Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
Selections:Description: (For example, block traffic originating from the Internet with an internal source address.)
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: Note: Methods to obscure IP addressing may include, but are not limited to: * Network Address Translation (NAT) * Placing servers containing cardholder data behind proxy servers/firewalls, * Removal or filtering of route advertisements for private networks that employ registered addressing, * Internal use of RFC1918 address space instead of registered addresses.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: Firewall configurations include: * Specific configuration settings are defined for personal firewall software. * Personal firewall software is actively running. * Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.'
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: Sources of industry-accepted system hardening standards may include, but are not limited to: * Center for Internet Security (CIS) * International Organization for Standardization (ISO) * SysAdmin Audit Network Security (SANS) Institute * National Institute of Standards Technology (NIST)
Levels:Automated: yes
Selections:Description: Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
Levels:Automated: no
No rules selected
Description: * Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements * Specific retention requirements for cardholder data * Processes for secure deletion of data when no longer needed * A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Levels:Automated: no
No rules selected
Description: Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: * The cardholder's name * Primary account number (PAN) * Expiration date * Service code To minimize risk, store only these data elements as needed for business.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: * There is a business justification and * The data is stored securely. Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
Levels:Automated: no
No rules selected
Description: Note: This requirement does not supersede stricter requirements in place for displays of cardholder data; for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Levels:Automated: no
No rules selected
Description: * One-way hashes based on strong cryptography, (hash must be of the entire PAN) * Truncation (hashing cannot be used to replace the truncated segment of PAN) * Index tokens and pads (pads must be securely stored) * Strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: * Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength an d expiry date * Description of the key usage for each key * Inventory of any HSMs and other SCDs used for key management
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key * Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device) * As at least two full-length key components or key shares, in accordance with an industry- accepted method\nNote: It is not required that public keys be stored in one of these forms.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.
Levels:Automated: no
No rules selected
Description: Note: Examples of manual key- management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * Only trusted keys and certificates are accepted. * The protocol in use only supports secure versions or configurations. * The encryption strength is appropriate for the encryption methodology in use. Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016. Examples of open, public networks include but are not limited to: * The Internet * Wireless technologies, including 802.11 and Bluetooth * Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA) * General Packet Radio Service (GPRS) * Satellite communications
Levels:Automated: yes
Selections:Description: Note: The use of WEP as a security control is prohibited.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: * Are kept current, * Perform periodic scans * Generate audit logs which are retained per PCI DSS Requirement 10.7.
Levels:Automated: yes
Selections:Description: Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk- assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a 'high risk' to the environment. In addition to the risk ranking, vulnerabilities may be considered 'critical' if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.
Levels:Automated: no
No rules selected
Description: Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. * Code reviews ensure code is developed according to secure coding guidelines * Appropriate corrections are implemented prior to release. * Code-review results are reviewed and approved by management prior to release. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Levels:Automated: no
No rules selected
Description: * In accordance with PCI DSS (for example, secure authentication and logging) * Based on industry standards and/or best practices. * Incorporating information security throughout the software-development life cycle Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
Levels:Automated: no
No rules selected
Description: * Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. * Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
Levels:Automated: no
Selections:Description: * Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. * Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) in front of public- facing web applications, to continually check all traffic.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * System components and data resources that each role needs to access for their job function * Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: This access control system must include the following:
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Enabled only during the time period needed and disabled when not in use. Monitored when in use.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: for example, performing password resets, provisioning new tokens, or generating new keys."
Levels:Automated: no
No rules selected
Description: * Require a minimum length of at least seven characters. * Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * Something you know, such as a password or passphrase * Something you have, such as a token device or smart card * Something you are, such as a biometric.
Levels:Automated: no
No rules selected
Description: Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
Levels:Automated: no
No rules selected
Description: * Guidance on selecting strong authentication credentials * Guidance for how users should protect their authentication credentials * Instructions not to reuse previously used passwords * Instructions to change passwords if there is any suspicion the password could be compromised.
Levels:Automated: no
No rules selected
Description: * Generic user IDs are disabled or removed. * Shared user IDs do not exist for system administration and other critical functions. * Shared and generic user IDs are not used to administer any system components.
Levels:Automated: no
No rules selected
Description: Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted. Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.
Levels:Automated: no
No rules selected
Description: Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
Levels:Automated: no
No rules selected
Description: All user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of- sale terminals are present, such as the cashier areas in a retail store.
Levels:Automated: no
No rules selected
Description: For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: include: * Identifying onsite personnel and visitors (for example, assigning badges) * Changes to access requirements * Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Levels:Automated: no
No rules selected
Description: * Access must be authorized and based on individual job function. * Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
Levels:Automated: no
No rules selected
Description: Procedures should include the following:
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: The list should include the following: * Make, model of device * Location of device (for example, the address of the site or facility where the device is located) * Device serial number or other method of unique identification.
Levels:Automated: no
No rules selected
Description: Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
Levels:Automated: no
No rules selected
Description: Training should include the following: * Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. * Do not install, replace, or return devices without verification. * Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). * Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Levels:Automated: no
No rules selected
Description: Note: These requirements apply to card- reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: yes
Selections:Description: * All security events * Logs of all system components that store, process, or transmit CHD and/or SAD * Logs of all critical system components * Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) * Includes coverage for the entire CDE perimeter and critical systems * Includes testing from both inside and outside the network * Includes testing to validate any segmentation and scope-reduction controls * Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 * Defines network-layer penetration tests to include components that support network functions as well as operating systems * Includes review and consideration of threats and vulnerabilities experienced in the last 12 months * Specifies retention of penetration testing results and remediation activities results.
Levels:Automated: no
No rules selected
Description: Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre- configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: * Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), * Identifies critical assets, threats, and vulnerabilities, and * Results in a formal, documented analysis of risk. Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
Levels:Automated: no
No rules selected
Description: Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e- mail usage and Internet usage. Ensure these usage policies require the following:
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement. Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
Levels:Automated: no
No rules selected
Description: * Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum * Specific incident response procedures * Business recovery and continuity procedures * Data backup processes * Analysis of legal requirements for reporting compromises * Coverage and responses of all critical system components * Reference or inclusion of incident response procedures from the payment brands.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
Levels:Automated: no
No rules selected
Description: * Overall accountability for maintaining PCI DSS compliance * Defining a charter for a PCI DSS compliance program * Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually PCI DSS Reference: Requirement 12
Levels:Automated: no
No rules selected
Description: * Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities * Annual PCI DSS assessment processes * Processes for the continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement) * A process for performing business- impact analysis to determine potential PCI DSS impacts for strategic business decisions PCI DSS Reference: Requirements 1-12
Levels:Automated: no
No rules selected
Description: * Managing PCI DSS business-as-usual activities * Managing annual PCI DSS assessments * Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement) * Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions PCI DSS Reference: Requirement 12
Levels:Automated: no
No rules selected
Description: PCI DSS Reference: Requirement 12
Levels:Automated: no
No rules selected
Description: * Identifying all in-scope networks and system components * Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented * Identifying all connected entities. e.g., third-party entities with access to the cardholder data environment (CDE) PCI DSS Reference: Scope of PCI DSS Requirements"
Levels:Automated: no
No rules selected
Description: * Performing a formal PCI DSS impact assessment * Identifying applicable PCI DSS requirements to the system or network * Updating PCI DSS scope as appropriate * Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3) PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12
Levels:Automated: no
No rules selected
Description: * Network diagram is updated to reflect changes. * Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled. * Systems are protected with required controls. e.g., file-integrity monitoring (FIM), anti-virus, patches, audit logging. * Verify that sensitive authentication data (SAD) is not stored and that all cardholder data (CHD) storage is documented and incorporated into data-retention policy and procedures * New systems are included in the quarterly vulnerability scanning process. PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12
Levels:Automated: no
No rules selected
Description: PCI DSS Reference: Requirement 12
Levels:Automated: no
No rules selected
Description: PCI DSS Reference: Requirement 11
Levels:Automated: no
No rules selected
Description: The effectiveness of data-discovery methods must be confirmed at least annually. PCI DSS Reference: Scope of PCI DSS Requirements
Levels:Automated: no
No rules selected
Description: * Procedures for determining what to do if clear-text PAN is discovered outside of the CDE, including its retrieval, secure deletion and/or migration into the currently defined CDE, as applicable * Procedures for determining how the data ended up outside of the CDE * Procedures for remediating data leaks or process gaps that resulted in the data being outside of the CDE * Procedures for identifying the source of the data * Procedures for identifying whether any track data is stored with the PANs
Levels:Automated: no
No rules selected
Description: Data-discovery methodology must take into consideration the potential for clear-text PAN to reside on systems and networks outside of the currently defined CA3. PCI DSS Reference: Scope of PCI DSS Requirements
Levels:Automated: no
No rules selected
Description: PCI DSS Reference: Scope of PCI DSS Requirements
Levels:Automated: no
No rules selected
Description: Response procedures must include: * Procedures for the timely investigation of alerts by responsible personnel * Procedures for remediating data leaks\nor process gaps, as necessary, to prevent any data loss
Levels:Automated: no
No rules selected
Description: Examples of critical security controls include, but are not limited to: * Firewalls * IDS/IPS * FIM * Anti-virus * Physical access controls * Logical access controls * Audit logging mechanisms * Segmentation controls (if used) PCI DSS Reference: Requirements 1-12
Levels:Automated: no
No rules selected
Description: Processes for responding to failures in security controls must include: * Restoring security functions * Identifying and documenting the duration (date and time start to end) of the security failure * Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause * Identifying and addressing any security issues that arose during the failure * Performing a risk assessment to determine whether further actions are required as a result of the security failure\n\ * Implementing controls to prevent cause of failure from reoccurring * Resuming monitoring of security controls PCI DSS Reference: Requirements 1-12
Levels:Automated: no
No rules selected
Description: (For example, a review of technologies that are no longer supported by the vendor and/or no longer meet the security needs of the organization.) The process includes a plan for remediating technologies that no longer meet the organization\u2019s PCI DSS requirements, up to and including replacement of the technology, as appropriate. PCI DSS Reference: Requirement 2, 6"
Levels:Automated: no
No rules selected
Description: Reviews must be performed by personnel assigned to the PCI DSS compliance\ program (as identified in A3.1.3), and include the following: * Confirmation that all BAU activities (e.g., A3.2.2, A3.2.6, and A3.3.1) are being performed * Confirmation that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.) * Documenting how the reviews were completed, including how all BAU activities were verified as being in place. * Collection of documented evidence as required for the annual PCI DSS assessment * Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program (as identified in A3.1.3) * Retention of records and documentation for at least 12 months, covering all BAU activities PCI DSS Reference: Requirements 1-12
Levels:Automated: no
No rules selected
Description: PCI DSS Reference: Requirement 7
Levels:Automated: no
No rules selected
Description: * Identification of anomalies or suspicious activity as they occur * Issuance of timely alerts upon detection of suspicious activity or anomaly to responsible personnel * Response to alerts in accordance with documented response procedures PCI DSS Reference: Requirements 10, 12
Levels:Automated: no
No rules selected