{"id":391,"date":"2022-09-15T14:08:03","date_gmt":"2022-09-15T12:08:03","guid":{"rendered":"https:\/\/pcihispano.com\/?p=391"},"modified":"2026-05-06T19:16:53","modified_gmt":"2026-05-06T17:16:53","slug":"analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/","title":{"rendered":"Analysis of PCI DSS v4.0 Part VI: Requirements 10 and 11"},"content":{"rendered":"<p><span class=\"intro-text\">In this sixth installment of the series \u2018PCI DSS analysis v4.0\u2019, requirements 10 and 11 of the PCI DSS standard v4.0 will be analysed. These requirements are part of the group <em>5. Regularly Monitor and Test Networks, <\/em>It continues with the same name as version 3.2.1 of the standard.<\/span><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-396\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/09\/5_10_11.png?resize=900%2C148&#038;ssl=1\" alt=\"\" width=\"900\" height=\"148\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/5_10_11.png?w=1261&amp;ssl=1 1261w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/5_10_11.png?resize=300%2C49&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/5_10_11.png?resize=1024%2C168&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/5_10_11.png?resize=768%2C126&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/5_10_11.png?resize=500%2C82&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>The objective of these two requirements is to ensure traceability in the compliance environment in order to detect malicious patterns and serve as a basis in the case of a forensic investigation and validate that the security levels of the environment continue to be acceptable over time.<\/p>\n<div class=\"su-box su-box-style-glass\" id=\"\" style=\"border-color:#000000;border-radius:5px;max-width:none\"><div class=\"su-box-title\" style=\"background-color:#333333;color:#FFFFFF;border-top-left-radius:3px;border-top-right-radius:3px\">Analysis of PCI DSS v4.0<\/div><div class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:3px;border-bottom-right-radius:3px\">\n<p>All articles in the series <a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0<\/a>:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part I: Introduction<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part II: Requirements 1 and 2<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part III: Requirements 3 and 4<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part IV: Requirements 5 and 6<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part V: Requirements 7, 8 and 9<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 Part VI: Requirements 10 and 11<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0 \u2013 Part VII: Requirement 12<\/a><\/li>\n<\/ul>\n<\/div><\/div>\n<h4>Requirement 10: <em>Log and Monitor All Access to System Components and Cardholder Data<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-397\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/09\/10.png?resize=900%2C89&#038;ssl=1\" alt=\"\" width=\"900\" height=\"89\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/10.png?w=1255&amp;ssl=1 1255w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/10.png?resize=300%2C30&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/10.png?resize=1024%2C101&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/10.png?resize=768%2C76&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/10.png?resize=500%2C49&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Requirement 10 defines the security controls necessary to record activities affecting the system components of the environment and cardholder data in order to proactively identify any suspicious events and to be able to conduct a post-incident investigation. The critical elements that are part of this requirement are the event\/audit records (or <em>logs<\/em>) and its synchronization at the time level, to ensure the correct correlation of activities of all assets involved in a particular event.<\/p>\n<p>It is important to clarify that in version 4.0 of PCI DSS the activities carried out by cardholders are explicitly excluded from this requirement (<em>cardholders<\/em>) and includes actions taken by employees, contractors, consultants, internal and external suppliers and any other entity that has access to or may affect the security of the environment.<\/p>\n<p>Generally speaking, this requirement had no relevant changes beyond a reorganisation of controls and the addition of some clarifications:<\/p>\n<p><strong>Event logs management:<\/strong><\/p>\n<ul>\n<li>It is clarified that audit records (<em>logs<\/em>) must be enabled and active for all system components and cardholder data. Likewise, it is emphasized that these records should only contain the information required for their operation, avoiding the storage of sensitive data (req. 10.2.1).<\/li>\n<li>From 31 March 2025 <span class=\"highlight\">the review of event logs must be carried out using automated tools <\/span>. This requirement responds to the need to minimize human interaction and its consequent error rate during the manual log review process.<\/li>\n<li>Periods of review of event logs that should not be reviewed daily (req. 10.4.1) should be adjusted based on a risk analysis, in accordance with requirement 12.3.1.<\/li>\n<\/ul>\n<p>All other controls related to logs (types of actions to be registered, details of each event, centralization and protection of logs, retention times, etc.) do not change in this new version.<\/p>\n<p><strong>Time synchronization:<\/strong><\/p>\n<p>All controls related to time synchronization do not change in this new version.