Document Comparison
pci_dss_v1-1.pdf
→
PCI_Security_Assessment_Procedures_v1-2.pdf
33% similar
17 → 73
Pages
6435 → 22864
Words
113
Content Changes
Content Changes
113 content changes. 28 administrative changes (dates, page numbers) hidden.
Added
p. 5
PCI DSS Applicability Information The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and whether each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
PCI DSS Req. 3.4 Cardholder Data Primary Account Number (PAN) Yes Yes Yes Cardholder Name 1 Yes Yes 1 No Service Code 1 Yes Yes 1 No Expiration Date 1 Yes Yes 1 No Sensitive Authentication Full Magnetic Stripe Data 3 No N/A N/A CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A 1 These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, …
PCI DSS Req. 3.4 Cardholder Data Primary Account Number (PAN) Yes Yes Yes Cardholder Name 1 Yes Yes 1 No Service Code 1 Yes Yes 1 No Expiration Date 1 Yes Yes 1 No Sensitive Authentication Full Magnetic Stripe Data 3 No N/A N/A CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A 1 These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, …
Added
p. 6
Network Segmentation Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce:
The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network. An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the …
The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network. An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the …
Added
p. 7
Third Parties/Outsourcing For service providers required to undergo an annual onsite assessment, compliance validation must be performed on all system components where cardholder data is stored, processed, or transmitted.
A service provider or merchant may use a third-party provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.
For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the reviewed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate …
A service provider or merchant may use a third-party provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.
For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the reviewed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate …
Added
p. 8
If there are standard, required PCI DSS processes in place that each facility must follow, the sample can be smaller than is necessary if there are no standard processes, to provide reasonable assurance that each facility is configured per the standard process.
If there is more than one type of standard process in place (for example, for different types of system components or facilities), then the sample must be large enough to include system components or facilities secured with each type of process.
If there are no standard PCI DSS processes in place and each facility is responsible for their processes, then sample size must be larger to be assured that each facility understands and implements PCI DSS requirements appropriately.
Please also refer to Appendix F: PCI DSS Reviews
• Scoping and Selecting Samples.
Compensating Controls On an annual basis, any compensating controls must be documented, reviewed and validated by the assessor …
If there is more than one type of standard process in place (for example, for different types of system components or facilities), then the sample must be large enough to include system components or facilities secured with each type of process.
If there are no standard PCI DSS processes in place and each facility is responsible for their processes, then sample size must be larger to be assured that each facility understands and implements PCI DSS requirements appropriately.
Please also refer to Appendix F: PCI DSS Reviews
• Scoping and Selecting Samples.
Compensating Controls On an annual basis, any compensating controls must be documented, reviewed and validated by the assessor …
Added
p. 9
Report Content and Format Follow these instructions for report content and format when completing a Report on Compliance:
1. Executive Summary Include the following:
Describe the entity’s payment card business, including:
- Their business role with payment cards, which is how and why they store, process, and/or transmit cardholder data Note: This is not intended to be a cut-and-paste from the entity’s web site, but should be a tailored description that shows the assessor understands payment and the entity’s role.
- How they process payment (directly, indirectly, etc.)
- What types of payment channels they serve, such as card-not-present, (for example, mail-order-telephone-order (MOTO), e- Commerce), or card-present
- Any entities that they connect to for payment transmission or processing, including processor relationships A high-level network diagram (either obtained from the entity or created by assessor) of the entity’s networking topography that includes:
- Connections into and out of the network
- Critical components within the cardholder …
1. Executive Summary Include the following:
Describe the entity’s payment card business, including:
- Their business role with payment cards, which is how and why they store, process, and/or transmit cardholder data Note: This is not intended to be a cut-and-paste from the entity’s web site, but should be a tailored description that shows the assessor understands payment and the entity’s role.
- How they process payment (directly, indirectly, etc.)
- What types of payment channels they serve, such as card-not-present, (for example, mail-order-telephone-order (MOTO), e- Commerce), or card-present
- Any entities that they connect to for payment transmission or processing, including processor relationships A high-level network diagram (either obtained from the entity or created by assessor) of the entity’s networking topography that includes:
- Connections into and out of the network
- Critical components within the cardholder …
Added
p. 12
6. Findings and Observations Summarize in the Executive Summary any findings that may not fit into the standard Report on Compliance template format. All assessors must use the Detailed PCI DSS Requirements and Security Assessment Procedures template to provide detailed report descriptions and findings on each requirement and sub-requirement. The assessor must review and document any compensating controls considered to conclude that a control is in place.
