{"id":179,"date":"2022-08-18T18:42:59","date_gmt":"2022-08-18T16:42:59","guid":{"rendered":"https:\/\/pcihispano.org\/?p=179"},"modified":"2026-05-06T19:17:03","modified_gmt":"2026-05-06T17:17:03","slug":"analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/","title":{"rendered":"Analysis of PCI DSS v4.0 \u2013 Part V: Requirements 7, 8 and 9"},"content":{"rendered":"<p><span class=\"intro-text\">In this fifth instalment of the series \u201c<a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\">Analysis of PCI DSS v4.0<\/a>\u201d the changes applied to requirements 7, 8 and 9 of the standard in its new version (4.0) shall be analysed. These requirements \u2013 which are part of Group 4 \u201c<em>Implement Strong Access Control Measures<\/em>\u201d \u2013 are oriented towards the implementation and monitoring of physical and logical controls for the identification, authentication, authorisation and privilege management of system components that are part of the PCI DSS compliance environment to prevent unauthorised access, control the confidentiality, integrity and availability of assets and enable the relationship between an entity (a person or a computer system) and the actions that that entity performs in the environment.<\/span><\/p>\n<div class=\"su-box su-box-style-glass\" id=\"\" style=\"border-color:#000000;border-radius:5px;max-width:none\"><div class=\"su-box-title\" style=\"background-color:#333333;color:#FFFFFF;border-top-left-radius:3px;border-top-right-radius:3px\">Analysis of PCI DSS v4.0<\/div><div class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:3px;border-bottom-right-radius:3px\">\n<p>All articles in the series <a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0<\/a>:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part I: Introduction<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part II: Requirements 1 and 2<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part III: Requirements 3 and 4<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part IV: Requirements 5 and 6<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part V: Requirements 7, 8 and 9<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 Part VI: Requirements 10 and 11<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0 \u2013 Part VII: Requirement 12<\/a><\/li>\n<\/ul>\n<\/div><\/div>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-231\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Group4.png?resize=900%2C200&#038;ssl=1\" alt=\"\" width=\"900\" height=\"200\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group4.png?w=1258&amp;ssl=1 1258w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group4.png?resize=300%2C67&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group4.png?resize=1024%2C227&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group4.png?resize=768%2C170&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Group4.png?resize=500%2C111&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Before proceeding with the analysis of the changes applied to these requirements, it is important to remember the definitions of some terms used throughout the standard:<\/p>\n<ul>\n<li>The <strong>identification<\/strong> is the attribution of a unique identity to a person or system.<\/li>\n<li>The <strong>authentication<\/strong> is the process of verifying the identity of the user\/system. By requesting access and submitting a unique User\/System ID, the User\/System provides a set of private data to which only the User\/System has access or knowledge. Validation of one or more of the following factors is used for this process:\n<ul>\n<li>Something that is known (<em>something you know<\/em> \u2013 SYK), as a password,<\/li>\n<li>Something you have (<em>something you have<\/em> \u2013 SYH), such as a token or smart card (<em>smart card<\/em>),<\/li>\n<li>Something that is (<em>something you are<\/em> -SYA), as a biometric control.<\/li>\n<\/ul>\n<\/li>\n<li>The <strong>authorisation<\/strong> is the process of defining the specific resources a user\/system needs (access) and determining privileges over those resources. The management of the authorisation should be based on the following criteria:\n<ul>\n<li>\u2018<strong>Need to know<\/strong>\u00bb (<em>Need-to-know<\/em>) refers to providing access only to the least amount of data necessary to perform a job.<\/li>\n<li>The \"<strong>minimum privileges<\/strong>\u00bb (<em>Least privileges<\/em>) refer to providing only the minimum level of privileges necessary to perform a job.<\/li>\n<li>The \u201c<strong>separation of responsibilities<\/strong>\u201d (<em>Separation of duties<\/em>) allow the division of mission critical functions between different individuals and\/or functions, defines roles and responsibilities for each individual or role and ensures that security personnel who manage access control functions do not also manage audit functions to avoid conflicts of interest using dual control and divided knowledge:\n<ul>\n<li><strong>Dual control<\/strong> (<em>dual control<\/em>): A process that uses two or more separate entities (usually individuals) that operate in concert to protect sensitive functions or information. No single entity may access or use the material.