We recently discussed the required cataloging of your organization’s software for the future PCI DSS v4. While maintaining inventories is not a novel concept for digital organizations, PCI DSS v4.0.1 introduces several new inventory requirements that many organizations may not currently have in place:
Documented Cipher Suite Inventory
No doubt at some point you have rummaged through a drawer and found an old key or two and wondered if you may still need them or if you should dispose of them. The same analogy applies to cryptographic security. PCI DSS Requirement 12.3.3, which becomes mandatory on March 31, 2025, emphasizes the documentation and regular review of cryptographic cipher suites and protocols to ensure outdated or weak encryption methods are identified and replaced, strengthening overall security.
For starters, PCI DSS v4.0.1 aligns with NIST and industry best practices regarding the use of modern, secure cipher suites for encryption and secure communications. Key points include:
- Requiring the use of strong cryptographic protocols, such as TLS 1.2 or higher, for securing cardholder data.
- Deprecating weak encryption standards, including TLS 1.0, TLS 1.1, and older cipher suites deemed insecure.
- Encouraging the use of strong encryption algorithms (e.g., AES-256) where applicable but not explicitly mandating specific ciphers.
Regarding documentation requirements, Requirement 12.3.3 introduces new mandates that include the following:
- Document and review cryptographic cipher suites and protocols in use at least once every 12 months.
- Maintain an up-to-date inventory of all cryptographic cipher suites and protocols in use. This should also include where these cipher suites and protocols are used and the purpose of each implementation.
- Develop and document a response plan for addressing new or emerging cryptographic vulnerabilities.
- Actively monitor market trends to ensure the continued viability of the cryptographic cipher suites in use.
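To make the four mandates above concrete, here is an added example (not code from PCI SSC or HALOCK) of what a machine-readable cipher suite inventory and its annual review check might look like in Python. The record fields, the list of weak cipher suite name tokens, the two sample inventory entries and the choice to treat an unbounded SSLContext minimum as TLSv1 are all assumptions made for illustration; the ssl module calls are real standard-library APIs.

```python
"""Cipher suite inventory with a 12.3.3-style review check (added example)."""
import ssl
from dataclasses import dataclass
from datetime import date

# Protocols PCI DSS v4.0.1 treats as deprecated for protecting cardholder data.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed list of name tokens that mark a cipher suite as weak; extend as your policy requires.
WEAK_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXPORT", "EXP", "MD5", "ADH", "AECDH", "aNULL", "eNULL"}
REVIEW_INTERVAL_DAYS = 365  # "at least once every 12 months"


@dataclass
class CipherSuiteRecord:
    system: str           # which system or service
    location: str         # where the configuration lives
    purpose: str          # why this implementation exists
    protocols: list       # e.g. ["TLSv1.2", "TLSv1.3"]
    cipher_suites: list   # OpenSSL- or IANA-style suite names
    last_reviewed: date


def _is_weak_suite(name: str) -> bool:
    """Split OpenSSL ("ECDHE-RSA-AES128-SHA") or IANA ("TLS_RSA_WITH_3DES_EDE_CBC_SHA")
    names into tokens and look for any weak token."""
    tokens = set(name.replace("_", "-").split("-"))
    return bool(tokens & WEAK_TOKENS)


def review(record: CipherSuiteRecord, today: date) -> list:
    """Return human-readable findings; an empty list means the record passes."""
    findings = []
    for proto in record.protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{record.system}: deprecated protocol {proto} enabled at {record.location}")
    for suite in record.cipher_suites:
        if _is_weak_suite(suite):
            findings.append(f"{record.system}: weak cipher suite {suite} enabled at {record.location}")
    if (today - record.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append(f"{record.system}: last review on {record.last_reviewed} is older than 12 months")
    return findings


def review_inventory(inventory: list, today: date) -> list:
    return [finding for rec in inventory for finding in review(rec, today)]


_TLS_NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def record_from_ssl_context(ctx: ssl.SSLContext, system: str, location: str,
                            purpose: str, last_reviewed: date) -> CipherSuiteRecord:
    """Inventory a Python service's own TLS configuration from its SSLContext."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:  # assumption: an unbounded floor means TLSv1
        lo = ssl.TLSVersion.TLSv1
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    protocols = [name for ver, name in _TLS_NAMES.items() if lo <= ver <= hi]
    suites = [c["name"] for c in ctx.get_ciphers()]
    return CipherSuiteRecord(system, location, purpose, protocols, suites, last_reviewed)


# Constructed sample inventory: one current entry and one legacy entry.
INVENTORY = [
    CipherSuiteRecord("payment-api", "nginx.conf on the web tier",
                      "TLS for cardholder data in transit",
                      ["TLSv1.2", "TLSv1.3"],
                      ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
                      date(2024, 9, 1)),
    CipherSuiteRecord("legacy-settlement-gw", "/etc/stunnel/stunnel.conf",
                      "nightly settlement file transfer",
                      ["TLSv1", "TLSv1.2"],
                      ["ECDHE-RSA-AES256-SHA", "DES-CBC3-SHA"],
                      date(2023, 6, 15)),
]

if __name__ == "__main__":
    for line in review_inventory(INVENTORY, date(2025, 3, 31)):
        print(line)
```

Run against the sample inventory on the enforcement date, the legacy gateway produces three findings (a deprecated protocol, a 3DES suite and an overdue review) while the payment API produces none. The same review function can be fed records built from a live SSLContext, which is a practical way to keep the inventory honest for services written in Python.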
Securing and Documenting your Certificates
If your organization accepts online transactions, then it has one or more digital certificates. These certificates provide a foundation of trust and security in online commerce. They authenticate the identity of websites and assure customers that the site they are interacting with is owned and run by a legitimate business. They also enable encrypted connections to protect sensitive data like credit card information from interception. With all the things your certificates do, it is no wonder that PCI DSS v4 has specific requirements for them.
The new 4.2.1.1 requirement that comes into effect on March 31, 2025, mandates that organizations maintain an inventory of trusted keys and certificates used to protect PAN (Primary Account Number) during transmission. This inventory should include:
- Issuing Certificate Authority (CA)
- Certificate expiration dates
- Where certificates are used and for what purpose
It also mandates documenting and reviewing cryptographic cipher suites and protocols in use at least once every 12 months. Procedures must also be in place to check certificates for expiration or revocation.
While the use of self-signed certificates is not explicitly prohibited under the new requirements, PCI DSS v4.0.1 does mandate that only trusted certificates be used for protecting primary account numbers (PANs). This implies that organizations should use certificates issued by a trusted Certificate Authority (CA) to maintain secure encrypted connections.
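As an added illustration (not code from PCI SSC or HALOCK) of the 4.2.1.1 inventory and the expiration, revocation and trusted-CA checks described above, the Python below builds certificate records from the dictionary shape that the standard library's ssl.SSLSocket.getpeercert() returns and reviews them. The record fields, the 30-day renewal lead time, the 7-day maximum age for a revocation status check, the approved-CA list and the two sample certificates are all constructed assumptions; ssl.cert_time_to_seconds is a real standard-library function.

```python
"""Certificate inventory with expiry, issuer and revocation-check review (added example)."""
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

EXPIRY_WARNING_DAYS = 30             # assumed lead time for renewal
REVOCATION_CHECK_MAX_AGE_DAYS = 7    # assumed: OCSP/CRL status must be refreshed weekly
TRUSTED_ISSUERS = {"Example Trust CA G2"}  # assumed approved-CA list (placeholder name)


@dataclass
class CertificateRecord:
    subject_cn: str
    issuer_cn: str               # issuing Certificate Authority
    serial: str
    not_after: datetime          # expiration date
    used_where: str              # where the certificate is used
    purpose: str                 # what it is used for
    last_revocation_check: datetime
    revocation_status: str       # "good" or "revoked" as last reported by OCSP/CRL


def _name_field(rdn_seq, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""


def record_from_peercert(cert: dict, used_where: str, purpose: str,
                         last_check: datetime, status: str) -> CertificateRecord:
    # ssl.cert_time_to_seconds parses the 'Jun 30 23:59:59 2025 GMT' format as UTC.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return CertificateRecord(
        _name_field(cert["subject"], "commonName"),
        _name_field(cert["issuer"], "commonName"),
        cert.get("serialNumber", ""),
        not_after, used_where, purpose, last_check, status,
    )


def review(rec: CertificateRecord, now: datetime) -> list:
    """Return findings for one certificate; an empty list means it passes."""
    findings = []
    days_left = (rec.not_after - now).days
    if days_left < 0:
        findings.append(f"{rec.subject_cn}: expired on {rec.not_after:%Y-%m-%d}")
    elif days_left <= EXPIRY_WARNING_DAYS:
        findings.append(f"{rec.subject_cn}: expires in {days_left} days, schedule renewal")
    if rec.issuer_cn == rec.subject_cn:
        findings.append(f"{rec.subject_cn}: self-signed, not issued by a trusted CA")
    elif rec.issuer_cn not in TRUSTED_ISSUERS:
        findings.append(f"{rec.subject_cn}: issuer {rec.issuer_cn!r} is not an approved CA")
    if rec.revocation_status != "good":
        findings.append(f"{rec.subject_cn}: revocation status is {rec.revocation_status!r}")
    if (now - rec.last_revocation_check).days > REVOCATION_CHECK_MAX_AGE_DAYS:
        findings.append(f"{rec.subject_cn}: revocation status last checked {rec.last_revocation_check:%Y-%m-%d}")
    return findings


def review_inventory(inventory: list, now: datetime) -> list:
    return [finding for rec in inventory for finding in review(rec, now)]


# Constructed sample data in the shape getpeercert() returns (values are placeholders).
CHECKOUT_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "checkout.example.com"),)),
    "issuer": ((("organizationName", "Example Trust"),), (("commonName", "Example Trust CA G2"),)),
    "notAfter": "Jun 30 23:59:59 2025 GMT",
    "serialNumber": "PLACEHOLDER-SERIAL-1",
}
GATEWAY_CERT = {
    "subject": ((("commonName", "pan-gateway.internal"),),),
    "issuer": ((("commonName", "pan-gateway.internal"),),),   # self-signed
    "notAfter": "Apr 10 23:59:59 2025 GMT",
    "serialNumber": "PLACEHOLDER-SERIAL-2",
}
NOW = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    record_from_peercert(CHECKOUT_CERT, "public checkout site", "protect PAN in transit",
                         datetime(2025, 3, 30, tzinfo=timezone.utc), "good"),
    record_from_peercert(GATEWAY_CERT, "internal PAN gateway", "protect PAN between tiers",
                         datetime(2025, 2, 1, tzinfo=timezone.utc), "good"),
]

if __name__ == "__main__":
    for line in review_inventory(INVENTORY, NOW):
        print(line)
```

On the sample data the public checkout certificate passes, while the internal gateway produces three findings: it expires within 30 days, it is self-signed rather than issued by an approved CA, and its revocation status has not been refreshed recently. Each record already carries the issuing CA, expiration date, location and purpose that the requirement asks to be inventoried, so the same structure can be exported as the documented inventory itself.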
As a reminder, PCI DSS has long required the security of cryptographic keys used to protect stored account data. For instance, PCI DSS Requirement 3.6 mandates securing cryptographic keys used for account data, limiting access to essential key custodians only.
If you find these evolving compliance standards challenging to navigate, we strongly encourage you to reach out to HALOCK Security Labs. Our compliance team and QSAs can:
- Provide clarity on the numerous compliance changes coming soon.
- Conduct a comprehensive gap analysis to identify potential compliance issues.
- Develop a tailored strategy to accelerate your path to compliance.
Do not let the complexity of these changes put your compliance at risk. Our experts can guide you through this critical transition.