See Compensating Controls section above and Appendices B and C for more details on “compensating controls.” Revalidation of Open Items A “controls in place” report is required to verify compliance. The report is considered non-compliant if it contains “open items,” or items that will be finished at a future date. The merchant/service provider must address these items before validation is completed. After these items are addressed by the merchant/service provider, the assessor will then reassess to validate that the remediation occurred …
See Compensating Controls section above and Appendices B and C for more details on “compensating controls.” Revalidation of Open Items A “controls in place” report is required to verify compliance. The report is considered non-compliant if it contains “open items,” or items that will be finished at a future date. The merchant/service provider must address these items before validation is completed. After these items are addressed by the merchant/service provider, the assessor will then reassess to validate that the remediation occurred …
Added
p. 13
PCI DSS Requirements
• This column defines the Data Security Standard and lists requirements to achieve PCI DSS compliance; compliance will be validated against these requirements.
Testing Procedures
• This column shows processes to be followed by the assessor to validate that PCI DSS requirements are “in place” In Place
• This column must be used by the assessor to provide a brief description of controls found in place, including those controls found to be in place as a result of compensating controls. (Note: that this column must not be used for items that are not yet in place or for open items to be completed at a future date.) Not in Place
• This column must be used by the assessor to provide a brief description controls that are not in place. Note that a non- compliant report should not be submitted to a payment brand or acquirer unless specifically …
• This column defines the Data Security Standard and lists requirements to achieve PCI DSS compliance; compliance will be validated against these requirements.
Testing Procedures
• This column shows processes to be followed by the assessor to validate that PCI DSS requirements are “in place” In Place
• This column must be used by the assessor to provide a brief description of controls found in place, including those controls found to be in place as a result of compensating controls. (Note: that this column must not be used for items that are not yet in place or for open items to be completed at a future date.) Not in Place
• This column must be used by the assessor to provide a brief description controls that are not in place. Note that a non- compliant report should not be submitted to a payment brand or acquirer unless specifically …
Added
p. 14
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 1.1 Establish firewall and router configuration standards that include the following:
Added
p. 14
1.1.2.b Verify that the diagram is kept current.
Added
p. 15
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure 1.1.5.a Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business•for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service. An example of an insecure service, protocol, or port is FTP, which passes user credentials in clear-text.
1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service. An example of an insecure service, protocol, or port is FTP, which passes user credentials in clear-text.
Added
p. 15
1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.
Added
p. 15
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
Added
p. 15
1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
Added
p. 16
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
Added
p. 17
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only ”established” connections are allowed into the network.) 1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). [Only established connections should be allowed in, and only if they are associated with a previously established session (run a port scanner on all TCP ports with “syn reset” or ”syn ack” bits set•a response means packets are allowed through even if they are not part of a previously established session).] 1.3.7 Place the database in an internal network zone, segregated from the DMZ.
Added
p. 17
1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization’s network, have personal firewall software installed and active.
1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by mobile computer users.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ Comments 2.1 Always change vendor-supplied defaults before installing a system on the network•for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by mobile computer users.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ Comments 2.1 Always change vendor-supplied defaults before installing a system on the network•for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Added
p. 18
Encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions Default SNMP community strings on wireless devices were changed Default passwords/passphrases on access points were changed Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2) Other security-related wireless vendor defaults, if applicable
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry- accepted hardening standards•for example, SysAdmin Audit Network Security (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
2.2.b …
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry- accepted hardening standards•for example, SysAdmin Audit Network Security (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
2.2.b …
Added
p. 19
2.2.3.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
2.2.3.b Verify that common security parameter settings are included in the system configuration standards.
2.2.3.c For a sample of system components, verify that common security parameters are set appropriately.
2.2.3.b Verify that common security parameter settings are included in the system configuration standards.
2.2.3.c For a sample of system components, verify that common security parameters are set appropriately.
Added
p. 20
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web- based management and other non-console administrative access.
Added
p. 20
Observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator’s password is requested; Reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and Verifying that administrator access to the web- based management interfaces is encrypted with strong cryptography.
Added
p. 21
Please refer to the PCI DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
Added
p. 22
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 3.2 Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
Added
p. 22
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: The cardholder’s name, Primary account number (PAN), Expiration date, and Service code To minimize risk, store only these data elements as needed for business.
Note: See PCI DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.
Note: See PCI DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.
Added
p. 22
Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents
Note: See PCI DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 3.2.2 Do not store the card- verification code or value (three- digit or four-digit number printed on the front or back of a payment card) used to verify card-not- present transactions.
Note: See PCI DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 3.2.2 Do not store the card- verification code or value (three- digit or four-digit number printed on the front or back of a payment card) used to verify card-not- present transactions.
Added
p. 23
Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
Added
p. 23
Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). Notes:
This requirement does not apply to employees and other parties with a legitimate business need to see the full PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, for point-of- sale (POS) receipts.
This requirement does not apply to employees and other parties with a legitimate business need to see the full PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, for point-of- sale (POS) receipts.
