PCI Compliance Forums

vBulletin Message

Invalid Blog specified. If you followed a valid link, please notify the administrator

Site Areas
Settings
Private Messages
Subscriptions
Who's Online
Search Forums
Forums Home
Forums
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
1. 1.1 Establish firewall and router configuration standards
2. 1.1.1 A formal process for approving and testing all network connections and changes to the...
3. 1.1.2 Current network diagram with all connections to cardholder data, including any wireless...
4. 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone...
5. 1.1.4 Decription of groups,roles,and responsibility for logical management
6. 1.1.5 Documentation And Business Justification for use of all services
7. 1.1.6 Requirements to review firewall and router rules
8. 1.2 Building firewall and router configuration
9. 1.2.1 Restrict inbound and outbound traffic
10. 1.2.2 Secure and synchronize router configuration files
11. 1.2.3 Install perimeter firewalls
12. 1.3 Prohibit direct public access
13. 1.3.1 Implement a DMZ to limit inbound traffic
14. 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
15. 1.3.3 Direct connection inbound or outbound
16. 1.3.4 Internal adresses to pass from internet to DMZ
17. 1.3.5 Unauthoirzed outbound traffic from the cardholder
18. 1.3.6 Stateful inspection or dynamic packet filtering
19. 1.3.7 System component that stored cardholder data
20. 1.3.8 Do not disclose private ip and routing
21. 1.4 Install personal firewall software on ay mobile
Requirment 2: Do not use vendor-supplied defaults for system passwords and other security parameters
1. 2.1 Always change vendor-supplied defaults before installing a system on the network, including...
2. 2.1.1 For wireless environments connected to the cardholder data environment or transmitting...
3. 2.2 Configuration standard for all system components
4. 2.2.1 Implementation per primary server
5. 2.2.2 Implementation of necessary and secure services...
6. 2.2.3 Configure system security parameters
7. 2.2.4 Remove all un-necessay functions,scripts,drivers e.t.c
8. 2.3 Encrypt all non-console administrative acess
9. 2.4 Shared hosting providers
3 Protect Cardholder Data
1. 3.1 Card holder data storage
2. 3.1.1 Impmementation of data retention and disposal policy
3. 3.2 Store sensitive authentication data
4. 3.2.1 Storage of full contents of any track
5. 3.2.2 Card verification code or value
6. 3.2.3 Storage of personal identification number
7. 3.3 Mask PAN when displayed digits
8. 3.4 Render PAN unreadable anywhere
9. 3.4.1Disk encryption and logical access
10. 3.5 Kyes to used to secure cardholder data
11. 3.5.1 Restrict access to cryptographic keys
12. 3.5.2 Store cryptographic keys securely
13. 3.6 Fully documentation and implementation all key-management
14. 3.6.1 Generation of strong cryptographic keys
15. 3.6.2 Secure cryptographic distribution
16. 3.6.3 Secure cryptographic key storage
17. 3.6.4 Cryptographic key changes
18. 3.6.5 Retirement or replacement
19. 3.6.6 Creytographic key management operations
20. 3.6.7 Prevention of unauthorized substitution of cryptographic keys
21. 3.6.8 Requirement for cryptographic
4 Encrypt transmission of cardholder data across open, public networks
1. 4.1 Cryptography and security protocols
2. 4.1.1 Ensure wireless networks transmitting cardholder data
3. 4.2 PANs by end-user messaging technologies
5 Maintain a Vulnerability Management Program
1. 5.1Deploy anti-virus software on all system
2. 5.1.1 Is all anti-virus programs are capable of detecting malicious threads
3. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
6 Develop and maintain secure systems and applications
1. 6.1 Ensure that all sstem components and software are protected from vulnerabilities
2. 6.2 Establish a precess to identify and assign a risk ranking
3. 6.3 Develop software application in accordance with PCI-DSS
4. 6.3.1 Removal of custom application accounts,and more
5. 6.3.2 Review of custom code prior to release to production
6. 6.4 Procedures for all changes to system
7. 6.4.1 Separate development/test and production environments
8. 6.4.2 Separation of duties between development/test and production environments
9. 6.4.3 Production data (live PANs) are not used for testing or development
10. 6.4.4 Removal of test data and accounts before production systems become active
11. 6.4.5 Control procedures for the implementation of security
12. 6.4.5.1 Documentation of impact.
13. 6.4.5.2 Documented change approval by authorized parties.