<\/li>\n<li><strong>Divided knowledge<\/strong> (S<em>plit knowledge<\/em>): Separation of data or information into two or more parts, each of which is constantly kept under the control of separately authorized persons or teams, so that no person or team knows the whole of the data.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The relationship between these three important concepts is simple:<\/p>\n<ul>\n<li>Identification provides <em>uniqueness<\/em><\/li>\n<li>Authentication provides <em>validity<\/em><\/li>\n<li>Authorization provides <em>control<\/em><\/li>\n<\/ul>\n<div id=\"attachment_232\" style=\"width: 1220px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-232\" class=\"wp-image-232\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/IAM_PCIDSS.png?resize=900%2C391&#038;ssl=1\" alt=\"\" width=\"900\" height=\"391\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/IAM_PCIDSS.png?w=1390&amp;ssl=1 1390w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/IAM_PCIDSS.png?resize=300%2C130&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/IAM_PCIDSS.png?resize=1024%2C445&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/IAM_PCIDSS.png?resize=768%2C334&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/IAM_PCIDSS.png?resize=500%2C217&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-232\" class=\"wp-caption-text\">Relationship between Authentication, Authorization and Identification<\/p><\/div>\n<p>The management of these three concepts is called \u2018Identity and access management\u2019 (<em>Identity and Access Management<\/em> \u2013 IAM) and its implementing rules are assessed in the controls of these three PCI DSS requirements.<\/p>\n<h4>Requirement 7: <em>Restrict Access to System Components and Cardholder Data by Business Need to Know<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-233\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req7.png?resize=900%2C91&#038;ssl=1\" alt=\"\" width=\"900\" height=\"91\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req7.png?w=1252&amp;ssl=1 1252w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req7.png?resize=300%2C30&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req7.png?resize=1024%2C103&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req7.png?resize=768%2C77&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req7.png?resize=500%2C50&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Requirement 7 defines the criteria for the <strong>authorisation and privilege management. <\/strong>This requirement has traditionally been the requirement with fewer controls of the PCI DSS standard and so has continued in version 4.0 of the standard.<\/p>\n<p>The changes implemented in this version are minimal and are mainly focused on clarifications and extension of their applicability.<\/p>\n<ul>\n<li>It is explicitly clarified that this requirement applies to <strong>interactive accounts<\/strong> (associated with a particular user) and access by employees, contractors, internal and external suppliers and other third parties. Certain controls also apply to application and system accounts used by the entity (also called \u00ab<strong>service accounts\u2019<\/strong>, used for connection between applications without direct interaction with a person).<\/li>\n<li>It is clarified that the controls of this requirement <u>do not apply to consumers<\/u> (cardholders).<\/li>\n<li>Required <u>a biannual review of all user accounts and their privileges<\/u> to validate and confirm that these elements continue to be appropriate based on the roles and responsibilities defined to identify variations during the processes of high, low or changes during the life cycle of the accounts. The Directorate must recognize that access is adequate (req. 7.2.4) \u2013 <em>This check will be valid from March 31, 2025.<\/em><\/li>\n<li>The applicability of this requirement is extended to cover not only interactive user accounts but also application and system accounts. To this end:\n<ul>\n<li>The allocation of privileges to these accounts must be based on the least privilege and their access must be limited to the systems, applications or processes that specifically require their use (req. 7.2.5) \u2013 <em>This check will be valid from March 31, 2025<\/em>.<\/li>\n<li>Required <u>a regular review of the implementation and system accounts<\/u> to remedy any inappropriate access. The Directorate must recognize that access is adequate (req. 7.2.5.1) \u2013 <em>This check will be valid from March 31, 2025<\/em>.<\/li>\n<li>Access to payment card data repositories must be through applications or programmatic methods based on roles and based on the least privilege, where only responsible administrators can execute direct queries to such repositories (req. 7.2.6). This control replaces PCI DSS v3.2.1 control 8.7, clarifying that access is not only to databases but to any card data repository.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The controls associated with the existence of an access control system for the environment configured to \u201cdeny everything\u201d (<em>deny all<\/em>) continuous default without major changes in this new version of the standard.