Added
p. 24
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:
One-way hashes based on strong cryptography Truncation Index tokens and pads (pads must be securely stored) Strong cryptography with associated key-management processes and procedures The MINIMUM account information that must be rendered unreadable is the PAN. Notes:
If for some reason, a company is unable render the PAN unreadable, refer to Appendix B: Compensating Controls. “Strong cryptography” is defined in the PCI DSS Glossary of Terms, Abbreviations, and Acronyms.
3.4.a Obtain and examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable). Verify that the PAN is rendered unreadable using one of the following methods:
One-way …
One-way hashes based on strong cryptography Truncation Index tokens and pads (pads must be securely stored) Strong cryptography with associated key-management processes and procedures The MINIMUM account information that must be rendered unreadable is the PAN. Notes:
If for some reason, a company is unable render the PAN unreadable, refer to Appendix B: Compensating Controls. “Strong cryptography” is defined in the PCI DSS Glossary of Terms, Abbreviations, and Acronyms.
3.4.a Obtain and examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable). Verify that the PAN is rendered unreadable using one of the following methods:
One-way …
Added
p. 24
3.4.1.b Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments not be tied to user accounts. 3.4.1.c Verify that cardholder data on removable media is encrypted wherever stored. Note: Disk encryption often cannot encrypt removable media, so data stored on this media will need to be encrypted separately.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments not be tied to user accounts. 3.4.1.c Verify that cardholder data on removable media is encrypted wherever stored. Note: Disk encryption often cannot encrypt removable media, so data stored on this media will need to be encrypted separately.
Added
p. 25
3.6.a Verify the existence of key-management procedures for keys used for encryption of cardholder data. Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.
3.6.b For service providers only: If the service provider shares keys with their customers for transmission of cardholder data, verify that the service provider provides documentation to customers that includes guidance on how to securely store and change customer’s keys (used to transmit data between customer and service provider).
3.6.c Examine the key-management procedures and perform the following:
3.6.b For service providers only: If the service provider shares keys with their customers for transmission of cardholder data, verify that the service provider provides documentation to customers that includes guidance on how to securely store and change customer’s keys (used to transmit data between customer and service provider).
3.6.c Examine the key-management procedures and perform the following:
Added
p. 26
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 3.6.4 Periodic cryptographic key changes As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically At least annually 3.6.4 Verify that key-management procedures are implemented to require periodic key changes at least annually.
Added
p. 26
3.6.5.b Verify that the key-management procedures are implemented to require the replacement of known or suspected compromised keys.
Added
p. 27
The Internet, Wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS).
4.1.a Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:
- Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)
PCI DSS Requirements …
4.1.a Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:
- Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)
PCI DSS Requirements …
Added
p. 28
4.2.a Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies.
4.2.b Verify the existence of a policy stating that unencrypted PANs are not to be sent via end-user messaging technologies.
Requirement 5: Use and regularly update anti-virus software or programs Malicious software, commonly referred to as “malware”
•including viruses, worms, and Trojans
•enters the network during many business approved activities including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
4.2.b Verify the existence of a policy stating that unencrypted PANs are not to be sent via end-user messaging technologies.
Requirement 5: Use and regularly update anti-virus software or programs Malicious software, commonly referred to as “malware”
•including viruses, worms, and Trojans
•enters the network during many business approved activities including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Added
p. 29
5.2.a Obtain and examine the policy and verify that it requires updating of anti-virus software and definitions.
5.2.b Verify that the master installation of the software is enabled for automatic updates and periodic scans.
5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.
5.2d For a sample of system components, verify that antivirus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than …
5.2.b Verify that the master installation of the software is enabled for automatic updates and periodic scans.
5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.
5.2d For a sample of system components, verify that antivirus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than …
Added
p. 30
6.2.a Interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities.
6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. These processes must include the following:
6.3.a Obtain and examine written software development processes to verify that the processes are based on industry standards, security is included throughout the life cycle, and software applications are developed in accordance with PCI DSS.
6.3.b From an examination of written software development processes, interviews of software developers, and examination of relevant data (network configuration documentation, …
6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. These processes must include the following:
6.3.a Obtain and examine written software development processes to verify that the processes are based on industry standards, security is included throughout the life cycle, and software applications are developed in accordance with PCI DSS.
6.3.b From an examination of written software development processes, interviews of software developers, and examination of relevant data (network configuration documentation, …
Added
p. 32
PCI DSS Requirements Testing Procedures In Place Not in Place Target Date/ Comments 6.3.6 Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers 6.3.6 Custom application accounts, user IDs and/or passwords are removed before system goes into production or is released to customers.
Added
p. 32
6.3.7.a Obtain and review policies to confirm all custom application code changes for internal applications must be reviewed (either using manual or automated processes), as follows:
Code changes are reviewed by individuals other then the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices. Appropriate corrections are implemented prior to release. Code review results are reviewed and approved by management prior to release.