14. 6.4.5.3 Functionality testing to verify adversal impact the security of system
15. 6.5.5.4 Back-out procedures
16. 6.5 Develop application based o secure coding guidelines
17. 6.5.1 Injection flaws,particularly SQL injection
18. 6.5.2 Buffer overflow
19. 6.5.3 Insecure cryptographic storage
20. 6.5.4 Insecure communications
21. 6.5.5 Improper error handling
22. 6.5.6 Cross-site scripting (XSS)
23. 6.5.7 Cross-site scripting (XSS)
24. 6.5.8 Improper access control
25. 6.5.9 Cross-site request forgery (CSRF)
26. 6.6 Public facing web application
7 Implement Strong Access Control Measures
1. 7.1 Limit access to system components and cardholder data
2. 7.1.1 Restriction of access rights to privileged user IDs
3. 7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
4. 7.1.3 Requirement for a documented approval by authorize parties
5. 7.1.4 Implementation of an automated access control system
6. 7.2 Establish an access control system
7. 7.2.1 Coverage of all system components
8. 7.2.2 Assignment of privileges to individuals based on job classification and function
9. 7.2.3 Default setting
8 Assign a unique ID to each person with computer access
1. 8.1 Assign users unique ID
2. 8.2 Methods of assigning a unique ID
3. 8.3 Two-factor authentication for remote access
4. 8.4 Render Password,unreadable during transmission
5. 8.5.1 Control addition,deletion,and modification of user IDs
6. 8.5.2 Verify user identity before performing password resets.
7. 8.5.3 Set password for first time use and reset to a unique value for each user
8. 8.5.4 Immediately revoke access for any terminated users.
9. 8.5.5 Remove/disable inactive user accounts at least every 90 days.
10. 8.5.6 Enable accounts used by vendors for remote access
11. 8.5.7 Communicate authentication procedures and policies to all users
12. 8.5.8 Do not use group, shared, or generic accounts and passwords
13. 8.5.9 Change user passwords at least every 90 days.
14. 8.5.10 Require a minimum password length of at least seven characters.
15. 8.5.11 Use passwords containing both numeric and alphabetic characters
16. 8.5.12 Do not allow an individual to submit a new password
17. 8.5.13 Limit repeated access attempts by locking out the user ID
18. 8.5.14 Set the lockout duration to a minimum of 30 minutes
19. 8.5.15 Require the user to re-authenticate
20. 8.5.16 Authenticate all access to any database containing cardholder data
9 Restrict physical access to cardholder data
1. 9.1 Appropriate facility entry controls
2. 9.1.1 Access control machanisms
3. 9.1.2 Restrict physical access to publicily accessible network jacks
4. 9.1.3 Restrict physical access to wireless access pints
5. 9.2 Develop procedures to easily distinguish between onsite personnel and visitors
6. 9.3 Make sure all visitors are handled
7. 9.3.1 Authorized before entering areas
8. 9.3.2 Give a physical token
9. 9.3.3 Asked to surrender the physical token
10. 9.4 visitor log to maintain a physical audit trail of visitor activity
11. 9.5 Store media back-ups in a secure location
12. 9.6 Physically secure all media.
13. 9.7 Maintain strict control over the internal or external distribution of any kind of media
14. 9.7.1 Classify media so the sensitivity of the data can be determined.
15. 9.7.2 Send the media by secured courier
16. 9.8 Ensure management approves any and all media
17. 9.9 Maintain strict control over the storage and accessibility of media.
18. 9.9.1 Porperly maintain inventory logs of all media
19. 9.10 Destroy media when it is no longer needed
20. 9.10.1 Shred,incinerate,or pulp hardcopy materials
21. 9.10.2 Render cardholder data on electronic media
10 Regularly Monitor and Test Networks
1. 10.1 Establish a process for linking all access to system components administrative privileges
2. 10.2 Implement automated audit trails for all system components
3. 10.2.1 All individual accesses to cardholder data
4. 10.2.2 All action taken by an individual with root or administrative privilages
5. 10.2.3 Access to all audit trails
6. 10.2.4 Invalid logical access attempts
7. 10.2.5 Use of identification and authentication mechanisms
8. 10.2.6 Initialization of the audit logs
9. 10.2.7 Creation and deletion of system-level objects
10. 10.3 Record at least the following audit trail entries
11. 10.3.1 User identification
12. 10.3.2 Type of event
13. 10.3.3Date and time
14. 10.3.4 Success or failure indication
15. 10.3.5 Origination of event
16. 10.3.6 Identity or name of affected data, system component, or resource.