<\/p>\n<h4>Requirement 8: <em>Identify Users and Authenticate Access to System Components<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-234\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req8.png?resize=900%2C91&#038;ssl=1\" alt=\"\" width=\"900\" height=\"91\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req8.png?w=1251&amp;ssl=1 1251w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req8.png?resize=300%2C30&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req8.png?resize=1024%2C103&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req8.png?resize=768%2C77&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req8.png?resize=500%2C50&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>As a complement to the management of the authorisation processes described in requirement 7, requirement 8 establishes the criteria for the identification and authentication of users, systems and\/or applications.<\/p>\n<p>Among the most relevant changes to this requirement are:<\/p>\n<ul>\n<li>In PCI DSS version 4.0 <strong>the use of group, shared, generic or other shared authentication credentials will be allowed<\/strong>, as long as its use is made in an exceptional, justified way, approved by the Management, the individual who uses the account is identified before guaranteeing its access and that each activity can be related to the user who performed it. This change makes it possible to manage certain technical limitations (such as the use of the root account in Unix operating systems), where it was previously necessary to use compensatory control as an alternative to compliance.<\/li>\n<li>Several changes were made to the password policy:\n<ul>\n<li>Invalid authentication attempts were expanded from 6 to 10 (req. 8.3.4)<\/li>\n<li>The password length was extended from 7 to 12 characters (or to 8, if the system does not support 10 characters) (req. 8.3.6)<\/li>\n<li>In the event that the password is used as the only access factor, these passwords must be changed every 90 days or it is required to analyze the security posture of the account dynamically, determining access to resources automatically and in real time (req. 8.3.9). This requirement also applies to customer accounts of service providers, as of March 31, 2025 (req. 8.3.10.1)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Regarding the use of <strong>Multifactor Authentication<\/strong> (MFA), the changes included in version 4.0 are as follows:<\/p>\n<ul>\n<li>MFA is required for all non-console access (access made using a network interface instead of a direct physical connection) to the CDE by personnel with administrative access (req. 8.4.1)<\/li>\n<li>MFA is required for all accesses to the CDE (access to the CDE cannot be obtained using a single authentication factor) (req. 8.4.2) \u2013 applicable from March 31, 2025.<\/li>\n<li>MFA is required for all remote network accesses originating from outside the corporate network (including accesses by users and administrators, as well as third parties and vendors) that may access or impact the CDE (req. 8.4.3)<\/li>\n<li>The technical configurations to be implemented in MFA are described, including controls to prevent replay attacks, use of at least two different authentication factors, correct validation of all authentication factors before granting access to the resource\/network and restrictions to \u201cskip\u201d MFA controls if authorisation from the Directorate exists, is documented and allowed only within a limited timeframe (req. 8.5.1) \u2013 applicable from March 31, 2025.<\/li>\n<\/ul>\n<p>In this regard, <span class=\"highlight\">it is very important to highlight the concept of \u2018MFA chains\u2019 or multiple authentications using MFA depending on where the connection starts and ends<\/span>. There may be cases where an administrator connects from outside the corporate network to a network that may impact the CDE (first use of MFA) and, once there, requires a network connection to the CDE (second use of MFA). In these cases, the use of MFA is required twice.<\/p>\n<div id=\"attachment_236\" style=\"width: 1109px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-236\" class=\"wp-image-236\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_clarifications.png?resize=900%2C436&#038;ssl=1\" alt=\"\" width=\"900\" height=\"436\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_clarifications.png?w=1413&amp;ssl=1 1413w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_clarifications.png?resize=300%2C145&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_clarifications.png?resize=1024%2C496&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_clarifications.png?resize=768%2C372&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_clarifications.png?resize=500%2C242&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-236\" class=\"wp-caption-text\">Using MFA in PCI DSS v4.0<\/p><\/div>\n<p>Finally, the controls that must be applied to any system or application account are described:<\/p>\n<ul>\n<li>When these accounts are used as an interactive account (used by an individual), it must be managed as an exception, it must be used within a defined time limit, it must be approved by the Management and the identity of the user must be confirmed, as well as tracking the actions of said user (req. 8.6.1)\u2013 applicable from March 31, 2025.