6.3.7.b Obtain and review policies to confirm that all custom application code changes for web applications must be reviewed (using either manual or automated processes) as follows:
Code changes are reviewed by individuals other then the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices. Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide (see PCI DSS Requirement 6.5). …
Code changes are reviewed by individuals other then the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices. Appropriate corrections are implemented prior to release. Code review results are reviewed and approved by management prior to release.
6.3.7.b Obtain and review policies to confirm that all custom application code changes for web applications must be reviewed (using either manual or automated processes) as follows:
Code changes are reviewed by individuals other then the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices. Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide (see PCI DSS Requirement 6.5). …
Added
p. 33
6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide (http://www.owasp.org).
6.5.b Interview a sample of developers and obtain evidence that they are knowledgeable in secure coding techniques.
6.5.c Verify that processes are in place to ensure that web applications are not vulnerable to the following:
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 6.5.1 Cross-site scripting (XSS) 6.5.1 Cross-site scripting (XSS) (Validate all parameters before inclusion.) 6.5.2 Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws.
6.5.b Interview a sample of developers and obtain evidence that they are knowledgeable in secure coding techniques.
6.5.c Verify that processes are in place to ensure that web applications are not vulnerable to the following:
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 6.5.1 Cross-site scripting (XSS) 6.5.1 Cross-site scripting (XSS) (Validate all parameters before inclusion.) 6.5.2 Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws.
Added
p. 35
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications 6.6 For public-facing web applications, ensure that either one of the following methods are in place as follows:
Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
- At least annually - After any changes - By an organization that specializes in application security - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Verify that a web-application firewall is in …
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications 6.6 For public-facing web applications, ensure that either one of the following methods are in place as follows:
Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
- At least annually - After any changes - By an organization that specializes in application security - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Verify that a web-application firewall is in …
Added
p. 36
“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
Added
p. 37
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
Added
p. 38
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
Added
p. 38
Password or passphrase Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys) 8.2 To verify that users are authenticated using unique ID and additional authentication (for example, a password) for access to the cardholder data environment, perform the following:
Obtain and examine documentation describing the authentication method(s) used. For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
Obtain and examine documentation describing the authentication method(s) used. For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
Added
p. 38
8.4.a For a sample of system components, examine password files to verify that passwords are unreadable during transmission and storage.
8.4.b For service providers only, observe password files to verify that customer passwords are encrypted.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 8.5 Ensure proper user authentication and password management for non- consumer users and administrators on all system components as follows:
8.4.b For service providers only, observe password files to verify that customer passwords are encrypted.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 8.5 Ensure proper user authentication and password management for non- consumer users and administrators on all system components as follows:
Added
p. 39
8.5.1.a Select a sample of user IDs, including both administrators and general users. Verify that each user is authorized to use the system according to company policy by performing the following:
Obtain and examine an authorization form for each ID. Verify that the sampled user IDs are implemented in accordance with the authorization form (including with privileges as specified and all signatures obtained), by tracing information from the authorization form to the system.
Obtain and examine an authorization form for each ID. Verify that the sampled user IDs are implemented in accordance with the authorization form (including with privileges as specified and all signatures obtained), by tracing information from the authorization form to the system.
Added
p. 40
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 8.5.8 Do not use group, shared, or generic accounts and passwords.
8.5.8.a For a sample of system components, examine user ID lists to verify the following Generic user IDs and accounts are disabled or removed. Shared user IDs for system administration activities and other critical functions do not exist. Shared and generic user IDs are not used to administer any system components.
8.5.8.b Examine password policies/procedures to verify that group and shared passwords are explicitly prohibited.
8.5.8.c Interview system administrators to verify that group and shared passwords are not distributed, even if requested.
8.5.8.a For a sample of system components, examine user ID lists to verify the following Generic user IDs and accounts are disabled or removed. Shared user IDs for system administration activities and other critical functions do not exist. Shared and generic user IDs are not used to administer any system components.
8.5.8.b Examine password policies/procedures to verify that group and shared passwords are explicitly prohibited.
8.5.8.c Interview system administrators to verify that group and shared passwords are not distributed, even if requested.
Added
p. 41
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 8.5.11 Use passwords containing both numeric and alphabetic characters.
Added
p. 42
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
8.5.16.a Review database and application configuration settings and verify that user authentication and access to databases includes the following:
All users are authenticated prior to access. All user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures). Direct access or queries to databases are restricted to database administrators.
8.5.16.b Review database applications and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in …
8.5.16.a Review database and application configuration settings and verify that user authentication and access to databases includes the following:
All users are authenticated prior to access. All user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures). Direct access or queries to databases are restricted to database administrators.
8.5.16.b Review database applications and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in …
Added
p. 43
Verify that access is controlled with badge readers or other devices including authorized badges and lock and key. Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder environment and verify that they are “locked” to prevent unauthorized use.
