account data.
Summary of PCI DSS v4.x Requirements 1•12 Build and Maintain a Secure Network and Systems In the past, theft of financial records required a criminal to physically enter an entity’s business site. Now, payment transactions occur with many different electronic devices, including traditional payment terminals, mobile devices, and other Internet-connected computer systems. By using network security controls, entities can prevent criminals from virtually accessing payment system networks and stealing payment account data.
Modified p. 33
Requirement 11: Test security of systems and networks regularly Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Requirement 11: Test security of systems and networks regularly Vulnerabilities are being discovered continually by malicious individuals and researchers, as well as being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.