PCI DSS 4.0: New Requirement to Automate Detection and Prevention of Web-Based Attacks

PUBLISHED ON May 9, 2022
LAST UPDATED June 14, 2022

Backed by all major credit card and payment processing companies, the PCI Data Security Standard (DSS) is a cybersecurity standard that any business that transmits, stores, or processes credit card data must comply with. 

In March 2022, the PCI Security Standards Council published version 4.0 of the PCI Data Security Standard (DSS), which replaces v 3.2.1, published in 2018. Version 3.2.1 will remain active for two years (until March 31, 2024), when it will be retired and replaced by v4.0. In addition, some of the new requirements include an additional year before they go into effect.  

What’s New in v 4.0 

The 12 main requirements are the same in v4.0 as in the previous version, but there are some tweaks and enhancements. Notably, from an application security perspective, there is a new requirement to “deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks. This new requirement removes the option in Requirement 6.4.1 to review web applications via manual or automated application vulnerability assessment tools or methods.” This development clearly highlights the pressing need for automated web-application solutions, not manual solutions or vulnerability assessment tools that require teams to respond to alerts or remediate vulnerabilities. 

See page 12 in the PCI 4.0 Summary of Changes document for exact language and details on this new requirement. 

A few other noteworthy changes: new requirements for multi-factor authentication, passwords, and phishing prevention. There is more emphasis on security as a continuous process and on flexibility in meeting the requirements. For example, there is now an expectation that there are clearly assigned roles and responsibilities for each requirement and a new ability to customize the way organizations meet the requirements. Finally, there is a new emphasis on validating compliance with the requirements to promote transparency. 

You can see everything that has changed here

How ThreatX Can Help 

ThreatX can help organizations comply with several of the requirements in PCI v4, especially the new requirement to “deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks.” This new requirement underscores the fact that identifying vulnerabilities is only one part of an application security program, and that blocking attacks in real time is critical. ThreatX can help address this requirement because it analyzes all inbound web app and API traffic to identify and block advanced as well as low-slow attack methods. ThreatX’s real-time behavioral analysis executes advanced threat engagement techniques, starting with IP fingerprinting, active interrogation, and tar-pitting traffic generated from attackers. These capabilities allow ThreatX to identify and stop the most complex attacks, including large-scale botnets and application DDoS. 

See below for more details on Requirement 6, and additional PCI v4.0 requirements that ThreatX can help with. 

Requirement 6: Develop and Maintain Secure Systems and Software 

When using automated technical solutions, it is important to include processes that facilitate timely responses to alerts generated by the solutions so that any detected attacks can be mitigated. Such solutions may also be used to automate mitigation, for example rate-limiting controls, which can be implemented to mitigate against brute-force attacks and enumeration attacks. 

  • 6.4.0 Public-facing web applications are protected against attacks. 
  • 6.4.2 [Note that this is a new requirement that is a best practice now and will be required as of March 31, 2025] For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: 
  1. Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
  2. Actively running and up to date as applicable.
  3. Generating audit logs.
  4. Configured to either block web-based attacks or generate an alert that is immediately investigated.

The ThreatX Platform uses automated, behavior-based detection to analyze the intention of and block suspicious traffic being sent to an organization’s web applications and APIs. ThreatX provides organizations with various dashboards and audit logs to review blocked threat actors that have accumulated risk based on suspicious activity. 

Requirement 1: Install and Maintain Network Security Controls 

Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules. 

  • 1.2.0 Requires network security controls (NSCs) are configured, implemented, and maintained. 
  • 1.3.0 Network access to and from the cardholder data environment is restricted. 
  • 1.4.0 Network connections between trusted and untrusted networks are controlled. 

ThreatX comes out of the box with common rulesets and requires minimal deployment to protect layer 7 web applications and APIs against common attacks. Along with options to create custom rules for more advanced attacks, the ThreatX SOC also pairs with organizations to fine-tune rules to meet required policies and enhance protection for cardholder environments. 

Requirement 5: Protect All Systems and Networks from Malicious Software 

It is beneficial for entities to be aware of “zero-day” attacks (those that exploit a previously unknown vulnerability) and consider solutions that focus on behavioral characteristics and will alert and react to unexpected behavior. 

  • 5.2.0 Malicious software (malware) is prevented, or detected and addressed. 
  • 5.3.0 Anti-malware mechanisms and processes are active, maintained, and monitored. 

The ThreatX SOC team monitors, investigates, and responds to threats produced by malicious software by fine-tuning new rules to detect and block traffic from reaching organizations’ web applications and APIs. As zero-day attacks are identified and evolve, the ThreatX SOC team works with customers to enhance their Layer-7 protection with new rulesets for zero-days. 

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data 

Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password. Logging changes to authentication credentials (including elevation of privileges, additions, and deletions of accounts with administrative access) provides residual evidence of activities. Malicious users may attempt to manipulate authentication credentials to bypass them or impersonate a valid account. 

  • 10.2.0 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. 
  • 10.3 Audit logs are protected from destruction and unauthorized modifications. 
  • 10.4 Audit logs are reviewed to identify anomalies or suspicious activity. 
  • 10.5 Audit log history is retained and available for analysis. 

The ThreatX Platform retains up to 90 days of audit logs for changes made to applications being managed in ThreatX, application and API traffic data, and suspicious attacker activity accumulating risk that leads to bad actors getting blocked temporarily or permanently. 

For More Information 

Find more details on PCI v4 here

For more information on how we can help, please contact us


About the Author

Sydney Coffaro

Experienced subject-matter expert focused on cybersecurity automation, incident response, APIs, and application security with a demonstrated history of working in fast-paced early stage startups. Sydney is a certified product manager, Scrum Master, and has led technical sales initiatives for go to customer teams that resulted in the acquisition of hundreds of customers.