Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls


PCI DSS compliance means verifying that the systems which handle personal and cardholder information meet all the expectations of the standard's 12 requirements. These requirements describe security and privacy controls that protect against modern threats and vulnerabilities, and they call both for attention when implementing controls and for maintaining best practices over the long term.

The best way to understand expectations under PCI DSS is to walk through the requirements and what they say about security. Here, we’ll touch on the first requirement: Install and maintain security controls.

What Is The First Requirement for PCI DSS 4.0?

The first requirement focuses on how the company deploys and maintains its network and system security. Specifically, it refers to network security controls (NSCs) and the enforcement of network policy.

This approach also addresses some of the most exposed points of these systems: their connections to unprotected networks and devices.

This requirement focuses on a few key areas:

  • Perimeter Security: Organizations are expected to install perimeter security, specifically firewall technology, to control unauthorized traffic entering and leaving the system. These can be hardware or software firewalls, so long as they meet the expectations set by the PCI Security Standards Council.
  • Network Security: Organizations must enforce network policy at every access point into and out of the network. Internal networks must also be securely segmented to isolate different parts of the network from one another.
  • Configuration Security: All in-scope systems must be properly configured to protect against threats, including the use of strong authentication credentials, sound authorization protocols, and hardening of systems by keeping hardware and software patched and updated.
  • Policy and Procedure: Organizations must not deploy security measures, and certainly not the PCI DSS measures that satisfy Requirement 1, in an ad hoc manner. Policies and procedures must be documented, regularly updated, and available to stakeholders.

All the components of Requirement 1 will fall under one of these specific areas.


What Are the Major Expectations Under Requirement 1?


Since Requirement 1 covers the security and maintenance of networks that handle cardholder data, it stands to reason that its components address the different facets of that goal across management, deployment, and monitoring.

The primary components of PCI DSS 4.0 Requirement 1 are:

1.1 – Processes and mechanisms for Installing and Maintaining Network Security Controls

  • Documentation of Policies: Organizations must maintain proper documentation and security policies related to Requirement 1, and must update those policies as needed to reflect changes or additions over time.
  • Roles and Responsibilities: Alongside documented policies, the organization must keep a clear record of the roles and responsibilities related to security and compliance. This ensures accountability and a clear chain of command during changes or emergencies.
  • Defined Configuration Standards: In addition to policy and personnel documentation, the organization must have a written standard describing how it manages system configurations relevant to PCI DSS compliance. This ensures the company does not set or change configurations in an ad hoc manner.


1.2 – Configuring and Maintaining Network Security Controls

  • Configuration Management: The organization should have a standard for how systems communicate securely with one another, covering which ports are open, which secure protocols are used, the authentication and authorization standards that apply, and the expected patterns of communication between systems. Change-control policies should also govern the pace and approach to updating, upgrading, or retiring assets.
  • Network Diagrams: Organizations should keep up-to-date network diagrams that identify and map network assets, access points, segments, and any connections that could present a security weakness.
  • Data Flow Diagrams: Organizations should also keep a data flow diagram that inventories every system and stakeholder interacting with private consumer and cardholder data, for both security and auditing purposes. This includes the processing flows for common operations such as payment processing, chargebacks, and storage.
  • Resource and Security Approval: Every asset, protocol, and connection should have an identified business and security justification, approved by the management role designated in the company's roles and responsibilities.
  • Review: Companies must review NSC configurations at least once every six months to ensure they remain functional and effective.


1.3 – Restrictions for Network Access

  • Network Traffic Restriction: Inbound and outbound traffic to Cardholder Data Environments (CDEs) must be restricted regardless of its origin, and all connections must be inspected.
  • Network Security Controls: NSCs must be installed between wireless networks and the wired CDE so that only traffic from authorized sources is allowed into the CDE.


1.4 – Network Connections Between Trusted and Untrusted Networks

  • Separation of Untrusted Networks: NSCs must be installed and maintained between trusted and untrusted networks, including third-party vendor networks, to restrict incoming and outgoing traffic. Permitted traffic is limited to communications between authorized systems and protocols, stateful responses to connections initiated by system components, and other legitimate services.
  • Anti-Spoofing Controls: NSCs must be able to detect and block packets with spoofed source IP addresses, whether they arrive from untrusted or trusted networks.
  • Separating Cardholder Data: Systems that store cardholder data must be separated from untrusted networks.
  • Limiting Disclosure of IP Addresses: Only authorized parties may learn internal IP addresses and routing information.
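As an added illustration of how the expectations in 1.2 (documented justification and approval, a review at least every six months), 1.3 (restricted CDE traffic) and 1.4 (controls between untrusted networks and the CDE, anti-spoofing, stateful responses) can be checked against a concrete firewall ruleset, here is a small reviewer script. It is constructed example code, not Lazarus Alliance's or the PCI Security Standards Council's; the CDE range 10.20.0.0/24, the zone names, the review date and the sample rules are all assumptions chosen for the demonstration.

```python
"""Review a firewall ruleset against PCI DSS 4.0 Requirement 1 expectations.
Constructed example: not Lazarus Alliance code and not a PCI SSC tool.
The CDE range, zone names, review date and sample rules are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Assumed topology: one CDE subnet inside RFC 1918 space, two untrusted zones.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
UNTRUSTED_ZONES = {"internet", "vendor"}
REVIEW_INTERVAL = timedelta(days=182)   # "at least once every six months" (1.2)
REVIEW_DATE = date(2025, 12, 1)         # constructed "today" for the sample run


@dataclass
class Rule:
    name: str
    src_zone: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    dst_port: str             # port number as a string, or "any"
    action: str               # "allow" or "deny"
    justification: str = ""   # documented business purpose (1.2)
    approved_by: str = ""     # approving role (1.2)
    stateful: bool = True     # replies allowed only for established sessions (1.4)


@dataclass
class Ruleset:
    rules: list
    last_reviewed: date
    default_inbound: str = "deny"
    default_outbound: str = "deny"


def overlaps(cidr, networks):
    """True if a rule address (CIDR or 'any') overlaps any of the given networks."""
    if cidr == "any":
        return True
    net = ipaddress.ip_network(cidr)
    return any(net.version == n.version and net.overlaps(n) for n in networks)


def review(ruleset, today):
    """Return a list of (requirement, message) findings; empty means nothing flagged."""
    findings = []
    if ruleset.default_inbound != "deny" or ruleset.default_outbound != "deny":
        findings.append(("1.3", "default policy is not deny in both directions"))
    if today - ruleset.last_reviewed > REVIEW_INTERVAL:
        findings.append(("1.2", "ruleset not reviewed within the last six months"))

    first_untrusted_allow = None   # position of the first allow from an untrusted zone
    antispoof_index = None         # position of the anti-spoofing deny, if any
    for i, r in enumerate(ruleset.rules):
        # Anti-spoofing: drop packets claiming an internal source but arriving from outside.
        if (r.action == "deny" and r.src_zone in UNTRUSTED_ZONES
                and r.src != "any" and overlaps(r.src, INTERNAL_NETWORKS)):
            if antispoof_index is None:
                antispoof_index = i
            continue
        if r.action != "allow":
            continue
        if r.src_zone in UNTRUSTED_ZONES and first_untrusted_allow is None:
            first_untrusted_allow = i
        if not (overlaps(r.src, CDE_NETWORKS) or overlaps(r.dst, CDE_NETWORKS)):
            continue   # rule does not touch the CDE; outside this reviewer's scope
        if not r.justification or not r.approved_by:
            findings.append(("1.2", f"{r.name}: CDE rule lacks documented justification or approval"))
        if r.src == "any" and r.dst_port == "any":
            findings.append(("1.3", f"{r.name}: any-source, any-port allow into the CDE"))
        if r.src_zone in UNTRUSTED_ZONES and overlaps(r.dst, CDE_NETWORKS):
            findings.append(("1.4", f"{r.name}: direct allow from untrusted zone '{r.src_zone}' into the CDE"))
        if not r.stateful:
            findings.append(("1.4", f"{r.name}: stateless allow; replies not limited to established sessions"))

    if antispoof_index is None:
        findings.append(("1.4", "no anti-spoofing deny for internal source addresses from untrusted zones"))
    elif first_untrusted_allow is not None and antispoof_index > first_untrusted_allow:
        findings.append(("1.4", "anti-spoofing deny is ordered after an allow from an untrusted zone"))
    return findings


def sample_ruleset():
    """Constructed ruleset with deliberate gaps so the reviewer has something to flag."""
    return Ruleset(
        rules=[
            Rule("vendor-support-ssh", "vendor", "203.0.113.0/24", "10.20.0.0/24", "22", "allow"),
            Rule("drop-spoofed-internal", "internet", "10.0.0.0/8", "any", "any", "deny"),
            Rule("app-to-tokenizer", "dmz", "10.10.0.0/24", "10.20.0.10/32", "443", "allow",
                 "Payment app calls the tokenization API", "Security Lead"),
            Rule("legacy-ops", "internal", "any", "10.20.0.0/24", "any", "allow",
                 "Legacy monitoring", "Ops Manager"),
        ],
        last_reviewed=date(2025, 3, 1),
    )


def review_sample():
    """Run the reviewer over the constructed ruleset at the constructed review date."""
    return review(sample_ruleset(), REVIEW_DATE)


if __name__ == "__main__":
    for requirement, message in review_sample():
        print(f"[Req {requirement}] {message}")
```

Run as-is, the script flags five findings on the sample: the stale review, the vendor rule that lacks a documented justification and also allows an untrusted zone straight into the CDE, the any-source/any-port allow, and the anti-spoofing deny that is ordered after an untrusted allow and therefore never sees that traffic. Rule ordering is the point worth taking away: a deny that exists on paper but sits below a broader allow satisfies a checklist reading of 1.4 without actually blocking anything, which is exactly what the six-monthly review in 1.2 is meant to catch.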


1.5 – Network Risks for Cardholder Data Environments (CDEs)

  • Securing Internal and External Devices: Any device, from employee workstations to mobile devices and employee-owned computers, may connect to a trusted network only through strict security controls before it communicates with a CDE. End users must not be able to alter or disable these controls, and the controls must be specifically tailored to the needs of the system in question.


Prepare for PCI DSS 4.0 with Lazarus Alliance

Requirement 1 of PCI DSS is only the tip of the compliance iceberg for merchants and payment processors. But it is important: here, the basics of network security, device restriction, and system protection are established. If your business cannot meet these requirements, then it has no business holding cardholder data.