<\/li>\n<li>On the other hand, the controls are extended to prevent the passwords used by these accounts from being insecurely integrated into scripts, configuration files or application source code (req. 8.6.2).<\/li>\n<li>The passwords used by these accounts must be changed periodically and have an appropriate complexity based on the periods defined for their change.<\/li>\n<\/ul>\n<h4>Requirement 9: <em>Restrict Physical Access to Cardholder Data<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-235\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9.png?resize=900%2C80&#038;ssl=1\" alt=\"\" width=\"900\" height=\"80\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9.png?w=1258&amp;ssl=1 1258w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9.png?resize=300%2C27&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9.png?resize=1024%2C91&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9.png?resize=768%2C68&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9.png?resize=500%2C45&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Unlike the other requirements of the PCI DSS v4.0 standard, this is the only requirement whose name has not changed since version 3.2.1.\u00a0 However, multiple clarifications were added to facilitate the implementation of controls, including:<\/p>\n<ul>\n<li>Definition of three physical areas where PCI DSS controls are applicable:\n<ul>\n<li>Sensitive areas (<em>sensitive areas<\/em>)<\/li>\n<li>CDE<em>cardholder data environment)<\/em><\/li>\n<li>Installations (<em>facilities<\/em>)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div id=\"attachment_238\" style=\"width: 1196px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-238\" class=\"wp-image-238\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_areas.png?resize=900%2C404&#038;ssl=1\" alt=\"\" width=\"900\" height=\"404\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_areas.png?w=1474&amp;ssl=1 1474w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_areas.png?resize=300%2C135&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_areas.png?resize=1024%2C459&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_areas.png?resize=768%2C344&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Req9_areas.png?resize=500%2C224&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-238\" class=\"wp-caption-text\">Concepts of physical areas used in PCI DSS<\/p><\/div>\n<ul>\n<li>The procedures to be applied to the life cycle of the management of physical access to the CDE by employees (req. 9.3.1) and visitors (req. 9.3.2).<\/li>\n<li>The record of visits must include not only the name of the visitor and his company and the name of the person who authorizes his physical access, but also the date and time of the visit (req. 9.3.4).<\/li>\n<\/ul>\n<p>With regard to the security of the points of interaction (POI), the following clarifications were added:<\/p>\n<ul>\n<li>Controls related to the physical security of the POI are not applicable to COTS devices (<em>commercial off-the-shelf<\/em>) \u2013 as they are commercially owned devices designed for distribution in mass markets \u2013 nor to components that allow manual entry of NAP data, such as a computer keyboard.<\/li>\n<li>The frequency of physical inspections carried out on POIs should be defined by the organisation on the basis of a risk analysis (req. 9.5.1.2.1) \u2013 applicable from March 31, 2025.<\/li>\n<\/ul>\n<h4>References<\/h4>\n<ul>\n<li>Payment Data Security Essential: Secure Remote Access <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Infographic\/Payment-Data-Security-Essential-Secure-Remote-Access.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Infographic\/Payment-Data-Security-Essential-Secure-Remote-Access.pdf<\/a><\/li>\n<li>Payment Data Security Essential: Strong Passwords <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Infographic\/Payment-Data-Security-Essential-Strong-Passwords.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Infographic\/Payment-Data-Security-Essential-Strong-Passwords.pdf<\/a><\/li>\n<li>Multi-Factor Authentication Guidance <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Authentication\/Multi-Factor-Authentication-Guidance-v1.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Authentication\/Multi-Factor-Authentication-Guidance-v1.pdf<\/a><\/li>\n<li>Skimming Prevention: Best Practices for Merchants <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Skimming%20Prevention\/Skimming_Prevention_BP_for_Merchants_Sept2014.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Skimming%20Prevention\/Skimming_Prevention_BP_for_Merchants_Sept2014.pdf<\/a><\/li>\n<li>Skimming Prevention: Overview of Best Practices for Merchants <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Skimming%20Prevention\/Skimming_Prevention_At-a-Glance_Sept2014.