PCI DSS Requirements

FAQs


The Payment Card Industry Data Security Standard (PCI DSS) focuses on protecting cardholder data and sensitive authentication data wherever a merchants or service providers store, process, or transmit it. Established by the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS compliance requires a self-assessment questionnaire (SAQ) and qualified security assessor (QSA) to ensure credit card information remains on a secure network.  The PCI Security Standards Council founding members, including card brands American Express, Discover Financial Services, JCB international, Mastercard, and Visa, Inc., created the PCI Data Security Standard so that a single set of security controls to protect against data breaches would exist for merchants and service providers.

PCI compliance incorporates twelve PCI DSS requirements.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Establish and implement firewall and router configurations that identify all connections between the cardholder data environment (CDE) and other networks, including documentation and diagrams to secure card data.
  • Build firewall and router configurations that restrict all inbound and outbound traffic.
  • Prohibit public access between the internet and any system component in the CDE
  • Ensure all devices, including company and employee owned, have personal firewall software or equivalent functions installed
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters

  • Change all vendor-supplied defaults and remove or disable unnecessary default account before installing systems on the network
  • Develop configuration standards for all system component to address known security vulnerabilities and update configurations when new vulnerabilities are discovered.
  • Use strong cryptography and encrypt all non-console administrative access
  • Inventory all in-scope system components
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 3: Protect stored cardholder data

  • Only store and retain cardholder data as required for business, legal and/or regulatory purposes and at least quarterly purge unnecessary data.
  • Make sure to never store authentication data after authorization and ensure the data is unrecoverable
  • Only display the six or last four digits of Primary Account Number (PAN) for anyone in the organization other than authorized individual with a legitimate business need.
  • Encrypt PAN with either one-way hash function, truncation, index tokens, or strong cryptography to ensure portable digital media, backup media, logs, and wireless networks cannot read PAN
  • Document and implement protection procedures used to protect encryption keys
  • Document and implement key management process and procedures for cypto-graphic keys
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

  • Protect sensitive cardholder data using strong cryptography and security protocols
  • Never send unprotect PANs through end-user messaging technologies
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 5: Protect all systems against malware and regularly update anti-virus software

  • Ensure anti-virus software is used on systems commonly targeted by malicious software and perform periodic reviews of other software to ensure they remain secure.
  • Perform period scans and generate audit logs to ensure anti-virus mechanisms are current
  • Ensure anti-virus mechanisms are actively running and cannot be disabled or altered
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 6: Develop and maintain secure systems and applications

  • Assign risk ratings to create a process for identifying security vulnerabilities
  • Install security updates within one month of release
  • Follow change control process and procedures when making changes to any system components
  • Train developers in secure coding techniques and develop applications based on secure coding guidelines
  • Protect all public-facing web application from known attacks by at least annually performing a vulnerability assessment as part of the vulnerability management program or installing an automated solution to detect and prevent attacks
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 7: Restrict access to cardholder data by business need-to-know

  • Use a role-based principle of least privilege (PoLP) for access to system components
  • Restrict access based on need to know and “deny all” unless specifically allows
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 8: Identify and authenticate access to system components

  • Define and implement user identification management policies and procedures across the enterprise and assign all users a unique ID
  • Ensure authentication methods include something you know (password/passphrase), something you have (token device/keycard), or something you are (biometrics) and use strong cryptography to ensure passwords/passphrases remain unreadable during transmission and storage
  • Use multifactor authentication by requiring at least two of the three above listed authentication methods for non-console administrative access and remote access to the CDE
  • Develop, implement, and communicate the policies and procedures governing authentication to all users
  • Never use group, shared, or generic IDs or authentication methods
  • Assign physical security tokens, smart cards, certificates, and other authentication mechanisms to individual accounts
  • Restrict access to databases containing cardholder data using programmatic method, application IDs for application users, and assigning only database administrators direct or query access
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 9: Restrict physical access to cardholder data

  • Ensure appropriate facility for strong access control measures
  • Develop procedures to easily distinguish onsite personnel from visitor, such as ID badges
  • Limit physical access based on job function and ensure that access is immediately revoked upon employment termination, including the return or disablement of keys, access cards, or other mechanisms
  • Track visitors using logs that trace name and company and give visitors badges or identification that expires which must be returned upon leaving the facility
  • Physically secure all media and store media backups in an off-site, secure location
  • Strictly control internal or external media distribution
  • Strictly control media storage and accessibility
  • Destroy media no longer needed for business or legal reason
  • Ensure that devices such as POS devices and others directly interacting with payment cards are protected from tampering and substitution
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 10: Track and monitor all access to network resources and cardholder data

  • Establish audit trails to link all access to system components to individual users
  • Implement automated audit trails for all system components to ensure reconstruction of individual user access to cardholder data, root or administrative privilege user actions, audit trail access, invalid logical access attempt, use of and changes to identification and authentication mechanisms, all changes, additions, and deletions to root or administrative privilege accounts, activities affecting audit logs, system-level object creation and deletion.
  • Ensure audit logs incorporate user identification, event type, date, time, success or failure, event origination, and identity/name of affected data, system component or resource
  • Synchronize all critical system clocks and times using synchronization technology and implement controls for acquiring, distributing, and storing time
  • Secure audit trails to ensure they are not altered
  • Review all logs to identify anomalous or suspicious activity daily
  • Retain audit trail history for at least one year and ensure most recent three months can be made available immediately
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 11: Regularly test networks, security systems and processes

  • Implement testing process for the presence of wireless access points that detect and identify all authorized and unauthorized access and review at least quarterly
  • Maintain records of authorized wireless access points and implement incident response procedures when unauthorized wireless access points are detected
  • Run internal and external network vulnerability scans at least quarterly as well as after any significant network changes
  • Address vulnerabilities and rescan if necessary until passing scans are achieved
  • Develop and implement a penetration testing methodology that includes external and internal testing at least annually as well as when significant upgrades and modifications are made
  • Use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions
  • Monitor all traffic at the CDE perimeter as well as critical points inside the CDE and alert personnel to suspected compromises
  • Deploy a change detection software that alerts personnel to unauthorized modification of critical system files, configuration files or content files that makes critical file comparisons at least weekly
  • Implement a process to respond to alerts provided by the change detection software
  • Document security policies and operational procedures, as well as communicate those and ensure they are in use

Requirement 12: Maintain a policy that addresses information security for all personnel

  • Establish, publish, maintain, and share across the organization a security policy that is reviewed at least annually and updated when the environment changes
  • Perform a formal risk assessment at least annually or when significant changes to the environment are made that identifies critical assets, threats and vulnerabilities as part of the risk assessment process
  • Establish usage policies for critical technologies that define proper use, including remote access, wireless access, removable electronic media, laptops, tablets, handheld devices, email, and internet use.
  • Incorporate clearly defined information security responsibilities for all personnel and all service providers as part of the security policies and procedures
  • Assign security responsibilities to an individual or security team
  • Implement formal security awareness training that includes data security policy and procedures
  • Incorporate background checks for potential employees to limit internal attacks
  • Manage service providers with CDE access using policies and procedures aligned to its information security policy
  • Provide customers with a written acknowledgment taking responsibility for cardholder data security that the organization possesses or otherwise stores, processes, or transmits on behave of the customer
  • Implement an incident response plan that prepares the organization to immediately respond to a system breach
  • Perform and document, at least quarterly, reviews confirming personnel follow security policies and operating procedures