{"id":98,"date":"2022-08-17T21:33:45","date_gmt":"2022-08-17T19:33:45","guid":{"rendered":"https:\/\/pcihispano.org\/?p=98"},"modified":"2026-05-06T19:17:24","modified_gmt":"2026-05-06T17:17:24","slug":"analisis-de-pci-dss-v4-0-parte-1-introduccion","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/","title":{"rendered":"Analysis of PCI DSS v4.0 \u2013 Part I: Introduction"},"content":{"rendered":"<p><span class=\"intro-text\">This first part of the series \u00ab<a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\">Analysis of PCI DSS v4.0<\/a>\u00bb covers the history behind version 4.0 of the standard, the factors that drove the change, and the review and publication process that produced it. Subsequent installments review the changes to the requirements and to the reporting documents, and finally propose an action plan for migrating controls from version 3.2.1 to version 4.0 within the deadlines set by the PCI SSC and the payment brands.<\/span><\/p>\r\n<div class=\"su-box su-box-style-glass\" id=\"\" style=\"border-color:#000000;border-radius:5px;max-width:none\"><div class=\"su-box-title\" style=\"background-color:#333333;color:#FFFFFF;border-top-left-radius:3px;border-top-right-radius:3px\">Analysis of PCI DSS v4.0<\/div><div class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:3px;border-bottom-right-radius:3px\">\r\n<p>All articles in the series <a href=\"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0<\/a>:<\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-1-introduccion\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part I: Introduction<\/a><\/li>\r\n<li><a 
href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-ii-requerimientos-1-y-2\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part II: Requirements 1 and 2<\/a><\/li>\r\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iii-requerimientos-3-y-4\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part III: Requirements 3 and 4<\/a><\/li>\r\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-iv-requerimientos-5-y-6\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part IV: Requirements 5 and 6<\/a><\/li>\r\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-v-requerimientos-7-8-y-9\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 \u2013 Part V: Requirements 7, 8 and 9<\/a><\/li>\r\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/\" rel=\"bookmark\">Analysis of PCI DSS v4.0 Part VI: Requirements 10 and 11<\/a><\/li>\r\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vii-requerimiento-12\/\" target=\"_blank\" rel=\"noopener\">Analysis of PCI DSS v4.0 \u2013 Part VII: Requirement 12<\/a><\/li>\r\n<\/ul>\r\n<\/div><\/div>\r\n<p>The first half of 2022 has been quite interesting for the cybersecurity community due to the publication of the standard <a href=\"https:\/\/www.advantio.com\/blog\/whats-new-in-iso\/iec-27002-2022-updates\">ISO\/IEC 27002:2022<\/a> \u2013 <em>Information security, cybersecurity and privacy protection \u2014 Information security controls <\/em>in February and the release of version 4.0 of the PCI DSS standard in March. 
In both cases the goal was the same: update the existing security controls and add new requirements so that they reflect current technology and the current threat landscape.<\/p>\r\n\r\n<p>For PCI DSS v4.0, PCI Hispano has prepared a series of articles with a detailed analysis of how this version of the standard was developed, what changed in the requirements and how to migrate from version 3.2.1 to version 4.0, among other topics.<\/p>\r\n\r\n<h4 class=\"wp-block-heading\">History<\/h4>\r\n\r\n<p>The Payment Card Industry Data Security Standard (<strong>PCI DSS<\/strong>) arose from the joint work of the main payment card brands, which chose to consolidate the security controls of their separate compliance programs into a single standard. The aim was to make the implementation of security measures and the management of card data protection uniform across brands, avoiding overlaps, duplication and inconsistencies.<\/p>\r\n<div id=\"attachment_138\" style=\"width: 669px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-138\" class=\"wp-image-138\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Programas_Marcas_PCIDSS.webp?resize=659%2C432&#038;ssl=1\" alt=\"\" width=\"659\" height=\"432\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Programas_Marcas_PCIDSS.webp?w=831&amp;ssl=1 831w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Programas_Marcas_PCIDSS.webp?resize=300%2C197&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Programas_Marcas_PCIDSS.webp?resize=768%2C504&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Programas_Marcas_PCIDSS.webp?resize=500%2C328&amp;ssl=1 
