CHAPTER 7: PCI DSS – THE STANDARD


The PCI DSS has 12 requirements, organised into six control objectives. Please note that this pocket guide is no substitute for obtaining your own copy of the Standard, which is freely downloadable from www.pcisecuritystandards.org/security_standards/documents.php.

PCI DSS version 1.0 was originally published in January 2005, with subsequent updates to version 1.1 in September 2006 and version 1.2 in October 2008. PCI DSS v2.0 was released on 28 October 2010, and v3.0 was published on 7 November 2013. The most recent version, v3.1, was released in April 2015.

With the release of PCI DSS v2.0, the PCI Security Standards Council introduced a new three-year lifecycle for standards development. This ensures a gradual and phased introduction of new versions, and helps to prevent organisations from becoming non-compliant when a new Standard is published.

Version 3.0 of the PCI DSS introduces more flexibility in implementing the requirements, and increases the focus on education, awareness and security as a shared responsibility.

Version 3.1 of the PCI DSS is an out-of-band update created in response to the vulnerabilities found in the SSL protocol in late 2014 and early 2015. It no longer accepts SSL or early TLS as examples of strong cryptography, and requires that they be replaced with a current, secure protocol: TLS 1.2 and beyond, or IPsec where the channel is protected at the network layer. In practice this means every cardholder-data interface must refuse an SSLv3, TLS 1.0 or TLS 1.1 handshake, not merely prefer a newer version.
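The check an assessor or engineer actually runs against this requirement is a per-version handshake probe: does the endpoint still complete a handshake at SSLv3, TLS 1.0 or TLS 1.1? The script below is an added example written for this guide, not code from the PCI SSC or from the pocket guide. It assumes the common reading of "early TLS" as TLS 1.0 and 1.1, uses only the Python standard library, and the host name `example.com` is a placeholder; the result dictionaries in the assessment functions are constructed inputs.

```python
"""Probe a TLS endpoint for protocol versions PCI DSS v3.1 no longer accepts.

One handshake is attempted per protocol version. A server that completes a
handshake at SSLv3, TLS 1.0 or TLS 1.1 still offers "early TLS" and fails
the v3.1 protocol requirement regardless of what it prefers.
"""
import socket
import ssl

# Versions PCI DSS v3.1 stops treating as strong cryptography.
# Assumption: "early TLS" is read as TLS 1.0 and TLS 1.1.
WEAK_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)
# Every version worth probing, weakest first.
PROBE_VERSIONS = WEAK_VERSIONS + (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def version_pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that will negotiate exactly one protocol version.

    Raises ValueError when the local OpenSSL build cannot speak that version
    (typical for SSLv3 on modern systems). Certificate validation is disabled
    on purpose: this is a protocol probe, not a trust check, and an expired
    or self-signed certificate must not mask an accepted weak protocol.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def offered_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version_name: True | False | None} for the endpoint.

    True: handshake completed at that version; False: the server refused it;
    None: the local OpenSSL cannot even attempt it (report, do not assume).
    """
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = version_pinned_context(version)
        except ValueError:
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


def weak_versions_offered(results: dict) -> list:
    """Names of the banned versions at which a handshake actually completed."""
    return [v.name for v in WEAK_VERSIONS if results.get(v.name)]


def meets_pci_v31(results: dict) -> bool:
    """Pass only if no SSL/early-TLS version completed a handshake."""
    return not weak_versions_offered(results)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    found = offered_versions(target)
    for name, outcome in found.items():
        state = {True: "accepted", False: "refused", None: "not testable locally"}[outcome]
        print(f"{name:8s} {state}")
    print("PCI DSS v3.1 protocol check:", "PASS" if meets_pci_v31(found) else "FAIL")
```

Run it as `python probe.py payments.example` against each external and internal cardholder-data interface. A `None` for SSLv3 only means the scanning host cannot speak SSLv3; it is not evidence the server refuses it, so rerun from a host with an older OpenSSL or use `openssl s_client -ssl3` from such a host before recording a pass.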

The 12 PCI DSS requirements, and the six control objectives under which those requirements are grouped, are as follows:

Build and maintain a secure network and systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Implement strong access control measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Identify and authenticate access to system components.

Requirement 9: Restrict physical access to cardholder data.

Regularly monitor and test networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an information security policy

Requirement 12: Maintain a policy that addresses information security for all personnel.