<\/p>\n<p><strong>Response to failures in critical security systems:<\/strong><\/p>\n<ul>\n<li>Unlike PCI DSS v3.2.1 where only service providers were required to perform <span class=\"highlight\">Detective and corrective actions against any critical failure in critical security systems, in PCI DSS v4.0 this requirement has been extended to all entities affected by PCI DSS compliance as of 31 March 2025 (req. 10.7.2) <\/span>. This includes not only the identification and generation of alerts of the critical security control affected but also the definition of activities aimed at the restoration of the affected service (req. 10.7.3). These controls introduce the concept of availability in a subtle way (<em>availability<\/em>) within the controls of PCI DSS, traditionally oriented to the protection of confidentiality (<em>confidentiality<\/em>) and integrity (<em>integrity<\/em>).<\/li>\n<\/ul>\n<div id=\"attachment_398\" style=\"width: 705px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-398\" class=\"wp-image-398\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?resize=695%2C533&#038;ssl=1\" alt=\"\" width=\"695\" height=\"533\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?w=1771&amp;ssl=1 1771w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?resize=300%2C230&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?resize=1024%2C786&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?resize=768%2C589&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?resize=1536%2C1179&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/CIA.png?resize=500%2C384&amp;ssl=1 500w\" sizes=\"auto, (max-width: 695px) 100vw, 695px\" \/><p id=\"caption-attachment-398\" class=\"wp-caption-text\">Information Security Triad (ICS)<\/p><\/div>\n<h4>Requirement 11: <em>Test Security of Systems and Networks Regularly<\/em><\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-399\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/09\/11.png?resize=900%2C77&#038;ssl=1\" alt=\"\" width=\"900\" height=\"77\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/11.png?w=1246&amp;ssl=1 1246w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/11.png?resize=300%2C26&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/11.png?resize=1024%2C87&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/11.png?resize=768%2C65&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/11.png?resize=500%2C43&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Generally speaking, actions related to the lifecycle of security controls for payment card data protection are listed throughout the PCI DSS standard: asset categorization, selection and implementation (requirements 1, 2, 3, 4, 5, 6, 7, 8 and 9), monitoring (requirement 10) and evaluation (requirement 11). The objective of the evaluation phase of controls is to determine the extent to which controls are correctly implemented, function as intended and produce the desired result with respect to compliance with the requirements of the standard. All of these actions are covered in PCI DSS requirement 11.<\/p>\n<p>As a result of the evolution in attack techniques and software vulnerabilities, as well as the overcrowding in the use of cloud platforms (<em>cloud<\/em>), requirement 11 has included a series of updates that allow optimizing the activities oriented towards the evaluation of the security controls required by the standard, among which are:<\/p>\n<p><strong>Wireless networks:<\/strong><\/p>\n<ul>\n<li>Wireless network identification processes should detect and identify not only authorised but also unauthorised access points (req. 11.2.1). The applicability of this control is extended both to organizations that allow the use of this type of technology in their facilities and those that prohibit it by regulation.<\/li>\n<li>The control associated with response procedures to the identification of unauthorized wireless access points (11.1.2 in PCI DSS v3.2.1) was moved to requirement 12.10.5 in PCI DSS v4.0.<\/li>\n<\/ul>\n<p><strong>Internal vulnerability scans:<\/strong><\/p>\n<ul>\n<li>For internal vulnerability scans it is clarified that the tool used must be updated with the latest vulnerability information (req. 11.3.1).<\/li>\n<li>Unlike PCI DSS v3.2.1, vulnerabilities not categorized as critical or high-risk should be managed according to a risk analysis and re-scans should be executed if necessary (req. 11.3.1.1). This check is applicable from 31 March 2025.<\/li>\n<li>Probably one of the most relevant changes in PCI DSS is the inclusion of <span class=\"highlight\">concept of \u201cauthenticated scans\u201d (<em>authenticated scanning<\/em>)<\/span>. This approach allows internal scans to go beyond the detection of vulnerabilities from the network point of view and evolve towards the identification of vulnerabilities from the asset point of view (<em>host<\/em>), giving greater visibility to the results and incorporating not only the vulnerabilities of the services published in data networks but also of the local software and its configuration. To do this, the entity must establish authentication credentials with sufficient privileges so that they can be used by the scanning tool. In the event that the device does not support authentication, it is necessary to document this exception (req. 11.3.1.2). This check is applicable from 31 March 2025.