{"id":157,"date":"2022-08-18T01:34:25","date_gmt":"2022-08-17T23:34:25","guid":{"rendered":"https:\/\/pcihispano.org\/?p=157"},"modified":"2026-05-06T19:17:19","modified_gmt":"2026-05-06T17:17:19","slug":"analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/","title":{"rendered":"Analysis of PCI DSS v4.0 \u2013 Part II: Requirements 1 and 2"},"content":{"rendered":"<p><span class=\"intro-text\">In this second part of the series \u201c<a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\">Analysis of PCI DSS v4.0<\/a>\u201d a review shall be carried out of requirements 1 and 2 of the standard, which are part of the group \u201c<em>Build and Maintain a Secure Network and Systems<\/em>\u201d, aimed at controlling incoming and outgoing network traffic from the environment and the secure configuration of system components; or <em>hardening<\/em>.<\/span><\/p>\n<div class=\"su-box su-box-style-glass\" id=\"\" style=\"border-color:#000000;border-radius:5px;max-width:none\"><div class=\"su-box-title\" style=\"background-color:#333333;color:#FFFFFF;border-top-left-radius:3px;border-top-right-radius:3px\">Analysis of PCI DSS v4.0<\/div><div class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:3px;border-bottom-right-radius:3px\">\n<p>All articles in the series <a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0<\/a>:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part I: Introduction<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part II: Requirements 1 and 2<\/a><\/li>\n<li><a 
href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part III: Requirements 3 and 4<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part IV: Requirements 5 and 6<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part V: Requirements 7, 8 and 9<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 Part VI: Requirements 10 and 11<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0 \u2013 Part VII: Requirement 12<\/a><\/li>\n<\/ul>\n<\/div><\/div>\n<p>As indicated in the first part of this series of articles, it is important to note that these requirements have been renamed in version 4.0 of the standard to adapt to technological changes in security controls and to expand the scope of their applicability.<\/p>\n<div id=\"attachment_184\" style=\"width: 1261px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-184\" class=\"size-full wp-image-184\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Group1.png?resize=900%2C184&#038;ssl=1\" alt=\"\" width=\"900\" height=\"184\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group1.png?w=1251&amp;ssl=1 1251w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group1.png?resize=300%2C61&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group1.png?resize=1024%2C210&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group1.png?resize=768%2C157&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group1.png?resize=500%2C102&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-184\" class=\"wp-caption-text\">Changes in the names of PCI DSS requirements 1 and 2<\/p><\/div>\n<h4>Requirement 1: <em>Install and Maintain Network Security Controls<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req1.png?resize=900%2C85&#038;ssl=1\" alt=\"\" width=\"900\" height=\"85\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req1.png?w=1249&amp;ssl=1 1249w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req1.png?resize=300%2C28&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req1.png?resize=1024%2C97&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req1.png?resize=768%2C73&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req1.png?resize=500%2C47&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>The widespread adoption of virtualisation technologies (including software-defined networks \u2013 <em>Software Defined Networks<\/em> or SDN) and containers, as well as of network infrastructures provided by cloud service providers (<em>cloud<\/em>), has significantly impacted the first PCI DSS requirement. 
In fact, this change can be seen in the renaming of the requirement and the removal of the term \u2018firewall\u2019, which had been present since the first version of the standard.<\/p>\n<p>However, these changes came as no surprise, as the PCI SSC had already anticipated some of them in the document <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/PCI_SSC_Cloud_Guidelines_v3.pdf\">Information Supplement \u2013 Cloud Computing Guidelines<\/a>, published in April 2018, which analyzed a series of technical security considerations for the implementation of multi-tenant cloud environments (<em>Multi-tenant cloud environment<\/em>), emerging architectures such as the Internet of Things (<em>Internet of Things<\/em> \u2013 IoT) or <em>Fog Computing<\/em>, and technologies such as <em>Software Defined Networking<\/em> (SDN), containers and <em>Virtual Desktop Infrastructure<\/em> (VDI). All these technological changes bring new threats and new risks that were not being managed correctly or that did not fit well with the criteria established in version 3.2.1 of PCI DSS.<\/p>\n<p>That is why <span class=\"highlight\">in PCI DSS version 4.0, the traditional concept of \u201cfirewall\u201d has been dropped and replaced by the concept of 
<strong>Network Security Controls (NSCs)<\/strong><\/span>, a much broader concept that encompasses not only the <em>firewalls<\/em> named previously, but also any other network technology that can control network traffic between two or more logical or physical network segments based on predefined rules or policies.<\/p>\n<div id=\"attachment_187\" style=\"width: 1262px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-187\" class=\"size-full wp-image-187\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/fw_vs_nsc.png?resize=900%2C293&#038;ssl=1\" alt=\"\" width=\"900\" height=\"293\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/fw_vs_nsc.png?w=1252&amp;ssl=1 1252w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/fw_vs_nsc.png?resize=300%2C98&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/fw_vs_nsc.png?resize=1024%2C334&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/fw_vs_nsc.png?resize=768%2C250&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/fw_vs_nsc.png?resize=500%2C163&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-187\" class=\"wp-caption-text\">Difference between the concept of \u2018Firewall\u2019 and \u2018Network Security Control\u2019<\/p><\/div>\n<p>Generally speaking, this requirement retains the same organization of controls seen in PCI DSS v3.2.1, but some controls have been added or changed to adapt them to the concept of NSCs. 
