PCI-DSS v4.0
Achieve PCI-DSS compliance for payment card processing with CyberOrigen.
Overview
PCI-DSS (Payment Card Industry Data Security Standard) is required for any organization that stores, processes, or transmits cardholder data.
Requirements
12 Requirements
| # | Requirement |
|---|---|
| 1 | Install and maintain network security controls |
| 2 | Apply secure configurations |
| 3 | Protect stored account data |
| 4 | Protect cardholder data with strong cryptography |
| 5 | Protect systems against malware |
| 6 | Develop and maintain secure systems |
| 7 | Restrict access by business need-to-know |
| 8 | Identify users and authenticate access |
| 9 | Restrict physical access to cardholder data |
| 10 | Log and monitor all access |
| 11 | Test security regularly |
| 12 | Support security with policies and programs |
Validation Levels
| Level | Criteria | Validation |
|---|---|---|
| 1 | >6M transactions/year | Annual ROC by QSA |
| 2 | 1-6M transactions/year | Annual SAQ, quarterly ASV |
| 3 | 20K-1M e-commerce transactions/year | Annual SAQ, quarterly ASV |
| 4 | <20K e-commerce transactions/year, or <1M transactions/year through other channels | Annual SAQ, quarterly ASV |
Getting Started
1. Enable Framework
- Go to GRC → Frameworks
- Click Enroll on PCI-DSS v4.0
- Select applicable SAQ type
- Click Enable
2. Scope Definition
Define your Cardholder Data Environment (CDE):
- Systems that store, process, or transmit cardholder data (CHD)
- Systems connected to the CDE
- Security systems that protect the CDE
3. Gap Assessment
- Run compliance scan
- Review requirements
- Identify gaps
- Plan remediation
Key Requirements
Requirement 6 - Secure Development
| Sub-Req | Title | CyberOrigen Feature |
|---|---|---|
| 6.2 | Vulnerability identification | Vulnerability scanning |
| 6.3 | Secure development | SAST with Semgrep |
| 6.4 | Web application security | Web app scanning |
| 6.5 | Change management | Change tracking |
Requirement 11 - Security Testing
| Sub-Req | Title | CyberOrigen Feature |
|---|---|---|
| 11.2 | Vulnerability scans | Quarterly scanning |
| 11.3 | Penetration testing | Scan reports |
| 11.4 | Intrusion detection | Threat intelligence |
Scanning Requirements
Internal Scanning
Requirement 11.2.1: Quarterly internal vulnerability scans.
CyberOrigen provides:
- Automated scheduling
- Compliance-mapped findings
- Remediation tracking
- Trend reporting
External Scanning
Requirement 11.2.2: Quarterly external scans by ASV.
CyberOrigen scans meet PCI requirements:
- External perspective
- Full port scanning
- SSL/TLS analysis
- Compliance reporting
Penetration Testing
Requirement 11.3: Annual penetration testing.
CyberOrigen supports:
- Scan-based assessment
- Finding documentation
- Remediation verification
Control Mapping
CyberOrigen maps PCI-DSS to other frameworks:
| PCI-DSS | SOC 2 | ISO 27001 |
|---|---|---|
| 1.1 | CC6.6 | A.8.20 |
| 2.1 | CC6.1 | A.8.9 |
| 3.4 | CC6.7 | A.8.24 |
| 6.1 | CC7.1 | A.8.8 |
| 7.1 | CC6.1 | A.5.15 |
| 8.1 | CC6.1 | A.5.16 |
| 10.1 | CC7.2 | A.8.15 |
| 11.2 | CC7.1 | A.8.8 |
Evidence Collection
Automated Evidence
- Vulnerability scan reports
- Configuration assessments
- Access reviews
- Network topology
Manual Evidence
- Policies and procedures
- Data flow diagrams
- Incident response plans
- Training records
SAQ Types
SAQ A
E-commerce merchants that fully outsource all cardholder data functions:
- Minimal requirements
- Mainly policies and vendor management
SAQ A-EP
E-commerce with partial outsourcing:
- Web application requirements
- Redirect security
SAQ D
Full assessment for service providers or merchants:
- All 12 requirements
- Complete documentation
Quarterly Activities
- Internal vulnerability scan
- External vulnerability scan (ASV)
- File integrity monitoring review
- User access review
- Wireless network scan
Annual Activities
- Penetration test
- Policy review
- Security awareness training
- Incident response testing
- Risk assessment
Common Gaps
| Requirement | Issue | Solution |
|---|---|---|
| 2.1 | Default passwords | Password policy |
| 3.4 | Unencrypted PAN | Encryption implementation |
| 6.2 | Unpatched systems | Patch management |
| 8.3 | No MFA | MFA deployment |
| 11.2 | Missing scans | Scan scheduling |