17. 10.4 Using time-synchronization technology
18. 10.4.1 Critical systems have the correct and consistent time.
19. 10.4.2 Time data is protected
20. 10.4.3 Time settings are received from industry-accepted time sources.
21. 10.5 Secure audit trails
22. 10.5.1 Limit viewing of audit trails to those with a job-related need.
23. 10.5.2 Protect audit trail files from unauthorized modifications.
24. 10.5.3 Promptly back up audit trail files
25. 10.5.4 Write logs for external-facing technologies
26. 10.5.5 Use file-integrity monitoring or change-detection software
27. 10.6 Review logs for all system components at least daily
28. 10.7 Retain audit trail history
11 Regularly test security systems and processes.
1. 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points
2. 11.2 Run internal and external network vulnerability scans
3. 11.2.1 Perform quarterly internal vulnerability scans.
4. 11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor
5. 11.2.3 Perform internal and external scans
6. 11.3 Perform external and internal testing at least once a year
7. 11.3.1 Network-layer penetration tests
8. 11.3.2 Application-layer penetration tests
9. 11.4 Use intrusion-detection systems to monitor all traffic
10. 11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of criti
12 Maintain an Information Security Policy
1. 12.1 Establish, publish, maintain, and disseminate a security policy
2. 12.1.1 Addresses all PCI DSS requirements.
3. 12.1.2 annual process that identifies threats, and vulnerabilities, and results
4. 12.1.3 review at least annually and updates
5. 12.2 Develop daily operational security procedures
6. 12.3 Develop usage policies for critical technologies
7. 12.3.1 Explicit approval by authorized parties
8. 12.3.2 Authentication for use of the technology
9. 12.3.3 A list of all such devices and personnel with access
10. 12.3.4 Labeling of devices to determine owner, contact information and purpose
11. 12.3.5 Acceptable uses of the technology
12. 12.3.7 List of company-approved products
13. 12.3.6 Acceptable network locations for the technologies
14. 12.3.8 Automatic disconnect of sessions for remote-access technologies
15. 12.3.9 Activation of remote-access technologies for vendors and business partners
16. 12.3.10 For personnel accessing cardholder data via remote-access technologies
17. 12.4 Ensure that the security policy and procedures clearly define information security responsibili
18. 12.5 Assign to an individual or team the following information security management responsibilities:
19. 12.5.1 Establish, document, and distribute security policies and procedures.
20. 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
21. 12.5.3 Establish, document, and distribute security incident
22. 12.5.4 Administer user accounts, including additions, deletions, and modifications
23. 12.5.5 Monitor and control all access to data.
24. 12.6 Implement a formal security awareness program
25. 12.6.1 Educate personnel upon hire and at least annually
26. 12.6.2 Require personnel to acknowledge at least annually
27. 12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources
28. 12.8 If cardholder data is shared with service providers
29. 12.8.1 Maintain a list of service providers
30. 12.8.2 Maintain a written agreement that includes an acknowledgement
31. 12.8.3 Ensure there is an established process for engaging service providers
32. 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
33. 12.9 Implement an incident response plan
34. 12.9.1 Create the incident response plan to be implemented in the event of system breach
35. 12.9.2 Test the plan at least annually.
36. 12.9.3 Designate specific personnel to be available
37. 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
38. 12.9.5 Include alerts from intrusion detection, intrusion-prevention, and file integrity monitoring
39. 12.9.6 Develop a process to modify and evolve the incident response plan

All times are GMT. The time now is 08:27 PM.

Cheap PCI Compliant Hosting | Payment Card Industry Data Security Standards | Secure Hosting Directory
Disclaimer: Any informaton on this site is not necessarily accurate, error free or verified and should be taken only as advice and thoroughly reviewed and tested before implementing it in a production environment.
PCI Compliance Forums may receive revenue from and/or may be affliated with companies advertising, reviewed and/or mentioned on this site. Not all reviews and information are vetted by PCI Compliance Forums.