Document Comparison

PCI_DSS_v3-2-1.pdf → PCI-DSS-v3-2-1-r1.pdf
98% similar
139 → 139 Pages
57801 → 57964 Words
27 Content Changes

Content Changes

27 content changes. 47 administrative changes (dates, page numbers) hidden.

Added p. 7
• CAV2/CVC2/CVN2/CVV2/CID
Modified p. 8
Data Element                        Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
Account Data
  Cardholder Data
    Primary Account Number (PAN)    Yes                 Yes
    Cardholder Name                 Yes                 No
    Service Code                    Yes                 No
    Expiration Date                 Yes                 No
  Sensitive Authentication Data
    Full Track Data [3]             No                  Cannot store per Requirement 3.2
    CAV2/CVC2/CVV2/CID [4]          No                  Cannot store per Requirement 3.2
    PIN/PIN Block [5]               No                  Cannot store per Requirement 3.2

Data Element                        Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
Account Data
  Cardholder Data
    Primary Account Number (PAN)    Yes                 Yes
    Cardholder Name                 Yes                 No
    Service Code                    Yes                 No
    Expiration Date                 Yes                 No
  Sensitive Authentication Data
    Full Track Data [3]             No                  Cannot store per Requirement 3.2
    CAV2/CVC2/CVN2/CVV2/CID [4]     No                  Cannot store per Requirement 3.2
    PIN/PIN Block [5]               No                  Cannot store per Requirement 3.2
Modified p. 9
Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.
Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CVC2, CVN2, CVV2, CID), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.
Modified p. 10
• The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If the entity id entifies data that is not currently included in the CDE, such data should be securely deleted, migrated into the currently defined CDE, or the CDE redefined to include this data.
• The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If the entity identifies data that is not currently included in the CDE, such data should be securely deleted, migrated into the currently defined CDE, or the CDE redefined to include this data.
Modified p. 11
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless local area network (WLAN) is part of, or connected to the cardholder data environment, the PCI DSS requirements and testing p rocedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology …
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless local area network (WLAN) is part of, or connected to the cardholder data environment, the PCI DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only …
Modified p. 13
• Resuming monitoring of the security control, perhaps with enhanced monitoring for a period of time, to verify the control is operating effectively 3. Reviewing changes to the environment (for example, addition of new systems, changes in system or network configurations) prior to completion of the change, and perform the following:
• Resuming monitoring of the security control, perhaps with enhanced monitoring for a period of time, to verify the control is operating effectively
Modified p. 13
• Update PCI DSS scope and implement security controls as appropriate. 4. Changes to organizational structure (for example, a company merger or acquisition) resulting in formal review of the impact to PCI DSS scope and requirements.
4. Changes to organizational structure (for example, a company merger or acquisition) resulting in formal review of the impact to PCI DSS scope and requirements.
Modified p. 15
• If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/contro ls in place. The sample must be large enough to provide the assessor with reasonable assurance that all business facilities/system components are configured per the standard processes. The assessor must verify that the standardized, centralized controls are implemented and working effectively.
• If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/controls in place. The sample must be large enough to provide the assessor with reasonable assurance that all business facilities/system components are configured per the standard processes. The assessor must verify that the standardized, centralized controls are implemented and working effectively.
Modified p. 17
4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Attestations of Co mpliance are available on the PCI SSC website.
4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Attestations of Compliance are available on the PCI SSC website.
Modified p. 28
• Personal firewall software or equivalent functionality is required for all portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
• Personal firewall software or equivalent functionality is required for all portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. • Specific configuration settings are defined for personal firewall (or equivalent functionality).

• Personal firewall (or equivalent functionality) is configured to actively run.

• Personal firewall (or equivalent functionality) is configured to not be alterable by users of the portable …
Modified p. 28
• Personal firewall (or equivalent functionality) is installed and configured per the organization’s specific configuration settings.
• Personal firewall (or equivalent functionality) is installed and configured per the organization’s specific configuration settings. • Personal firewall (or equivalent functionality) is actively running.

• Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.
Modified p. 36
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements • Specific retention requirements for cardholder data

• Processes for secure deletion of data when no longer needed

• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Modified p. 37
• Examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy
• Examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy • Observe the deletion mechanism to verify data is deleted securely.
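The quarterly sweep added on p. 36 (identifying and securely deleting stored cardholder data that exceeds defined retention) and the p. 10 scoping note (any cardholder data found is in scope) both depend on being able to find stored PANs first. The following is an added Python example and is not text or code from either PCI DSS revision: it scans constructed sample records for Luhn-valid PAN candidates, masks them to first six/last four for reporting, and lists the records older than the retention window as candidates for deletion. The record layout, the 365-day window, the date and the card numbers (publicly documented test numbers) are assumptions for illustration; the secure-deletion step itself is storage-specific and is left to the mechanism the assessor observes under the p. 37 testing procedure.

```python
"""Quarterly stored-PAN sweep (added example, not PCI DSS text).

Scans records for candidate PANs (13-19 digits, optionally separated by
single spaces or dashes), validates them with the Luhn check to cut false
positives, and reports records whose PANs are older than the retention
period so they can be securely deleted. Records here are a constructed
in-memory sample; in practice the same logic runs over files, database
exports or log archives.
"""
import re
from datetime import date, timedelta

# Candidate PAN: 13-19 digits allowing a single space or dash between digits.
# Caveat: a digit run adjacent to a PAN (invoice number, date) can fuse with
# it; the Luhn check filters most such fusions but not all, so review hits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

TODAY = date(2024, 7, 1)  # assumed sweep date

SAMPLE_RECORDS = [  # constructed sample data, test card numbers only
    {"id": "txn-1001", "stored_on": date(2023, 1, 9),
     "body": "auth ok card=4111 1111 1111 1111 exp=12/26 amt=19.99"},
    {"id": "txn-1002", "stored_on": date(2024, 6, 20),
     "body": "auth ok card=5555555555554444 amt=5.00"},
    {"id": "log-7", "stored_on": date(2022, 3, 3),
     "body": "order 8675309 ref 4111111111111112 shipped"},  # fails Luhn
    {"id": "txn-1003", "stored_on": date(2023, 11, 30),
     "body": "amex 3782-822463-10005 declined"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six / last four: the most Requirement 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sweep(records, retention_days: int, today: date) -> list[tuple[str, list[str]]]:
    """Return (record id, masked PANs) for records holding PANs stored
    longer than retention_days; these are the deletion candidates."""
    cutoff = today - timedelta(days=retention_days)
    hits = []
    for rec in records:
        pans = find_pans(rec["body"])
        if pans and rec["stored_on"] < cutoff:
            hits.append((rec["id"], [mask_pan(p) for p in pans]))
    return hits


if __name__ == "__main__":
    for rec_id, masked in sweep(SAMPLE_RECORDS, 365, TODAY):
        print(f"{rec_id}: exceeds retention, holds {masked}")
```

Only the masked form ever leaves the scanner; the report itself must not become another store of full PANs.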
Modified p. 38
• All logs (for example, transaction, history, debugging, error) • History files
• All logs (for example, transaction, history, debugging, error)
Modified p. 42
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date • Description of the key usage for each key
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
Modified p. 47
Examples of open, public networks include but are not limited to: • The Internet
Examples of open, public networks include but are not limited to:
Modified p. 64
• Flagging session tokens (for example cookies) as “secure”

• Not exposing session IDs in the URL
• Flagging session tokens (for example cookies) as
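The two Requirement 6.5.10 items above (session cookies flagged "secure", no session IDs in the URL) are checked at the HTTP layer. The following is an added Python example and is not text or code from either PCI DSS revision: it builds the weak and the hardened Set-Cookie forms side by side, reports which flags a header lacks, and flags URLs that carry a session identifier in the query string or as a ";name=value" path parameter. The list of session parameter names and the sample URLs are constructed assumptions.

```python
"""Session-token hygiene checks for Requirement 6.5.10 (added example).

  1. A Set-Cookie header carrying a session token should set Secure and
     HttpOnly (and, defensively, SameSite).
  2. Session identifiers must not appear in URLs, where they leak through
     proxy logs, browser history and the Referer header.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed, non-exhaustive list of common session-identifier names.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "jsessionid", "phpsessid",
                       "asp.net_sessionid", "sid", "session"}


def build_session_cookie(name: str, value: str, *, secure: bool = True,
                         http_only: bool = True, same_site: str = "Lax") -> str:
    """Return a Set-Cookie header value for a session token.

    The defaults give the hardened form; secure=False, http_only=False,
    same_site="" reproduces the weak form 6.5.10 warns against.
    """
    if any(ch in name + value for ch in ";,\r\n "):
        raise ValueError("cookie name/value must not contain separators or CR/LF")
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")      # browser sends the cookie only over TLS
    if http_only:
        parts.append("HttpOnly")    # not readable from document.cookie
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def cookie_header_issues(set_cookie: str) -> list[str]:
    """Return the protective flags missing from a Set-Cookie header."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if "samesite" not in attrs:
        issues.append("missing SameSite")
    return issues


def url_leaks_session_id(url: str) -> bool:
    """True if a session identifier rides in the query string or in a
    ';name=value' path parameter (servlet-style URL rewriting)."""
    parts = urlsplit(url)
    query_names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if query_names & SESSION_PARAM_NAMES:
        return True
    for segment in parts.path.split("/"):
        for matrix in segment.split(";")[1:]:
            if matrix.split("=", 1)[0].lower() in SESSION_PARAM_NAMES:
                return True
    return False


if __name__ == "__main__":
    weak = build_session_cookie("SESSIONID", "a1b2c3",
                                secure=False, http_only=False, same_site="")
    strong = build_session_cookie("SESSIONID", "a1b2c3")
    print(weak, "->", cookie_header_issues(weak))
    print(strong, "->", cookie_header_issues(strong))
    for u in ("https://shop.example/cart?item=42",
              "https://shop.example/cart?item=42&sessionid=a1b2c3",
              "https://shop.example/cart;jsessionid=a1b2c3"):
        print(u, "->", "leaks session id" if url_leaks_session_id(u) else "ok")
```

Run the two checks against captured responses and access logs rather than against source alone: a framework default or a reverse proxy can strip flags or rewrite URLs after the code has set them correctly.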
Modified p. 64
- After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
Modified p. 64
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable.
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified p. 71
• Examine documentation describing the authentication method(s) used.
• Examine documentation describing the authentication method(s) used. • For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
Modified p. 76
• Shared user IDs do not exist for system administration and other critical functions.
• Generic user IDs are disabled or removed.

• Shared user IDs do not exist for system administration and other critical functions. • Shared and generic user IDs are not used to administer any system components.
Modified p. 76
• Shared user IDs for system administration activities and other critical functions do not exist.
• Shared user IDs for system administration activities and other critical functions do not exist. • Shared and generic user IDs are not used to administer any system components.
Modified p. 81
• Identifying onsite personnel and visitors (for example, assigning badges) • Changes to access requirements
• Identifying onsite personnel and visitors (for example, assigning badges)
Modified p. 81
• Identifying onsite personnel and visitors (for example, assigning badges), • Changing access requirements, and
• Identifying onsite personnel and visitors (for example, assigning badges),
Modified p. 87
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices • Not to install, replace, or return devices without verification
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
Modified p. 100
Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point to stage a new attack based on the resources …
Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point to stage a new attack based on the resources …
Modified p. 123
• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions
• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions

PCI DSS Reference: Requirements 1-12

A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following: