PCI DSS Controls

Req Level One Two Three Three Three Three Three Three Three Three

Parent Req # 1 1 1 1 1 1 1 1 1 1

Req # 1 1.1 1.1.1 1.1.2

Test Proc # 1 1.1 1.1.1

PCI Requirement Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish firewall and router configuration standards that include the following:

Testing Procedure

PCI SSC Guidance

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations 1.1.2 Current network diagram with all connections to 1.1.2.a cardholder data, including any wireless networks 1.1.2.b

1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. 1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations. 1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all 1.1.2.b Verify that the diagram is kept current.

Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware A policy and process for approving and testing all connections and changes to the firewalls and routers will help prevent security problems caused by Network diagrams enable the organization to identify the location of all its network devices. Additionally, the network diagram can be used to map the data flow of

1.1.3

1.1.3 Requirements for a firewall at each Internet 1.1.3.a Verify that firewall configuration standards 1.1.3.a connection and between any demilitarized zone (DMZ) include requirements for a firewall at each Internet and the internal network zone connection and between any DMZ and the internal 1.1.3.b Verify that the current network diagram is 1.1.3.b consistent with the firewall configuration standards. 1.1.4 Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network 1.1.5 Documentation and business justification for use 1.1.5.a Verify that firewall and router configuration 1.1.5.a of all services, protocols, and ports allowed, including standards include a documented list of services, documentation of security features implemented for protocols and ports necessary for business—for 1.1.5.b Identify insecure services, protocols, and ports 1.1.5.b allowed; and verify they are necessary and that security features are documented and implemented by 1.1.4 1.1.4 Description of groups, roles, and responsibilities for logical management of network components

Using a firewall on every connection coming into (and out of) the network allows the organization to monitor and control access in and out, and to minimize the

1.1.4 1.1.5

This description of roles and assignment of responsibility ensures that someone is clearly responsible for the security of all components and is Compromises often happen due to unused or insecure service and ports, since these often have known vulnerabilities—and many

20

PCI DSS Controls

Req Level Three Three Two Two Three Three Three Three Two Three Three

Parent Req # 1 1 1 1 1 1 1 1 1 1 1

Req # 1.1.6

Test Proc # 1.1.6.a 1.1.6.b

PCI Requirement 1.1.6 Requirement to review firewall and router rule sets at least every six months

Testing Procedure 1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months. 1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder

PCI SSC Guidance This review gives the organization an opportunity at least every six months to clean up any unneeded, outdated, or incorrect rules, and ensure that all rule

1.2 Note: 1.2.1

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to 1.2.1 Restrict inbound and outbound traffic to that 1.2.1.a which is necessary for the cardholder data environment. 1.2

It is essential to install network protection, namely a system component with (at a minimum) stateful inspection firewall capability, between the internal,

1.2.2 1.2.3 1.3 1.3.1 1.3.2

1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are 1.2.1.b Verify that all other inbound and outbound 1.2.1.b traffic is specifically denied, for example by using an explicit ―deny all‖ or an implicit deny after allow 1.2.2 Verify that router configuration files are secure 1.2.2 1.2.2 Secure and synchronize router configuration files. and synchronized—for example, running configuration files (used for normal running of the routers) and start1.2.3 Install perimeter firewalls between any wireless 1.2.3 Verify that there are perimeter firewalls installed 1.2.3 networks and the cardholder data environment, and between any wireless networks and systems that store configure these firewalls to deny or control (if such cardholder data, and that these firewalls deny or 1.3 Prohibit direct public access between the Internet 1.3 Examine firewall and router 1.3 and any system component in the cardholder data configurations—including but not limited to the choke environment. router at the Internet, the DMZ router and firewall, the 1.3.1 Implement a DMZ to limit inbound traffic to only 1.3.1 Verify that a DMZ is implemented to limit inbound 1.3.1 system components that provide authorized publicly traffic to only system components that provide accessible services, protocols, and ports. authorized publicly accessible services, protocols, and 1.3.2 Limit inbound Internet traffic to IP addresses 1.3.2 Verify that inbound Internet traffic is limited to IP 1.3.2 within the DMZ. addresses within the DMZ.

This requirement is intended to prevent malicious individuals from accessing the organization's network via unauthorized IP addresses or from using services,

While running configuration files are usually implemented with secure settings, the start-up files (routers run these files only upon re-start) may not be The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access A firewall's intent is to manage and control all connections between public systems and internal systems (especially those that store, process or The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and internal Termination of IP connections at the DMZ provides opportunity for inspection and restriction of source/destination, and/or inspection / blocking of

20

3.3. only ―established‖ inspection (dynamic packet filtering). the Internet into the DMZ. If cardholder data is located 1.4 Do not allow internal addresses to pass from the 1.6 dynamic packet filtering. viruses.8.PCI DSS Controls Req Level Three Three Three Three Three Three Three Two Two One Parent Req # 1 1 1 1 1 1 1. disclosure of private IP addresses and routing ―learning‖ the IP addresses of the internal network.8 Do not disclose private IP addresses and routing 1.3. (Only established keeps "state" (or the status) for each connection to the connections are allowed into the network.3. within the DMZ. Testing Procedure PCI SSC Guidance 1.3. This allows other 1.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.3.a Verify that methods are in place to prevent the Restricting the broadcast of IP addresses is essential to prevent a hacker 1. (That is.7 1. worms and rootkits (malware) may be 1.a information to unauthorized parties.3.3. data environment to the Internet is explicitly authorized evaluated to ensure that outbound traffic follows A firewall that performs stateful packet inspection 1. cardholder data are on an internal network zone.b addresses and routing information to external entities is authorized.6 1.3.4 Verify that internal addresses cannot pass from computer that originally sent it. and which are Trojans. and only if they are firewall. also known as 1.3. Normally a packet contains the IP address of the 1. All traffic outbound from inside the cardholder data 1.b configured by the organization to specific standards and is not alterable by users of mobile and/or Requirement 2: Do not use vendor-supplied 2 defaults for system passwords and other security parameters 20 .8.4 Install personal firewall software on any mobile 1.3 1. By keeping "state.3.3. laptops used by employees).7 Verify that system components that store information protection.3.7 data (such as a database) in an internal network zone.4. spyware. and/or inspection / cardholder data environment.7 Place system components that store cardholder 1.3.3.4.3 Verify direct connections inbound or outbound are not allowed for traffic between the Internet and the outbound provides opportunity for inspection and restriction of source/destination.b 1. access to this information is easier for segregated from the DMZ and other untrusted segregated from the DMZ and other untrusted 1.3.3.a Verify that mobile and/or employee-owned program installed.3.5 1.4 Require ment Termination of IP connections both inbound and 1.3. If a computer does not have a firewall or anti-virus 1.b Verify that any disclosure of private IP 1.4 Internet into the DMZ.3.4.5 the cardholder data environment to the Internet. laptops used example.3.3.5 Do not allow unauthorized outbound traffic from 1.a 1.4 1.8 Test Proc # 1.3.3." the firewall knows whether Cardholder data requires the highest level of 1.6 Implement stateful inspection.3. computers in the network to know where it came from.8.5 Verify that outbound traffic from the cardholder environment should be 1.3 PCI Requirement 1.8.4. 1.) connections should be allowed in.8.3.3.b Verify that the personal firewall software is 1.a and/or employee-owned computers with direct computers with direct connectivity to the Internet (for connectivity to the Internet (for example.b 2 Req # 1.4.4.6 Verify that the firewall performs stateful 1. 1. and information from internal networks to the Internet.

1.1.b Verify default SNMP community strings on wireless devices were changed.1.1. including but not limited to passwords.1.c 2.d 2.1.1 Choose a sample of system components.1. These Many users install these devices without management approval and do not change default settings or configure security settings.1 2.1.1.1. simple network management 2.1. 2.1. PCI SSC Guidance Malicious individuals (external and internal to a company) often use vendor default settings.1. including but Testing Procedure 2.b 2.e Verify other security-related wireless vendor defaults were changed. if applicable.a Verify encryption keys were changed from default at installation.1.1 Always change vendor-supplied defaults before installing a system on the network.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data.e PCI Requirement 2.1. and are changed anytime anyone with knowledge of the keys leaves the company or 2.1. 2.1.a 2.PCI DSS Controls Req Level Two Three Three Three Three Three Three Parent Req # 2 2 2 2 2 2 2 Req # 2. and passwords to compromise systems.1. If wireless networks are not 20 .1 2.1.1.1.c Verify default passwords/passphrases on access points were changed.1 2.1. and attempt to log on (with system administrator help) to the devices using default vendor-supplied accounts 2.1 Verify the following regarding vendor default settings for wireless environments: 2.1. change wireless vendor defaults.1.d Verify firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks. 2. account names.1 Test Proc # 2.

a Interview system administrators and/or security 2.b If virtualization technologies are used. 20 . daemons. verify that The server-hardening standards must include processes to address unnecessary functionality with all unnecessary functionality (for example.2 Test Proc # 2.4.1.4).b Identify any enabled insecure services.2.a prevent functions that require different security levels only one primary function is implemented per server.b that only one primary function is implemented per virtual system component or device.2.a 2..2 Enable only necessary and secure services.d PCI Requirement 2.2.2.a For a sample of system components.c.2.3. drivers.3 2. verify 2.b daemons.1.2. Verify enabled functions are documented and support secure configuration.4 2. Verify that only necessary services or protocols are 2.4. file systems.2.c 2.b.2.c.2.b Review services and parameter files on systems to determine that Telnet and other remote login commands are not available for use internally. daemons. there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious This is intended to ensure your organization’s system configuration standards and related processes specifically address security settings and parameters 2. 2.a 2. 2.3. features.2.b 2. 2.3.2.a 2.3 Configure system security parameters to prevent 2.3 For a sample of system components.2.3 2.2. as required for the function enabled system services.3.2.a Examine the organization’s system configuration There are known weaknesses with many operating systems. or protocols.1 – 2.3.4 Remove all unnecessary functionality.4 2. As stated in Requirement 1. This is intended to ensure your organization's system configuration standards and related processes address server functions that need to have different security 2. drivers.2. Use technologies such as SSH. 2.2. verify that authentication and encrypted non-console administrative access is encrypted by communications.a managers to verify that they have knowledge of misuse. VPN. etc.c Verify that administrator access to the web-based management interfaces is encrypted with strong cryptography.5. sensitive administrative or performing the following: 2. Assure that these standards address all known security vulnerabilities and are consistent with Testing Procedure PCI SSC Guidance 2.2. 2. scripts.3. and there are also known ways verify the system configuration standards are 2.c 2. file systems. common security parameter settings for system 2.2. subsystems.3.2 2.2.2. subsystems.2. Verify that only documented functionality is present on the sampled system components.2. of the system. 2.2. 2. 2.a For a sample of system components.4 For a sample of system components. specific security implications (like removing/disabling drivers.2. or SSL/TLS for web-based management If remote administration is not done with secure 2. Verify they are justified and that security features are documented and implemented.) is 2.3 Encrypt all non-console administrative access using strong cryptography.a For a sample of system components. 2.2.3.3.b Verify that common security parameter settings 2. and protocols. 2. from co-existing on the same server. as defined in Requirement 6.PCI DSS Controls Req Level Two Two Two Two Three Three Three Three Three Three Three Three Three Three Three Two Two Two Two Parent Req # 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 Req # 2.2. 2.3 2.2.c For a sample of system components.2. 2.2.2.4. inspect 2.2. 2. features. verify that common security parameters are set appropriately. verify that all unnecessary functionality (for example.a protocols. scripts.b Verify that system configuration standards are updated as new vulnerability issues are identified. and unnecessary web servers.2. verify that 2.b. and standards for all types of system components and enterprise applications.3.1.2.b 2.) is 2. subsystems.2.2.c Verify that system configuration standards are applied when new systems are configured.2. such as scripts. file systems.a Observe an administrator log on to each system to verify that a strong encryption method is invoked before the administrator’s password is requested. 2.2.2.1 2. etc.1.4. features.2.d Verify that system configuration standards include each item below (2.2.2. 2.1.1 Implement only one primary function per server to 2. databases.2.3. (For example.4.4.c 2.2.2.2. etc.b are included in the system configuration standards.2 Develop configuration standards for all system components.3.

4 3 3.d 3.3 Do not store the personal identification number data sources.1.1 Test Proc # 2. verify there is a business justification for the validation code or value.3 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies.2. if sensitive authentication 3. receipts) to verify that primary account numbers 3.2.2.1. 3. procedures and processes.1.2. These detailed in Appendix A: Additional PCI DSS providers must meet specific requirements as detailed Requirements for Shared Hosting Providers for PCI Requirement 3: Protect stored cardholder data 3.2.1 3.1.b For all other entities.3 3. regulatory.e cardholder data.1. and the encryption algorithms 3. Storage of 3.2 3. perform the following steps: 3.4 Shared hosting providers must protect each entity’s 2. 3.a 3. as follows.b data is received and deleted.1 For a sample of system components. The purpose of the card validation code is to protect "card-not-present" transactions—Internet or mail order/telephone order These values should be known only to the card owner or bank that issued the card. and system used to protect the PAN.3 Obtain and examine written policies and examine four digits are the maximum number of digits to be displays of PAN (for example.1.a authorization (even if encrypted).1.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is.b 3.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card.2 3. and verify that PINs and encrypted PIN blocks are not 3.1.1. equivalent data contained on a chip.1. including but not limited to the following. on paper displayed).b Verify that policies and procedures include provisions for secure disposal of data when no longer needed for legal.1. PANs stored in primary storage (databases. examine data sources.2.c Examine a sample of removable media (for example. including the vendor. in logs) by using any of the following approaches: type of system/process.e For a sample of system components that store 3.2.4. When all data is on the same server and 2.1 Implement a data retention and disposal policy 3. not stored in plain-text).2. 3.2 For a sample of system components.2. faxes.2 3.1 Obtain and examine the policies. verify that the data stored does not exceed the requirements defined in the data retention Sensitive authentication data consists of magnetic 3. examine 3.1. including but not limited to the following. regulatory.1.3 Mask PAN when displayed (the first six and last 3.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not3.a that includes: · Limiting data storage amount and retention time to 3. or paper reports can result in this data Lack of protection of PANs can allow malicious individuals to view or download this data. and verify that the full contents of any track from the 3.1 through A.4.2.1. on screen.2.1.4 Require ment 3.4. or elsewhere).3 For a sample of system components. 3. payment card receipts.2.c For each item of sensitive authentication data 3. obtain and review the processes for securely deleting the data to verify that 3.3 3.4 hosted environment and cardholder data.1.1. and where that data resides so it can be securely destroyed or deleted as soon as it is the following: 3.d Verify that policies and procedures include at least one of the following: A programmatic process (automatic or manual) to 3.b 3.1 3. malicious individuals who obtain that data can reproduce and sell payment cards. 3.2.a Verify that policies and procedures are implemented and include legal.1.3 3.d 3.4.2.c below. If this prohibited data is stored and subsequently stolen.c Verify that policies and procedures include coverage for all storage of cardholder data.a Obtain and examine documentation about the (including on portable digital media. including 3.PCI DSS Controls Req Level Two One Two Three Three Three Three Three Two Two Two Three Three Three Two Two Two Two Two Parent Req # 2 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 Req # 2. 3.2. If full track data is stored.4.c 3. backup media.2.1 PCI Requirement Testing Procedure PCI SSC Guidance This is intended for hosting providers that provide shared hosting environments for multiple clients on the same server. and business requirements for data retention.1. including but not limited to the following (PIN) or the encrypted PIN block.2.4. procedures and A formal data retention policy identifies what data processes for data retention and disposal.d Examine a sample of audit logs to confirm that the PAN is rendered unreadable or removed from the logs.1.1.2.4 20 .1 3.4 Render PAN unreadable anywhere it is stored 3. and perform needs to be retained. examine data sources. malicious individuals The display of full PAN on items such as computer screens.a For issuers and/or companies that support stripe (or track) data6. card 3. or flat files such as text 3. or business reasons.2 Do not store sensitive authentication data after 3. back-up tapes) to confirm that the PAN is rendered unreadable.1. and verify that the three-digit or four-digit card 3.4.1.4 Perform testing procedures A.4.c 3. issuing services and store sensitive authentication Sensitive authentication data includes the data as cited data.1. and PIN data.

2 3.3 Verify that key-management procedures are meaning the keys are not stored in the clear (encrypt 3.1 If disk encryption is used (rather than file.c If retired or replaced cryptographic keys are 3.1 3.6.6.6.2. verify that logical 3. 3.4 Verify that key-management procedures are particular cryptographic key can be used for its defined 3. as 3.1.2 Secure cryptographic key distribution implemented to require secure key distribution.6.6.6.5 Verify processes to protect keys used for encryption of cardholder data against disclosure and misuse by performing the following: 3. and stored in very few locations.5 3.b Verify that cryptographic keys are stored 3.PCI DSS Controls Req Level Three Three Three Two Three Three Three Two Two Two Three Three Three Three Three Three Three Three Three Parent Req # 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 Req # 3. Key-encrypting keys.5.4.6.1. Disk encryption encrypts 3. 3.a archiving.6.6.1 Test Proc # PCI Requirement Testing Procedure PCI SSC Guidance The intent of this requirement is to address the 3.5. must be at There should be very few who have access to cryptographic keys. The encryption solution must store keys securely. A cryptoperiod is the time span during which a 3.3 3.6. verify that the service 3. or unexpected processes. usually only those who have key custodian responsibilities.6.6 Verify that manual clear-text key-management 3.1.6.6 management operations are used.b shares keys with their customers for transmission or storage of cardholder data.6.b For service providers only: If the service provider 3. logical access must access to encrypted file systems is implemented via a acceptability of disk encryption for rendering be managed independently of native operating system mechanism that is separate from the native operating cardholder data unreadable.4.6 3.4.c Examine the key-management procedures and 3.3 Secure cryptographic key storage implemented to require secure key storage.4.6. substitution of keys.b Verify that the key-management procedures 3. Considerations for defining the cryptoperiod after a defined period of time has passed and/or after a end of the defined cryptoperiod.1.6.5.b Identify key storage locations to verify that keys are stored in the fewest possible locations and forms. 3. 3. implemented to require periodic key changes at the purpose.4 3.1.a If disk encryption is used.5.6 Fully document and implement all key-management 3. and/or revocation) of keys as implemented to require the retirement of keys when the retired and destroyed to ensure that the keys can no longer be used.1 3. Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data.5.6 3.a Verify the existence of key-management processes and procedures for cryptographic keys used procedures for keys used for encryption of cardholder is a critical part of the continued security of the encryption solution. if used.6 If manual clear-text cryptographic key 3.2 Verify that key-management procedures are meaning the keys are not distributed in the clear.6.1.5 Retirement or replacement (for example. Cryptographic keys must be stored securely.a column-level database encryption).3 3. them with a key-encryption key). If old keys deemed necessary when the integrity of the key has integrity of the key has been weakened.6.2.2 3.4.c is encrypted wherever stored.b are implemented to require the replacement of known or suspected compromised keys.1 Restrict access to cryptographic keys to the fewest number of custodians necessary. these operations procedures require split knowledge and dual control of eliminate the possibility of one person’s having access to the whole key.b securely (for example.a 3.or 3. and Acronyms under "strong The encryption solution must distribute keys securely.6.a 20 . only to custodians identified in 3. 3. Split knowledge and dual control of keys are used to 3. 3. usually encrypted with key-encrypting keys.1 Examine user access lists to verify that access to keys is restricted to the fewest number of custodians necessary.6.6.5.6.6. 3. and 3.2.5. including the data.6. verify that these keys are not used for encryption operations. The encryption solution should not allow for or accept 3.5.2.6.a Examine system configuration files to verify that keys are stored in encrypted format and that keyencrypting keys are stored separately from data3.c Verify that cardholder data on removable media 3.5.6. 3.a Verify that key-management procedures are 3. 3.5 3.2 Store cryptographic keys securely in the fewest possible locations and forms.6.6.6. 3.1 Generation of strong cryptographic keys implemented to require the generation of strong keys.5.c perform the following: The encryption solution must generate strong keys.4 Cryptographic key changes for keys that have 3.5 Protect any keys used to secure cardholder data against disclosure and misuse: 3.6. It is not intended that the key-encrypting 3.1 Verify that key-management procedures are defined in the PCI DSS and PA-DSS Glossary of 3.4 reached the end of their cryptoperiod (for example.5.2 3.1 3.6.5 3.5.1. Old keys that are no longer used or needed should be 3.6. Terms. Abbreviations.5.6.6. This control is applicable for manual must be managed using split knowledge and dual keys.b 3.1 3.6.7 Verify that key-management procedures are 3.6.6.6. stored on removable media that is adequately protected with strong access controls).4.7 Prevention of unauthorized substitution of 3.5. A good for encryption of cardholder data. 3.7 The manner in which cryptographic keys are managed 3.c retained.5.6.7 implemented to require the prevention of unauthorized substitution of keys coming from unauthorized sources cryptographic keys.4. destruction.4.5. 3.5.

verify that automatic updates and It is important to protect against ALL types and forms of malicious software. remove.b 5.1 Deploy anti-virus software on all systems 5. Sensitive information must be encrypted during transmission over public networks.6. SSH.1.b Verify the existence of a policy stating that unprotected PANs are not to be sent via end-user messaging technologies. and does not support insecure versions or configurations. IEEE 802.1. Requirement 4: Encrypt transmission of cardholder data across open.) 4.2.b Verify that only trusted keys and/or certificates are accepted.8 Require ment 4.2. and protecting against all known types of malicious software. verify that anti-virus software is Malicious users use free and widely available tools to eavesdrop on wireless communications.1.a Obtain and examine the policy and verify that it requires updating of anti-virus software and definitions. public networks.c For a sample of system components including all operating system types commonly affected by malicious software.d Verify that the proper encryption strength is implemented for the encryption methodology in use.). verify that all anti-virus programs detect.2. 4. IPSEC.1. and chat can be easily intercepted by packet-sniffing during delivery traversal across internal and public networks. malicious software. use industry best practices (for example.a 5.2.2 5.1 For a sample of system components including all commonly affected by malicious software (particularly operating system types commonly affected by personal computers and servers).2 Verify that all anti-virus software is current.1.1 4. data or connected to the cardholder data environment.1.1. 5. etc. removing.2 Never send unprotected PANs by end-user 4.1.) to safeguard sensitive cardholder data during transmission over Testing Procedure PCI SSC Guidance This process will ensure individuals that act as key 3.2. and generating logs by performing the following: 5.1 Use strong cryptography and security protocols (for example.2.1. 4.6. 4. chat.a Verify that PAN is rendered unreadable or messaging technologies (for example.2. instant secured with strong cryptography whenever it is sent messaging. and generating audit logs. via end-user messaging technologies.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. actively running.c 4.1.b Verify that the master installation of the software is enabled for automatic updates and periodic scans. IEEE 4.2 4.1.d 4.1.1 For a sample of system components.1 4. actively running.2.1 Test Proc # 3. The best anti-virus software is limited in effectiveness if it does not have current antivirus signatures or if it isn't active in the network or on an individual's 20 .1 5.a 4.c 5.b 4.1 4. and protect against all known types of malicious software (for 5.6.a Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.1 For wireless networks transmitting cardholder data or connected to the cardholder data environment.1 Ensure wireless networks transmitting cardholder 4.1 5.1 Verify the use of security protocols wherever cardholder data is transmitted or received over open.1. Use of strong cryptography can limit E-mail.PCI DSS Controls Req Level Three One Two Two Two Two Two Two Three Two Two One Two Two Three Two Two Two Two Parent Req # 3 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 Req # 3. SSL/TLS.8 4 4.8 Verify that key-management procedures are implemented to require key custodians to acknowledge custodians commit to the key custodian role and understand the responsibilities.1 5 5.2 Ensure that all anti-virus mechanisms are current. 4.e For SSL/TLS implementations: · Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). Requirement 5: Use and regularly update anti-virus software or programs 5.1. public networks 4. etc. often "0 day" (published and spread throughout networks within an hour of discovery) 5. because it is easy and common for a malicious individual to intercept 4. 5.1.2.1 4.b Require ment 5.e PCI Requirement 3. (in writing or electronically) that they understand and 4.1 Ensure that all anti-virus programs are capable of detecting. 4.11i) verify that industry best practices (for example. 5.c Verify that the protocol is implemented to use only secure configurations.1.a 4. instant messaging. (Check vendor recommendations/best practices. e-mail.6.2 Ensu re 5.1.1. 5. Do not utilize There is a constant stream of attacks using widely published exploits.2.

security features could be inadvertently or deliberately omitted or rendered inoperable. application becomes active.a external. Without the inclusion of security during the requirements definition.4.2.3.3.2 Establish a process to identify and assign a risk 6.3.2. Use of production data provides malicious individuals with the opportunity to Test data and accounts should be removed from 6.4.2. user IDs and/or 6. and must include the following: examination of relevant data (network configuration 6.3.d PCI Requirement Testing Procedure 5.4. The processes interviews with system and network administrators.2.5.1.PCI DSS Controls Req Level Two One Two Two Two Two Two Two Two Two Three Three Three Two Three Three Three Three Three Parent Req # 5 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 Req # Test Proc # 5. processing Due to the constantly changing state of development and test environments.3.b processes to verify that information security is included throughout the life cycle.2.a Obtain and examine written software 6.4.4 for all changes to system components.4. and passwords before applications become active passwords are removed before system goes into or are released to customers production or is released to customers.2.4. processing modifications are documented and require items 20 .3.a Verify that change-control procedures related to Without proper change controls.4. they tend to be less secure than the production environment. and interviews of software developers.4.b Examine written software development 6.2 Separation of duties between development/test 6.2 Review of custom code prior to release to 6.5 Requirement 6: Develop and maintain secure systems and applications 6.1 from the production environment.4. Procedures must include the following: Without proper change controls. 6.3 6. and testing phases of software development.d From an examination of written software 6.1 6. and that a risk ranking is assigned to 6.4 From an examination of change control processes.1 The development/test environments are separate 6.3.4. 6.1 6.3.3.1. Without adequate Reducing the number of personnel with access to the production environment and cardholder data minimizes risk and helps ensure that access is limited to those Security controls are usually not as stringent in the development environment.4.4 6. 6. Custom application accounts.2 6.1 Custom application accounts.4.4.3.a are protected from known vulnerabilities by having the software.3. The intention of this requirement is that organizations keep up-to-date with new vulnerabilities that may impact their environment.4.1 Separate development/test and production 6. compare the list of security patches installed latest vendor-supplied security patches installed.1 Ensure that all system components and software 6.3 Production data (live PANs) are not used for 6.b changes and verify that custom application code is reviewed according to 6.a production or customers in order to identify any custom application code changes must be reviewed potential coding vulnerability.3.b installation to verify they require installation of all critical new security patches within one month.4.2 personnel assigned to the development/test and production environments environments and those assigned to the production 6.3. verify that: 6.4 Test data and accounts are removed before a production code before the production system becomes active. and including web-based administrative development processes to verify that the processes access to applications) in accordance with PCI DSS are based on industry standards and/or best practices. 6 6. (using either manual or automated processes) as 6.c processes to verify that software applications are developed in accordance with PCI DSS.3.2 There is a separation of duties between 6.2 6. since these items may 6.2 6. processes are implemented to identify new security vulnerabilities.b Examine policies related to security patch 6.3.4 Removal of test data and accounts before production systems become active There are a considerable amount of attacks using widely published exploits. 6.3 Develop software applications (internal and 6. above.3 6.4.4.4 6.a implementation of security patches and software modifications. 6.2.2. verify that anti-virus software log generation is enabled and that such logs are retained in accordance with PCI DSS PCI SSC Guidance Require ment 6. with access control in environments place to enforce the separation.a Obtain and review policies to confirm that all 6.2.1 6.c Examine written software development 6.1.b Verify that processes to identify new security 6.a ranking to newly discovered security vulnerabilities.3.3 testing or development testing or development.3.a Interview responsible personnel to verify that 6. Install on each system to the most recent vendor security 6.4. security features could be inadvertently or implementing security patches and software deliberately omitted or rendered inoperable. 6.4. user 6. and passwords should be removed from production code before the application becomes active or is released to Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and 6.4.1. design.a For a sample of system components and related 6.2. 6.4 Follow change control processes and procedures 6.a.4 6. 6.d For a sample of system components. user IDs.b Select a sample of recent custom application 6.3 Production data (live PANs) are not used for 6.3. analysis.1 Removal of custom application accounts.b vulnerabilities include using outside sources for security vulnerability information.5.3. often "0 day" (published within the hour) against otherwise secured systems.2.5 Change control procedures for the 6.d development processes. 6.1 IDs.

(Do not reply Do not reply on authorization credentials and tokens 6.5 6.8 6.4.5.5.5. during the development phase.5.) 6. a DSS Requirement 6.4. Note: Requirements 6.5.3. and object references. Prevent common coding vulnerabilities in software development processes.4.2 Buffer overflow (Validate buffer boundaries and truncate input strings. verify that functionality testing is performed to verify that the change does not adversely impact the security of the 6.5 Improper error handling via error messages) unintentionally leak information about their Any high vulnerabilities noted per Requirement 6. 6. (Validate input to verify user data cannot modify meaning of commands and queries.2 Documented change approval by authorized parties.6 6.5. the following: 6. failure to restrict URL access.4.a For each sampled change.5.5.9 Validate input to verify user data cannot modify meaning of commands and queries.5.4.5.5.2 Verify that documented approval by authorized parties is present for each sampled change.2.2 6.9 Cross-site request forgery (CSRF). 6.4.7 6.4.4.5.5.4 6.5. For example. there should be back-out procedures in case the change fails.1 6. Also consider OS Command Injection.4 Back-out procedures.3 Insecure cryptographic storage cryptographic flaws) data are at increased risk of being compromised and Properly encrypt all authenticated and sensitive 6.3 6. apply Web applications.2 6.) 6.5 before being deployed into 6.5.5.5.4. 6.5.4.5.c Verify that processes are in place to ensure that applications are not vulnerable to.5. Testing should validate that all 6. The application layer is high-risk and may be targeted by both internal and external threats.4.5.9 6.3. verify that all updates are tested for compliance with PCI DSS Requirement 6. 6.9.5. utilize context-sensitive supplied data and sends it to a web browser without escaping.5.4 6.6 All ―High‖ vulnerabilities identified in the 6.5. 6.PCI DSS Controls Req Level Three Four Four Four Four Four Two Two Two Three Three Three Three Three Three Two Three Three Three Parent Req # 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 Req # Test Proc # 6.5.8 Improper Access Control (such as insecure direct 6. A direct object reference occurs when a developer object references.5. at a minimum.5. Buffer 6.) PCI SSC Guidance 6.5. Approval by authorized parties indicates that the change is a legitimate and approved change sanctioned by the organization.3. 6.4.5 Develop applications based on secure coding guidelines.4. Without proper security. 6.1 Injection flaws.6 All ―High‖ vulnerabilities as identified in PCI DSS could affect the application should be accounted for vulnerability identification process (as defined in PCI Requirement 6.5. A CSRF attack forces a logged-on victim's browser to send a submitted by browsers.8 Improper Access Control.7 Cross-site scripting (XSS) (Validate all XSS flaws occur whenever an application takes user 6.2 6. below.4 6.5.4.1 6.4.5.5.1 Injection flaws.5.5. to include the For each change. based on 6.c 6.5.a Obtain and review software development processes.5.5 6.5.5. and exposes a reference to an internal implementation directory traversal) directory traversal (Properly authenticate users and 6. Thorough testing should be performed to verify that the security of the environment is not reduced by implementing a change. utilize 6.5. Verify that processes require training in secure coding techniques for developers.3 6.3 6.5.1 Verify that documentation of impact is included in the change control documentation for each sampled change.5. 6.7 Cross-site scripting (XSS) parameters before inclusion.3.5.5.1 6. both internally and externally (public) facing.2 that 6.1 6.5. LDAP and XPath injection flaws as well as other injection flaws.5.5.5. For 6. particularly SQL injection. etc. have unique to web applications and application interfaces (internal security risks based upon their architecture as well as or external): All parameters should be validated before inclusion. 6. cardholder data and other confidential 6.2).b For a sample of system components and recent changes/security patches.4.4 Insecure communications authenticated and sensitive communications) encrypt network traffic using strong cryptography are at Do not leak information via error messages or other 6.5 Improper error handling (Do not leak information means.5.5.6 Note: 6. Applications that fail to adequately 6.5.5. are Ensure that applications are not vulnerable to buffer overflow attacks.a 6.5.4.5. particularly SQL injection. to allow for restoring back to the previous state.4 Insecure communications (Properly encrypt all communications.5.5.5.4.2 6. such as insecure direct Do not expose internal object references to users.b For custom code changes. particularly SQL injection.5.4 Verify that back-out procedures are prepared for each sampled change.4.5.1 Documentation of impact.4 6.b 6.5.5.5.5 6.3 Functionality testing to verify that the change does not adversely impact the security of the system. overflows happen when an application does not have Prevent cryptographic flaws. Applications that do not 6. Applications can 6.5. failure to restrict URL access.b Interview a sample of developers and obtain evidence that they are knowledgeable in secure coding techniques.8 6.5. Injection flaws.9 Cross-site request forgery (CSRF) on authorization credentials and tokens automatically automatically submitted by browsers. 6.7 6.2 Buffer overflow. trace those changes back to related change control documentation. The impact of the change should be documented so that all affected parties will be able to plan appropriately for any processing changes.4.7 through 6.3 Insecure cryptographic storage (Prevent utilize strong cryptographic functions properly to store 6.b PCI Requirement Testing Procedure 6. 20 .5.

7.1. help protect ID and additional authentication (for example.1 8. Testing Procedure 6. 7.3 Confirm that documented approval by authorized parties is required (in writing or electronically) for all access.1 8.4.3 Confirm that the access control systems have a default ―deny-all‖ setting.a For a sample of system components.6 For public-facing web applications.3 Requirement for a documented approval by authorized parties specifying required privileges.4 7.2.1.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.1 Confirm that access rights for privileged user IDs are restricted to least privileges necessary to perform job responsibilities.2 To verify that users are authenticated using unique These authentication items.1. 8. and that it must specify required privileges.2.5. observe password files to verify that customer passwords are encrypted.2 7.1.2 8.3 8 8. the more risk there is that a user’s account will be used and verify that the policy incorporates the following: maliciously. examine password files to verify that passwords are unreadable user ID and unencrypted password across the network and/or also store the during transmission and storage. By ensuring each user is uniquely identified—instead of using one ID for several employees—an organization can maintain individual responsibility for 8. Verify that each user and recognized users.2 8.3 7.1 Confirm that access control systems are in place on all system components. employ at least one of the following methods to authenticate all users: 8.2 Assignment of privileges to individuals based on job classification and function 7. Access limitations must include the following: 7.4. 7.1 7.3 Require ment 8.3 Default ―deny-all‖ setting Note: Some access control systems are set by default Requirement 8: Assign a unique ID to each person with computer access 8.b For service providers only.1. an administrator) Many network devices and applications transmit the 8. and is set to ―deny 7.2 Assignment of privileges is based on individual personnel’s job classification and function 7. 20 .1 7.5 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as 8. deletion. address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known Requirement 7: Restrict access to cardholder data by business need-to-know 7.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.4 Confirm that access controls are implemented via an automated access control system. 8.2 7.2.2 Confirm that privileges are assigned to individuals based on job classification and function (also called ―role-based access control‖ or RBAC).4 Test Proc # 6.6 Require ment 7.1 Assign all users a unique ID before allowing them to access system components or cardholder data.1. 8.1.2.1 8. when used in addition to unique IDs.2 7. it is important to implement identification and authentication management. including both administrators and general users.2. 7. Use of an is implemented as follows: 7.2.1.1. such as those originating from outside your an employee (for example.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities 7.6 7 7. a users’ unique IDs from being compromised (since the password) for access to the cardholder data Two-factor authentication requires two forms of 8.2 7.b PCI Requirement 6.1 7.1. the is authorized to use the system according to policy by addition.6 For public-facing web applications.1 8.2 In addition to assigning a unique ID.3 To verify that two-factor authentication is authentication for higher-risk implemented for all remote network access.2.5. 8. 7. observe accesses.1.1 7.2.2. 7.2. This requirement for The more people who have access to cardholder data. Without a mechanism to restrict access based on 7.1.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees. and modification of user IDs.1 Verify that all users are assigned a unique ID for access to system components or cardholder data.2 7. ensure that either one of the following methods are in place as follows: PCI SSC Guidance Attacks on web-facing applications are common and often successful.1. and modification of user IDs should 8.5.1 7.2.5 8.5.1 7.a 8.1 Control addition.2 Examine system settings and vendor documentation to verify that an access control system user’s need to know. 7.1. and are allowed by poor coding practices.4 Implementation of an automated access control system 7. deletion.4.4.3 8.1.3 7.1.PCI DSS Controls Req Level Two One Two Three Three Three Three Two Three Three Three One Two Two Two Two Two Two Three Parent Req # 6 7 7 7 7 7 7 7 7 7 7 8 8 8 8 8 8 8 8 Req # 6.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know. Since one of the first steps a malicious individual will 8.1 Obtain and examine written policy for data control.2.1 Coverage of all system components 7. credentials. Limiting access to those with a strong 7. by To ensure users added to your systems are all valid 8.1 Select a sample of user IDs. and other identifier objects.4 7. a user may unknowingly be granted access to cardholder data.5 Review procedures and interview personnel to take to compromise a system is to exploit weak or verify that procedures are implemented for user nonexistent passwords.3 8.2 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

10.11 Use passwords containing both numeric and alphabetic characters. or generic accounts 8.8. and still has access to the network via their user account.2 8.4 Select a sample of users terminated in the past six months.PCI DSS Controls Req Level Three Three Three Three Three Three Three Three Three Three Three Three Three Three Three Three Three Three Three Parent Req # 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 Req # 8. 8.5 Remove/disable inactive user accounts at least every 90 days.5.a 8.8. and enabled only when needed by the 8. 8. 8.3 8.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.12 Do not allow an individual to submit a new 8. shared.b 8.8 Do not use group.a For a sample of system components.8.5. and review current user access lists to verify that their IDs have been deactivated or removed. user account and password).a 8. 8. calling a help desk and acting as a legitimate user—to have a password If the same password is used for every new user set up.5.5.9 8.3 Examine password procedures and observe security personnel to verify that first-time passwords for new users.5.c Interview system administrators to verify that group and shared passwords or other authentication methods are not distributed.c Communicating password/authentication procedures to all users helps those users understand and abide by the policies.7 8. 8. an internal user.12. obtain and inspect system configuration settings to verify that password parameters are set to require passwords to 8.5 PCI Requirement 8. Testing Procedure 8.5.5.8.3 8. 8. If an employee has left the company. review internal processes and customer/user documentation to verify that that non-consumer user passwords are required to 8. to verify that they are familiar with authentication procedures and policies.5. or other authentication methods.b For service providers only. 8.10.7 8.12. review internal processes and customer/user documentation to verify that non-consumer user passwords are required to 8.13.5. obtain and inspect system configuration settings to verify that user password parameters are set to require users to 8. review internal processes and customer/user documentation to verify that non-consumer user passwords are required to 8. if a user requests a password reset by phone.5.5. 8.5.b Verify that vendor remote access accounts are monitored while being used. unnecessary or malicious access to cardholder data Existence of inactive accounts allows an unauthorized user exploit the unused account to potentially access cardholder data. 8. it becomes impossible to 8.5. obtain and inspect system configuration settings to verify that authentication parameters are set to require that a PCI SSC Guidance Many malicious individuals use "social engineering‖—for example. 8.5. Without account-lockout mechanisms in place.3 Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use.5.5 Vendor Test Proc # 8.b For service providers only.5.9.7 Interview the users from a sample of user IDs.5. e-mail.6.5.5.10 8.5.5.13.10 Require a minimum password length of at least seven characters.11. and to be alert for any malicious If multiple users share the same authentication credentials (for example. review internal processes and customer/user documentation to verify that new non-consumer user passwords cannot be the 8.5.a Verify that any accounts used by vendors to access.a and passwords.5. 8.5.5.11.8. examine user ID lists to verify the following: 8. former employee.11.10. 8. even if requested. support and maintain system components are disabled. 20 .b 8.5.5.5.5.2 8. 8.5.5.5.11 8.12.4 8.6.5.5.9. obtain and inspect system configuration settings to verify that password parameters are set to require passwords to 8.5.b For service providers only.5.7 Communicate authentication procedures and policies to all users who have access to cardholder data.5 Verify that inactive accounts over 90 days old are either removed or disabled. and reset passwords for existing users. or malicious individual may know or easily discover this password.5.5.5.5. 8.5. 8.2 Examine password/authentication procedures and observe security personnel to verify that.5.a 8.9.8 8.5.12 8.5.5.2 Verify user identity before performing password resets.5.b 8.5.a For a sample of system components.4 8.5.9.5.a 8. 8.b 8.13 8. web.a For a sample of system components.5.10. an attacker can continually attempt to guess a password through manual or automated tools (for example.b Examine authentication policies/procedures to verify that group and shared passwords or other authentication methods are explicitly prohibited.b Strong passwords are the first line of defense into a network since a malicious individual will often first try to find accounts with weak 8.5.5.5.5.5. or 8.6.5.12.11.8.a Vendor 8.5.5.b For service providers only.6.a For a sample of system components.a For a sample of system components.4 Immediately revoke access for any terminated users.a For a sample of system components.9 Change user passwords at least every 90 days.b 8.5.5. Allowing vendors (like POS vendors) to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized 8.a password that is the same as any of the last four passwords he or she has used. obtain and inspect system configuration settings to verify that password parameters are set to require that new 8.

that they are identifiable as visitors 20 . disable.5.1.5.PCI DSS Controls Req Level Three Three Three Three Three Three Three One Two Three Three Three Three Three Two Two Two Two Three Parent Req # 8 8 8 8 8 8 8 9 9 9 9 9 9 9 9 9 9 9 9 Req # Test Proc # 8.2.2. gateways. unauthorized and malicious users can easily gain access to your facility to steal. 8.15 8.5.3. the potential for unauthorized or malicious access increases. 9. and other physical areas with systems in the cardholder data 9.b Verify that access to the badge system is limited 9. 9. Without user authentication for access to databases and applications. administrators.1 Use video cameras and/or access control 9. 9.1.15 For a sample of system components.5. 8. controls to delay reactivation of these locked accounts stops the When users walk away from an open machine with access to critical network or cardholder data.c 9. data center. obtain and inspect system configuration settings to verify that password parameters are set to require that once a 8.d If an account is locked out due to someone continually trying to guess a password.c Verify that database and application configuration settings restrict user direct access or queries to databases to database administrators.5.2.2.1. that machine may be used by others in the user’s absence.3 9.15 8.15 If a session has been idle for more than 15 minutes. handheld devices.c mechanisms are monitored and that data from cameras or other mechanisms is stored for at least 9.2. to cardholder data). 9. these processes include the following: 9.1.2 9. 8.1.a Review processes and procedures for assigning 9.1 Use appropriate facility entry controls to limit and 9.2 9.1.1 Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to your facilities (and potentially.16 8. networking/communications hardware.1.5.1.1. unauthorized persons could potentially gain access to the building and to sensitive information.14 8. 8.c Verify that video cameras and/or access control 9.1 9. and 9.5. Requirement 9: Restrict physical access to cardholder data 9.1. review internal processes and customer/user documentation to verify that non-consumer user accounts are temporarily 8. these controls can help identify individuals that physically access those sensitive areas storing cardholder data.1.b PCI Requirement Testing Procedure 8. disrupt.1.1 9.a Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas.3 9. especially in areas where badges to onsite personnel and visitors.5.16.2. obtain and inspect system configuration settings to verify that system/session idle time out features have been set to 8. 8.5.c 8.16.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.5.3.2 Develop procedures to easily distinguish between 9. and networking/communications hardware. handheld devices.1. 9. and such access cannot Require ment 9.16.14 For a sample of system components.b Verify that video cameras and/or access 9.16.1. require the user to re-authenticate to reactivate the terminal or session.1. points.3 points.1 9.1 Authorized before entering areas where cardholder data is processed or maintained.3 Restrict physical access to wireless access 9.1.1 monitor physical access to systems in the cardholder data environment.a Review database and application configuration settings and verify that all users are authenticated prior to access.c Examine badges in use to verify that they clearly identify visitors and it is easy to distinguish between onsite personnel and visitors.2 Restrict physical access to publicly accessible 9. malicious users could use your organization’s unattended wireless devices to access Without badge systems and door controls. This includes access by applications. gateways.5.1.13. Restricting access to network jacks will prevent malicious individuals from plugging into readily available network jacks that may allow them access Without security over access to wireless components and devices. and verify cardholder data is accessible.3.3 Verify that visitor controls are in place as follows: 9.a onsite personnel and visitors.1 Observe the use of visitor ID badges to verify that a visitor ID badge does not permit unescorted access to physical areas that store cardholder data.d Review database applications and the related application IDs to verify that application IDs can only be used by the applications (and not by individual PCI SSC Guidance 8.5.5.1.b Verify that database and application configuration settings ensure that all user access to.b 8.16.3 9. and all other users.b control mechanisms are protected from tampering or disabling.16 Authenticate all access to any database 8.3 Verify that physical access to wireless access 9.3.2 network jacks.1 Verify the existence of physical security controls for each computer room.a containing cardholder data. 8.5.5.1. Review collected data and correlate 9 Without physical access controls.1.5. and When investigating physical breaches.1. and user actions on (for example.16.a mechanisms to monitor individual physical access to sensitive areas.5. or 9.16. user queries of.1. by observation that network jacks are enabled only when needed by authorized onsite personnel.3 Make sure all visitors are handled as follows: 9.5. 9. 9.2 Verify by interviewing network administrators and 9.14 8.13.5. Visitor controls are important to ensure visitors only enter areas they are authorized to enter.16.b For service providers only.b to authorized personnel.5.

1. and that the policy covers all distributed media including that distributed to individuals.8 Ensure management approves any and all media 9.1.3.3.4 9. or pulp hardcopy materials so 9.10. A visitor log documenting minimum information on the visitor is easy and inexpensive to maintain and will assist. 9.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.10. stolen. the logs of tracking details and proper management 9. during a If stored in a non-secured facility.b 9. such as an alternate or to confirm that backup media storage is secure.b information to be destroyed to verify that the containers are secured. If steps are not taken to destroy information contained on hard disks.1 verify that periodic media inventories are performed at conduct media inventories at least annually.4.10.b Verify that the storage location security is reviewed at least annually.a Observe the storage location’s physical security preferably an off-site facility.7.9.10.9 Obtain and examine the policy for controlling 9.b Verify that the log contains the visitor’s name.10.1 9.7.1 Classify media so the sensitivity of the data can be determined.1. portable drives.7 9.3.2. or left Procedures and processes help protect cardholder data on media distributed to internal and/or external users.1 Obtain and review the media inventory log to 9.9 9.1 9.4. the firm access to the facility as well as for computer rooms represented. stolen or missing media could go unnoticed for an indefinite amount of time. 9.a 9.5 Store media back-ups in a secure location. removable 9. including the following: 9. 9. For secure storage. 9.8 Select a recent sample of several days of offsite 9.5. 9. Use the services of a secure courier to Cardholder data leaving secure areas without a process approved by management can lead to lost or stolen data. and verify the presence in media is distributed to individuals).3 9.9 Maintain strict control over the storage and 9.2 9. backups that contain cardholder data may easily be lost. a badge or 9.3 9. or copied for malicious intent.2 Given a physical token (for example.2 unrecoverable so that cardholder data cannot be is rendered unrecoverable via a secure wipe program reconstructed.5.5 9.2.10. 9.9. the firm represented.5. If media is not inventoried. and is retained for at least three 9.b Examine storage containers used for 9.4.2. incinerate.7.6 9. For example.7 Maintain strict control over the internal or external distribution of any kind of media.2 Verify that all media sent outside the facility is logged and authorized by management and sent via secured courier or other delivery method that can be 9.7 9.1 destruction policy and verify that it covers all media.7 Verify that a policy exists to control distribution of media.1 Properly maintain inventory logs of all media and 9.b 9. 9. 9. and the onsite personnel authorizing physical access.3 Observe visitors leaving the facility to verify visitors are asked to surrender their ID badge upon departure or expiration.9 storage and maintenance of all media and verify that accessibility of media.1 9. and that visitors are easily distinguishable from onsite personnel. or a commercial storage facility.a Verify that hard-copy materials are crosscut 9.a access device) that expires and that identifies the visitors as not onsite personnel.7.2 9.10.7. Without a firm process. least annually. malicious 20 .7.10 Obtain and examine the periodic media 9.a Observe people within the facility to verify the use of visitor ID badges.3. Without such procedures data can be lost or It is important that media be identified such that its classification status can be easily discernable. reasonable assurance the hard-copy materials cannot 9. 9.3.10 Destroy media when it is no longer needed for 9.1 Verify that all media is classified so the sensitivity of the data can be determined.8 9. Review 9.2 Verify that cardholder data on electronic media 9. media locations Without careful inventory methods and storage controls. CD/DVDs.7.b 9. the policy requires periodic media inventories.1 9.6 Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers.1 Shred. 9.4.a shredded. incinerated.10. business or legal reasons as follows: and confirm the following: 9. and the onsite personnel authorizing and data centers where cardholder data is stored or 9. or pulped such that there is that cardholder data cannot be reconstructed.7.a 9.b Verify that visitor badges expire.2.5.9. in accordance with industry-accepted standards for Require Requirement 10: Track and monitor all access to 10 ment network resources and cardholder data Cardholder data is susceptible to unauthorized viewing.2 Test Proc # PCI Requirement Testing Procedure 9. copying. Document the visitor’s name.9.1 9.a Verify that a visitor log is in use to record physical visitor activity. 9.3.2 9.6 Physically secure all media.3. stolen or lost media may not be noticed for a long time or at all.4 Use a visitor log to maintain a physical audit trail of 9.3.1. consider 9.8 that is moved from a secured area (especially when tracking logs for all media. back-up site. verify that a ―to-be9.6 9.2 Render cardholder data on electronic media 9. or paper prior to disposal. PCI SSC Guidance 9.10.2 Send the media by secured courier or other delivery method that can be accurately tracked. 9. or scanning if it is unprotected while it is on removable or portable media.PCI DSS Controls Req Level Three Three Three Two Two Two Two Two Two Three Three Two Two Three Two Three Three Three One Parent Req # 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 10 Req # 9. Media not identified as confidential may not be adequately Media may be lost or stolen if sent via a non-trackable method such as regular postal mail.10.3. printed out.3.

1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each 10. and Malicious individuals could obtain knowledge of a user account with access to systems in the CDE.3.2.3. and review the time-related system10. what.3 Date and time 10.4.1 10.2 Through interviews.2.1 10.1 All individual accesses to cardholder data 10.3.2. system component.3.2.3.2. 10. 10.2.a Verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.2 10. PCI SSC Guidance It is critical to have a process or system that links user access to system components accessed. have the potential to greatly impact the security or operational functionality Malicious users often attempt to alter audit logs to hide their actions.5 Use of identification and authentication mechanisms 10.1 10.4.7 Creation and deletion of system-level objects 10.3 10. sends data to other monitoring mechanisms (like intrusion detection systems).2. such as malware.a Verify that only designated central time 10.3 Through interviews and observation.2.2 10. or they could create a new.6 Initialization of the audit logs 10. for each auditable event (from 10. 10.2.3. and time signals from external sources are based on Time synchronization technology is used to synchronize clocks on multiple systems.5 10.4 Verify success or failure indication is included in log entries. 10.2 10.6 10.3.1 Critical systems have the correct and consistent 10. Initialization of audit logs could Malicious software.2.3 10. system component. 10. for those Generating audit trails of suspect activities alerts the system administrator. this technology can 20 .6 10.3.3. Multiple invalid login attempts may be an Without knowing who was logged on at the time of an incident.2 Type of event 10. Accounts with increased privileges. When properly deployed.2.4 10. perform the following: 10.2. that audit trails are enabled and active for system components. 10.2.2 Verify actions taken by any individual with root or administrative privileges are logged.7 Verify creation and deletion of system level objects are logged.4 Verify invalid logical access attempts are logged. 10.1 Verify all individual access to cardholder data is logged.3 Record at least the following audit trail entries for all system components for each event: 10.4 10. 10. 10.3.3.3 10.4. Additionally.3.2. 10.3.3 10.1.4 Success or failure indication 10.3 Verify date and time stamp is included in log entries.3. 10.5 10.5 Verify use of identification and authentication mechanisms is logged.3 10. or resources is included in log entries.2).3.2.7 10.2.1 10.5 10.2.6 10.5 10.2.1 Verify through observation and interviewing the system administrator.b distributing and storing the correct time within the organization.4 Test Proc # 10.3.2.4.2.4.3 Access to all audit trails 10.2. where. and examination of audit log settings.b Obtain and review the process for acquiring.3. and with sufficient detail to know who.3 Verify access to all audit trails is logged.3.4.1 10. or resource 10.2 All actions taken by any individual with root or administrative privileges 10.4 Using time-synchronization technology.1 10.2 10.1 and 6. and a record of access allows an organization to trace any inconsistencies or potential Malicious individuals will often perform multiple access attempts on targeted systems. synchronize all critical system clocks and times and ensure that the following is implemented for acquiring. 10.2.4 Invalid logical access attempts 10.6 Verify identity or name of affected data.4 10.3.4.3. perform the following: 10. and in particular.5 Origination of event 10.2. it is impossible to identify the accounts which may be used.PCI DSS Controls Req Level Two Two Three Three Three Three Three Three Three Two Three Three Three Three Three Three Two Two Three Parent Req # 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 Req # 10.2.a PCI Requirement 10.1 Verify user identification is included in log entries. 10.2. 10. 10.4. malicious users may Turning the audit logs off prior to performing illicit activities is a common goal for malicious users wishing to avoid detection. 10.2.6 Verify initialization of audit logs is logged.3.3.3.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.4 10.1 10.2 10. a potential compromise can be quickly identified.5 Verify origination of event is included in log entries.1 User identification 10.2.2 Verify type of event is included in log entries.a servers receive time signals from external sources.7 10.2.6 10.2.6 Identity or name of affected data.2 10. such as the ―administrator‖ or ―root‖ account. often creates or replaces system level objects on the target system in order to control a By recording these details for the auditable events at 10.3 10.3. time.1. examination of audit logs. Testing Procedure 10.

5 Verify the use of file-integrity monitoring or change-detection software for logs by examining system settings and monitored files and results from 10.a Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to 10. 10.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although 10.5.a 10.5.1.4.5.4.5.b PCI Requirement Testing Procedure 10. Checking logs daily minimizes the amount of time and exposure of a potential breach. industry-accepted external sources (to prevent a malicious individual from changing the 10. wireless. mail) are offloaded or copied onto a secure centralized internal 10.3 Verify that the time servers accept time updates from specific.a Review system configurations and timesynchronization settings to verify that access to time data is restricted to only personnel with a business 10.3 10.5. For file-integrity monitoring purposes.6.b Verify that audit logs are available for at least one year and processes are in place to immediately restore at least the last three months’ logs for analysis.5.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.5.7. wireless IDS/IPS.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points.5. including at least the following: 11. 10. 10.6.5 10.3 10. online.1 11 11.4.2. an entity usually Many breaches occur over days or months before being detected.3 Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.5. 10. and other internal servers receive time only from the central time 10.b Verify that the designated central time servers peer with each other to keep accurate time. NAC.b 11.PCI DSS Controls Req Level Three Three Three Three Two Three Three Three Three Three Two Two Two Two One Two Two Two Two Parent Req # 10 10 10 10 10 10 10 10 10 10 10 10 10 10 11 11 11 11 11 Req # Test Proc # 10.5 10. 11. etc.2.7 Retain audit trail history for at least one year.b Review system configurations and time synchronization settings and processes to verify that any changes to time settings on critical systems are 10.1.1. 10.6. 10.4 10.3 10.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at 10. and notify when such changes are noted.5 10. Log reviews must include those servers that perform security functions like intrusion-detection Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity.a 11.4. Without adequate protection of audit Adequate protection of the audit logs includes strong access control (limit access to logs based on ―need to know‖ only) and use of internal segregation (to make File-integrity monitoring systems check for changes to critical files.c 11.b 10. and/or network 10.5. with a minimum of three months immediately available for analysis (for example.b Through observation and interviews.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.2.5.1. physical segregation.5. 20 .d Requirement 11: Regularly test security systems and processes 11. firewalls.2 10.4. 10.1 10.d If automated monitoring is utilized (for example. 10. 10.6 Review logs for all system components at least daily. verify that regular log reviews are performed for all system components.4. archived.7.4.3 Time settings are received from industryaccepted time sources.2 10. 10.4.2 Protect audit trail files from unauthorized modifications.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.1.7.5 10.). DNS.5.7.5 Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered as follows: 10.2 Time data is protected.1.1 Verify that only individuals who have a jobrelated need can view audit trail files.2. 11.a 10.4.1.7 10. PCI SSC Guidance 10. and allows investigators Require ment 11.6.2 Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms.b 10.5.6 10.1.a 10.3 10.1 Limit viewing of audit trails to those with a jobrelated need.1.5.4.1.4 10. 10.4 Verify that logs for external-facing technologies (for example. verify the configuration will generate alerts to personnel.5.5.b 10.4.5 Secure audit trails so they cannot be altered.2 10.a Verify that the entity has a documented process Implementation and/or exploitation of wireless technology within a network is one of the most to detect and identify wireless access points on a common paths for malicious users to gain access to quarterly basis.4.5.1 10.5. or restorable Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring. 11.

2. Scanning an environment after any significant changes 11.2 11.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.4.11. and if applicable.4.1.2.c 11.1.2.3.1.2.1. scan reports to verify that system components subject are made ensures that changes were completed appropriately such that the security of the environment to any significant change were scanned.3. and if applicable.b 11.b Verify that noted exploitable vulnerabilities were corrected and testing repeated.1 11. 11.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party.c Review the scan reports to verify that the scans were completed by an Approved Scanning Vendor (ASV). maintained.2.2.2.3.3.b 11.2.a 11.2 Application-layer penetration tests application-layer penetration tests.2 11.2 11.3.e Verify the organization’s incident response plan (Requirement 12.1 Network-layer penetration tests layer penetration tests.c 11.a Verify the use of intrusion-detection systems prevention systems to monitor all traffic at the and/or intrusion-prevention systems and that all traffic (IDS/IPS) compare the traffic coming into the network perimeter of the cardholder data environment as well at the perimeter of the cardholder data environment as with known ―signatures‖ and/or behaviors of thousands 11.2.a Review the scan reports and verify that four 11.c 11. quarterly internal scans occurred in the most recent 12.1.2 11.1 11.PCI DSS Controls Req Level Two Two Three Three Three Three Three Three Three Three Three Two Two Two Three Three Two Two Two Parent Req # 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Req # Test Proc # 11.2.3.3. 11.2 11.4 11. Identifying month period.c Verify that the test was performed by a qualified internal resource or qualified external third party.2. organizational independence of The intent of a penetration test is to simulate a real 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification 11.b 11.4.a 11.2.3 11.a Obtain and examine the results from the most recent penetration test to verify that penetration testing world attack situation with a goal of identifying how far is performed at least annually and after any significant an attacker would be able to penetrate into an 11.2.1 Verify that the penetration test includes network11. organizational independence of As external networks are at greater risk of 11.2 Verify that internal and external vulnerability scans are performed as follows: PCI SSC Guidance 11.2. and if applicable. and updated per vendor instructions to ensure optimal 20 .2.1 Perform quarterly internal vulnerability scans.2.a 11. no vulnerabilities rated 11. 11. organizational independence of the tester 11.3. 11.1.2 Perform quarterly external vulnerability scans 11.3.9) includes a response in the event unauthorized wireless devices are detected. the vulnerabilities listed in Intrusion detection and/or intrusion prevention systems 11.b Review the scan reports and verify that the scan process includes rescans until passing results are obtained.b Review the results of each quarterly scan to ensure that they satisfy the ASV Program Guide requirements (for example.3.4.2.c A vulnerability scan is an automated tool run against external and internal network devices and servers.3.4 Use intrusion-detection systems.b 11.3.2.3. at a minimum.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party. approved by quarters of external vulnerability scans and verify that compromise.3 11.1.a 11.internal systems within the CDE requires that vulnerability scans be conducted quarterly.3.2.b Review scan reports and verify that the scan process includes rescans until: 11.e PCI Requirement Testing Procedure 11. 11.3.2.c 11. The tests should include.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system 11.4.2.2.b 11.3.2.1.a Inspect change control documentation and significant change. quarterly external vulnerability scanning must be performed by a PCI SSC Approved Scanning the Payment Card Industry Security Standards Council four quarterly scans occurred in the most recent 1211.2. These tests should include components that support network functions as well as 11.a 11.3. and/or intrusion.3.1 11.3 Perform internal and external scans after any 11.2.3. designed to expose potential vulnerabilities in networks An established process for identifying vulnerabilities on 11.2. approved by the PCI SSC.4.c Examine IDS/IPS configurations and confirm IDS/IPS devices are configured.2. or all ―High‖ vulnerabilities as defined in PCI 11.2 Verify that the penetration test includes 11.a Review output from the four most recent via an Approved Scanning Vendor (ASV).2.2.3.2.

3.6 Acceptable network locations for the technologies 12.3.3 Verify that the information security policy is 12.).3.4 12.3. 12. and results in a formal risk assessment. Security threats and protection methods evolve rapidly throughout the year. reflect changes to business objectives or the risk 12.3.2.1 12. 12.9 Verify that the usage policies require activation vendors and business partners only when needed by of remote-access technologies used by vendors and vendors and business partners. There are both off-the-shelf and open source system settings and monitored files.3.b PCI Requirement 11.5 Test Proc # 11. Require ment 12. company is better able to manage and control gaps in 12.5 Acceptable uses of the technology uses for the technology.1. VPNs.1.3. 12. contact devices with information that can be correlated to information and purpose owner. configuration files.3. and notify when such changes are within the cardholder data environment by observing detected.1.8 12. maintain.1 Requirement 12: Maintain a policy that addresses information security for all personnel 12. By access technologies after a specific period of inactivity disconnecting remote-access technologies when not in after a specific period of inactivity.3.2.1 Explicit approval by authorized parties approval from authorized parties to use the technologies.3.3.5 12. etc.3 12.9 12. vulnerabilities.3.3.3. 12.2. as well as 11.3.a Verify the use of file-integrity monitoring tools to critical files.2 12. and disseminate a security policy that accomplishes the following: 12.4 12. 12. 12.3 (for example.9 12.3. and results in a formal risk assessment. and include administrative and technical 12.3.7 12.1 12.3. the 12.3 12.7 12. and to perform critical file comparisons at least weekly.1 Examine the information security policy and verify A company's information security policy creates the roadmap for implementing that the policy is published and disseminated to all security measures to protect its most valuable assets.3.1 Verify that the policy addresses all PCI DSS requirements. relevant personnel (including vendors and business 12. Without updating the security policy to reflect relevant Daily operational security procedures act as ―desk instructions‖ for personnel to use in their day-to-day system administrative and maintenance activities.1 Establish.3. user account maintenance procedures.3.1 12.2 Authentication for use of the technology technology use be authenticated with user ID and password or other authentication item (for example.5.3 12.3. 12. tokens. By defining acceptable business use and location of 12.3.2 Examine the daily operational security 12. contact information and purpose.3.5.8 12.1 12. Verify that they are consistent with this (for example. Personnel usage policies can either prohibit use of certain devices and other technologies if that is company policy. specification.3.b verify that the risk assessment process is performed at least annually. 12.1.3. individual personnel may innocently implement a If technology is implemented without proper authentication (user IDs and passwords.3.6 12. or content files.3.8 Verify that the usage policies require automatic Remote-access technologies are frequent "back doors" 12.1.1.a Verify that an annual risk assessment process is documented that identifies threats.1. laptops. 12.2 12.3 Verify that the usage policies require a list of all 12.7 List of company-approved products 12. removable electronic media.4 Verify that the usage policies require labeling of 12. publish.a 11.5.2 12 12.3.3.3.PCI DSS Controls Req Level Two Two One Two Three Three Three Three Two Two Three Three Three Three Three Three Three Three Three Parent Req # 11 11 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 Req # 11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files.3.2.1.2 Develop daily operational security procedures that 12.3 Develop usage policies for critical technologies 12. with immediate business partners only when needed by vendors and 20 . 12.8 Automatic disconnect of sessions for remotedisconnect of sessions for remote-access technologies to critical resources and cardholder data.3 A list of all such devices and personnel with 12.4 Labeling of devices to determine owner.1.1 Verify that the usage policies require explicit 12.1.3.7 Verify that the usage policies require a list of company-approved products.3.1.5. and Testing Procedure PCI SSC Guidance File-integrity monitoring (FIM) tools check for changes 11.2 Includes an annual process that identifies 12.2 Verify that the usage policies require that all 12.5 Verify that the usage policies require acceptable company-approved devices and technology.1. and vulnerabilities.‖ Personnel may also bypass procedures and 12.6 12.2 are consistent with requirements in this specification procedures.9 Activation of remote-access technologies for 12.6 Verify that the usage policies require acceptable network locations for the technology.1.1.b Review risk assessment documentation to 12.3 Includes a review at least annually and updates 12.a threats.3. or provide Without requiring proper approval for implementation of these technologies.3 Obtain and examine the usage policies for critical 12. remote-access technologies.3 reviewed at least annually and updated as needed to when the environment changes.5 12.3. 12. malicious individuals Malicious individuals may breach physical security and place their own devices on the network as a ―back door.3 access devices and personnel authorized to use the devices.b Verify the tools are configured to alert personnel to unauthorized modification of critical files. wireless technologies and perform the following: technologies. A risk assessment enables an organization to identify threats and the associated vulnerabilities which have the potential to negatively impact their business.1 12.2 12.1 Addresses all PCI DSS requirements.

10. or storing of cardholder data onto storage of cardholder data onto local hard drives and local hard drives and removable electronic media when 12.1 Verify that a list of service providers is maintained. security safeguards and processes that have been 12.8.5.5. 12.10. 12.5. verify that usage policies require the protection of cardholder data in accordance with PCI DSS 12. prohibit copy. maintain and implement policies and procedures to manage service providers. 12.3 Verify that responsibility for creating and 12.5.4 Verify that responsibility for administering user 12.5 12. personnel.8.2 Monitor and analyze security alerts and 12.3 12. Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the Performing thorough background investigations prior to hiring potential personnel who are expected to be given access to cardholder data reduces the risk of If a merchant or service provider shares cardholder data with a service provider.5.3 Establish. to include the 12.5.a Verify the existence of a formal security awareness program for all personnel.1 Maintain a list of service providers.6.3 incident response and escalation procedures to ensure distributing security incident response and escalation timely and effective handling of all situations. back-up tape storage facilities.a annually.b Obtain and examine security awareness program procedures and documentation and perform the following: 12. there could be inconsistent interaction with the security group.3.b Verify that personnel attend awareness training upon hire and at least annually.6 12.4 Verify that information security policies clearly 12.8.5.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.PCI DSS Controls Req Level Three Three Two Two Three Three Three Three Three Two Two Three Three Three Two Two Three Three Three Parent Req # 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 Req # 12.6.5.6.5 12. and distribute to appropriate personnel.3.6.1 Establish.a Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example.3. including additions.5 security to a Chief Security Officer or other securityinformation security management responsibilities: knowledgeable member of management.2 Verify that the security awareness program requires personnel to acknowledge.10 Test Proc # PCI Requirement Testing Procedure PCI SSC Guidance To ensure all personnel are aware of their responsibilities to not store or copy cardholder data onto their local personal computer or 12.8.5. 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.5. 12.8. assigned. move.6.7 Inquire with Human Resource department management and verify that background checks are conducted (within the constraints of local laws) on 12.5.6. 12.5.8 12.1.6.8.10.7 12. 12.1.5 Verify that responsibility for monitoring and 12.b For personnel with proper authorization.1. and distribute security 12. leading to Each person or team with responsibilities for information security management should be clearly aware of their responsibilities and If personnel are not educated about their security responsibilities. 12.6. key security processes and procedures may be forgotten or bypassed.3 Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider.3 12.5 Assign to an individual or team the following 12.4 Administer user accounts.6. 12. then certain requirements apply to ensure continued Keeping track of all service providers identifies where potential risk extends to outside of the organization. document.8.8. at least annually that they have read and 12.4 12.5.5. moving. Without clearly defined security roles and responsibilities assigned.2 12.10. The acknowledgement of the service providers evidences their commitment to maintaining proper security of cardholder data that it The process ensures that any engagement of a service provider is thoroughly vetted internally by an organization.3 12.6.b 12.8 12.4 clearly define information security responsibilities for all define information security responsibilities for all personnel.5 Monitor and control all access to data.5.3.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.8.6.1 12.8. 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.6.2 analyzing security alerts and distributing information to information.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the 12. (Examples of background checks include previous 12.1 12.a Verify that the usage policies prohibit 12. in writing or electronically. 12.2 12.b If the security awareness program does not include periodic refresher sessions.8. 12.1 12. 12. 12.1 Verify that responsibility for creating and 12. appropriate information security and business unit 12.8 If cardholder data is shared with service providers.1.5. which should 20 . 12.2 Verify that responsibility for monitoring and 12.5.4 12.5.2 12.7 12. controlling all access to data is formally assigned.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.10 For personnel accessing cardholder data via 12. and modifications assigned. remote-access technologies.3. 12.1 distributing security policies and procedures is formally policies and procedures. and copying. and distribute security 12.1 12. 12.2 12.8 If the entity shares cardholder data with service providers (for example. 12. managed service providers such as Web hosting 12.5 12.4 Ensure that the security policy and procedures 12.3.6.2 12.6.4 account and authentication management is formally deletions.1 Educate personnel upon hire and at least 12.5. document. procedures is formally assigned.a 12.5 Verify the formal assignment of information 12.5.

5 Verify through observation and review of 12. at a minimum: 12.1.9.1.9.2 Test the plan at least annually.6 Develop a process to modify and evolve the 12. are critical in taking quick action to prevent a breach.4 Maintain a program to monitor service providers’ monitor its service providers’ PCI DSS compliance PCI DSS compliance status at least annually. 12.4 Verify through observation and review of 12. and file-integrity monitoring systems. 12.9.9.9.6 Verify through observation and review of incident response plan according to lessons learned policies that there is a process to modify and evolve and to incorporate industry developments.3 12.4 12.9.9.9.9.9.8.2 12.9. read.9.9. 12.8.9.6 Without proper testing.9.a implemented in the event of system breach.9.8. and Incorporating ―lessons learned‖ into the incident response plan after an incident helps keep the plan current and able to react to 20 .4 12.1 Create the incident response plan to be 12.9.5 Include alerts from intrusion-detection.9.8.2 12.9.9 PCI Requirement Testing Procedure PCI SSC Guidance Knowing your service providers’ PCI DSS compliance status provides assurance that they comply with the same requirements that your organization is subject to. that designated personnel are available for a 24/7 basis to respond to alerts.1.3 Designate specific personnel to be available on policies.6 12.9.4 12. Without a thorough security incident response plan that is properly disseminated.9 Obtain and examine the Incident Response Plan and related procedures and perform the following: 12. and critical data and systems may become 12. breach response are periodically trained.9 Implement an incident response plan. 12.5 12.9 12.1.9. and understood by the parties responsible. Ensure the includes: plan addresses the following.9. 12. confusion and lack of a unified The incident response plan should be thorough and contain all the key elements to allow your company to respond effectively in the event of a breach that could 12. from security systems including detection of 12.1 Test Proc # 12.4 12.b reported incident or alert to verify that the documented incident response plan and procedures were followed.9.5 12.9.9.2 Verify that the plan is tested at least annually.a Verify that the incident response plan 12.3 12.4 Provide appropriate training to staff with security policies that staff with responsibilities for security breach response responsibilities.9. the incident response plan according to lessons These monitoring systems are designed to focus on potential risk to data. Without a trained and readily available incident response team.3 Verify through observation and review of 12. 24/7 incident response and monitoring coverage for 12. key steps may be missed which could result in increased exposure during an incident. status at least annually.4 Verify that the entity maintains a program to 12. extended damage to the network could occur. Be prepared to respond immediately to a system breach. intrusionprocesses that monitoring and responding to alerts prevention. 12.PCI DSS Controls Req Level Three Two Three Three Three Three Three Three Three Parent Req # 12 12 12 12 12 12 12 12 12 Req # 12.b Review documentation from a previously 12.