Added
p. 44
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. For purposes of this requirement, “employee” refers to full-time and part- time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
9.2.a Review processes and procedures for assigning badges to employees, and visitors, and verify these processes include the following:
Granting new badges, changing access requirements, and revoking terminated employee and expired visitor badges Limited access to badge system 9.2.b Observe people within the facility to verify that it is easy to distinguish between employees and visitors.
9.2.a Review processes and procedures for assigning badges to employees, and visitors, and verify these processes include the following:
Granting new badges, changing access requirements, and revoking terminated employee and expired visitor badges Limited access to badge system 9.2.b Observe people within the facility to verify that it is easy to distinguish between employees and visitors.
Added
p. 44
9.4.a Verify that a visitor log is in use to record physical access to the facility as well as for computer rooms and data centers where cardholder data is stored or transmitted.
9.4.b Verify that the log contains the visitor’s name, the firm represented, and the employee authorizing physical access, and is retained for at least three months.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.
9.4.b Verify that the log contains the visitor’s name, the firm represented, and the employee authorizing physical access, and is retained for at least three months.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.
Added
p. 46
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
Added
p. 46
9.10.1.a Verify that hard-copy materials are cross-cut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
9.10.1.b Examine storage containers used for information to be destroyed to verify that the containers are secured. For example, verify that a “to-be-shredded” container has a lock preventing access to its contents.
9.10.1.b Examine storage containers used for information to be destroyed to verify that the containers are secured. For example, verify that a “to-be-shredded” container has a lock preventing access to its contents.
Added
p. 47
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
Added
p. 48
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 10.3.4 Success or failure indication 10.3.4 Verify success or failure indication is included in log entries.
Added
p. 48
10.4.a Verify that a known, stable version of NTP (Network Time Protocol) or similar technology, kept current per PCI DSS Requirements 6.1 and 6.2, is used for time synchronization.
10.4.b Verify that internal servers are not all receiving time signals from external sources. [Two or three central time servers within the organization receive external time signals [directly from a special radio, GPS satellites, or other external sources based on International Atomic Time and UTC (formerly GMT)], peer with each other to keep accurate time, and share the time with other internal servers.] 10.4.c Verify that specific external hosts are designated from which the timeservers will accept NTP time updates (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the NTP service …
10.4.b Verify that internal servers are not all receiving time signals from external sources. [Two or three central time servers within the organization receive external time signals [directly from a special radio, GPS satellites, or other external sources based on International Atomic Time and UTC (formerly GMT)], peer with each other to keep accurate time, and share the time with other internal servers.] 10.4.c Verify that specific external hosts are designated from which the timeservers will accept NTP time updates (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the NTP service …
Added
p. 49
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 10.5.1 Limit viewing of audit trails to those with a job-related need.
Added
p. 49
10.6.b Through observation and interviews, verify that regular log reviews are performed for all system components.
10.7.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
11.1.a Verify that a wireless analyzer is …
10.7.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
11.1.a Verify that a wireless analyzer is …
Added
p. 50
11.2.a Inspect output from the most recent four quarters of internal network, host, and application vulnerability scans to verify that periodic security testing of the devices within the cardholder data environment occurs. Verify that the scan process includes rescans until passing results are obtained. Note: External scans conducted after network changes, and internal scans, may be performed by the company’s qualified internal personnel or third parties.
11.2.b Verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures, by inspecting output from the four most recent quarters of external vulnerability scans to verify that:
Four quarterly scans occurred in the most recent 12- month period; The results of each scan satisfy the PCI Security Scanning Procedures (for example, no urgent, critical, or high vulnerabilities); The scans were completed by an Approved Scanning Vendor (ASV) qualified by PCI SSC. Note: It is not …
11.2.b Verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures, by inspecting output from the four most recent quarters of external vulnerability scans to verify that:
Four quarterly scans occurred in the most recent 12- month period; The results of each scan satisfy the PCI Security Scanning Procedures (for example, no urgent, critical, or high vulnerabilities); The scans were completed by an Approved Scanning Vendor (ASV) qualified by PCI SSC. Note: It is not …
Added
p. 51
11.3.a Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. Verify that noted vulnerabilities were corrected and testing repeated.
11.3.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
11.3.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Added
p. 51
11.4.a Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic in the cardholder data environment is monitored.
11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 11.4.c Examine IDS/IPS configurations and confirm IDS/IPS devices are configured, maintained, and updated per vendor instructions to ensure optimal protection.
11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 11.4.c Examine IDS/IPS configurations and confirm IDS/IPS devices are configured, maintained, and updated per vendor instructions to ensure optimal protection.
Added
p. 52
Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Added
p. 52
Examples of files that should be monitored:
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log and audit files
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log and audit files
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
Added
p. 53
12.2.a Examine the daily operational security procedures. Verify that they are consistent with this specification, and include administrative and technical procedures for each of the requirements.
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.3 Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.3 Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
Added
p. 55
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.3.10 When accessing cardholder data via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media.
