Document Comparison
PCIDSS_QRGv3.pdf → PCIDSS_QRGv3_1.pdf
93% similar
Pages: 40 → 40
Words: 10708 → 10724
Content Changes: 17
Content Changes
17 content changes. 1 administrative change (dates, page numbers) hidden.
Added
p. 20
Illustration: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 21 9.4 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration. Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, company, and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
Modified
p. 1
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.0 For merchants and other entities involved in payment card processing
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 For merchants and other entities involved in payment card processing
Modified
p. 2
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.0.
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.1.
Modified
p. 4
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC) This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 5 The intent of this PCI DSS Quick Reference Guide is to help you understand how the PCI DSS can help protect your payment card transaction environment and how to apply it.
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/ EMC) This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 5 The intent of this PCI DSS Quick Reference Guide is to help you understand how the PCI DSS can help protect your payment card transaction environment and how to apply it.
Modified
p. 5
Report •documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
Report • documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
Modified
p. 7
PCI Security Standards Include: PCI Data Security Standard (PCI DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you. PIN Transaction Security (PTS) Requirements The PCI PTS is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other …
PCI Security Standards Include: PCI Data Security Standard (PCI DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you. PIN Transaction Security (PTS) Requirements The PCI PTS is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other …
Modified
p. 14
Illustration: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 15 3.5 Document and implement procedures to protect any keys used for encryption of cardholder data from disclosure and misuse. 3.6 Fully document and implement key management processes and procedures for cryptographic keys used for encryption of cardholder data. 3.7 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Illustration: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 15 3.5 Document and implement procedures to protect any keys used for encryption of cardholder data from disclosure and misuse.
Modified
p. 15
Guidelines for Cardholder Data Elements Data Element Storage Permitted Render Stored Data Unreadable per Requirement 3.4 Cardholder Data Primary Account Number (PAN) Yes Yes Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Sensitive Authentication Data1 Full Track Data2 No Cannot store per Requirement 3.2 CAV2/CVC2/CVV2/CID3 No Cannot store per Requirement 3.2 PIN/PIN Block4 No Cannot store per Requirement 3.2 1 Sensitive authentication data must not be stored after authorization (even if encrypted) 2 Full track data …
Guidelines for Cardholder Data Elements Data Element Storage Permitted Render Stored Data Unreadable per Requirement 3.4 Cardholder Data Primary Account Number (PAN) Yes Yes Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Sensitive Authentication Data1 Full Track Data2 No Cannot store per Requirement 3.2 CAV2/CVC2/CVV2/CID3 No Cannot store per Requirement 3.2 PIN/PIN Block4 No Cannot store per Requirement 3.2 1 Sensitive authentication data must not be stored after authorization (even if encrypted) 2 Full track data …
Modified
p. 16
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users’ e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users’ e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
Modified
p. 17
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 17 Additional anti-malware solutions may supplement (but not replace) anti-virus software.
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 17 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
Modified
p. 18
Restrict Access to Cardholder Data Environments by employing access controls Limit access to only those individuals whose job requires such access Formalize an access control policy that includes a list of who gets access to specified cardholder data and systems Deny all access to anyone who is not specifically allowed to access cardholder data and systems Photo: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 19
Restrict Access to Cardholder Data Environments by employing access controls Limit access to only those individuals whose job requires such access Formalize an access control policy that includes a list of who gets access to specified cardholder data and systems Deny all access to anyone who is not specifically allowed to access cardholder data and systems Photo: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 19 7.2 …
Modified
p. 20
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises.
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all …
Modified
p. 20 → 22
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified
p. 22
Photo: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 23 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Perform critical log reviews at least daily. 10.7 Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis. 10.8 Ensure that related security policies and operational procedures are documented, in …
Photo: Wikimedia Commons This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 23
Modified
p. 24
“With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. The range of supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.” (2014 Verizon PCI Compliance Report) This Guide provides supplemental information that does not replace or supersede PCI SSC Security …
“With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. The range of supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.” (2014 Verizon PCI Compliance Report) This Guide provides supplemental information that does not replace or supersede PCI SSC Security …
Modified
p. 30
Scoping must occur at least annually and prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for PCI DSS. Entities should confirm the accuracy and appropriateness of PCI DSS scope by performing these steps:
Scoping must occur at least annually and prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure all applicable system components are included in scope for PCI DSS. Entities should confirm the accuracy of the defined CDE by performing these steps:
Modified
p. 34
C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet- based virtual terminal solution that is provided and hosted by a PCI DSS validated third- party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.