<\/li>\n<\/ul>\n<div id=\"attachment_400\" style=\"width: 958px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-400\" class=\"wp-image-400\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=900%2C539&#038;ssl=1\" alt=\"\" width=\"900\" height=\"539\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?w=2314&amp;ssl=1 2314w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=300%2C180&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=1024%2C614&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=768%2C460&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=1536%2C921&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=2048%2C1228&amp;ssl=1 2048w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=500%2C300&amp;ssl=1 500w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?resize=1000%2C600&amp;ssl=1 1000w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/net_scan_vs_auth_scan.png?w=1800&amp;ssl=1 1800w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-400\" class=\"wp-caption-text\">Differences between traditional vulnerability scanning and authenticated scanning<\/p><\/div>\n<p><strong>External vulnerability scans:<\/strong><\/p>\n<p>All controls related to external vulnerability scans do not change in this new release.<\/p>\n<p><strong>Internal and external penetration tests:<\/strong><\/p>\n<ul>\n<li>It is clarified that:\n<ul>\n<li>In-network testing (or \"internal penetration testing\") means testing from within the CDE and into the CDE from trusted and untrusted internal networks.<\/li>\n<li>External network tests (or \u2018external penetration tests\u2019) are those carried out on the exposed external perimeter of trusted networks and critical systems connected or accessible to public networks.<\/li>\n<li>Penetration test reports should be stored for at least 12 months.<\/li>\n<\/ul>\n<\/li>\n<li>Exploitable vulnerabilities identified in this exercise should be corrected according to the risk levels defined by the organization (req. 11.4.4).<\/li>\n<li>In the case of suppliers <em>multi-tenant<\/em>, these suppliers shall provide evidence to their customers that the penetration tests of their infrastructure have been successfully executed and facilitate their customers in the execution of their own tests (req. 11.4.7). This check is applicable from 31 March 2025.<\/li>\n<\/ul>\n<p><strong>Intrusion detection\/prevention systems (IDS\/IPS):<\/strong><\/p>\n<ul>\n<li>For service providers, <span class=\"highlight\">intrusion detection or prevention systems must be able to detect, alert, prevent and manage covert communication channels of malware (req. 11.5.1.1)<\/span>. This check is applicable from 31 March 2025.<\/li>\n<\/ul>\n<p><strong>Protection against unauthorized changes to payment pages:<\/strong><\/p>\n<p>Probably one of the most anticipated controls in this version of PCI DSS was the <strong>control for protection against unauthorized changes to payment pages<\/strong>. With the escalation of attacks against e-commerce websites using <em>digital skimmers<\/em>malicious code developed to remain hidden while capturing and exfiltrating sensitive data on websites, being the digital equivalent of <em>skimmers<\/em> physical devices installed in POI devices and electronic tellers), it was a matter of time before the PCI SSC took action on the matter, since this type of attack could not be identified or managed with the controls of version 3.2.1 of PCI DSS.<\/p>\n<p>In April 2017 the PCI SSC published the document <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/e-Commerce\/best_practices_securing_ecommerce.pdf\" target=\"_blank\" rel=\"noopener\"><em>Information Supplement: Best Practices for Securing E-commerce<\/em><\/a>. This document in its section 7.7 \u201c<em>Best Practices for Securing e-Commerce<\/em>\u201d described a number of best practices including regular review of any web links (such as URLs, iFrames, APIs, etc.) from the merchant website to the payment gateway to confirm that these links had not been altered to redirect traffic to unauthorized locations. Still, these actions fell short of mitigating the attacks of <em>Digital Skimmers<\/em>.<\/p>\n<p>In PCI DSS v4.0 control 11.6.1 has been included, where <span class=\"highlight\">the deployment of a control is required to detect unauthorized changes and manipulations on payment pages. <\/span>These solutions should alert internal staff in case of unauthorised modifications and their implementation should be at least every 7 days or at regular intervals based on a risk analysis of the institution.<\/p>\n<p>This control (11.6.1) complements PCI DSS v4.0 control 6.4.3 where a verification of the scripts loaded on the payment forms is required.<\/p>\n<h4>References<\/h4>\n<ul>\n<li>Information Supplement: Effective Daily Log Monitoring <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Logging\/Effective-Daily-Log-Monitoring-Guidance.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/Logging\/Effective-Daily-Log-Monitoring-Guidance.pdf<\/a><\/li>\n<li>NIST Risk Management Framework (RMF) Overview <a href=\"https:\/\/csrc.nist.rip\/Projects\/Risk-Management\/Risk-Management-Framework-(RMF)-Overview\">https:\/\/csrc.nist.rip\/Projects\/Risk-Management\/Risk-Management-Framework-(RMF)-Overview<\/a><\/li>\n<li>Information Supplement: Best Practices for Securing E-commerce <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/e-Commerce\/best_practices_securing_ecommerce.pdf\">https:\/\/docs-prv.pcisecuritystandards.org\/Guidance%20Document\/e-Commerce\/best_practices_securing_ecommerce.pdf<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>In this sixth installment of the series \u2018PCI DSS analysis v4.0\u2019, requirements 10 and 11 of the PCI DSS standard v4.0 will be analysed. These requirements are part of group 5. Regularly Monitor and Test Networks, which continues with the [\u2026]<\/p>","protected":false},"author":2,"featured_media":392,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[7,354],"tags":[39,72,67,68,70,69,73,71],"class_list":["post-391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pci-dss-4-0","category-pcidss","tag-asv","tag-escaneo","tag-ids","tag-ips","tag-log","tag-ntp","tag-pentest","tag-scan"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=2547%2C1426&ssl=1","jetpack-related-posts":[{"id":98,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/","url_meta":{"origin":391,"position":0},"title":"An\u00e1lisis de PCI DSS v4.0 &#8211; Parte I: Introducci\u00f3n","author":"David Acosta","date":"agosto 17, 2022","format":false,"excerpt":"En esta primera parte de esta serie \"An\u00e1lisis de PCI DSS v4.0\" se analizar\u00e1 la historia detr\u00e1s de la versi\u00f3n 4.0 del est\u00e1ndar, las variables que influyeron en su cambio y el proceso de revisi\u00f3n y publicaci\u00f3n asociado. A continuaci\u00f3n, en entregas subsiguientes, se realizar\u00e1 una revisi\u00f3n a los cambios\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":477,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/","url_meta":{"origin":391,"position":1},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte VII: Requerimiento 12","author":"David Acosta","date":"noviembre 17, 2022","format":false,"excerpt":"En este pen\u00faltimo art\u00edculo de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se presenta un an\u00e1lisis a los cambios del requerimiento 12 - parte del grupo 6 \u201cMaintain an Information Security Policy\u201d- en la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS. Requerimiento 12: Support Information Security with Organizational Policies and Programs\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCIDSS_PartVII.png?fit=1200%2C671&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":176,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/","url_meta":{"origin":391,"position":2},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte IV: Requerimientos 5 y 6","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"En esta cuarta entrega de la serie \u201cAn\u00e1lisis de PCI DSS 4.0\u201d se presenta una revisi\u00f3n a los cambios en los requerimientos 5 y 6 del est\u00e1ndar PCI DSS ocurridos entre las versiones 3.2.1 y 4.0. Estos dos requerimientos est\u00e1n enfocados a la protecci\u00f3n a nivel de software para prevenir,\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte4b.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":157,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/","url_meta":{"origin":391,"position":3},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte II: Requerimientos 1 y 2","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"En esta segunda parte de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se realizar\u00e1 una revisi\u00f3n a los requerimientos 1 y 2 del est\u00e1ndar, que hacen parte del grupo \u201cBuild and Maintain a Secure Network and Systems\u201d, orientados al control del tr\u00e1fico de red entrante y saliente del entorno y\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte2.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":173,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/","url_meta":{"origin":391,"position":4},"title":"An\u00e1lisis de PCI DSS v4.0 \u2013 Parte III: Requerimientos 3 y 4","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"Continuando con el an\u00e1lisis a la versi\u00f3n 4.0 del est\u00e1ndar PCI DSS, en esta tercera parte de la serie se analizar\u00e1n los requerimientos 3 y 4 que hacen parte del grupo \u201cProtect Account Data\u201d, enfocados a la protecci\u00f3n de la confidencialidad y la integridad de los datos de tarjetas de\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte3.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1402,"url":"https:\/\/www.pcihispano.com\/en\/controles-recurrentes-futuros-y-con-tra-de-pci-dss-v4-0-en-formato-excel\/","url_meta":{"origin":391,"position":5},"title":"Controles recurrentes, futuros y con TRA de PCI DSS v4.0 en formato Excel","author":"David Acosta","date":"diciembre 20, 2023","format":false,"excerpt":"Para garantizar la efectividad y eficacia de los controles de PCI DSS a lo largo del tiempo, algunos de los controles del est\u00e1ndar requieren una ejecuci\u00f3n peri\u00f3dica (recurrente). Esta recurrencia ha sido establecida por el PCI SSC en el est\u00e1ndar PCI DSS v4.0: Para algunos de estos controles, la entidad\u2026","rel":"","context":"In &quot;Descargas&quot;","block_context":{"text":"Descargas","link":"https:\/\/www.pcihispano.com\/en\/category\/descargas\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/12\/Controles_recurrentes_TRA_Futuros_PCIDSSv4.png?fit=1200%2C676&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/12\/Controles_recurrentes_TRA_Futuros_PCIDSSv4.png?fit=1200%2C676&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/12\/Controles_recurrentes_TRA_Futuros_PCIDSSv4.png?fit=1200%2C676&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/12\/Controles_recurrentes_TRA_Futuros_PCIDSSv4.png?fit=1200%2C676&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/12\/Controles_recurrentes_TRA_Futuros_PCIDSSv4.png?fit=1200%2C676&ssl=1&resize=1050%2C600 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=391"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/391\/revisions"}],"predecessor-version":[{"id":11746,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/391\/revisions\/11746"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/392"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}