Added
p. 56
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
12.6.a Verify the existence of a formal security awareness program for all employees.
12.6.b Obtain and examine security awareness program procedures and documentation and perform the following:
12.6.a Verify the existence of a formal security awareness program for all employees.
12.6.b Obtain and examine security awareness program procedures and documentation and perform the following:
Added
p. 56
12.6.1.a Verify that the security awareness program provides multiple methods of communicating awareness and educating employees (for example, posters, letters, memos, web based training, meetings, and promotions).
12.6.1.b Verify that employees attend awareness training upon hire and at least annually.
12.6.1.b Verify that employees attend awareness training upon hire and at least annually.
Added
p. 57
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
Added
p. 57
(12.9 continued on next page)
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.9.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum Specific incident response procedures Business recovery and continuity procedures Data back-up processes Analysis of legal requirements for reporting compromises Coverage and responses of all critical system components Reference or inclusion of incident response procedures from the payment brands 12.9.1 Verify that the Incident Response Plan includes:
Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum Specific incident response procedures, Business recovery and continuity procedures, Data back-up processes Analysis …
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.9.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum Specific incident response procedures Business recovery and continuity procedures Data back-up processes Analysis of legal requirements for reporting compromises Coverage and responses of all critical system components Reference or inclusion of incident response procedures from the payment brands 12.9.1 Verify that the Incident Response Plan includes:
Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum Specific incident response procedures, Business recovery and continuity procedures, Data back-up processes Analysis …
Added
p. 59
PCI DSS Requirements Testing Procedures In Place Not in Target Date/ 12.9.5 Include alerts from intrusion- detection, intrusion-prevention, and file-integrity monitoring systems.
Added
p. 60
Requirements Testing Procedures In Place Not in Target Date/ A.1 Protect each entity’s (that is merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4: A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
A.1 Specifically for a PCI DSS assessment of a shared hosting provider, to verify that shared hosting providers protect entities’ (merchants and service providers) hosted environment and data, select a sample of servers (Microsoft Windows and Unix/Linux) across a representative sample of hosted merchants and service providers, and perform A.1.1 through A.1.4 below.
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data …
A.1 Specifically for a PCI DSS assessment of a shared hosting provider, to verify that shared hosting providers protect entities’ (merchants and service providers) hosted environment and data, select a sample of servers (Microsoft Windows and Unix/Linux) across a representative sample of hosted merchants and service providers, and perform A.1.1 through A.1.4 below.
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data …
Added
p. 61
A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
A.1.2.b Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.). IMPORTANT: An entity’s files may not be shared by group.
A.1.2.c Verify an entity’s users do not have write access to shared system binaries.
A.1.2.d Verify that viewing of log entries is restricted to the owning entity.
A.1.2.e To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources:
Disk space Bandwidth Memory CPU A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS …
A.1.2.b Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.). IMPORTANT: An entity’s files may not be shared by group.
A.1.2.c Verify an entity’s users do not have write access to shared system binaries.
A.1.2.d Verify that viewing of log entries is restricted to the owning entity.
A.1.2.e To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources:
Disk space Bandwidth Memory CPU A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS …
Added
p. 62
1. Meet the intent and rigor of the original PCI DSS requirement.
2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.) 3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:
a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted …
2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.) 3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:
a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted …
Added
p. 63
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance. Requirement Number and Definition:
Information Required Explanation
1. Constraints List constraints precluding compliance with the original requirement.
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk Identify any additional risk posed by the lack of the original control.
4. Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
5. Validation of Compensating Controls Define how the compensating controls were validated and tested.
6. Maintenance Define process and controls in place to maintain compensating controls.
1. Constraints List constraints precluding compliance with the original requirement.
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk Identify any …
Information Required Explanation
1. Constraints List constraints precluding compliance with the original requirement.
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk Identify any additional risk posed by the lack of the original control.
4. Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
5. Validation of Compensating Controls Define how the compensating controls were validated and tested.
6. Maintenance Define process and controls in place to maintain compensating controls.
1. Constraints List constraints precluding compliance with the original requirement.
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk Identify any …
Added
p. 64
Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.
The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the “root” account and perform actions under the “root” account but is able to be logged in the SU-log directory. In this …
The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the “root” account and perform actions under the “root” account but is able to be logged in the SU-log directory. In this …
Added
p. 66
Part 1. Qualified Security Assessor Company Information Company Name:
Lead QSA Contact Name: Title:
Lead QSA Contact Name: Title:
Added
p. 66
Part 2. Merchant Organization Information Company Name: DBA(s):
Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Travel & Entertainment Others (please specify):
List facilities and locations included in PCI DSS review:
Part 2b. Relationships Does your company have a relationship with one or more third-party agents (for example, gateways, web- hosting companies, airline booking agents, loyalty program agents, etc)? Yes No Does your company have a relationship with more than one acquirer? Yes No Part 2c. Transaction Processing Payment Application in use: Payment Application Version:
Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Travel & Entertainment Others (please specify):
List facilities and locations included in PCI DSS review:
Part 2b. Relationships Does your company have a relationship with one or more third-party agents (for example, gateways, web- hosting companies, airline booking agents, loyalty program agents, etc)? Yes No Does your company have a relationship with more than one acquirer? Yes No Part 2c. Transaction Processing Payment Application in use: Payment Application Version:
Added
p. 67
Compliant: All requirements in the ROC are marked “in place4,” and a passing scan has been completed by the PCI SSC Approved Scanning Vendor (ASV Name) thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS (insert version number).
Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scanning Vendor, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Part 3a. Confirmation of Compliant Status QSA/Merchant confirms:
The ROC was completed according to the PCI DSS Requirements and Security …
Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scanning Vendor, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Part 3a. Confirmation of Compliant Status QSA/Merchant confirms:
The ROC was completed according to the PCI DSS Requirements and Security …
Added
p. 68
PCI Requirement Description Compliance Status (Select One) Remediation Date and Actions (if Compliance Status is “No”) Install and maintain a firewall configuration to protect cardholder data.
Added
p. 69
Appendix E: Attestation of Compliance
• Service Providers Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments
• Service Providers Version 1.2
Part 1. Qualified Security Assessor Company Information Company Name:
Lead QSA Contact Name: Title:
List facilities and locations included in PCI DSS review:
• Service Providers Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments
• Service Providers Version 1.2
Part 1. Qualified Security Assessor Company Information Company Name:
Lead QSA Contact Name: Title:
List facilities and locations included in PCI DSS review:
Added
p. 70
Part 2. Service Provider Organization Information Company Name: DBA(s):
Part 2a. Services Provided (check all that apply) Authorization Loyalty Programs 3-D Secure Access Control Server Switching IPSP (E-commerce) Process Magnetic-Stripe Transactions Payment Gateway Clearing & Settlement Process MO/TO Transactions Hosting Issuing Processing Others (please specify):
Part 2b. Relationships Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)? Yes No Part 2c. Transaction Processing How and in what capacity does your business store, process and/or transmit cardholder data? Payment Application in use: Payment Application Version:
The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version (insert version number), and was completed according to the instructions therein.
All information within the above-referenced ROC and in this attestation fairly represents the results of the assessment in all material respects.
Lead QSA Name: Title:
Part 2a. Services Provided (check all that apply) Authorization Loyalty Programs 3-D Secure Access Control Server Switching IPSP (E-commerce) Process Magnetic-Stripe Transactions Payment Gateway Clearing & Settlement Process MO/TO Transactions Hosting Issuing Processing Others (please specify):
Part 2b. Relationships Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)? Yes No Part 2c. Transaction Processing How and in what capacity does your business store, process and/or transmit cardholder data? Payment Application in use: Payment Application Version:
The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version (insert version number), and was completed according to the instructions therein.
All information within the above-referenced ROC and in this attestation fairly represents the results of the assessment in all material respects.
Lead QSA Name: Title:
Added
p. 71
Compliant: All requirements in the ROC are marked “in place8,” and a passing scan has been completed by the PCI SSC Approved Scanning Vendor (ASV Name) thereby (Service Provider Name) has demonstrated full compliance with the PCI DSS (insert version number).
Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scanning Vendor, thereby (Service Provider Name) has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4, since not all payment brands require this section.
Part 3a. Confirmation of Compliant Status QSA and Service Provider confirm:
The Service Provider has read the PCI DSS and recognizes that they …
Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scanning Vendor, thereby (Service Provider Name) has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4, since not all payment brands require this section.
Part 3a. Confirmation of Compliant Status QSA and Service Provider confirm:
The Service Provider has read the PCI DSS and recognizes that they …
Added
p. 72
PCI Requirement Description Compliance Status (Select One) Remediation Date and Actions (if Compliance Status is “No”) Install and maintain a firewall configuration to protect cardholder data.
Added
p. 72
Do not use vendor-supplied defaults for system passwords and other security parameters.
Added
p. 72
Track and monitor all access to network resources and cardholder data.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Version 1.1 Release: September, 2006 1 Payment Card Industry (PCI) Data Security Standard Build and Maintain a Secure Network
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 1.2
Removed
p. 2
Requirement 12: Maintain a policy that addresses information security 2 Payment Card Industry (PCI) Data Security Standard This document describes the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements. These PCI DSS requirements are organized in 6 logically related groups, which are “control objectives.” The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and if each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
Modified
p. 2 → 38
Requirement 8: Assign a unique ID to each person with computer access
Requirement 8: Assign a unique ID to each person with computer access.
Modified
p. 2 → 43
Requirement 3: Protect stored cardholder data
Requirement 9: Restrict physical access to cardholder data.