500w\" sizes=\"auto, (max-width: 659px) 100vw, 659px\" \/><p id=\"caption-attachment-138\" class=\"wp-caption-text\">Convergence of the security programs of each of the brands in the PCI DSS standard<\/p><\/div>\r\n\r\n<p>The first version of PCI DSS was published in 2004. It defined the basic cybersecurity principles for protecting payment card data that any entity storing, processing and\/or transmitting such data had to implement, mainly merchants and service providers. In 2006, version 1.1 was published, this time by the Payment Card Industry Security Standards Council (<a href=\"https:\/\/www.pcisecuritystandards.org\/about_us\/\">PCI SSC<\/a>), an independent body formed by the major payment card brands that manages the life cycle of PCI DSS and the other standards of the payment industry.<\/p>\r\n\r\n<p>As affected entities implemented and operated the controls, the PCI SSC began receiving comments and suggestions from companies and organizations involved in payment security. Over time this feedback shaped the subsequent versions of the standard, which incorporated improvements, clarifications and minor corrections proposed by the community.<\/p>\r\n<div id=\"attachment_140\" style=\"width: 705px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-140\" class=\"wp-image-140\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/publicacion_PCI_DSS.webp?resize=695%2C471&#038;ssl=1\" alt=\"\" width=\"695\" height=\"471\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/publicacion_PCI_DSS.webp?w=876&amp;ssl=1 876w, 
https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/publicacion_PCI_DSS.webp?resize=300%2C203&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/publicacion_PCI_DSS.webp?resize=768%2C521&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/publicacion_PCI_DSS.webp?resize=500%2C339&amp;ssl=1 500w\" sizes=\"auto, (max-width: 695px) 100vw, 695px\" \/><p id=\"caption-attachment-140\" class=\"wp-caption-text\">PCI DSS Standard Timeline<\/p><\/div>\r\n\r\n<p>To give the PCI SSC predictable windows in which to analyze and incorporate updates, based on the experience of entities implementing the standard and on the evolution of technology and threats, <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/pci_lifecycle_for_changes_to_dss_and_padss.pdf\">a 36-month life cycle with eight stages<\/a> was defined for publishing PCI DSS, so that changes could be introduced gradually and step by step. This initiative did not last long, however: external factors forced later versions to be brought forward or delayed, among them the impact of several SSL and TLS vulnerabilities on the transmission of card data over open, public networks and changes to the process for collecting comments from organizations. 
<span class=\"highlight\">\u00a0In fact, the periods established in this life cycle were not followed for version 4.0, and they will probably not be followed for future versions either.<\/span><\/p>\r\n<div id=\"attachment_142\" style=\"width: 452px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-142\" class=\"wp-image-142 size-full\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS_Publication_Lifecycle.webp?resize=442%2C371&#038;ssl=1\" alt=\"\" width=\"442\" height=\"371\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS_Publication_Lifecycle.webp?w=442&amp;ssl=1 442w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS_Publication_Lifecycle.webp?resize=300%2C252&amp;ssl=1 300w\" sizes=\"auto, (max-width: 442px) 100vw, 442px\" \/><p id=\"caption-attachment-142\" class=\"wp-caption-text\">Lifecycle for change management of PCI DSS standard (not currently used)<\/p><\/div>\r\n\r\n<h4>Development and publication of the PCI DSS v4.0 standard<\/h4>\r\n\r\n<p>Version 3.2.1 of PCI DSS was released in May 2018 as a minor version that included some clarifications and revisions to version 3.2, released in April 2016. 
In effect, no substantial changes had been made to the standard since 2016: the controls had reached a level of maturity that matched the cybersecurity needs of the time.<\/p>\r\n\r\n<p>However, changes in infrastructure driven by the widespread adoption of cloud services, container platforms, orchestration and microservices, together with development practices such as DevOps, showed that PCI DSS had to be adapted to address the emerging threats against payment card data.<\/p>\r\n\r\n<p>Unlike previous versions, for PCI DSS v4.0 the PCI SSC defined a new working model in which organizations involved in card payments could actively participate in the review and drafting of the standard and its supporting documents through feedback periods (<a href=\"https:\/\/www.pcisecuritystandards.org\/get_involved\/request_for_comments\">Request for Comments (RFC)<\/a>). Two RFC exercises were run for version 4.0: one in the last quarter of 2019 (which received more than 3,200 comments) and another between September and November 2020. 
