CHAPTER 8: ASPECTS OF PCI DSS COMPLIANCE

Requirement 1 (Install and maintain a firewall configuration to protect cardholder data)

  • Establish and implement firewall and router configuration standards.
  • Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
  • Prohibit direct public access between the Internet and any system component in the cardholder data environment.
  • Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network.
  • Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
  • Maintain current network and data flow diagrams.

Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters)

  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
  • Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  • Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access. Note: SSL and early TLS are not to be used after 30 June 2018.
  • Maintain an inventory of system components that are in scope for the PCI DSS.
  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
  • Shared hosting providers must protect each entity’s hosted environment and cardholder data.

Requirement 3 (Protect stored cardholder data)

  • Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
  • Do not store sensitive authentication data after authorisation (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorisation process.
  • Mask PAN when displayed (the first six and last four digits, at maximum), such that only personnel with a legitimate business need can see the full PAN.
  • Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
  • Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
  • Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
  • Service providers must maintain and detail their cryptographic architecture, if implemented.
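The masking and "unreadable in logs" items above are the two places in Requirement 3 where a developer actually has to write something. The following is an added example, not text or code from the book: a display-masking function that keeps at most the first six and last four digits, a Luhn check so that arbitrary 13-19 digit numbers (order ids, trace ids) are not mistaken for card numbers, and a log-line filter that applies the mask before a line is written to storage. The sample log lines and the test card numbers in them are constructed for this example.

```python
import re

# Constructed sample log lines (not from the page). The first two contain
# well-known test card numbers that pass the Luhn check; the third holds a
# 13-digit identifier that does not and must be left alone.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z INFO order=123 pan=4111111111111111 amount=19.99",
    "2024-01-01T10:00:05Z DEBUG ref=5555555555554444 status=declined",
    "2024-01-01T10:00:09Z INFO trace_id=1234567890123 not a card",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# adjacent to other digits. Candidates are confirmed with Luhn before masking.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six and last four digits only."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _sub(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw                      # looks like a number, is not a card
    return PAN_CANDIDATE.sub(_sub, line)


def redact_lines(lines):
    """Apply redact_line to an iterable of log lines."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG_LINES, redact_lines(SAMPLE_LOG_LINES)):
        print(cleaned, "" if original == cleaned else "  <- redacted")
```

The filter sits in the logging path, not in a clean-up job that runs after the fact: once a full PAN has reached disk the log file is in scope. Truncation to first six and last four is one of the methods PCI DSS accepts for rendering stored PAN unreadable; a shorter keep (last four only) is safer where the business has no need for the BIN.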

Requirement 4 (Encrypt transmission of cardholder data across open, public networks)

  • Use strong cryptography and security protocols (for example, TLS, IPsec, SSH, etc. Note: SSL and early TLS are not to be used after 30 June 2018) to safeguard sensitive cardholder data during transmission over open, public networks.
  • Never send unprotected PANs by end-user messaging technologies (for example, email, instant messaging, chat etc.).
  • Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

Requirement 5 (Protect all systems against malware and regularly update anti-virus software or programs)

  • Ensure that all antivirus mechanisms are maintained.
  • Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorised by management on a case-by-case basis for a limited time period.
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

Requirement 6 (Develop and maintain secure systems and applications)

  • Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking.
  • Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
  • Develop internal and external software applications securely (including web-based administrative access to applications).
  • Follow change control processes and procedures for all changes to system components.
  • Address common coding vulnerabilities in software development processes.
  • For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

Requirement 7 (Restrict access to cardholder data by business need-to-know)

  • Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

Requirement 8 (Identify and authenticate access to system components)

  • Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
  • In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
  • Incorporate multi-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
  • Implement multi-factor authentication for all administration-level access to any components within the CDE.
  • Document and communicate authentication procedures and policies.
  • Do not use group, shared or generic IDs, passwords, or other authentication methods.
  • Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates etc.), use of these mechanisms must be assigned to an individual account and only the intended account can use that mechanism.
  • All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
  • Additional requirement for service providers: service providers must implement and maintain a system for identification and response to failures in security controls, such as logging and segmentation.

Requirement 9 (Restrict physical access to cardholder data)

  • Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
  • Develop procedures to easily distinguish between onsite personnel and visitors.
  • Control physical access for onsite personnel to the sensitive areas.
  • Implement procedures to identify and authorise visitors.
  • Physically secure all media.
  • Maintain strict control over the internal or external distribution of any kind of media.
  • Maintain strict control over the storage and accessibility of media.
  • Destroy media when it is no longer needed for business or legal reasons.
  • Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Requirement 10 (Track and monitor all access to network resources and cardholder data)

  • Implement audit trails to link all access to system components to each individual user.
  • Implement automated audit trails for all system components to reconstruct events.
  • Create an audit trail for all system components for each event.
  • Using time-synchronisation technology, synchronise all critical system clocks and times and ensure that the following is implemented for acquiring, distributing and storing time.
  • Secure audit trails so they cannot be altered.
  • Review logs and security events for all system components to identify anomalies or suspicious activity.
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.

Requirement 11 (Regularly test security systems and processes)

  • Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorised and unauthorised wireless access points on a quarterly basis.
  • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
  • Implement a methodology for penetration testing.
  • Perform internal and external penetration testing at least annually.
  • Additional requirement for service providers: perform penetration testing on internal segmentation systems at least every six months.
  • Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.
  • Deploy a change-detection mechanism to alert personnel to unauthorised modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

Requirement 12 (Maintain a policy that addresses information security for all personnel)

  • Establish, publish, maintain and disseminate a security policy.
  • Implement a risk assessment process.
  • Develop usage policies for critical technologies and define proper use of these technologies.
  • Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  • Assign to an individual or team information security management responsibilities.
  • Implement a formal security awareness programme to make all personnel aware of the importance of cardholder data security.
  • Screen potential personnel prior to hire to minimise the risk of attacks from internal sources.
  • Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
  • Additional requirement for service providers: service providers must establish a charter to define executive responsibility for the protection of cardholder data and maintenance of PCI DSS compliance.
  • Additional requirement for service providers: service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
  • Additional requirement for service providers: service providers must perform quarterly reviews of staff adherence to security policies and operational procedures.
  • Implement an incident response plan. Be prepared to respond immediately to a system breach.

When an organisation is unable to meet the strict requirements of the PCI DSS, owing to legitimate or documented business constraints, it is permissible to submit a number of alternative measures. These measures are known as compensating controls, and must fully mitigate the risks associated with the requirements and meet the criteria as defined in PCI DSS Appendix B: Compensating Controls.

It is also possible for an organisation to mark most requirements as ‘not applicable’ if sufficient justification for the non-applicability can be provided.