Some of the most representative changes are:<\/p>\n<ul>\n<li><strong>Configuration standards for NSC filtering rules<\/strong> are required (1.2.1).<\/li>\n<li>Changes to network connections and NSC configurations (1.2.2) must be implemented following the <strong>PCI DSS change management methodology<\/strong>, as specified in requirement 6.<\/li>\n<li>For <strong>network diagrams<\/strong> (1.2.3), good practices have been added, including the labelling of network segments, the identification of the security controls that provide segmentation together with their details (control name, model, version, etc.), the inclusion of all in-scope components, the labelling of out-of-scope areas and change-control information for the document (date of the last update, person responsible for the change, approver of the change and an explanatory legend for the diagram).<\/li>\n<li>For <strong>data-flow diagrams<\/strong> (1.2.4), it is indicated that this diagram complements the network diagram, and it is recommended to include all processes (authorization, capture, settlement, returns, refunds, etc.) 
and card data flows, including those involving physical media.<\/li>\n<li>Only <strong>identified services, protocols and ports<\/strong> that are approved and have a defined business need are permitted (1.2.5), with additional controls for ports considered insecure (1.2.6).<\/li>\n<li><strong>A six-monthly review of the NSC configurations<\/strong> must be carried out to confirm that they remain relevant and effective (1.2.7).<\/li>\n<li>If the NSCs use <strong>configuration files<\/strong>, these must be protected against unauthorised access and kept consistent with the active network configuration (1.2.8).<\/li>\n<\/ul>\n<p>Likewise, <span class=\"highlight\">the terminology for the network segments to be protected has been clarified, aligning it with the criteria described in the document <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf\">Information Supplement \u2013 Guidance for PCI DSS Scoping and Network Segmentation<\/a><\/span>. In that sense, the intention is that a network security control (<em>Network Security Control<\/em> \u2013 NSC) be deployed between environments with different levels of trust (including internal networks). From this perspective, two main network blocks are identified:<\/p>\n<ul>\n<li><strong>Trusted networks<\/strong> (<em>trusted networks<\/em>): Any network that is under the control or management of the entity and that complies with the applicable PCI DSS requirements. This category includes the CDE and systems connected to or likely to impact the security of the CDE.<\/li>\n<li><strong>Untrusted networks<\/strong> (<em>untrusted networks<\/em>): Any network outside the entity's control, including the Internet, dedicated communication channels, wireless networks, Internet Service Provider (ISP) networks, including mobile networks, and third-party networks. 
It is also clarified that, <em>if a network is out of scope for PCI DSS, it should be considered an untrusted network<\/em>.<\/li>\n<\/ul>\n<p>Thus, the traffic filtering rules implemented by NSCs must follow these criteria:<\/p>\n<div id=\"attachment_188\" style=\"width: 1325px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-188\" class=\"size-full wp-image-188\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/rules_networks_PCIDSS.png?resize=900%2C543&#038;ssl=1\" alt=\"\" width=\"900\" height=\"543\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/rules_networks_PCIDSS.png?w=1315&amp;ssl=1 1315w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/rules_networks_PCIDSS.png?resize=300%2C181&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/rules_networks_PCIDSS.png?resize=1024%2C618&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/rules_networks_PCIDSS.png?resize=768%2C463&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/rules_networks_PCIDSS.png?resize=500%2C302&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-188\" class=\"wp-caption-text\">Criteria to follow in NSC policies or rules<\/p><\/div>\n<p>An interesting point in this version of the standard is that <span class=\"highlight\">the obligation to implement a <strong>Demilitarized Zone<\/strong> (DMZ) as a network segment to limit inbound traffic (1.3.1 in PCI DSS 3.2.1) has disappeared, although it is now recommended as a good practice<\/span>. 