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Skimming%20Prevention\/Skimming_Prevention_At-a-Glance_Sept2014.pdf<\/a><\/li>\n<li>Skimming Resource Guide <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Skimming%20Prevention\/PCI_SSC_Skimming_Resource_Guide_v05.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Skimming%20Prevention\/PCI_SSC_Skimming_Resource_Guide_v05.pdf<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>In this fifth installment of the series \u2018PCI DSS Analysis v4.0\u2019, the changes applied to requirements 7, 8 and 9 of the standard in its new version (4.0) will be analysed. These requirements \u2013 which are part of Group 4 [\u2026]<\/p>","protected":false},"author":2,"featured_media":180,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[7,354],"tags":[45,46,47,49,48,50,51,52],"class_list":["post-179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pci-dss-4-0","category-pcidss","tag-acceso","tag-autenticacion","tag-autorizacion","tag-dual-control","tag-identificacion","tag-need-to-know","tag-recurso","tag-split-knowledge"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte5.png?fit=1920%2C1080&ssl=1","jetpack-related-posts":[{"id":391,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/","url_meta":{"origin":179,"position":0},"title":"An\u00e1lisis de PCI DSS v4.0 Parte VI: Requerimientos 10 y 11","author":"David Acosta","date":"septiembre 15, 2022","format":false,"excerpt":"En esta sexta entrega de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se analizar\u00e1n los requerimientos 10 y 11 del est\u00e1ndar PCI DSS v4.0. Estos requerimientos hacen parte del grupo 5. Regularly Monitor and Test Networks, que continua con el mismo nombre de la versi\u00f3n 3.2.1 del est\u00e1ndar. El objetivo\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":157,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/","url_meta":{"origin":179,"position":1},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte II: Requerimientos 1 y 2","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"En esta segunda parte de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se realizar\u00e1 una revisi\u00f3n a los requerimientos 1 y 2 del est\u00e1ndar, que hacen parte del grupo \u201cBuild and Maintain a Secure Network and Systems\u201d, orientados al control del tr\u00e1fico de red entrante y saliente del entorno y\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":477,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/","url_meta":{"origin":179,"position":2},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte VII: Requerimiento 12","author":"David Acosta","date":"noviembre 17, 2022","format":false,"excerpt":"En este pen\u00faltimo art\u00edculo de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se presenta un an\u00e1lisis a los cambios del requerimiento 12 - parte del grupo 6 \u201cMaintain an Information Security Policy\u201d- en la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS. Requerimiento 12: Support Information Security with Organizational Policies and Programs\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":176,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/","url_meta":{"origin":179,"position":3},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte IV: Requerimientos 5 y 6","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"En esta cuarta entrega de la serie \u201cAn\u00e1lisis de PCI DSS 4.0\u201d se presenta una revisi\u00f3n a los cambios en los requerimientos 5 y 6 del est\u00e1ndar PCI DSS ocurridos entre las versiones 3.2.1 y 4.0. Estos dos requerimientos est\u00e1n enfocados a la protecci\u00f3n a nivel de software para prevenir,\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":173,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/","url_meta":{"origin":179,"position":4},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte III: Requerimientos 3 y 4","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"Continuando con el an\u00e1lisis a la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS, en esta tercera parte de la serie se analizar\u00e1n los requerimientos 3 y 4 que hacen parte del grupo \u201cProtect Account Data\u201d, enfocados a la protecci\u00f3n de la confidencialidad y la integridad de los datos de tarjetas de\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":98,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/","url_meta":{"origin":179,"position":5},"title":"An\u00e1lisis de PCI DSS v4.0 &#8211; Parte I: Introducci\u00f3n","author":"David Acosta","date":"agosto 17, 2022","format":false,"excerpt":"En esta primera parte de esta serie \"An\u00e1lisis de PCI DSS v4.0\" se analizar\u00e1 la historia detr\u00e1s de la versi\u00f3n 4.0 del est\u00e1ndar, las variables que influyeron en su cambio y el proceso de revisi\u00f3n y publicaci\u00f3n asociado. A continuaci\u00f3n, en entregas subsiguientes, se realizar\u00e1 una revisi\u00f3n a los cambios\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=179"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/179\/revisions"}],"predecessor-version":[{"id":11748,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/179\/revisions\/11748"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/180"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}