Modified
p. 2 → 47
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data.
Modified
p. 2 → 50
Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy
Requirement 11: Regularly test security systems and processes.
Modified
p. 2 → 68
Do not use vendor-supplied defaults for system passwords and other security parameters.
Modified
p. 2 → 68
Track and monitor all access to network resources and cardholder data.
Removed
p. 3
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted.
** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is …
* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted.
** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is …
Modified
p. 4 → 14
Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are computer devices that control computer traffic allowed between a company’s network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company’s internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company. A firewall examines all network traffic and blocks those transmissions that do not meet …
Modified
p. 5 → 18
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
Removed
p. 6
• Strong one-way hash functions (hashed indexes)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
If for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: “Compensating Controls for Encryption of Stored Data.” 3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control 6 Payment Card Industry (PCI) Data Security Standard mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
If for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: “Compensating Controls for Encryption of Stored Data.” 3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control 6 Payment Card Industry (PCI) Data Security Standard mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.
Modified
p. 6 → 21
Requirement 3: Protect stored cardholder data Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not …
Requirement 3: Protect stored cardholder data Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating …
Removed
p. 7
• As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically
• At least annually. 3.6.5 Destruction of old keys 3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key) 3.6.7 Prevention of unauthorized substitution of keys 3.6.8 Replacement of known or suspected compromised keys 3.6.9 Revocation of old or invalid keys 3.6.10 Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities.
• At least annually. 3.6.5 Destruction of old keys 3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key) 3.6.7 Prevention of unauthorized substitution of keys 3.6.8 Replacement of known or suspected compromised keys 3.6.9 Revocation of old or invalid keys 3.6.10 Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities.
Removed
p. 7
• Use with a minimum 104-bit encryption key and 24 bit-initialization value
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address. 4.2 Never send unencrypted PANs by e-mail.
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address. 4.2 Never send unencrypted PANs by e-mail.
Modified
p. 7 → 27
Requirement 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit.
Requirement 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Removed
p. 8
Requirement 5: Use and regularly update anti-virus software or programs Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.
Modified
p. 8 → 30
Requirement 6: Develop and maintain secure systems and applications Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed …
Requirement 6: Develop and maintain secure systems and applications Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor- provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.
Removed
p. 9
• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
• Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
Modified
p. 9 → 36
Requirement 7: Restrict access to cardholder data by business need-to-know This requirement ensures critical data can only be accessed by authorized personnel.
Requirement 7: Restrict access to cardholder data by business need to know To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
Removed
p. 10
• Token devices (e.g., SecureID, certificates, or public key)
• Biometrics. 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. 8.4 Encrypt all passwords during transmission and storage on all system components. 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects 8.5.2 Verify user identity before performing password resets 8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use 8.5.4 Immediately revoke access for any terminated users 8.5.5 Remove inactive user accounts at least every 90 days 8.5.6 Enable accounts used by …
• Biometrics. 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. 8.4 Encrypt all passwords during transmission and storage on all system components. 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects 8.5.2 Verify user identity before performing password resets 8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use 8.5.4 Immediately revoke access for any terminated users 8.5.5 Remove inactive user accounts at least every 90 days 8.5.6 Enable accounts used by …
Modified
p. 10 → 38
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Removed
p. 11
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
Removed
p. 12
Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
Removed
p. 13
Requirement 11: Regularly test security systems and processes Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.
Modified
p. 14 → 53
Requirement 12: Maintain a policy that addresses information security for employees and contractors A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Removed
p. 17
The following guidance provides compensating controls when companies are unable to render cardholder data unreadable per requirement 3.4.
Compensating Controls for Requirement 3.4 For companies unable to render cardholder data unreadable (for example, by encryption) due to technical constraints or business limitations, compensating controls may be considered. Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Companies that consider compensating controls for rendering cardholder data unreadable must understand the risk to the data posed by maintaining readable cardholder data. Generally, the controls must provide additional protection to mitigate any additional risk posed by maintaining readable cardholder data. The controls considered must be in addition to controls required in the PCI DSS, and must satisfy the “Compensating Controls” definition in the PCI DSS Glossary. Compensating controls may consist of either a device or combination of devices, …
Compensating Controls for Requirement 3.4 For companies unable to render cardholder data unreadable (for example, by encryption) due to technical constraints or business limitations, compensating controls may be considered. Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Companies that consider compensating controls for rendering cardholder data unreadable must understand the risk to the data posed by maintaining readable cardholder data. Generally, the controls must provide additional protection to mitigate any additional risk posed by maintaining readable cardholder data. The controls considered must be in addition to controls required in the PCI DSS, and must satisfy the “Compensating Controls” definition in the PCI DSS Glossary. Compensating controls may consist of either a device or combination of devices, …
Modified
p. 17 → 62
The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments. Each compensating control must be thoroughly evaluated after implementation to ensure effectiveness.
Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments.