AUTHOR: The Drata Team

Week of January 27


We have introduced several enhancements to improve your compliance experience. Here are the highlights:

Latest Improvements

PCI DSS 4.0.1 

The PCI Security Standards Council has released a minor update to PCI DSS that revises the text of, and corrects, a number of the requirements, and those updates are now reflected in the Drata platform.

The PCI Security Standards Council (PCI SSC) has published a limited revision to the standard, PCI DSS v4.0.1. It corrects formatting and typographical errors and clarifies the focus and intent of some requirements and guidance. No requirements were added or removed in this revision.

Requirement 3 

  • Clarified Applicability Notes for issuers and companies that support issuing services.

  • Added a Customized Approach Objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable. 
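The Requirement 3 bullet above refers to keyed cryptographic hashes for rendering PAN unreadable. The following Python block is an added example, not code from Drata or from the PCI SSC, that shows why the key matters: a 16-digit PAN is a fixed-length digit string constrained by the Luhn check, so an unkeyed SHA-256 of the PAN can be reversed by enumerating candidates once the issuer prefix (BIN) is known, whereas an HMAC-SHA256 over the same PAN cannot be enumerated without the secret key. The PAN, the prefix and the key are constructed test values; the 12-digit known prefix keeps the demo search to 1,000 candidates, while a real 6-digit BIN leaves roughly 10^8 Luhn-valid candidates, still trivial work for commodity hardware.

```python
"""Keyed vs. unkeyed hashing of a PAN (added example; assumptions are marked)."""
import hashlib
import hmac
import secrets


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for the digits that precede it."""
    total = 0
    # Walking from the rightmost payload digit, every other digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and keyless, so enumerable."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN; the key must be managed like any other
    cryptographic key (this example just holds it in memory)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(target_digest: str, known_prefix: str, pan_length: int = 16):
    """Brute-force an unkeyed SHA-256 digest of a PAN given a known prefix.

    Only Luhn-valid candidates are hashed, so the last digit is derived
    rather than enumerated. Returns the PAN or None if no candidate matches.
    """
    free = pan_length - len(known_prefix) - 1
    for n in range(10 ** free):
        body = known_prefix + str(n).zfill(free)
        candidate = body + luhn_check_digit(body)
        if unkeyed_hash(candidate) == target_digest:
            return candidate
    return None


def demo() -> dict:
    # Constructed test PAN (a well-known Luhn-valid test number) and prefix.
    pan = "4111111111111111"
    known_prefix = pan[:12]          # assumed: attacker knows the first 12 digits
    key = secrets.token_bytes(32)    # assumed: a freshly generated HMAC key

    return {
        "luhn_valid": luhn_valid(pan),
        # Unkeyed digest: recovered by enumerating the remaining digits.
        "recovered_from_unkeyed": recover_pan(unkeyed_hash(pan), known_prefix),
        # Keyed digest: the same enumeration finds nothing without the key.
        "recovered_from_keyed": recover_pan(keyed_hash(pan, key), known_prefix),
        # The keyed digest is still verifiable by a party holding the key.
        "keyed_verifies": hmac.compare_digest(
            keyed_hash(pan, key), keyed_hash(pan, key)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for an assessment is that "hashed" alone does not make a PAN unreadable: the digest must be computed with a secret key over the whole PAN, and the security of the stored digests then rests entirely on how that key is generated, stored and rotated.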

Requirement 6 

  • Reverted to the PCI DSS v3.2.1 language: the requirement to install patches/updates within 30 days applies only to "critical vulnerabilities."

  • Added Applicability Notes to clarify how the requirement for managing payment page scripts applies. 

Requirement 8 

  • Added an Applicability Note that the requirement for multi-factor authentication on all (non-administrative) access into the CDE does not apply to user accounts that are authenticated only with phishing-resistant authentication factors.

Requirement 12

  • Updated Applicability Notes to clarify several points about relationships between customers and third-party service providers (TPSPs). 

Appendices

  • Removed the Customized Approach sample templates from Appendix E and instead referred to the sample templates available on the PCI SSC website.

  • Added definitions for “Legal Exception,” "Phishing Resistant Authentication," and “Visitor” to Appendix G. 

For more information about PCI DSS v4.0.1, see https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1

FRAMEWORK READINESS TOGGLE

A new toggle on the Frameworks page lets administrative users view framework readiness calculated from either controls or requirements.

  • Framework readiness is now calculated from controls by default; customers who prefer the previous behavior can use the toggle to switch the calculation back to requirements.

  • This configuration option lets customers manage their compliance program in the way that works best for them.

  • This is a per-user setting.

The following Help articles have been updated:

VIRTUAL ASSETS for AWS ORG UNITS

We are pleased to announce full support for Virtual Assets for AWS Org Units.

  • No new permissions are needed for the assets to load.

  • The assets are populated nightly during Drata's infrastructure sync.

  • The sync pulls the same asset types as a single-account AWS connection.