However, if a DMZ is implemented and this segment processes or transmits payment card data, it should be considered part of the CDE.<\/p>\n<h4>Requirement 2: <em>Apply Secure Configurations to All System Components<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-189\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req2.png?resize=900%2C91&#038;ssl=1\" alt=\"\" width=\"900\" height=\"91\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req2.png?w=1254&amp;ssl=1 1254w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req2.png?resize=300%2C30&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req2.png?resize=1024%2C104&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req2.png?resize=768%2C78&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req2.png?resize=500%2C51&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>As with requirement 1, this requirement was renamed to make the applicability of secure configuration controls more flexible, emphasizing that it is not enough to change default values: unnecessary software, functions and accounts must also be removed, and unnecessary services must be disabled or removed. Also, <span class=\"highlight\">emphasis is placed on the fact that this requirement applies not only to \u201ctraditional\u201d systems but also to any other system accessed through a cloud subscription service (<em>cloud<\/em>)<\/span>.<\/p>\n<p>Among the changes applied to this requirement, the following should be highlighted:<\/p>\n<ul>\n<li>The development of <strong>Secure Configuration Standards<\/strong> for all system components (2.2.1), including cloud systems. 
As a reference for these, the Cloud Security Alliance (CSA) has also been added.<\/li>\n<li><strong>The use of default accounts from manufacturers<\/strong> (<em>vendors<\/em>) is allowed, as long as their default password is changed (2.2.2). Otherwise, these accounts must be removed or deleted. This is an important change from PCI DSS v3.2.1, since in that version of the standard these default accounts simply had to be deleted or removed, and any exceptions had to be managed through compensating controls.<\/li>\n<li>Clarification of the applicability of the concept of \u201c<strong>primary function<\/strong>\u201d (2.2.3), allowing the coexistence of different primary functions with different security levels on the same system as long as they are isolated from each other or as long as they are all secured to the level of the one with the highest security level. This concept had already been discussed earlier in the document <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Virtualization_InfoSupp_v2.pdf\">Information Supplement \u2013 PCI DSS Virtualization Guidelines<\/a> of June 2011, focused on virtualization technologies, but PCI DSS version 4.0 now includes it explicitly.<\/li>\n<li>Only the <strong>services, protocols, daemons and other functions<\/strong> that are necessary should be allowed, removing or disabling all others (2.2.4), and justifying and adding additional controls for those considered insecure (2.2.5).<\/li>\n<li><strong>Non-console administrative access<\/strong> (<em>non-console<\/em>) is only allowed as long as it is encrypted using strong cryptography. 
