The specific requirements of the PCI DSS standard are defined below.

Req: 01- Install and maintain a firewall configuration to protect cardholder data: Firewalls control the transmission of data between an organization's trusted internal networks and untrusted external networks.

Req: 02- Do not use vendor-supplied defaults for system passwords and other security parameters: The default settings of many commonly used systems are well known, easily exploitable and often used by criminal hackers to compromise those systems.

Req: 03- Protect stored cardholder data: The storage of cardholder data should be kept to a minimum, and appropriate data retention and disposal policies, procedures and processes should be implemented. Certain data – such as the full contents of the chip or magnetic stripe, the CVN (card verification number) or the PIN (personal identification number) – should never be stored. When data is stored, it should be stored securely. Encryption, truncation, masking and hashing are critical components of cardholder data protection.
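As an added illustration of the truncation, masking and hashing that Req 03 names (example code written for this page, not part of the original text or of the PCI DSS standard itself), the Python below masks a PAN for display, truncates it for storage, replaces it with a keyed HMAC token so records can be matched without keeping the number, and runs a Luhn check over a log line to flag PANs that have leaked into places they should never be stored. The card number, log line and key are constructed sample values; the first-six/last-four display format and the 13 to 19 digit length are assumptions of this example, and the key would in practice come from a key-management system rather than source code.

```python
import hmac
import hashlib
import re

# Constructed sample key for this example only; a real deployment loads it
# from an HSM or key-management service, never from source code.
TOKEN_KEY = b"example-key-replace-with-kms-managed-key"

# Constructed log line: an order number (not Luhn-valid) next to a test PAN.
SAMPLE_LOG = "2024-05-01T10:00:00Z checkout ok card=4111111111111111 order=1234567890123"


def luhn_valid(pan: str) -> bool:
    """Structural check that a digit string passes the Luhn algorithm.
    This does not prove a real card exists; it filters out most non-PAN numbers."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display, keeping only the leading digits (BIN) and trailing four
    (assumed display format for this example)."""
    if len(pan) <= lead + trail:
        raise ValueError("PAN too short to mask safely")
    return pan[:lead] + "*" * (len(pan) - lead - trail) + pan[-trail:]


def truncate_pan(pan: str, trail: int = 4) -> str:
    """Truncate for storage: keep the last four digits, discard the rest irrecoverably."""
    return pan[-trail:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN so equal PANs yield equal tokens.
    A plain unkeyed hash of a 16-digit number can be reversed by enumeration;
    the secret key is what makes the token safe to store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# Runs of 13 to 19 digits not adjacent to other digits (assumed PAN length range).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs found in free text such as application logs,
    the kind of accidental storage Req 03 says must not happen."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("leaked PAN found, masked form:", mask_pan(pan))
        print("storable truncation:", truncate_pan(pan))
        print("storable token:", pan_token(pan))
```

Running the block against the constructed log line reports the test PAN (masked) while ignoring the order number, which fails the Luhn check; the printed token and truncation are the only forms that a system following Req 03 would retain.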
Req: 04- Encrypt transmission of cardholder data across open, public networks: Strong cryptography and security protocols (e.g. TLS, IPSec, SSH, etc.) should be used to safeguard sensitive cardholder data during transmission over open, public networks that could easily be accessed by malicious individuals.

Req: 05- Protect all systems against malware and regularly update antivirus software or programs: Antivirus software capable of detecting, removing and protecting against all known types of malware (e.g. viruses, worms and Trojans) must be used on all systems commonly affected by malware to protect them from threats.

Req: 06- Develop and maintain secure systems and applications: Many security vulnerabilities are fixed by patches issued by software vendors. Organisations should establish a process to identify security vulnerabilities and rank them according to their level of risk. Relevant security patches should be installed within a month of their release to protect against cardholder data compromise.

Req: 07- Restrict access to cardholder data by business need to know: Exploiting authorised accounts and abusing user privileges is one of the easiest ways for criminal hackers to gain access to a system. It is also one of the most difficult types of attack to detect.

Req: 08- Identify and authenticate access to system components: The ability to identify individual users not only ensures that system access is limited to those with the proper authorisation, it also establishes an audit trail that can be analysed following an incident. Documented policies and procedures must therefore be implemented to ensure proper user identification management for non-consumer users and administrators on all system components. All users must be assigned a unique ID, which must be managed according to specific guidelines.

Req: 09- Restrict physical access to cardholder data: Electronic data breaches are not the only source of data loss; physical access to systems should also be limited and monitored using appropriate controls. Procedures should be implemented to distinguish between on-site personnel and visitors, and physical access to sensitive areas (e.g. server rooms and data centres) should be restricted accordingly.

Req: 10- Track and monitor all access to network resources and cardholder data: The use of logging mechanisms is critical in preventing, detecting and minimising the impact of data compromise. If system usage is not logged, potential breaches cannot be identified. Secure, controlled audit trails must therefore be implemented that link all access to system components with individual users and log their actions.
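To show what Req 08 and Req 10 ask for in working form, the following Python is an added example (not from the original page and not a PCI DSS reference implementation) of an append-only audit trail: every entry must name an individual user ID, and each entry commits to the hash of the previous one, so an edited or deleted record breaks the chain and `verify()` reports where. The user names, resources and timestamps are constructed sample values; the field layout and the SHA-256 hash chain are design choices of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first entry


class AuditTrail:
    """Hash-chained audit log linking every action to one individual user ID."""

    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    @staticmethod
    def _hash(entry: dict) -> str:
        # Hash every field except the entry's own hash, in a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id: str, action: str, resource: str, outcome: str, ts: str = None) -> str:
        """Append one entry; shared or empty user IDs are rejected (Req 08: unique ID per user)."""
        if not user_id or user_id.lower() in ("root", "admin", "shared"):
            raise ValueError("audit entries must name an individual user ID")
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "action": action,
            "resource": resource,
            "outcome": outcome,
            "prev": self._last_hash,   # links this entry to the one before it
        }
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry["hash"]

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first broken entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._hash(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def access_by_user(self, user_id: str) -> list:
        """All recorded actions for one user, the view an investigator needs after an incident."""
        return [e for e in self.entries if e["user_id"] == user_id]


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity: two users touching cardholder resources."""
    trail = AuditTrail()
    trail.record("jsmith", "read", "cardholder_db/cards", "success", ts="2024-05-01T10:00:00+00:00")
    trail.record("ops-m.lee", "firewall.rule.modify", "fw-edge-1", "success", ts="2024-05-01T10:05:00+00:00")
    trail.record("jsmith", "export", "cardholder_db/cards", "denied", ts="2024-05-01T10:07:00+00:00")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify() == -1)
    t.entries[1]["user_id"] = "someone_else"   # simulate tampering with a stored record
    print("first broken entry after tamper:", t.verify())
```

Storing the entries on write-once media or shipping them to a separate log host makes the chain useful in practice: the chain proves whether records were altered after the fact, while separation keeps an attacker with application access from rewriting the whole history consistently.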
Req: 11- Regularly test security systems and processes: New vulnerabilities are regularly found and exploited, so it is essential that system components, processes and custom software are regularly tested. Documented processes must be implemented to detect and identify all unauthorised wireless access points on a quarterly basis. Internal and external network vulnerability scans must be performed by qualified personnel at least quarterly and after any significant change in the network (e.g. new system component installations, changes in network topology, firewall rule modifications and product upgrades).