Once the RFC processes closed, a draft of the standard (<em>PCI DSS v4.0 Draft for Stakeholder Preview<\/em>) was shared exclusively with <a href=\"https:\/\/www.pcisecuritystandards.org\/get_involved\/participating_organizations\">Participating Organizations<\/a>, <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/qualified_security_assessors\">Qualified Security Assessors<\/a> (QSAs) and <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/approved_scanning_vendors\">Approved Scanning Vendors<\/a> (ASVs) to give final shape to <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v4-0-At-A-Glance.pdf\">version 4.0<\/a>, which was published at the end of March 2022 after more than 6,000 comments from more than 200 entities.<\/p>\r\n\r\n<p>Although the RFC processes aligned the standard with the reality of the entities that must implement its controls, they also postponed the publication of version 4.0: initially scheduled for Q2 2021, then for Q4 2021, it was finally published in Q1 2022.<\/p>\r\n\r\n<h4>Implementation periods of PCI DSS v4.0<\/h4>\r\n\r\n<p>With PCI DSS v4.0 and the templates of its supporting documents (<em>Report on Compliance<\/em> (ROC) and <em>Attestation of Compliance<\/em> (AOC)) published, the PCI SSC confirmed the period during which both versions would remain valid in parallel, the official retirement date of PCI DSS v3.2.1, and the date (31 March 2025) on which the new requirements that are only best practice until then become mandatory, so that affected entities can plan their implementation:<\/p>\r\n<div id=\"attachment_144\" style=\"width: 634px\" 
class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-144\" class=\"size-full wp-image-144\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/Periodos_PCIDSS_4.0.webp?resize=624%2C235&#038;ssl=1\" alt=\"\" width=\"624\" height=\"235\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Periodos_PCIDSS_4.0.webp?w=624&amp;ssl=1 624w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Periodos_PCIDSS_4.0.webp?resize=300%2C113&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Periodos_PCIDSS_4.0.webp?resize=500%2C188&amp;ssl=1 500w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><p id=\"caption-attachment-144\" class=\"wp-caption-text\">Implementation periods of PCI DSS v4.0<\/p><\/div>\r\n\r\n<p>According to these dates, <span class=\"highlight\">a <strong>24-month transition period<\/strong> runs from the publication of PCI DSS v4.0 (March 2022), during which version 3.2.1 and version 4.0 coexist and affected entities may be assessed against either one. 
From 31 March 2024 onward, version 3.2.1 is retired and version 4.0 is the only version valid for assessments.<\/span><\/p>\r\n\r\n<p>Translations of the standard, the <em>Self-Assessment Questionnaires<\/em> (SAQs) and the related <em>Attestations of Compliance<\/em> (AOC) were scheduled for publication in Q2 2022.<\/p>\r\n\r\n<h4>Main changes in the approach of the standard<\/h4>\r\n\r\n<p><strong><em>Note<\/em><\/strong><em>: Changes to the requirements of the standard will be discussed in future articles in this series.<\/em><\/p>\r\n\r\n<p>During the development of <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v4-0-At-A-Glance.pdf\">version 4.0<\/a> of PCI DSS, the PCI SSC's priorities were to keep pace with the evolving risks and threats to payment data and to promote security as a continuous process. 
As a result of the application of these criteria, the names of the groups and the requirements of the standard changed between version 3.2.1 and version 4.0, to reflect this evolution in controls and to adapt to changes in technologies:<\/p>\r\n<div id=\"attachment_145\" style=\"width: 954px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-145\" class=\"size-full wp-image-145\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_grupos_PCIDSS.webp?resize=900%2C262&#038;ssl=1\" alt=\"\" width=\"900\" height=\"262\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_grupos_PCIDSS.webp?w=944&amp;ssl=1 944w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_grupos_PCIDSS.webp?resize=300%2C87&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_grupos_PCIDSS.webp?resize=768%2C224&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_grupos_PCIDSS.webp?resize=500%2C146&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-145\" class=\"wp-caption-text\">Changes in the names of the 6 groups of PCI DSS 4.0 requirements<\/p><\/div>\r\n<!-- \/wp:paragraph -->\r\n\r\n<!-- wp:paragraph -->\r\n<div id=\"attachment_146\" style=\"width: 948px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-146\" class=\"size-full wp-image-146\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_requisitos_PCIDSS.webp?resize=900%2C515&#038;ssl=1\" alt=\"\" width=\"900\" height=\"515\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_requisitos_PCIDSS.webp?w=938&amp;ssl=1 938w, 
https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_requisitos_PCIDSS.webp?resize=300%2C172&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_requisitos_PCIDSS.webp?resize=768%2C440&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/cambio_nombres_requisitos_PCIDSS.webp?resize=500%2C286&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-146\" class=\"wp-caption-text\">Changes in the names of the 12 requirements of PCI DSS v4.0<\/p><\/div>\r\n<p>Version 4.0 also incorporates a large number of long-awaited clarifications on the applicability of the standard. Areas that were ambiguous or open to interpretation now have an official position in the standard itself; previously that position either did not exist or appeared only in the PCI SSC's Frequently Asked Questions (<a href=\"https:\/\/www.pcisecuritystandards.org\/faqs\">FAQ<\/a>) or in other supporting documents, not in the standard as such.<\/p>\r\n\r\n<p>Some of these clarifications are:<\/p>\r\n<div id=\"attachment_147\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-147\" class=\"size-full wp-image-147\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/aclaraciones_PCIDSS.webp?resize=900%2C523&#038;ssl=1\" alt=\"\" width=\"900\" height=\"523\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/aclaraciones_PCIDSS.webp?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/aclaraciones_PCIDSS.webp?resize=300%2C174&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/aclaraciones_PCIDSS.webp?resize=768%2C446&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/aclaraciones_PCIDSS.webp?resize=500%2C291&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-147\" class=\"wp-caption-text\">List of clarifications included in PCI DSS v4.0<\/p><\/div>\r\n\r\n<p>The most significant change between versions 3.2.1 and 4.0 of PCI DSS, however, is the introduction of the <strong><em>Customized Approach<\/em><\/strong>. In the traditional approach, now called the \u201c<strong><em>Defined Approach<\/em><\/strong>\u201d, the entity implements the technical controls exactly as they are written in the standard and the assessor validates them with the standard's own testing procedures. In the Customized Approach, the entity may instead implement the control it considers best suited to its environment for managing the risk, as long as that control meets the stated objective of the requirement, which gives more flexibility and room for emerging solutions. 
