Meeting PCI DSS v4.0 with WEBFRONT-K

2024-11-04

1. What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a global security standard that all companies operating card payment systems must follow to maintain the security of credit card information. Developed jointly by major credit card brands (Visa, Mastercard, American Express, Discover, etc.), this standard plays a crucial role in safely protecting cardholder data, thereby safeguarding organizations from data breaches and cyberattacks.


For companies operating card payment systems, PCI DSS compliance is no longer optional but mandatory. Failure to comply with PCI DSS can result in various risks and costs. For instance, non-compliant companies may face increased transaction fees, and payment networks may restrict or suspend card payment services. Furthermore, in the event of a data breach, they must bear legal liabilities and massive compensation costs, along with severe damage to the company's reputation.


Therefore, PCI DSS compliance means more than just following security standards; it enables companies to provide a secure payment environment, maintain customer trust, and minimize legal risks and economic losses caused by data breaches.

2. PCI DSS v4.0: Why is it Important Now?

PCI DSS v4.0 is the latest standard released in March 2022, reflecting stricter security requirements than the previous version (3.2.1) to respond to technological advancements and increasing cyber threats.

As modern cyberattacks become more sophisticated and frequent, companies require security systems capable of real-time response. Accordingly, PCI DSS v4.0 emphasizes the importance of continuous security monitoring and automated response.


One of the key features of PCI DSS v4.0 is the inclusion of real-time security monitoring and automated security solutions in its requirements. While existing security checks focused on periodic inspections and passive responses, PCI DSS v4.0 demands faster and stronger protection through continuous security surveillance and immediate response. By complying with these requirements, companies can quickly adapt and respond to new security threats.


The transition period granted for PCI DSS v4.0 is as follows, and it is ending soon:

  • PCI DSS v4.0 was released in March 2022, and companies can continue to operate under the existing PCI DSS v3.2.1 standard during the grace period until March 31, 2025.
  • From April 1, 2025, all companies must fully comply with PCI DSS v4.0. After this point, PCI DSS v3.2.1 can no longer be used, and companies must improve their systems and strengthen their security frameworks to meet the requirements of version 4.0.


Therefore, companies must update their systems and strengthen security solutions during this grace period to prepare for meeting the requirements of version 4.0.


3. How Does WEBFRONT-K Help Comply with PCI DSS v4.0?

In PCI DSS v4.0, the deployment of a web security solution, which was optional under the existing Requirement 6.4.1, has become mandatory with the creation of Requirement 6.4.2.

PIOLINK's WEBFRONT-K is a WAF/WAAP solution that protects web traffic and APIs. It fully supports Requirement 6.3 (Identify and Address Security Vulnerabilities) and Requirement 6.4 (Protection of Public-Facing Web Applications), helping you comply with PCI DSS v4.0.


The scope of PCI DSS includes not only systems that process, store, and transmit cardholder data but also systems used to secure and log access to those systems. Therefore, whether the security solution to be introduced meets PCI DSS requirements is also a critical consideration. 


WEBFRONT-K meets key PCI DSS requirements such as Requirement 7.2 (Define System Components and Appropriate Data Access) and Requirement 8.2 (Strict Lifecycle Management for User Identification and Related Accounts). The following are the main items that WEBFRONT-K complies with and satisfies: 


  Requirement 6.3 (Identify and Address Security Vulnerabilities)

  •  WEBFRONT-K identifies and manages the latest security vulnerabilities for the web by linking its self-analyzed CVE DB with KISA's C-TAS.
  • It manages a list of security-certified software, including third-party software, and provides the latest security signatures once a month to meet the requirement.

  Requirement 6.4 (Protection of Public-Facing Web Applications)

  • WEBFRONT-K provides automated protection for public-facing web applications through various detection technologies and security engines.
  • It defends against the vulnerability classes in the OWASP Top 10 and OWASP API Security Top 10, and ensures the integrity of each script loaded in the browser through its web anti-tampering feature.

  Requirement 7.2 (Define System Components and Appropriate Data Access)

  • WEBFRONT-K allows differential privileges to be granted based on user roles (System Group, Application Group, Monitor Group) through its user management function. 
  • Users are managed by categories such as GUI/API users, Shell users, and DB users, and all such privilege granting is approved and controlled by an administrator with admin privileges.

  Requirement 8.2 (Strict Lifecycle Management for User Identification and Related Accounts)

  • WEBFRONT-K assigns an individual account to each user, and administrators manage these accounts.
  • Unused accounts are automatically deactivated after a configurable period of inactivity, and access can be restricted to designated IP addresses only.
  • Through its login duration settings, it automatically logs out users who remain idle for a set period and requires them to re-authenticate.

  Requirement 8.3 & 8.4 (Strong Authentication & MFA System Configuration)

  • WEBFRONT-K supports MFA via passwords and Google OTP, ensuring only authenticated users can access the system.
  • User account information is stored in an encrypted state, and additional authentication is required when changing passwords to enhance security.
  • Passwords must be at least 12 characters long, including letters, numbers, and special characters, and recently used passwords are managed so they cannot be reused.
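As an added example that is not part of the original page or of WEBFRONT-K's own code, the following Python sketch implements the Requirement 8 account controls listed under 8.2, 8.3 and 8.4 above, using the thresholds the page and its assessment table give (12-character passwords, no reuse of the last 4, 90-day inactivity, 15-minute idle timeout, designated source IPs). The function names, the PBKDF2 parameters and the sample accounts are my own assumptions.

```python
from __future__ import annotations
import hashlib
import os
import string
from datetime import datetime, timedelta

# Thresholds taken from the page and its assessment table (PCI DSS v4.0 Req. 8).
MIN_PASSWORD_LENGTH = 12                 # page: at least 12 characters (8.3.6)
PASSWORD_HISTORY = 4                     # table: no reuse of the last 4 (8.3.7)
INACTIVITY_LIMIT = timedelta(days=90)    # table: disable after 90 days inactive (8.2.6)
IDLE_LIMIT = timedelta(minutes=15)       # table: re-authenticate after 15 min idle (8.2.8)
SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 200_000                  # assumption: hashing parameters are not on the page

def password_meets_complexity(pw: str) -> bool:
    """8.3.6 as the page states it: 12+ characters with a letter, a digit and a special character."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))

def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so stored authentication factors are unreadable (8.3.2)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def reused_recently(pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """8.3.7: True when pw matches any of the last PASSWORD_HISTORY (salt, digest) entries."""
    return any(hash_password(pw, salt)[1] == digest
               for salt, digest in history[-PASSWORD_HISTORY:])

def account_state(last_login: datetime, last_activity: datetime, client_ip: str,
                  allowed_ips: set[str], now: datetime) -> str:
    """Lifecycle decision for one session: 'disabled', 'ip_denied', 'reauth' or 'ok'."""
    if now - last_login > INACTIVITY_LIMIT:            # 8.2.6: dormant account is disabled
        return "disabled"
    if allowed_ips and client_ip not in allowed_ips:   # page: designated IP addresses only
        return "ip_denied"
    if now - last_activity > IDLE_LIMIT:               # 8.2.8: idle session must re-authenticate
        return "reauth"
    return "ok"

if __name__ == "__main__":
    hist = [hash_password(f"Winter-Pass-{i}0") for i in range(5)]   # constructed history
    print(password_meets_complexity("Tr0ub4dor&3xample"), reused_recently("Winter-Pass-40", hist))
    now = datetime(2025, 4, 1, 12, 0)
    print(account_state(now - timedelta(days=1), now - timedelta(minutes=16),
                        "10.0.0.5", {"10.0.0.5"}, now))
```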

  Requirement 10 (Log and Monitor All Access to System Components and Cardholder Data)

  • WEBFRONT-K saves security logs, audit logs, and access logs in real-time and manages them safely through automated backup functions. 
  • Logs can be retained for up to 60 months, and the time synchronization function ensures that log generation times are recorded accurately. 
  • Through its email alert function, administrators are notified promptly so they can respond to a system failure or urgent security event.


4. Meeting PCI DSS v4.0 with WEBFRONT-K


PIOLINK WEBFRONT-K is a Web Application and API Protection (WAAP) solution for PCI DSS v4.0 compliance, playing a crucial role in responding to the latest security threats and strengthening data protection.


It effectively supports the continuous security monitoring and automated response required by PCI DSS v4.0, helping companies comply with strengthened security requirements and build a secure payment environment.


In particular, as the deployment of a web security solution becomes mandatory in PCI DSS v4.0, WEBFRONT-K plays an essential role in helping companies meet these new requirements efficiently. Through this, companies can reduce the risk of data breaches, maintain customer trust, and enhance the safety of their payment services.


PCI DSS v4.0 Assessment Item | Compliant
6.3.1 Security vulnerabilities are identified and managed as follows. | V
6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software, is maintained to facilitate vulnerability and patch management. | V
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows. | V
6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis, and these applications are protected against known attacks as follows. | V
6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following capabilities. | V
6.4.3 All payment page scripts that are loaded and executed in the consumer's browser are managed as follows. | V
7.2.1 An access control model is defined and grants access rights as follows. | V
7.2.2 Access is assigned to users, specifically privileged users, based on the following. | V
7.2.3 Required privileges are approved by authorized personnel. | V
7.2.5 Access rights associated with all application and system accounts are assigned and managed as follows. | V
7.2.6 All user access to query repositories of stored cardholder data is restricted as follows. | V
8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | V
8.2.5 Access for terminated users is immediately revoked. | V
8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity. | V
8.2.7 Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows. | V
8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. | V
8.3.1 All user and administrator access to system components is authenticated via at least one of the following authentication factors. | V
8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage. | V
8.3.3 The identity of a user is verified before modifying any authentication factor. | V
8.3.4 The following restrictions apply when authentication attempts are invalid. | V
8.3.6 If passwords or passphrases are used as an authentication factor, they must meet the following minimum complexity requirements. | V
8.3.7 Individuals cannot submit a new password/passphrase that is the same as any of the last 4 passwords/passphrases used. | V
8.3.9 If passwords/passphrases are used as the only authentication factor for user access (i.e., in a single-factor authentication implementation). | V
8.3.11 If authentication factors such as security tokens, smart cards, or certificates are used. | V
8.4.1 MFA is implemented for all non-console access into the CDE (Cardholder Data Environment) for personnel with administrative access. | V
8.4.2 MFA is implemented for all access to the CDE. | V
10.2.1 Audit logs are enabled for all system components and cardholder data. | V
10.2.1.1 Audit logs record all individual user access to cardholder data. | V
10.2.1.2 Audit logs record all actions taken by any individual with administrative access, including any interactive use of application or system accounts. | V
10.2.1.3 Audit logs record all access to audit logs. | V
10.2.1.4 Audit logs record all invalid logical access attempts. | V
10.2.1.5 Audit logs record all changes to identification and authentication credentials, including the following. | V
10.2.1.6 Audit logs record the following. | V
10.2.1.7 Audit logs record the creation and deletion of all system-level objects. | V
10.2.2 Audit logs record the following details for each auditable event. | V
10.5.1 Audit log history is retained for at least 12 months, with records for the most recent 3 months immediately available for analysis. | V
10.6.1 System clocks and time are synchronized using time-synchronization technology. | V
10.7.2 Failures of critical security control systems are detected and alerted promptly, including failures of the following critical security control systems. | V