This includes not only traditional (browser-based) administrative interfaces but also access via application programming interfaces (<em>Application Programming Interfaces<\/em> \u2013 APIs).<\/li>\n<li>Additional controls are added to the secure configuration process for <strong>wireless environments<\/strong> (2.3.1), including changing the encryption keys of wireless networks that transmit card data or are connected to the CDE whenever personnel with knowledge of those keys leave the company, or whenever a key is compromised or suspected of being compromised.<\/li>\n<\/ul>\n<p>Finally, component inventory control (2.4 in PCI DSS v3.2.1) has moved to requirement 12, a location more consistent with its objective.<\/p>\n<p>The next article will analyze requirements 3 and 4 of PCI DSS, which address the security of card data during storage and transmission.<\/p>\n<h4>References<\/h4>\n<ul>\n<li>Information Supplement \u2013 Cloud Computing Guidelines <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/PCI_SSC_Cloud_Guidelines_v3.pdf\">https:\/\/www.pcisecuritystandards.org\/pdfs\/PCI_SSC_Cloud_Guidelines_v3.pdf<\/a><\/li>\n<li>Information Supplement \u2013 Guidance for PCI DSS Scoping and Network Segmentation <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.pcisecuritystandards.org\/documents\/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf<\/a><\/li>\n<li>Information Supplement \u2013 PCI DSS Virtualization Guidelines <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Virtualization_InfoSupp_v2.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.pcisecuritystandards.org\/documents\/Virtualization_InfoSupp_v2.pdf<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>In this second part of the series \u2018Analysis of PCI DSS v4.0\u2019, a review will be carried out of requirements 1 and 2 
of the standard, which are part of the \u2018Build and Maintain a Secure Network and Systems\u2019 group, aimed at control [\u2026]<\/p>","protected":false},"author":2,"featured_media":159,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[7,354],"tags":[8,9,10,12,11,13,14],"class_list":["post-157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pci-dss-4-0","category-pcidss","tag-4-0","tag-dss","tag-hardening","tag-ncs","tag-network-security-control","tag-requerimiento-1","tag-requerimiento-2"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1920%2C1080&ssl=1","jetpack-related-posts":[{"id":98,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/","url_meta":{"origin":157,"position":0},"title":"An\u00e1lisis de PCI DSS v4.0 &#8211; Parte I: Introducci\u00f3n","author":"David Acosta","date":"agosto 17, 2022","format":false,"excerpt":"En esta primera parte de esta serie \"An\u00e1lisis de PCI DSS v4.0\" se analizar\u00e1 la historia detr\u00e1s de la versi\u00f3n 4.0 del est\u00e1ndar, las variables que influyeron en su cambio y el proceso de revisi\u00f3n y publicaci\u00f3n asociado. 
A continuaci\u00f3n, en entregas subsiguientes, se realizar\u00e1 una revisi\u00f3n a los cambios\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":477,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/","url_meta":{"origin":157,"position":1},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte VII: Requerimiento 12","author":"David Acosta","date":"noviembre 17, 2022","format":false,"excerpt":"En este pen\u00faltimo art\u00edculo de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se presenta un an\u00e1lisis a los cambios del requerimiento 12 - parte del grupo 6 \u201cMaintain an Information Security Policy\u201d- en la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS. 
Requerimiento 12: Support Information Security with Organizational Policies and Programs\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":391,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/","url_meta":{"origin":157,"position":2},"title":"An\u00e1lisis de PCI DSS v4.0 Parte VI: Requerimientos 10 y 11","author":"David Acosta","date":"septiembre 15, 2022","format":false,"excerpt":"En esta sexta entrega de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se analizar\u00e1n los requerimientos 10 y 11 del est\u00e1ndar PCI DSS v4.0. Estos requerimientos hacen parte del grupo 5. Regularly Monitor and Test Networks, que continua con el mismo nombre de la versi\u00f3n 3.2.1 del est\u00e1ndar. 
El objetivo\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":176,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/","url_meta":{"origin":157,"position":3},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte IV: Requerimientos 5 y 6","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"En esta cuarta entrega de la serie \u201cAn\u00e1lisis de PCI DSS 4.0\u201d se presenta una revisi\u00f3n a los cambios en los requerimientos 5 y 6 del est\u00e1ndar PCI DSS ocurridos entre las versiones 3.2.1 y 4.0. 
Estos dos requerimientos est\u00e1n enfocados a la protecci\u00f3n a nivel de software para prevenir,\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":173,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/","url_meta":{"origin":157,"position":4},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte III: Requerimientos 3 y 4","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"Continuando con el an\u00e1lisis a la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS, en esta tercera parte de la serie se analizar\u00e1n los requerimientos 3 y 4 que hacen parte del grupo \u201cProtect Account Data\u201d, enfocados a la protecci\u00f3n de la confidencialidad y la integridad de los datos de tarjetas de\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS 
v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":179,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/","url_meta":{"origin":157,"position":5},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte V: Requerimientos 7, 8 y 9","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"En esta quinta entrega de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se analizar\u00e1n los cambios aplicados a los requerimientos 7, 8 y 9 del est\u00e1ndar en su nueva versi\u00f3n (4.0). 
Estos requerimientos \u2013 que hacen parte del grupo 4 \u201cImplement Strong Access Control Measures\u201d \u2013 est\u00e1n orientados hacia la\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte5.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte5.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte5.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte5.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte5.png?fit=1200%2C675&ssl=1&resize=1050%2C600 
3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"predecessor-version":[{"id":11751,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/157\/revisions\/11751"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/159"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}