<span class=\"highlight\">In PCI DSS v4.0 an entity can therefore choose between the Defined Approach and the Customized Approach according to its needs, and may use one approach for some requirements and the other for the rest.<\/span> Two caveats matter in practice: the Customized Approach is only available to entities assessed through a Report on Compliance (entities completing a Self-Assessment Questionnaire cannot use it), and for every requirement where it is used the entity must document a targeted risk analysis and a controls matrix showing how its control meets the requirement's objective, from which the assessor derives the testing procedures.<\/p>\r\n<div id=\"attachment_148\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-148\" class=\"size-full wp-image-148\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/08\/enfoque_definido_personalizado.webp?resize=900%2C518&#038;ssl=1\" alt=\"\" width=\"900\" height=\"518\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/enfoque_definido_personalizado.webp?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/enfoque_definido_personalizado.webp?resize=300%2C173&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/enfoque_definido_personalizado.webp?resize=768%2C442&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/enfoque_definido_personalizado.webp?resize=500%2C288&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-148\" class=\"wp-caption-text\">Description of Defined Approach and Customized Approach in PCI DSS v4.0<\/p><\/div>\r\n\r\n<p>The PCI SSC has also added a large number of graphical aids (flow charts and figures), margin notes, guidance for each requirement, templates, examples and so on, making this one of the most descriptive and self-explanatory versions published so far, at the cost of growing from 139 pages in PCI DSS v3.2.1 to 360 pages in PCI DSS v4.0.<\/p>\r\n\r\n<p>Part II of this series will explain the main changes to requirements 1 and 2 of the standard. 
You can receive notifications when the following parts of the series are published on PCI Hispano's <a href=\"https:\/\/www.linkedin.com\/company\/pci-hispano\">LinkedIn<\/a> and <a href=\"https:\/\/twitter.com\/pcihispano\">Twitter<\/a> pages.<\/p>\r\n\r\n<h4>References<\/h4>\r\n\r\n<ul>\r\n<li>PCI DSS v4.0 At-a-Glance <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v4-0-At-A-Glance.pdf\">https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v4-0-At-A-Glance.pdf<\/a><\/li>\r\n<li>Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures Version 4.0 <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v4_0.pdf\">https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v4_0.pdf<\/a><\/li>\r\n<li>PCI DSS v4.0 Resource Hub <a href=\"https:\/\/blog.pcisecuritystandards.org\/pci-dss-v4-0-resource-hub\">https:\/\/blog.pcisecuritystandards.org\/pci-dss-v4-0-resource-hub<\/a><\/li>\r\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>In this first part of this series \"PCI DSS Analysis v4.0\" we will analyze the history behind version 4.0 of the standard, the variables that influenced its change and the associated review and publication process. 
Next, [\u2026]<\/p>","protected":false},"author":2,"featured_media":161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[7,354],"tags":[8,36,37,39,40,41,42,43,38,44],"class_list":["post-98","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pci-dss-4-0","category-pcidss","tag-4-0","tag-analisis","tag-aoc","tag-asv","tag-cambios","tag-enfoque-definido","tag-enfoque-personalizado","tag-qsa","tag-roc","tag-saq"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/parte1.png?fit=1920%2C1080&ssl=1","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":11752,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/98\/revisions\/11752"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/161"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=98"}
],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}