PCI DSS
Requirements Scope
The cardholder data environment (CDE) comprises the people, processes, and technology that handle cardholder data or sensitive authentication data. System components include network devices, servers and applications. Virtualization components, such as virtual machines, virtual switches/routers, virtual appliances and virtual applications/desktops, are also considered CDE system components within PCI DSS.
Objectives
- Secure network
- Vulnerability management

Requirements
- Install and maintain a FIREWALL to protect cardholder data
- All CDE locations of cardholder data are identified and documented in a diagram
- Do not use vendor-supplied default system passwords and other default security parameters
- Encrypt transmission of cardholder data over public networks, using security protocols such as SSL/TLS, SSH or IPsec
- Limit cardholder data storage and retention time to that which is required for business or legal purposes
- Purge unnecessary stored data at least quarterly
- Regularly update anti-virus and anti-malware software
- Prevent coding vulnerabilities in software development processes
- Use secure coding techniques and APIs
- Guidelines for how sensitive data is handled in memory (OWASP Top 10, SANS CWE Top 25, CERT Secure Coding)
The PCI Security Standards Council has released an updated version of the requirements and security assessment procedures, which took effect in January 2015. This update requires all players in the payment chain to certify and comply with the Version 3.0 requirements.
- Must include cardholder data flows and be implemented into business-as-usual activities
- Must include a clear boundary showing the PCI DSS CDE scope and segments
The new standard brings some very significant changes to PCI compliance. The good news for service providers is that merchants are tempted to outsource more of their payment business to service providers than ever before.
Masking PAN
When a PAN is displayed, the first six and last four digits are the maximum number of digits that may be shown. Only authorized people with a legitimate business need are allowed to see the full PAN.

Encrypting PAN
Make the PAN unreadable anywhere it is stored, including portable digital media, backup logs, and data received from or by wireless networks. Technology solutions include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.
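The masking and storage renderings described above, worked through in code. This is an added example, not code from the original page or from the PCI Security Standards Council; the function names, the demo HMAC key and the sample PAN are assumptions, and the PAN is a constructed test number. It also shows a simple log-review check that the full PAN never appears in free text.

```python
# Added example (not code from the original page): PAN display masking and
# the storage renderings PCI DSS lists (truncation, keyed one-way hash, index
# token). Function names, the demo key and the sample PAN are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so only well-formed PANs (13-19 digits) reach the
    masking and storage functions."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits are shown,
    everything in between is replaced by '*'."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: the middle digits are discarded, not hidden, so the
    full PAN cannot be recovered from the stored value."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the ENTIRE PAN. An unkeyed hash of a
    PAN is brute-forceable because the digit space is small, so the key must
    be protected like an encryption key."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def tokenize_pan(pan: str, vault: Dict[str, str]) -> str:
    """Index token: a random value that stands in for the PAN. The mapping (the
    'pad') lives only in the securely stored vault, which stays inside the CDE."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    token = secrets.token_hex(16)
    vault[token] = pan
    return token


def contains_unmasked_pan(text: str, pan: str) -> bool:
    """Log-review check: True if the full PAN leaked into free text such as a log line."""
    return pan in text


if __name__ == "__main__":
    sample_pan = "4111111111111111"  # constructed test number, not a real card
    demo_key = b"demo-hmac-key-not-for-production"
    vault: Dict[str, str] = {}
    print(mask_pan(sample_pan))        # 411111******1111
    print(truncate_pan(sample_pan))    # 4111111111
    print(hash_pan(sample_pan, demo_key)[:16], "...")
    token = tokenize_pan(sample_pan, vault)
    print(token, "->", vault[token])
```

One caveat from the standard itself: a truncated and a hashed version of the same PAN should not be stored together unless controls prevent them being correlated to reconstruct the original, since the truncated digits plus the Luhn check shrink the search space for the hash.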
- Register and maintain all wireless access points, hardware and software components
- Penetration testing MUST validate segmentation and prove that a compromise in the non-CDE network will not result in a breach of the CDE environment
- Changes to organization structure
- Critical files must be checked weekly AND an individual must evaluate any changes
Logging identification
If multiple users share the same authentication credentials, it becomes impossible to assign accountability for, or to have effective logging of, an individual's actions, since a given action could have been performed by anyone who has knowledge of the authentication credentials.
Req 5 Antivirus
- Prevent malware in general, in addition to the viruses addressed in previous versions
- Evaluate malware threats against all systems (EVEN those not commonly affected by viruses/malicious software, e.g. AS/400, OS/2, IBM 3900, etc.)
- Anti-virus should be running at ALL TIMES in active mode, with no option for standard users to disable it
- The payment application locks out user accounts after not more than six invalid logon attempts, and enforces a session idle timeout of 15 minutes or less
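The lockout and idle-timeout thresholds in the last bullet, implemented as a small policy class. This is an added example, not code from the original page or from any payment application; the class and method names, the fake clock used for testing and the 30-minute lockout duration (the page states no duration) are assumptions. Attempts made while an account is locked are refused without being counted, so the lock cannot be extended indefinitely by continued guessing, and the session check clears the session once idle time exceeds the limit.

```python
# Added example (not code from the original page): account lockout after six
# invalid logon attempts and a 15-minute idle timeout. Names, the fake clock
# and the 30-minute lockout duration are assumptions.
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 6          # lock after "not more than six" invalid attempts
IDLE_TIMEOUT_SECONDS = 15 * 60   # re-authenticate after "15 minutes or less" idle
LOCKOUT_SECONDS = 30 * 60        # assumed lockout duration; not stated on the page


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: Optional[float] = None   # None means no live session


class LogonPolicy:
    def __init__(self, credentials: Dict[str, str],
                 clock: Callable[[], float] = time.time) -> None:
        # credentials is a constructed username -> secret map; a real
        # application would compare against a salted password hash instead.
        self._credentials = credentials
        self._clock = clock
        self._state: Dict[str, AccountState] = {}

    def _acct(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Attempts during a lockout are
        refused without being counted."""
        now = self._clock()
        acct = self._acct(user)
        if now < acct.locked_until:
            return "locked"
        expected = self._credentials.get(user, "")
        # constant-time compare; unknown users take the same path as wrong passwords
        if user in self._credentials and hmac.compare_digest(
                expected.encode(), password.encode()):
            acct.failed_attempts = 0
            acct.last_activity = now
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"

    def session_active(self, user: str) -> bool:
        """Idle-timeout check, called on every request. Refreshes the session
        while it is live; clears it once idle time exceeds the limit."""
        now = self._clock()
        acct = self._acct(user)
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > IDLE_TIMEOUT_SECONDS:
            acct.last_activity = None
            return False
        acct.last_activity = now
        return True


if __name__ == "__main__":
    fake_now = [0.0]
    policy = LogonPolicy({"alice": "correct-horse"}, clock=lambda: fake_now[0])
    for _ in range(6):
        print(policy.login("alice", "wrong"))   # denied x5, then locked
    print(policy.login("alice", "correct-horse"))   # locked
    fake_now[0] = LOCKOUT_SECONDS + 1
    print(policy.login("alice", "correct-horse"))   # ok
```

Injecting the clock keeps the thresholds testable without sleeping; in production the default `time.time` is used and the per-account state would live in a database rather than a dictionary.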
Req 8 Policies/Procedures
Third party/service provider requirements have been raised:
- Keep a registry of requirements that depend upon the service provider
- Written acknowledgement required from service providers attesting to PCI DSS
- Third parties must provide a PCI DSS certificate OR be willing to be a part of the customer's PCI DSS audit
SAQ
The SAQ serves as a validation tool for service providers to report the results of their PCI DSS self-assessment if they are not required to submit a Report on Compliance (ROC).
SAQ types: A-EP, B-IP, C-VT, C, P2PE-HW