Please feel free to use this compliance dashboard to sustain your PCI compliance with your internal team, QSA and acquiring banks.
Some sheets are protected to prevent accidental changes. You may unprotect them if required.
Version history
What's new in this version
PCI 30 seconds newsletters
Requirements and testing procedures
Add merchant type for each requirement
Update the documentation sheet with the list of (required or optional) technical and non-technical documents together with their associated PCI DSS requirements.
Update Scope sheet with Criticality, Patch level, Scan date and Scan report location
Add a sheet "PCI Crypto Key list" to list all keys used within the scope: KeyId, Purpose, Key custodians, status.
Add sheet Vulnerability scans (When, By who, results)
Add sheet Penetration Tests (When, By who, results)
Other articles
Ebook - Demystifying PCI DSS
Thoughts on the Verizon PCI Compliance Report
Can I use compensating control to resolve vulnerabilities found during a scan?
What to do if my organization can't demonstrate four passing Internal or external scans?
Verizon 2011 PCI Compliance Report
Business and IT security: two worlds that can't talk.
Cyber attack ranked within the top 5 risks in terms of probability
Contributors
Jan-11: Peter Hill
Feb 2011: Didier Godart, Risk Product Manager, Rapid7 (+32 498787744, SkypeID Dgozone, didier_godart@rapid7.com)
August 2011: Didier Godart
October 2011: Didier Godart
May 2012: Swathy Anand, Vice President - Project Management, Fuze Network (swathyanand@gmail.com); Didier Godart; Tony Wilson, Managing Director, Indelible Data (a division of Indelible Designs Limited) (tony@indelible-data.co.uk)
July 2012: Didier Godart
April 2013: Didier Godart
June 2013: Didier Godart, Risk Product Manager, Rapid7; Founder, Dgozone (www.dgozone.com) (+32 498787744, SkypeID Dgozone, d@dgozone.com)
Glossary
Access Control
Account Data
Account Number
Acquirer
Adware
AES
ANSI
Anti-Virus
Application
Audit Log
Audit Trail
ASV
Authentication
Authentication Credentials
Authorization
B
Backup
Bluetooth
C
Cardholder
Cardholder Data
Cardholder Data Environment
CERT
CIS
Column-Level Database Encryption
Compensating Controls
Compromise
Console
Consumer
Cryptography
D
Database
Database Administrator
Default Accounts
Default Password
Degaussing
Disk Encryption
DMZ
DNS
DSS
Dual Control
ECC
Egress Filtering
Encryption
Encryption Algorithm
Entity
Firewall
Forensics
FTP
G
GPRS
GSM
H
Hashing
Host
Hosting Provider
HTTP
HTTPS
Hypervisor
I
ID
IDS
IETF
Index Token
Information Security
Information System
Ingress Filtering
Insecure Protocol/Service/Port
IP
IP Address
IP Address Spoofing
IPS
IPSEC
ISO
Issuer
Issuing services
K
Key
Key Management
L
LAN
LDAP
Log
LPAR
M
MAC
MAC Address
Magnetic-Stripe Data
Mainframe
Malicious Software / Malware
Masking
Merchant
Monitoring
MPLS
NAT
Network
Network Administrator
Network Components
Network Security Scan
Network Segmentation
NIST
NMAP
Non-Consumer Users
NTP
O
Off-the-Shelf
Operating System / OS
OWASP
P
PA-QSA
PAN
Password / Passphrase
Pad
Parameterized Queries
PAT
Patch
Payment Application
Payment Cards
PCI
PDA
PED
Penetration Test
Personnel
Personally Identifiable Information
PIN
PIN Block
POI
Policy
POS
Private Network
Procedure
Protocol
PTS
Public Network
PVV
Q
QSA
RADIUS
RBAC
Remote Access
Removable Electronic Media
ROC
Report on Validation
Re-keying
S
Salt
Sampling
SANS
Scoping
SDLC
Secure Coding
Secure Wipe
Security Officer
Security Policy
Security Protocols
SAQ
Sensitive Area
Sensitive Authentication Data
Separation of Duties
Server
Service Code
Service Provider
SHA-1/SHA-2
Smart Card
SNMP
Spyware
SQL
SQL Injection
SSH
SSL
Stateful Inspection
Strong Cryptography
SysAdmin
System Components
System-level object
T
TACACS
TCP
TDES
TELNET
Threat
TLS
Token
Transaction Data
Trojan
Truncation
Trusted Network
Two-Factor Authentication
U
Untrusted Network
V
Virtualization
Virtual Terminal
VLAN
VPN
Vulnerability
W
WAN
Web Application
Web Server
WEP
Definitions
AAA: Acronym for authentication, authorization, and accounting. Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.
Access Control: Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.
Account Data: Account data consists of cardholder data plus sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Account Number: See Primary Account Number (PAN).
Acquirer: Also referred to as acquiring bank or acquiring financial institution. Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Adware: Type of malicious software that, when installed, forces a computer to automatically display or download
AES: Abbreviation for Advanced Encryption Standard. Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or FIPS 197).
ANSI: Acronym for American National Standards Institute. Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.
Anti-Virus: Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called malware) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.
Application: Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.
Audit Log: Also referred to as audit trail. Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.
Audit Trail: See Audit Log.
ASV: Acronym for Approved Scanning Vendor. Company approved by the PCI SSC to conduct external vulnerability scanning services.
Authentication: Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
Authorization: Granting of access or other rights to a user, program, or process. For a network, authorization defines what an individual or program can do after successful authentication. For the purposes of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
B
Backup: Duplicate copy of data made for archiving purposes or for protecting against damage or loss.
Bluetooth: Wireless protocol using short-range communications technology to facilitate transmission of data over short
C
Cardholder: Non-consumer or consumer customer to whom a payment card is issued or any individual authorized to use the payment card.
Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
Compensating Controls: Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
(1) Meet the intent and rigor of the original PCI DSS requirement;
(2) Provide a similar level of defense as the original PCI DSS requirement;
(3) Be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
(4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
See Compensating Controls Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.
Compromise: Also referred to as data compromise, or data breach. Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
Console: Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.
Consumer: Individual purchasing goods, services, or both.
Cryptography: Discipline of mathematics and computer science concerned with information security, particularly encryption and authentication. In applications and network security, it is a tool for access control, information confidentiality, and integrity.
D
Database: Structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets.
Database Administrator: Also referred to as DBA. Individual responsible for managing and administering databases.
Default Accounts: Login account predefined in a system, application, or device to permit initial access when the system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.
Default Password: Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with a default account. Default accounts and passwords are published and well known, and therefore easily guessed.
Degaussing: Also called disk degaussing. Process or technique that demagnetizes the disk such that all data stored on the disk is permanently destroyed.
Disk Encryption: Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
DMZ: Abbreviation for demilitarized zone. Physical or logical sub-network that provides an additional layer of security to an organization's internal private network. The DMZ adds an additional layer of network security between the Internet and an organization's internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network.
DNS: Acronym for Domain Name System or domain name server. System that stores information associated with domain names in a distributed database on networks such as the Internet.
DSS: Acronym for Data Security Standard and also referred to as PCI DSS.
Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge.)
Dynamic Packet Filtering: See Stateful Inspection.
ECC: Acronym for Elliptic Curve Cryptography. Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.
Egress Filtering: Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the
Encryption: Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. See Strong Cryptography.
Encryption Algorithm: A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.
Entity: Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.
File Integrity Monitoring: Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.
File-Level Encryption: Technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption or Column-Level Database Encryption.
FIPS: Acronym for Federal Information Processing Standards. Standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.
Firewall: Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
Forensics: Also referred to as computer forensics. As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
FTP: Acronym for File Transfer Protocol. Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology.
GPRS: Acronym for General Packet Radio Service. Mobile data service available to users of GSM mobile phones. Recognized for efficient use of limited bandwidth. Particularly suited for sending and receiving small bursts of data, such as e-mail and web browsing.
GSM: Acronym for Global System for Mobile Communications. Popular standard for mobile phones and networks. Ubiquity of the GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world.
Hashing: Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. Hashing is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a hash code or message digest). A hash function should have the following properties:
(1) It is computationally infeasible to determine the original input given only the hash code,
(2) It is computationally infeasible to find two inputs that give the same hash code.
In the context of PCI DSS, hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data includes a salt value as input to the hashing function (see Salt).
Host: Main computer hardware on which computer software is resident.
Hosting Provider: Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of shopping cart options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.
HTTP: Acronym for hypertext transfer protocol. Open internet protocol to transfer or convey information on the World Wide Web.
HTTPS: Acronym for hypertext transfer protocol over secure socket layer. Secure HTTP that provides authentication and encrypted communication on the World Wide Web designed for security-sensitive communication such as web-based logins.
Hypervisor: Software or firmware responsible for hosting and managing virtual machines. For the purposes of PCI DSS, the hypervisor system component also includes the virtual machine monitor (VMM).
IP Address Spoofing: Attack technique used by a malicious individual to gain unauthorized access to computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.
IPS: Acronym for intrusion prevention system. Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion.
IPSEC: Abbreviation for Internet Protocol Security. Standard for securing IP communications by encrypting and/or authenticating all IP packets. IPSEC provides security at the network layer.
ISO: Better known as International Organization for Standardization. Non-governmental organization consisting of a network of the national standards institutes of over 150 countries, with one member per country and a central secretariat in Geneva, Switzerland, that coordinates the system.
Issuer: Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as issuing bank or issuing financial institution.
Issuing Services: Examples of issuing services may include but are not limited to authorization and card personalization.
K
Key: In cryptography, a key is a value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.
Key Management: In cryptography, it is the set of processes and mechanisms which support key establishment and maintenance, including replacing older keys with new keys as necessary.
L
LAN: Acronym for local area network. A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.
LDAP: Acronym for Lightweight Directory Access Protocol. Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.
Log: See Audit Log.
LPAR: Abbreviation for logical partition. A system of subdividing, or partitioning, a computer's total resources (processors, memory and storage) into smaller units that can run with their own, distinct copy of the operating system and applications. Logical partitioning is typically used to allow the use of different operating systems and applications on a single device. The partitions may or may not be configured to communicate with each other or share some resources of the server, such as network interfaces.
M
MAC: Acronym for message authentication code. In cryptography, it is a small piece of information used to authenticate a message. See Strong Cryptography.
MAC Address: Abbreviation for media access control address. Unique identifying value assigned by manufacturers to network adapters and network interface cards.
Magnetic-Stripe Data: Also referred to as track data. Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.
Mainframe: Computers that are designed to handle very large volumes of data input and output and emphasize throughput computing. Mainframes are capable of running multiple operating systems, making it appear as if they are operating as multiple computers. Many legacy systems have a mainframe design.
Malicious Software / Malware: Software designed to infiltrate or damage a computer system without the owner's knowledge or consent. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.
Masking: In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.
Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Monitoring: Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.
MPLS: Acronym for multi protocol label switching. Network or telecommunications mechanism designed for connecting a group of packet-switched networks.
NAT: Acronym for network address translation. Known as network masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network.
Network: Two or more computers connected together via physical or wireless means.
Network Administrator: Personnel responsible for managing the network within an entity. Responsibilities typically include but are not limited to network security, installations, upgrades, maintenance and activity monitoring.
Network Components: Include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Network Security Scan: Process by which an entity's systems are remotely checked for vulnerabilities through use of manual or automated tools. Security scans that include probing internal and external systems and reporting on services exposed to the network. Scans may identify vulnerabilities in operating systems, services, and devices that could be used by malicious individuals.
Network Segmentation: Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement. See System Components.
NIST: Acronym for National Institute of Standards and Technology. Non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. Their mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology to enhance economic security and improve quality of life.
NMAP: Security-scanning software that maps networks and identifies open ports in network resources.
Non-Consumer Users: Individuals, excluding cardholders, who access system components, including but not limited to employees, administrators, and third parties.
NTP: Acronym for Network Time Protocol. Protocol for synchronizing the clocks of computer systems, network devices and other system components.
O
Off-the-Shelf: Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.
Operating System / OS: Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples of operating systems include Microsoft Windows, Mac OS, Linux and Unix.
OWASP: Acronym for Open Web Application Security Project. A non-profit organization focused on improving the security of application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).
P
PA-QSA: Acronym for Payment Application Qualified Security Assessor, company approved by the PCI SSC to conduct assessments on payment applications against the PA-DSS.
PAN: Acronym for primary account number and also referred to as account number. Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Password / Passphrase: A string of characters that serves as an authenticator of the user.
Pad: In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
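The "used only once" condition in the Pad definition is the whole of its security, so the following added example (not part of the dashboard; the two messages are constructed sample input) implements the pad by XOR and then shows what an attacker gets when the same pad is reused: the pad cancels out and one known plaintext yields the other.

```python
"""Added example: one-time pad by XOR, and the two-time pad failure mode.
The messages are constructed for the demonstration; nothing here is from the
glossary beyond the definition of the pad itself."""
import os


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    # The pad must be at least as long as the message; os.urandom gives the
    # "truly random" bytes the definition requires.
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


# Decryption is the same XOR with the same pad.
otp_decrypt = otp_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    # If two messages share a pad, c1 XOR c2 == p1 XOR p2: the pad cancels out
    # and the attacker learns the XOR of the plaintexts without any key.
    return bytes(a ^ b for a, b in zip(c1, c2))


def otp_demo() -> dict:
    p1 = b"TRANSFER 100 TO BOB"  # constructed sample message
    p2 = b"TRANSFER 999 TO EVE"  # constructed sample message
    pad = os.urandom(len(p1))
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)  # misuse: the same pad encrypts a second message
    leak = two_time_pad_leak(c1, c2)
    # An attacker who knows (or can guess) p1 recovers p2 from the leak alone.
    recovered_p2 = bytes(a ^ b for a, b in zip(leak, p1))
    return {
        "roundtrip_ok": otp_decrypt(c1, pad) == p1,
        "leak_is_p1_xor_p2": leak == bytes(a ^ b for a, b in zip(p1, p2)),
        "recovered_p2": recovered_p2,
    }


if __name__ == "__main__":
    print(otp_demo())
```

With a fresh pad per message the ciphertexts are independent of each other; the leak function only works because the second call reused `pad`, which is exactly the condition the definition forbids.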
Parameterized Queries: A means of structuring SQL queries to limit escaping and thus prevent injection attacks.
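The difference between "limiting escaping" and binding the value as data is easiest to see side by side. The following added example (my own code, not part of the dashboard; the `accounts` table and its two rows are constructed sample data) runs the same tautology payload through a string-formatted query and a parameterized one on an in-memory SQLite database.

```python
"""Added example: SQL injection via string formatting vs a parameterized query.
The accounts table and rows are constructed sample data for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two accounts; a lookup for one user must not return the other.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the attacker-controlled string is spliced into the SQL text,
    # so a quote in the input changes the grammar of the statement.
    sql = "SELECT username, pan_last4 FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the value is bound by the driver as data, never parsed as SQL.
    # No escaping is needed and no input can add clauses to the statement.
    sql = "SELECT username, pan_last4 FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology: closes the string literal and appends a condition that is always true.
PAYLOAD = "x' OR '1'='1"


def sqli_demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # every row comes back
        "parameterized": lookup_parameterized(conn, PAYLOAD),  # no user has that literal name
        "normal": lookup_parameterized(conn, "alice"),         # the intended lookup still works
    }


if __name__ == "__main__":
    for name, rows in sqli_demo().items():
        print(name, rows)
```

The vulnerable path executes `WHERE username = 'x' OR '1'='1'` and returns both accounts; the parameterized path looks for a user literally named `x' OR '1'='1` and returns nothing. The same placeholder mechanism exists in every mainstream database driver, which is why the glossary treats it as the control rather than input filtering.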
PAT: Acronym for port address translation and also referred to as network address port translation. Type of NAT that also translates the port numbers.
Patch: Update to existing software to add functionality or to correct a defect.
Payment Application: Any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
Payment Cards: For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
PCI: Acronym for Payment Card Industry.
PDA: Acronym for personal data assistant or personal digital assistant. Handheld mobile devices with capabilities such as mobile phones, e-mail, or web browser.
PED: PIN entry device.
Penetration Test: Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.
Personnel: Full-time and part-time employees, temporary employees, contractors, and consultants who are resident on the entity's site or otherwise have access to the cardholder data environment.
Personally Identifiable Information: Information that can be utilized to identify an individual including but not limited to name, address, social security number, phone number, etc.
PIN: Acronym for personal identification number. Secret numeric password known only to the user and a system to authenticate the user to the system. The user is only granted access if the PIN the user provided matches the PIN in the system. Typical PINs are used for automated teller machines for cash advance transactions. Another type of PIN is one used in EMV chip cards where the PIN replaces the cardholder's signature.
PIN Block: A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the PIN block and how it is processed to retrieve the PIN. The PIN block is composed of the PIN, the PIN length, and may contain a subset of the PAN.
POI: Acronym for Point of Interaction, the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
Policy: Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
POS: Acronym for point of sale. Hardware and/or software used to process payment card transactions at merchant
Private Network: Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers.
Procedure: Descriptive narrative for a policy. Procedure is the "how to" for a policy and describes how the policy is to be implemented.
Protocol: Agreed-upon method of communication used within networks. Specification describing rules and procedures that computer products should follow to perform activities on a network.
PTS: Acronym for PIN Transaction Security. PTS is a set of modular evaluation requirements managed by the PCI Security Standards Council for PIN acceptance POI terminals. Please refer to www.pcisecuritystandards.org.
Public Network: Network established and operated by a telecommunications provider, for the specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks in scope of the PCI DSS include, but are not limited to, the Internet, wireless, and mobile technologies.
PVV: Acronym for PIN verification value. Discretionary value encoded in the magnetic stripe of a payment card.
Q
QSA: Acronym for Qualified Security Assessor, company approved by the PCI SSC to conduct PCI DSS on-site
RADIUS: Abbreviation for Remote Authentication Dial-In User Service. Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
RBAC: Acronym for role-based access control. Control used to restrict access by specific authorized users based on their job responsibilities.
Remote Access: Access to computer networks from a remote location, typically originating from outside the network. An example of technology for remote access is VPN.
Removable Electronic Media: Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and removable hard drives.
ROC: Report on Compliance. Report containing details documenting an entity's compliance status with the PCI DSS.
Report on Validation: Also referred to as ROV. Report containing details documenting a payment application's compliance with the PCI
Re-keying: Process of changing cryptographic keys. Periodic re-keying limits the amount of data encrypted by a single key.
Remote Lab: A lab that is not maintained by the PA-QSA.
Reseller/Integrator: An entity that sells and/or integrates payment applications but does not develop them.
RFC 1918: The standard identified by the Internet Engineering Task Force (IETF) that defines the usage and appropriate address ranges for private (non-internet routable) networks.
Risk Analysis / Risk Assessment: Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
Rootkit: Type of malicious software that, when installed without authorization, is able to conceal its presence and gain administrative control of a computer system.
Router: Hardware or software that connects two or more networks. Functions as a sorter and interpreter by looking at addresses and passing bits of information to proper destinations. Software routers are sometimes referred to as gateways.
RSA: Algorithm for public-key encryption described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at Massachusetts Institute of Technology (MIT); the letters RSA are the initials of their surnames.
S
Salt: Random string that is concatenated with other data prior to being operated on by a hash function. See also Hashing.
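The Hashing and Salt entries together describe the glossary's rendering of a PAN unreadable: hash the entire PAN, preferably with a salt. The added example below (my own code, not part of the dashboard) implements masking, truncation and salted hashing as the glossary describes them, and then runs the check a practitioner should make before relying on an unkeyed hash. A PAN has very little entropy: if the truncated form (first six and last four digits) is stored anywhere near the hash, the unknown middle of a 16-digit PAN is only 10^6 candidates, and the Luhn check digit cuts that to about 10^5, so the hash is recovered by brute force in seconds even with the salt. This is why later editions of PCI DSS require that hashed and truncated versions of the same PAN cannot be correlated and, in version 4.0, that the hash be keyed; the keyed HMAC variant is included for contrast. The PAN used is the well-known Luhn-valid test number 4111111111111111, not a real card; the salt and key values are constructed.

```python
"""Added example: PAN masking, truncation, salted hashing, and the brute-force
check that shows why an unkeyed salted hash of a PAN is weak when the truncated
form is also available. The PAN is a Luhn-valid test number, not a real card."""
import hashlib
import hmac

TEST_PAN = "4111111111111111"  # constructed, Luhn-valid test number


def luhn_ok(pan: str) -> bool:
    # Luhn check digit; used here only to prune the brute-force search space.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    # Display-time masking: show at most first six and last four digits.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate(pan: str) -> str:
    # Storage-time truncation: keep only first six and last four, discard the rest.
    return pan[:6] + pan[-4:]


def salted_hash(pan: str, salt: bytes) -> str:
    # The glossary's recommendation: a non-secret algorithm over salt || full PAN.
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    # Keyed alternative: without the secret key an attacker cannot test guesses.
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncated(truncated: str, salt: bytes, target: str, pan_len: int = 16):
    """Brute-force the hidden middle digits given first6+last4, the salt and the
    target hash. Returns (pan, hashes_tried) or (None, hashes_tried)."""
    first6, last4 = truncated[:6], truncated[-4:]
    middle_len = pan_len - 10
    tried = 0
    for n in range(10 ** middle_len):
        candidate = first6 + str(n).zfill(middle_len) + last4
        if not luhn_ok(candidate):
            continue  # an invalid check digit cannot be a real PAN
        tried += 1
        if salted_hash(candidate, salt) == target:
            return candidate, tried
    return None, tried


def pan_demo() -> dict:
    salt = b"\x00" * 16  # constructed; a real salt would be random, but it is not secret
    digest = salted_hash(TEST_PAN, salt)
    recovered, tried = recover_from_truncated(truncate(TEST_PAN), salt, digest)
    return {
        "masked": mask(TEST_PAN),
        "truncated": truncate(TEST_PAN),
        "recovered": recovered,
        "hashes_tried": tried,
        "hmac_k1": keyed_hash(TEST_PAN, b"key-one"),
        "hmac_k2": keyed_hash(TEST_PAN, b"key-two"),
    }


if __name__ == "__main__":
    print(pan_demo())
```

The recovery succeeds with the salt in hand because salt only defeats precomputed tables; it does not add entropy to the guess. Storing the HMAC key separately from the hashed data (under the key-management controls the glossary describes) is what removes the attacker's ability to test candidates at all.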
Sampling: The process of selecting a cross-section of a group that is representative of the entire group. Sampling may be used by assessors to reduce overall testing efforts, when it is validated that an entity has standard, centralized PCI DSS security and operational processes and controls in place. Sampling is not a PCI DSS requirement.
SANS: Acronym for SysAdmin, Audit, Networking and Security, an institute that provides computer security training and professional certification. (See www.sans.or
Scoping: Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
SDLC: Acronym for system development life cycle. Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.
Secure Coding: The process of creating and implementing applications that are resistant to tampering and/or compromise.
Secure Wipe: Also called secure delete, a program utility used to delete specific files permanently from a computer system.
Security Policy: Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive
Security Protocols: Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to, SSL/TLS, IPSEC, SSH, etc.
SAQ: Acronym for Self-Assessment Questionnaire. Tool used by any entity to validate its own compliance with the PCI
Sensitive Area: Any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
Sensitive Authentication Data: Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Separation of Duties: Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.
Server: Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to, web, database, application, authentication, DNS, mail, proxy, and NTP.
Service Code: Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the
track data. It is used for various things such as defining service attributes, differentiating between international and
national interchange, or identifying usage restrictions.
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of
cardholder data. This also includes companies that provide services that control or could impact the security of
cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other
services as well as hosting providers and other entities. Entities such as telecommunications companies that only
provide communication links without access to the application layer of the communication link are excluded.
Acronym for Secure Hash Algorithm. A family or set of related cryptographic hash functions including SHA-1 and
SHA-2. See Strong Cryptography.
Also referred to as chip card or IC card (integrated circuit card). A type of payment card that has integrated
circuits embedded within. The circuits, also referred to as the chip, contain payment card data including but not
limited to data equivalent to the magnetic-stripe data.
Acronym for Simple Network Management Protocol. Supports monitoring of network attached devices for any
conditions that warrant administrative attention.
Type of malicious software that when installed, intercepts or takes partial control of the users computer without the
users consent.
Acronym for Structured Query Language. Computer language used to create, modify, and retrieve data from
relational database management systems.
Form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking
advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal
information from a database from which the data would normally not be available and/or to gain access to an
organizations host computers through the computer that is hosting the database.
Abbreviation for Secure Shell. Protocol suite providing encryption for network services like remote login or remote
file transfer.
Acronym for Secure Sockets Layer. Established industry standard that encrypts the channel between a web
browser and web server to ensure the privacy and reliability of data transmitted over this channel.
Also called dynamic packet filtering, it is a firewall capability that provides enhanced security by keeping track of
communications packets. Only incoming packets with a proper response (established connections) are allowed
through the firewall.
Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper keymanagement practices. Cryptography is a method to protect data and includes both encryption (which is reversible)
and hashing (which is not reversible, or one way). Examples of industry-tested and accepted standards and
algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits
and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher).
See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.
Abbreviation for system administrator. Individual with elevated privileges who is responsible for managing a
computer system or network.
Any network component, server, or application included in or connected to the cardholder data environment.
Anything on a system component that is required for its operation, including but not limited to application
executable and configuration files, system configuration files, static and shared libraries & DLL's, system
executables, device drivers and device configuration files, and added third-party components.
T
TACACS: Acronym for Terminal Access Controller Access Control System. Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
TCP: Acronym for Transmission Control Protocol. Basic communication language or protocol of the Internet.
TDES: Acronym for Triple Data Encryption Standard, also known as 3DES or Triple DES. Block cipher formed from the DES cipher by using it three times. See Strong Cryptography.
Telnet: Abbreviation for telephone network protocol. Typically used to provide user-oriented command line login sessions to devices on a network. User credentials are transmitted in clear text.
Threat: Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
TLS: Acronym for Transport Layer Security. Designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is the successor of SSL.
Token: A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.
Transaction Data: Data related to an electronic payment card transaction.
Trojan: Also referred to as Trojan horse. A type of malicious software that, when installed, allows a user to perform a normal function while the Trojan performs malicious functions on the computer system without the user's knowledge.
Truncation: Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc. See Masking for protection of PAN when displayed on screens, paper receipts, etc.
Trusted Network: Network of an organization that is within the organization's ability to control or manage.
Two-Factor Authentication: Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as a hardware or software token), something the user knows (such as a password, passphrase, or PIN), or something the user is or does (such as fingerprints or other forms of biometrics).
U
Untrusted Network: Network that is external to the networks belonging to an organization and which is out of the organization's ability to control or manage.
V
Virtualization: Virtualization refers to the logical abstraction of computing resources from physical constraints. One common abstraction is referred to as virtual machines or VMs, which takes the content of a physical machine and allows it to operate on different physical hardware and/or along with other virtual machines on the same physical hardware. In addition to VMs, virtualization can be performed on many other computing resources, including applications, desktops, networks, and storage.
Virtual Machine Monitor (VMM): The VMM is included with the hypervisor and is software that implements virtual machine hardware abstraction. It manages the system's processor, memory, and other resources to allocate what each guest operating system requires.
Virtual Machine: A self-contained operating environment that behaves like a separate computer. It is also known as the Guest, and runs on top of a hypervisor.
Virtual Appliance (VA): A VA takes the concept of a pre-configured device for performing a specific set of functions and runs this device as a workload. Often, an existing network device is virtualized to run as a virtual appliance, such as a router, switch, or firewall.
Virtual Switch or Router: A virtual switch or router is a logical entity that presents network infrastructure level data routing and switching functionality. A virtual switch is an integral part of a virtualized server platform such as a hypervisor driver, module, or plug-in.
Virtual Terminal: A virtual terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
VLAN: Abbreviation for virtual LAN or virtual local area network. Logical local area network that extends beyond a single traditional physical local area network.
VPN: Acronym for virtual private network. A computer network in which some of the connections are virtual circuits within some larger network, such as the Internet, instead of direct connections by physical wires. The end points of the virtual network are said to be tunneled through the larger network when this is the case. While a common application consists of secure communications through the public Internet, a VPN may or may not have strong security features such as authentication or content encryption. A VPN may be used with a token, smart card, etc., to provide two-factor authentication.
Vulnerability: Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
W
WAN: Acronym for wide area network. Computer network covering a large area, often a regional or company-wide computer system.
Web Application: An application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network.
Web Server: Computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages).
WEP: Acronym for Wired Equivalent Privacy. Weak algorithm used to encrypt wireless networks. Several serious weaknesses have been identified by industry experts such that a WEP connection can be cracked with readily available software within minutes. See WPA.
Wireless Networks: Network that connects computers without a physical connection to wires.
WLAN: Acronym for wireless local area network. Local area network that links two or more computers or devices without
WPA: Acronym for WiFi Protected Access. Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.
Scope Definition
Scope: Area of computer system network that possesses cardholder data or sensitive authentication data; systems and segments that directly attach to or support cardholder processing.
Columns recorded for each in-scope system, in two groups (Perimeter and Internal): IP address/URL, Name, Type, Purpose, Owner, System Admin, Criticality, Patch level.
ORGANIZATION NAME:
Merchant Type:
PCI-DSS REQUIREMENTS 1 to 12 (click on a requirement above to access the associated sheet).
Dashboard values as extracted, one row per requirement (three count columns, then # Compensating Controls and Severity):
Req  (count)  (count)  (count)  # Compensating Controls  Severity
1    28       21       7        0                        24
2    26       0        26       0                        67
3    37       2        35       0                        135
4    9        2        7        0                        14
5    7        0        7        0                        14
6    36       0        36       0                        129
7    9        0        9        0                        36
8    33       0        33       0                        111
9    29       0        29       0                        111
10   33       0        33       0                        132
11   25       0        25       0                        64
12   44       0        44       0                        216
Documentation
Make the list of all your documentation related to your PCI project. Columns on this sheet: Ref, Title/Topic, Description, associated PCI DSS requirements, Version, Owner, Location, Published/DRAFT.
Technical documentation (Ref1 to Ref9):
- Firewall/router rule sets
- Encryption / Transmission
- Patch inventory
- IDS/IPS config
Requirements referenced in the technical documentation block (sheet order, duplicates removed): 1.1, 1.1.5, 1.2, 1.2.1, 1.3.4, 1.3.6, 1.3.7, 2.2, 2.2.3, 2.2.4, 2.3, 5.1, 7.2, 8.2, 11.5, 4.1, 6.1, 11.4.
Documentation:
- Firewall/router configuration and change management process
- Protection of Laptop/Desktop in scope
- Data retention and disposal policy and process
- Tokenization Process
- Anti-virus
- Secure coding/Testing
- Data control/Access Control
- Job Classification
- Security classification
- User access inventory
- Physical access protection
- Media Distribution, Classification and destruction
- Monitoring/logging
- Detection of WAP
- ASV Scan process and scan reports: Procedures associated to quarterly ASV scans and internal scans + remediation. Includes a list of past scans, results + reports.
- Penetration testing: Procedures associated to the execution of pen tests. Includes a statement requiring execution of penetration testing at least annually and after any significant changes to the environment. Includes a list of past pen tests, results + reports.
- Intrusion detection process/configuration: Procedures associated to the use and configuration of IDS/IPS. Includes a statement enforcing the use of IDS at entry points and other critical points. Lists IDS/IPS and location.
- File-integrity tools used: Procedures and configuration associated to the file-integrity tools. Lists file-integrity tools used and the critical files they are protecting: system executables; application executables; configuration and parameter files; centrally stored, historical or archived log and audit files.
- Security Policy: Includes assignment of responsibility for creating and distributing security policies and procedures (12.5.1). Includes assignment of responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel (12.5.2).
- HR Screening process
- Service Provider management policies and procedures
Requirements referenced in the documentation block (sheet order, duplicates removed): 1.1, 1.1.6, 1.2, 1.3.8, 10.1, 2.2, 2.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3, 1.4, 3.5/3.6, 3.6.8, 6.4, 6.4.2, 6.5-6.5.9, 6.5, 6.6, 6.4.3, 6.4.4, 6.4.5, 7.1.1, 7.1.2, 8.1, 8.5.2, 8.5.5, 8.5.6, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3, 8.2, 8.3, 8.5, 8.5.8, 8.5.10, 9.7/9.8, 8.5.9, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 9.1, 9.2/9.3/9.4, 9.5/9.6, 9.9/9.10, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.4, 10.5, 10.6/12.2, 10.7, 11.1, 11.2, 12.1, 12.3, 11.3, 11.4, 11.5, 12.3.1, 12.3.2, 12.3.10, 12.4, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.5, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5, 12.6, 12.6.1, 12.6.2, 12.7, 12.8, 12.8.3, 12.8.4, 12.8.2, 12.8.1, 12.9, 12.9.1, 12.9.3, 12.9.2, 12.9.4.
Contact columns: Tel, Function, Areas of expertise.
Merchant types:
A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
Compensating controls worksheet columns: Objective, Identified Risk, Maintenance (define process and controls in place to maintain compensating controls).
PCI Crypto Key list columns: Purpose, Location, Key custodians, Status (date), Key Length.
SANS Top 20 Critical Security Controls mapping sheet. Columns: Matching PCI Reqs If Any, Matching Score, level, Scoping, Notes. Controls C1 to C20 are listed with their sub-controls. Control text recorded on the sheet:
- C1 (asset inventory): The asset inventory created must also include data on whether the device is a portable device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether or not they are attached to the organization's network.
- C3.7: Run the last version of software and make sure it is fully patched.
- C3.7.1: Remove outdated or older software from the system.
- C5.1.3: All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
- C6.3: Organizations should test in-house-developed and third-party-procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment using automated static code analysis software. If source code is not available, these organizations should test compiled code using static binary analysis tools. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested.
- C6, following item: Organizations should test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis.
- C9: Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps. Organizations should develop security awareness training for various
- C10.2: At network interconnection points, such as Internet gateways, inter-organization connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, network-based IPS, and/or routers.
- C13.1: Organizations should deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists). Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
- C13.6: Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying white lists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Proxies can also be used to encrypt all traffic leaving an organization.
- C13.7: Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.
- C13.8: All devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels.
- C14.1: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction.
- C14.2: Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.
- C14.2.1: The logs must be archived and digitally signed on a periodic basis.
- C14.2 (as labelled on the sheet): All remote access to a network, whether to the DMZ or the internal network (i.e., VPN, dial-up, or other mechanism), should be logged verbosely.
- C15.2: Organizations should ensure that file shares have defined controls (such as Windows share access control lists) that specify at least that only authenticated users can access the share.
- C15.3: Organizations should enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.
- C15.4: The network should be segmented based on the trust levels of the information stored on the servers.
- C15.4.1: Whenever information flows over a network of lower trust level, the information should be encrypted.
- C15.5: The use of portable USB drives should either be limited or data should automatically be encrypted before it is written to a portable drive.
- C15.6: Host-based data loss prevention (DLP) should be used to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system the ACLs are no longer enforced and the users can send the data to whomever they want.
- C15.7: Deploy honeytokens on key servers to identify users who might be trying to access information that they should not access.
- C16.1: Review all system accounts and disable any account that cannot be associated with a business process and owner.
- C16.2: Systems should automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
- C17.1: Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations are able to detect rogue connections, terminate the connection, and remediate the infected system.
- C19.4: Security should be built into all phases of the software development lifecycle, ensuring that any security issues are addressed as early as possible.
- C19.5: Organizations should segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
- C20.2: Organizations should perform periodic red team exercises to test the readiness of organizations to identify and stop attacks or to respond quickly and effectively.
- C20.3: Organizations should ensure that systemic problems discovered in penetration tests and red team exercises are fully mitigated.
Matching scores recorded on the sheet, in extraction order: 16.67%, 0.00%, 45.45%, 20.00%, 37.50%, 50.00%, 28.13%, 40.00%, 33.33%, 50.00%, 41.67%, 53.57%, 50.00%, 68.75%, 28.57%, 68.18%, 30.00%, 100.00%, 50.00%, 35.71%.
PCI DSS requirements cited in the mapping column (extraction order, duplicates removed): 11.1, 11.2, 2.2, 2.1, 2.2.2, 2.2.3, 2.2.4, 6.1, 11.5, 11.2.1, 11.2.2, 11.2.3, 6.2, 11.4, 5.2, 5.1, 1.4, 6.6, 6.3.2, 6.4.5.3, 11.3.2, 6.3, 6.5, 2.1.1, 4.1.1, 1.2.3, 3.4, 9.5, 12.6, 1.2.2, 1.1.5, 1.1.6, 1.2, 1.2.1, 1.1, 1.1.1, 1.1.2, 1.1.4, 2.3, 8.3, 2.2.1, 7.1, 8.5.10, 8.5.9, 8.4, 8.5.12, 10.2.2, 12.8.2, 7.2, 7.2.2, 1.1.3, 1.3.7, 11.3, 10.2, 10.3, 10.5, 10.5.3, 10.2.1 to 10.2.7, 10.3.4, 10.6, 10.4 (10.4.3), 10.5.4, 1.3, 4.1, 8.5.4, 8.5.6, 8.5.15, 8.5.5, 8.5.11, 8.5.13, 8.5.14, 12.2, 12.5.3, 12.9, 12.9.1, 12.9.4, 1.3.1, 1.3.2, 1.3.3, 11.3b.
Notes: No mention of documented configuration; Discovery; Resource = CC data; No mention of SIEM.
Vulnerability scans sheet columns: Int/Ext, Scanning solution, Operator or ASV's, IPs, (FAIL/PASS), Report location.
Penetration Tests sheet columns: Int/Ext, Tests provider, IPs, # exploitable vulnerabilities, Report location.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Oft
Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of
CI Compliance Report:
percent who were found compliant in previous report
ement is the documentation of network device configurations, with only 63 percent of companies meeting Requirement 1.1
utdated.
t 1.2.1) continues to be an issue for many being audited, with 23 percent of businesses found to be non-compliant at the ti
ill flowing through many networks.
time to dig into every rule in the firewalls to understand the complete rule sets.
Guidance column (SANS Top 20 Critical Security Controls), one entry per testing-procedure row in sheet order: C10.4, C10.4, C13.1.1, C10.4, C13.5, C10.4, C10.1, C10.2, C10.4, C11.4, C10.1, C10.4, C10.2, C15.4, C10.2, C10.1, C15.4, C7.15, C19.1, C19.5, C19.1, C19.1, C19.1, C13.5, C10.2, NC, C13.5, C13.10, NC, C5.1.1.
Testing Procedure
1.1 Obtain and inspect the firewall and router configuration standards and other
documentation specified below to verify that standards are complete. Complete the
following:
1.1.1 Verify that there is a formal process for testing and approval of all network
connections and changes to firewall and router configurations.
1.1.2.a Verify that a current network diagram (for example, one that shows cardholder
data flows over the network) exists and that it documents all connections to
cardholder data, including any wireless networks.
1.1.3.a Verify that firewall configuration standards include requirements for a firewall
at each Internet connection and between any DMZ and the internal network zone.
1.1.3.b Verify that the current network diagram is consistent with the firewall
configuration standards.
1.1.4 Verify that firewall and router configuration standards include a description of
groups, roles, and responsibilities for logical management of network components.
1.1.5.a Verify that firewall and router configuration standards include a documented
list of services, protocols and ports necessary for business, for example, hypertext
transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and
Virtual Private Network (VPN) protocols.
1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are
necessary and that security features are documented and implemented by examining
firewall and router configuration standards and settings for each service.
1.1.6.a Verify that firewall and router configuration standards require review of
firewall and router rule sets at least every six months.
1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed
at least every six months.
1.2 Examine firewall and router configurations to verify that connections are restricted
between untrusted networks and system components in the cardholder data
environment, as follows:
1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary
for the cardholder data environment, and that the restrictions are documented.
1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for
example by using an explicit "deny all" or an implicit deny after allow statement.
1.2.2 Verify that router configuration files are secure and synchronized, for example,
running configuration files (used for normal running of the routers) and start-up
configuration files (used when machines are re-booted) have the same, secure
configurations.
1.2.3 Verify that there are perimeter firewalls installed between any wireless networks
and systems that store cardholder data, and that these firewalls deny or control (if
such traffic is necessary for business purposes) any traffic from the wireless
environment into the cardholder data environment.
1.3 Examine firewall and router configurations, including but not limited to the choke
router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the
perimeter router, and the internal cardholder network segment, to determine that there
is no direct access between the Internet and system components in the internal
cardholder network segment, as detailed below.
1.3.1 Verify that a DMZ is implemented to limit inbound traffic to only system
components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Verify that inbound Internet traffic is limited to IP addresses within the DMZ.
1.3.3 Verify direct connections inbound or outbound are not allowed for traffic
between the Internet and the cardholder data environment.
1.3.4 Verify that internal addresses cannot pass from the Internet into the DMZ.
1.3.5 Verify that outbound traffic from the cardholder data environment to the
Internet is explicitly authorized.
1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering).
(Only established connections should be allowed in, and only if they are associated
with a previously established session.)
1.3.7 Verify that system components that store cardholder data are on an internal
network zone, segregated from the DMZ and other untrusted networks.
1.3.8.a Verify that methods are in place to prevent the disclosure of private IP
addresses and routing information from internal networks to the Internet.
1.3.8.b Verify that any disclosure of private IP addresses and routing information to
external entities is authorized.
1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to
the Internet (for example, laptops used by employees), and which are used to access the
organization's network, have personal firewall software installed and active.
1.4.b Verify that the personal firewall software is configured by the organization to
specific standards and is not alterable by users of mobile and/or employee-owned
computers.
…rusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network…
…e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network…
…cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.
Identify the document requiring that the network diagram is kept current.
Describe the documented process for keeping the network diagram current.
Identify the responsible personnel interviewed who confirm the documented
process is followed.
Identify the firewall configuration standards that define requirements for:
i. A firewall at each Internet connection
ii. A firewall between any DMZ and the internal network zone
Identify the current network diagrams and firewall configuration standards reviewed.
Describe how the reviewed documents were confirmed to be consistent with one
another.
Identify the firewall configuration standards that include descriptions of the following
for logical management of components:
i. Groups
ii. Roles
iii. Responsibilities
Identify the router configuration standards that include descriptions of the following
for logical management of components:
i. Groups
ii. Roles
iii. Responsibilities
Identify the personnel holding those roles and responsibilities who were
interviewed, and who confirm that the roles and responsibilities are assigned as
documented for:
i. Logical management of router components
ii. Logical management of firewall components
For each of the following identify the firewall configuration standards which define
those necessary for business, including a business justification for each:
Services
Protocols
Ports
For each of the following identify the router configuration standards which define those
necessary for business, including a business justification for each:
Services
Protocols
Ports
Identify whether any insecure services, protocols or ports are allowed. For each
insecure service, protocol and port allowed:
i. Identify the documented justification.
ii. Identify the responsible personnel interviewed who confirm that each insecure
service/protocol/port is necessary.
iii. Identify the firewall and router configuration standards which define the security
features required for each insecure service/protocol/port.
iv. Describe how observed firewall configurations verify the security features are
implemented.
v. Describe how observed router configurations verify the security features are
implemented.
Identify the firewall configuration standards that require a review of firewall rule sets
at least every six months.
Identify the router configuration standards that require a review of router rule sets
at least every six months.
Describe how firewall and router configurations were observed to specifically deny all
other traffic, inbound and outbound.
Describe how the router configuration files were observed to be secured.
Describe how the router configuration files were observed to be synchronized.
Describe how firewalls were observed to be in place between any wireless networks
and systems that store cardholder data.
Describe how firewall configurations were observed to deny or control all traffic
from any wireless environment into the cardholder data environment.
Identify the responsible personnel interviewed who confirm that any permitted
traffic from the wireless environment into the cardholder data environment is
necessary for business purposes.
Identify the document defining system components that provide authorized publicly
accessible services, protocols, and ports.
Describe how observed firewall/router configurations ensure that the DMZ limits
inbound traffic to only those system components.
Identify the network documents/diagrams specifying that direct connections are not
allowed for traffic between the Internet and the cardholder data environment:
i. Inbound
ii. Outbound
Describe how observed firewall/router configurations prevent direct connections
between the Internet and the cardholder data environment:
i. Inbound
ii. Outbound
Describe how observed traffic between the Internet and the cardholder data
environment confirms that direct connections are not permitted:
i. Inbound
ii. Outbound
Describe how observed firewall/router configurations prevent internal addresses
passing from the Internet into the DMZ.
Describe how observed traffic from the Internet into the DMZ confirms that internal
addresses cannot pass from the Internet into the DMZ.
Identify the document that explicitly defines authorized outbound traffic from the
cardholder data environment to the Internet.
Describe how firewall/router configurations were observed to allow only explicitly
authorized traffic.
Describe how observed outbound traffic from the cardholder data environment to
the Internet confirms that only explicitly authorized traffic is allowed.
Identify the document that specifies whether any disclosure of private IP addresses
and routing information to external parties is permitted.
For each permitted disclosure, identify the responsible personnel interviewed who
confirmed that disclosure is authorized.
Describe how observed configurations ensure that any disclosure of private IP
addresses and routing information to external entities is authorized.
Dashboard columns for this requirement: Merchant types, Priority (C-VT), In place? (Y / N / C), Severity in case of non-compliance, Proofs / Documentation links, Stage of implementation, Remediation plan, Comments, Owner (Name).
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined…
Major observations from the 2011 Verizon PCI Compliance Report:
…percent the year before.
…requirement to change vendor-supplied default passwords, which was up to 82 percent from 48 percent.
…configuration) and 2.2.4 (remove unnecessary services) both remain low, at 74 percent and 67 percent respectively.
…know how to configure a system to be secure (Requirement 2.2.3a), but when it comes down to building and maintaining a system in a compliant manner (Requirement 2.2.3c), were still failing in over a…
Guidance (SANS Top 20 Critical Security Controls mapping): C3.3, C12.2, C11.5, C7.1, C3.1, C3.2, C3.3, C10.1, NC, C3.3, C10.1, C3.3, C10.6, C3.3, C10.6, NC
Testing Procedure
2.1 Choose a sample of system components, and attempt to log on (with system
administrator help) to the devices using default vendor-supplied accounts and
passwords, to verify that default accounts and passwords have been changed. (Use
vendor manuals and sources on the Internet to find vendor-supplied
accounts/passwords.)
2.1.1 Verify the following regarding vendor default settings for wireless environments:
2.1.1.a Verify encryption keys were changed from default at installation, and are
changed anytime anyone with knowledge of the keys leaves the company or changes
positions
2.1.1.b Verify default SNMP community strings on wireless devices were changed.
2.2.a Examine the organization's system configuration standards for all types of system
components and verify the system configuration standards are consistent with industry-accepted hardening standards.
2.2.b Verify that system configuration standards are updated as new vulnerability issues
are identified, as defined in Requirement 6.2.
2.2.c Verify that system configuration standards are applied when new systems are
configured.
2.2.d Verify that system configuration standards include each item below (2.2.1 through 2.2.4).
2.2.1.a For a sample of system components, verify that only one primary function is
implemented per server.
2.2.1.b If virtualization technologies are used, verify that only one primary function is
implemented per virtual system component or device.
2.2.2.b Identify any enabled insecure services, daemons, or protocols. Verify they are
justified and that security features are documented and implemented.
2.2.3.a Interview system administrators and/or security managers to verify that they
have knowledge of common security parameter settings for system components.
2.2.3.b Verify that common security parameter settings are included in the system
configuration standards.
2.2.3.c For a sample of system components, verify that common security parameters
are set appropriately.
2.2.4.a For a sample of system components, verify that all unnecessary functionality
(for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.
2.2.4.b Verify enabled functions are documented and support secure configuration.
2.2.4.c Verify that only documented functionality is present on the sampled system
components.
2.3 For a sample of system components, verify that non-console administrative access is
encrypted by performing the following:
2.3.a Observe an administrator log on to each system to verify that a strong encryption
method is invoked before the administrator's password is requested.
2.3.b Review services and parameter files on systems to determine that Telnet and
other remote login commands are not available for use internally.
2.3.c Verify that administrator access to the web-based management interfaces is
encrypted with strong cryptography.
2.4 Perform testing procedures A.1.1 through A.1.4 detailed in Appendix A: Additional
PCI DSS Requirements for Shared Hosting Providers for PCI DSS assessments of shared
hosting providers, to verify that shared hosting providers protect their entities'
(merchants and service providers) hosted environment and data.
Identify the document requiring that wireless encryption keys must be changed:
i. From default at installation
ii. Anytime anyone with knowledge of the keys leaves the organization or changes
positions
Identify the responsible personnel interviewed who confirm the documented
processes for changing keys are followed:
i. At installation
ii. Anytime anyone with knowledge of the keys leaves the organization or changes
positions
Describe how observed wireless configurations confirm that key changes are
completed as required.
Identify the document requiring that default SNMP community strings must be
changed.
Describe how observed wireless configurations confirm that default SNMP
community strings are changed.
Identify personnel interviewed and describe how systems were observed to determine
whether virtualization technologies are used.
If virtualization technologies are used:
Identify the functions for which virtualization technologies are used.
Identify the sample of virtual system components or devices observed.
For each sampled virtual system component and device, describe how the observed
configurations confirm only one primary function is implemented per virtual system
component or device.
Identify the sample of system components observed. For each sampled system
component:
Describe how system configurations were inspected to identify all enabled:
o Services
o Daemons
o Protocols
Identify the document specifying that each enabled service, daemon and protocol is
necessary for that system component.
From the sample of system components observed in 2.2.2.a, identify if any insecure
services, daemons, or protocols are enabled.
For each insecure service, daemon, or protocol identified:
i. Briefly describe why it is considered to be insecure.
ii. Identify the documented business justification.
iii. Identify the document defining security features for the insecure service, daemon
or protocol.
iv. Describe how the observed system configurations confirm that security features are
implemented in accordance with documentation.
Identify the sample of system components observed. For each sampled system
component:
i. Identify the strong encryption method used for non-console administrative access.
ii. Describe how strong encryption was observed to be invoked before the administrator
password is requested.
For each sampled system component, describe how the observed services and
parameter files confirm that the following are not available for use internally:
Telnet and other remote-login commands.
For each sampled system component:
i. Describe how administrator access to web-based management interfaces is configured
to require strong cryptography.
ii. Describe how administrator access to the web-based management interfaces was
observed to confirm that all such access is encrypted with strong cryptography.
Dashboard columns for this requirement: Priority (A / B / C-VT), In place? (Y / N / C), Severity, Stage of implementation, Remediation plan, Comments, Owner.
Requirement 3: Protect stored cardholder data
Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of strong cryptography and other PCI DSS terms.
Major observations from the 2011 Verizon PCI Compliance Report:
Keeping stored cardholder data to a minimum seems to be a particularly difficult task for many companies.
Organizations rarely adhere to their retention policy.
33 percent of businesses were unable to meet Requirement 3.1.
Requirement 3.4, encrypt cardholder data, is met only 63 percent of the time.
Requirement 3.6.4 is met in only 61 percent of cases,…
…data
- A quarterly automatic or manual process for identifying and securely deleting stored
cardholder data that exceeds defined retention requirements
3.3 Mask PAN when displayed (the first six and last
four digits are the maximum number of digits to be
displayed).
Notes:
- This requirement does not apply to employees and
other parties with a legitimate business need to see
the full PAN.
- This requirement does not supersede stricter
requirements in place for displays of cardholder data
(for example, for point-of-sale (POS) receipts).
3.6 Fully document and implement all key-management processes and procedures for
cryptographic keys used for encryption of cardholder
data, including the following:
Note: Numerous industry standards for key
management are available from various resources
including NIST, which can be found at
http://csrc.nist.gov.
Guidance (SANS Top 20 Critical Security Controls mapping): NC, NA, NA, NA, NA, NA, C17.7, C8.4, NC, NC, NC, NC, NC, NC, NC, NC, NC, NC, NC, NC, NC
Testing Procedure
3.1 Obtain and examine the policies, procedures and processes for data retention and
disposal, and perform the following:
3.1.1.a Verify that policies and procedures are implemented and include legal,
regulatory, and business requirements for data retention, including specific
requirements for retention of cardholder data (for example, cardholder data needs to
be held for X period for Y business reasons).
3.1.1.b Verify that policies and procedures include provisions for secure disposal of
data when no longer needed for legal, regulatory, or business reasons, including
disposal of cardholder data.
3.1.1.c Verify that policies and procedures include coverage for all storage of
cardholder data.
3.1.1.d Verify that policies and procedures include at least one of the following:
- A programmatic process (automatic or manual) to remove, at least quarterly, stored
cardholder data that exceeds requirements defined in the data retention policy
- Requirements for a review, conducted at least quarterly, to verify that stored
cardholder data does not exceed requirements defined in the data retention policy.
3.1.1.e For a sample of system components that store cardholder data, verify that the
data stored does not exceed the requirements defined in the data retention policy.
3.2.a For issuers and/or companies that support issuing services and store sensitive
authentication data, verify there is a business justification for the storage of sensitive
authentication data, and that the data is secured.
3.2.b For all other entities, if sensitive authentication data is received and deleted,
obtain and review the processes for securely deleting the data to verify that the data is
unrecoverable.
3.2.c For each item of sensitive authentication data below, perform the following steps:
3.2.1 For a sample of system components, examine data sources, including but not
limited to the following, and verify that the full contents of any track from the
magnetic stripe on the back of card or equivalent data on a chip are not stored under
any circumstance:
-
3.2.2 For a sample of system components, examine data sources, including but not
limited to the following, and verify that the three-digit or four-digit card verification
code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID,
CAV2 data) is not stored under any circumstance:
-
3.2.3 For a sample of system components, examine data sources, including but not
limited to the following and verify that PINs and encrypted PIN blocks are not stored
under any circumstance:
-
3.3 Obtain and examine written policies and examine displays of PAN (for example, on
screen, on paper receipts) to verify that primary account numbers (PANs) are masked
when displaying cardholder data, except for those with a legitimate business need to
see full PAN.
3.4.a Obtain and examine documentation about the system used to protect the PAN,
including the vendor, type of system/process, and the encryption algorithms (if
applicable). Verify that the PAN is rendered unreadable using any of the following
methods:
-
3.4.b Examine several tables or files from a sample of data repositories to verify the
PAN is rendered unreadable (that is, not stored in plain-text).
3.4.c Examine a sample of removable media (for example, back-up tapes) to confirm
that the PAN is rendered unreadable.
3.4.d Examine a sample of audit logs to confirm that the PAN is rendered unreadable or
removed from the logs.
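Added example (not from the PCI DSS text or this dashboard): a display mask that enforces the 3.3 rule of at most the first six and last four digits, and a check an internal team can run over log samples when evidencing 3.4.d. The Luhn filter, the 13 to 19 digit length rule, the separator handling and the sample log lines are assumptions made here, not PCI DSS requirements.

```python
import re

# Added example, not part of PCI DSS or the dashboard.  3.3: a displayed PAN
# may show at most the first six and last four digits.  3.4.d: audit logs must
# not carry a readable PAN.  The sample log lines at the bottom are constructed.

SEPARATORS = re.compile(r"[ -]")
# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (assumed PAN length range).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out timestamps, trace ids and similar runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN for display as 3.3 allows: first six and last four only."""
    digits = SEPARATORS.sub("", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("input is not a 13-19 digit PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line: str) -> list:
    """Digit runs in one log line that have PAN shape and pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = SEPARATORS.sub("", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines) -> list:
    """(line number, masked PAN) for every readable PAN found.

    The finding itself is masked so that the evidence file produced for the
    assessor does not become another store of full PANs."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_unmasked_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample: line 2 leaks a full PAN; line 1 is already masked,
# line 3 is a 16-digit trace id that fails Luhn, line 4 is a timestamp.
SAMPLE_LOG = [
    "2012-05-31 12:30:45 auth ok pan=411111******1111 amount=12.50",
    "2012-05-31 12:31:02 auth ok pan=5555 5555 5555 4444 amount=99.00",
    "2012-05-31 12:31:10 trace id=1234567890123456 status=timeout",
    "2012-05-31 12:31:20 batch 20120531123045 closed",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: readable PAN found, masked form {masked}")
```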
3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems
is implemented via a mechanism that is separate from the native operating system's
mechanism (for example, not using local user account databases).
3.4.1.b Verify that cryptographic keys are stored securely (for example, stored on
removable media that is adequately protected with strong access controls).
3.4.1.c Verify that cardholder data on removable media is encrypted wherever stored.
Note: If disk encryption is not used to encrypt removable media, the data stored on
this media will need to be rendered unreadable through some other method.
3.5 Verify processes to protect keys used for encryption of cardholder data against
disclosure and misuse by performing the following:
3.5.1 Examine user access lists to verify that access to keys is restricted to the fewest
number of custodians necessary.
3.5.2.a Examine system configuration files to verify that keys are stored in encrypted
format and that key-encrypting keys are stored separately from data-encrypting keys.
3.5.2.b Identify key storage locations to verify that keys are stored in the fewest
possible locations and forms.
3.6.a Verify the existence of key-management procedures for keys used for encryption
of cardholder data.
3.6.b For service providers only: If the service provider shares keys with their customers
for transmission or storage of cardholder data, verify that the service provider provides
documentation to customers that includes guidance on how to securely transmit, store
and update customers' keys, in accordance with Requirements 3.6.1 through 3.6.8
below.
3.6.2 Verify that key-management procedures are implemented to require secure key
distribution.
3.6.3 Verify that key-management procedures are implemented to require secure key
storage.
3.6.5.b Verify that the key-management procedures are implemented to require the
replacement of known or suspected compromised keys.
3.6.5.c If retired or replaced cryptographic keys are retained, verify that these keys
are not used for encryption operations.
For all instances where sensitive authentication data is received and deleted:
i. Identify the document defining the processes for securely deleting sensitive
authentication data.
ii. Describe how the processes for securely deleting the data were verified to render the
data unrecoverable.
Identify the documents defining key-management procedures for keys used for
encryption of cardholder data.
Identify the document that defines procedures for the generation of strong keys.
Describe how the procedures for the generation of strong keys were observed to be
implemented.
Identify the document that defines procedures for secure key distribution.
Describe how the procedures for secure key distribution were observed to be
implemented.
Identify the document that defines procedures for secure key storage.
Describe how the procedures for secure key storage were observed to be
implemented.
Identify the document that defines procedures for the retirement of keys when the
integrity of the key has been weakened (for example, departure of an employee with
knowledge of a clear-text key).
Describe how the procedures for retirement of keys when the integrity of the key has
been weakened were observed to be implemented.
Identify the document that defines procedures for the replacement of known or
suspected compromised keys.
Describe how the procedures for replacement of known or suspected compromised
keys were observed to be implemented.
Identify whether retired or replaced cryptographic keys are retained. If retired or
replaced cryptographic keys are retained:
i. Identify the document which requires that these keys:
o Are securely archived
o Are not used for encryption operations
ii. Describe how the keys were observed to be:
o Securely archived
o Not used for encryption operations
Identify whether manual clear-text cryptographic key management operations are used.
If manual clear-text cryptographic key management operations are used:
Identify the document that defines procedures requiring:
o Split knowledge of keys
o Dual control of keys
Describe how the following procedures were observed to be implemented for manual
clear-text cryptographic key operations:
o Split knowledge of keys
o Dual control of keys
Dashboard columns for this requirement: Priority (C-VT), In place? (Y / N / C), Severity, Proofs / Documentation links, Stage of implementation, Remediation plan, Comments, Owner (Name).
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to c…
The Internet
Wireless technologies
Global System for Mobile communications (GSM)
General Packet Radio Service (GPRS)
Major observations from the 2011 Verizon PCI Compliance Report:
…from 63 percent to 72 percent.
…wireless networks and no longer allow any PCI-regulated traffic containing sensitive cardholder data to flow over the airwaves…
Guidance (SANS Top 20 Critical Security Controls mapping): C15.4.1, C17.6, C7.1, C7.10, NA
Testing Procedure
4.1 Verify the use of security protocols wherever cardholder data is transmitted or
received over open, public networks. Verify that strong cryptography is used during data
transmission, as follows:
4.1.a Select a sample of transactions as they are received and observe transactions as
they occur to verify that cardholder data is encrypted during transit.
4.1.b Verify that only trusted keys and/or certificates are accepted.
4.1.c Verify that the protocol is implemented to use only secure configurations, and
does not support insecure versions or configurations.
4.1.d Verify that the proper encryption strength is implemented for the encryption
methodology in use. (Check vendor recommendations/best practices.)
4.2.a Verify that PAN is rendered unreadable or secured with strong cryptography
whenever it is sent via end-user messaging technologies.
4.2.b Verify the existence of a policy stating that unprotected PANs are not to be sent
via end-user messaging technologies.
For all instances where SSL/TLS is used to encrypt cardholder data over open, public
networks:
i. Describe how observed configurations and processes confirm that:
HTTPS appears as a part of the browser URL.
There is no cardholder data required when HTTPS does not appear in the URL.
Identify all wireless networks transmitting cardholder data or connected to the
cardholder data environment.
For each identified wireless network:
i. Identify the industry best practices used to implement:
o Strong encryption for authentication
o Strong encryption for transmission
ii. Describe how observed wireless configurations and processes confirm that industry
best practices are implemented for:
o Strong encryption for authentication
o Strong encryption for transmission
Identify all instances where PAN is sent via end-user messaging technologies. For
each identified instance:
i. Describe the method used for securing PAN or rendering it unreadable for each end-user messaging technology used.
ii. Describe how the method was observed to be implemented whenever PAN is sent via
these technologies.
Identify the policy document which states that unprotected PANs must not be sent via
end-user messaging technologies.
Dashboard columns for this requirement: Priority (C-VT), In place? (Y / N / C), Severity, Proofs / Documentation links, Stage of implementation, Remediation plan, Comments, Owner.
Malicious software, commonly referred to as malware (including viruses, worms, and Trojans), enters the network during many business approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving … threats.
Requirement 5 (Use…
Guidance (SANS Top 20 Critical Security Controls mapping): C5.1, C5.1, C5.2, C5.3, C5.4, C5.5, C5.2
Testing Procedure
5.1 For a sample of system components including all operating system types commonly
affected by malicious software, verify that anti-virus software is deployed if applicable
anti-virus technology exists.
5.1.1 For a sample of system components, verify that all anti-virus programs detect,
remove, and protect against all known types of malicious software (for example,
viruses, Trojans, worms, spyware, adware, and rootkits).
5.2 Verify that all anti-virus software is current, actively running, and generating logs by
performing the following:
5.2.a Obtain and examine the policy and verify that it requires updating of anti-virus
software and definitions.
5.2.b Verify that the master installation of the software is enabled for automatic updates
and periodic scans.
5.2.c For a sample of system components including all operating system types
commonly affected by malicious software, verify that automatic updates and periodic
scans are enabled.
5.2.d For a sample of system components, verify that anti-virus software log generation
is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7.
Identify the policy document that requires updating of anti-virus software and definitions.
For each master installation, describe how observed configurations and processes confirm
that:
i. Anti-virus software is configured for automatic updates.
ii. Anti-virus software is configured for periodic scans.
iii. Automatic updates are performed.
iv. Periodic scans are performed.
Identify the sample of system components observed (include all operating system types
commonly affected by malicious software).
For each sampled system component, describe how observed configurations and
processes confirm that:
i. Anti-virus software is configured for automatic updates.
ii. Anti-virus software is configured for periodic scans.
iii. Automatic updates are performed.
iv. Periodic scans are performed.
Identify the sample of system components observed.
For each of these samples:
Describe how anti-virus software log generation was observed to be enabled.
Describe how anti-virus logs were observed to be retained in accordance with PCI DSS
10.7:
Audit logs are available for at least one year.
Processes are in place to immediately restore at least the last three months' logs for
analysis.
Dashboard columns for this requirement: Priority (A / B / C-VT), In place? (Y / N / C), Severity, Proofs / Documentation links, Stage of implementation, Remediation plan, Comments, Owner.
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems…
Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities…
Notes:
- Risk rankings should be based on industry best
practices. For example, criteria for ranking High
risk vulnerabilities may include a CVSS base score of
4.0 or above, and/or a vendor-supplied patch
classified by the vendor as critical, and/or a
vulnerability affecting a critical system component.
- The ranking of vulnerabilities as defined in 6.2.a is
considered a best practice until June 30, 2012, after
which it becomes a requirement.
Major observations from the 2011 Verizon PCI Compliance Report:
…e systems and applications) is up from 48 percent overall compliance to 53 percent.
…percent of businesses were able to make certain that all systems were properly patched at the time of the IROC.
Guidance (SANS Top 20 Critical Security Controls mapping): C3.7, C4.1.1, C4.5, C6.6, C19.4, C3.3, C6.3, C20.7, NC, NC, NC, NC, NC, NC, C6.3, NC, C6.7, C6.1, NC, NC, NC, NA, C6.1, NC, C6.1, C13.12, C6.1, C6.3, C11.6
Testing Procedure
6.1.a For a sample of system components and related software, compare the list of
security patches installed on each system to the most recent vendor security patch list,
to verify that current vendor patches are installed.
6.1.b Examine policies related to security patch installation to verify they require
installation of all critical new security patches within one month.
6.2.b Verify that processes to identify new security vulnerabilities include using outside
sources for security vulnerability information.
6.3.a Obtain and examine written software development processes to verify that the
processes are based on industry standards and/or best practices.
6.3.2.a Obtain and review policies to confirm that all custom application code
changes must be reviewed (using either manual or automated processes) as follows:
- Code changes are reviewed by individuals other than the originating code author,
and by individuals who are knowledgeable in code review techniques and secure
coding practices.
- Code reviews ensure code is developed according to secure coding guidelines (see
PCI DSS Requirement 6.5).
- Appropriate corrections are implemented prior to release.
- Code review results are reviewed and approved by management prior to release.
6.3.2.b Select a sample of recent custom application changes and verify that custom
application code is reviewed according to 6.3.2.a, above.
6.4 From an examination of change control processes, interviews with system and
network administrators, and examination of relevant data (network configuration
documentation, production and test data, etc.), verify the following:
6.4.1 The development/test environments are separate from the production
environment, with access control in place to enforce the separation.
6.4.3 Production data (live PANs) are not used for testing or development.
6.4.4 Test data and accounts are removed before a production system becomes
active.
6.4.5.2 Verify that documented approval by authorized parties is present for each
sampled change.
6.4.5.3.a For each sampled change, verify that functionality testing is performed to
verify that the change does not adversely impact the security of the system.
6.4.5.3.b For custom code changes, verify that all updates are tested for compliance
with PCI DSS Requirement 6.5 before being deployed into production.
6.4.5.4 Verify that back-out procedures are prepared for each sampled change.
6.5.a Obtain and review software development processes. Verify that processes require
training in secure coding techniques for developers, based on industry best practices
and guidance.
6.5.b Interview a sample of developers and obtain evidence that they are
knowledgeable in secure coding techniques.
6.5.c Verify that processes are in place to ensure that applications are not vulnerable
to, at a minimum, the following:
6.5.1 Injection flaws, particularly SQL injection. (Validate input to verify user data
cannot modify meaning of commands and queries, utilize parameterized queries, etc.)
6.5.2 Buffer overflow (Validate buffer boundaries and truncate input strings.)
6.5.5 Improper error handling (Do not leak information via error messages)
6.5.7 Cross-site scripting (XSS) (Validate all parameters before inclusion, utilize
context-sensitive escaping, etc.)
6.5.8 Improper Access Control, such as insecure direct object references, failure to
restrict URL access, and directory traversal (Properly authenticate users and sanitize
input. Do not expose internal object references to users.)
6.5.9 Cross-site request forgery (CSRF). (Do not rely on authorization credentials and
tokens automatically submitted by browsers.)
6.6 For public-facing web applications, ensure that one of the following methods is in
place:
- Verify that public-facing web applications are reviewed (using either manual or
automated vulnerability security assessment tools or methods), as follows:
- At least annually
- After any changes
- By an organization that specializes in application security
- That all vulnerabilities are corrected
- That the application is re-evaluated after the corrections
- Verify that a web-application firewall is in place in front of public-facing web
applications to detect and prevent web-based attacks.
Note: An organization that specializes in application security can be either a third-party company or an internal organization, as long as the reviewers specialize in
application security and can demonstrate independence from the development team.
Identify the document requiring that outside sources are used to identify new security
vulnerabilities.
Identify the outside sources used.
Describe how processes were observed to use outside sources to identify new security
vulnerabilities.
Identify the document that defines software development processes based on industry
standards and/or best practice.
Identify the industry standards and/or best practices used.
Identify the documented software development processes that include information
security throughout the software development life cycle.
Identify the documented software development processes that specify how software
applications are developed in accordance with PCI DSS.
Identify the document requiring removal of custom application accounts, user IDs
and/or passwords before the system goes into production or is released to customers.
Identify the responsible personnel interviewed who confirm that custom application
accounts, user IDs and/or passwords are removed before the system goes into
production or is released to customers.
Identify the policy document requiring that all custom application code changes must
be reviewed.
Describe the documented processes used for reviewing custom application code
changes (for example, manual or automated, or a combination of both).
Identify the documents which define processes for custom application code reviews,
and confirm the documented processes require the following:
i. All custom application code changes are reviewed.
ii. Code changes are reviewed by individuals other than the original author.
iii. Code changes are reviewed by individuals who are knowledgeable in code review
techniques.
iv. Code changes are reviewed by individuals who are knowledgeable in secure coding
practices.
v. Code reviews ensure secure coding guidelines have been followed.
vi. Any corrections identified during the code review are implemented prior to release.
vii. Code review results are reviewed by management prior to release.
viii. Code review results are approved by management prior to release.
Identify the document that defines separation of duties between personnel assigned to
the development/test environment and those assigned to the production environment.
Briefly describe how separation of duties is implemented.
Identify the personnel assigned to the development/test environments and those
assigned to the production environment who were interviewed to confirm that
separation of duties is in place.
Describe how separation of duties was observed to be implemented
Identify the document that defines change control procedures for implementation of
security patches and software modifications.
Confirm that the documented procedures require the following for all changes:
i. Documentation of impact
ii. Documented approval by authorized parties
iii. Testing of functionality to ensure the change does not adversely impact the security
of the system
iv. Testing of all custom code updates for compliance with PCI DSS Requirement 6.5 (to
address the vulnerabilities identified in 6.5.1 to 6.5.9)
v. Back-out procedures
Identify the document that defines the process for ensuring all applications are not
vulnerable to injection flaws, particularly SQL injection.
Describe the processes observed to be in place for ensuring that all applications are
not vulnerable to injection flaws, particularly SQL injection.
Identify the document that defines the process for ensuring all applications are not
vulnerable to buffer overflow.
Describe the processes observed to be in place for ensuring that all applications are
not vulnerable to buffer overflow.
Identify the document that defines the process for ensuring all applications are not
vulnerable to insecure cryptographic storage.
Describe the processes observed to be in place for ensuring that all applications are
not vulnerable to insecure cryptographic storage.
Identify the document that defines the process for ensuring all applications are not
vulnerable to insecure communications.
Describe the processes observed to be in place for ensuring that all applications are
not vulnerable to insecure communications.
Identify the document that defines the process for ensuring all applications are not
vulnerable to improper error handling.
Describe the processes observed to be in place for ensuring that all applications are
not vulnerable to improper error handling.
Identify whether a process is in place to ensure all applications are not vulnerable to
High vulnerabilities as identified in PCI DSS Requirement 6.2.
If there is a process in place:
i. Identify the document that defines the process for ensuring that all applications are
not vulnerable to High vulnerabilities as identified in PCI DSS Requirement 6.2.
ii. Describe the processes observed to be in place for ensuring that applications are
not vulnerable to all High vulnerabilities, as identified in PCI DSS Requirement 6.2.
Identify the document that defines the process for ensuring web applications and
application interfaces are not vulnerable to cross-site scripting (XSS).
Describe the processes observed to be in place for ensuring that web applications
and application interfaces are not vulnerable to cross-site scripting (XSS).
Identify the document that defines the process for ensuring web applications and
application interfaces are not vulnerable to improper access control.
Describe the processes observed to be in place for ensuring that web applications and
application interfaces are not vulnerable to improper access control.
Identify the document that defines the process for ensuring web applications and
application interfaces are not vulnerable to cross-site request forgery.
Describe the processes observed to be in place for ensuring that web applications and
application interfaces are not vulnerable to cross-site request forgery.
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
Guidance: SANS Top 20 Critical Security Controls mapping (as extracted, one entry per row): C12.1.1, C12.6, C12.7, NC, C12.1.1, NC
Without a mechanism to restrict access based on
users' need to know, a user may unknowingly be
granted access to cardholder data. Use of an
automated access control system or mechanism is
essential to manage multiple users. This system
should be established in accordance with your
organization's access control policy and processes
(including need to know and role-based access
control), should manage access to all system
components, and should have a default deny-all
setting to ensure no one is granted access until and
unless a rule is established specifically granting such
access.
SANS Top 20 Critical Security Controls mapping (continued, as extracted): C12.14, C15.3, NC, C12.14, NC
Testing Procedure
7.1 Obtain and examine written policy for data control, and verify that the policy
incorporates the following:
7.1.1 Confirm that access rights for privileged user IDs are restricted to least
privileges necessary to perform job responsibilities.
7.1.2 Confirm that privileges are assigned to individuals based on job classification
and function (also called role-based access control or RBAC).
7.1.3 Confirm that documented approval by authorized parties is required (in writing
or electronically) for all access, and that it must specify required privileges.
7.1.4 Confirm that access controls are implemented via an automated access control
system.
7.2 Examine system settings and vendor documentation to verify that an access control
system is implemented as follows:
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Confirm that access control systems are configured to enforce privileges
assigned to individuals based on job classification and function.
7.2.3 Confirm that the access control systems have a default deny-all setting.
Identify the data control policy document which requires that access rights for
privileged user IDs are restricted to the least privileges necessary to perform job
responsibilities.
Identify the data control policy document requiring that privileges are assigned to
individuals based on job classification and function.
Identify the data control policy document that requires the following:
i. Documented approval by authorized parties for all access.
ii. That documented approval must specify the required privileges.
Identify the data control policy document requiring that access controls are
implemented using an automated access control system.
Observations from the 2011 Verizon PCI Compliance Report:
Sub-requirement 8.3 (Ensure proper user authentication and password management for non-consumer users and administrators on all system components) and sub-requirement 8.4 (Render all passwords unreadable during transmission and storage on all system components) …
More than half … Of all the compliance validation te…
Most organizations do communicate their password po…
Guidance: SANS Top 20 Critical Security Controls mapping (as extracted, one entry per row): C12.7, C12.7, C10.6, C13.7, C12.5, C16.9, NC, NC, C16.3, C16.5, C16.4, NC, NC, C12.3, C16.7.2, C12.1.2, C16.7, C16.7.1, C12.8, C1.7.3, C16.8, C16.8.1, C16.4, NC
…accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Testing Procedure
8.1 Verify that all users are assigned a unique ID for access to system components or
cardholder data.
8.2 To verify that users are authenticated using unique ID and additional authentication
(for example, a password) for access to the cardholder data environment, perform the
following:
- Obtain and examine documentation describing the authentication method(s) used.
- For each type of authentication method used and for each type of system component,
observe an authentication to verify authentication is functioning consistent with
documented authentication method(s).
8.3 To verify that two-factor authentication is implemented for all remote network
access, observe an employee (for example, an administrator) connecting remotely to
the network and verify that two of the three authentication methods are used.
8.4.a For a sample of system components, examine password files to verify that
passwords are unreadable during transmission and storage.
8.4.b For service providers only, observe password files to verify that customer
passwords are encrypted.
8.5 Review procedures and interview personnel to verify that procedures are
implemented for user identification and authentication management, by performing the
following:
8.5.1 Select a sample of user IDs, including both administrators and general users.
Verify that each user is authorized to use the system according to policy by performing
the following:
- Obtain and examine an authorization form for each ID.
- Verify that the sampled user IDs are implemented in accordance with the
authorization form (including with privileges as specified and all signatures obtained),
by tracing information from the authorization form to the system.
8.5.3 Examine password procedures and observe security personnel to verify that
first-time passwords for new users, and reset passwords for existing users, are set to a
unique value for each user and changed after first use.
8.5.4 Select a sample of users terminated in the past six months, and review current
user access lists to verify that their IDs have been deactivated or removed.
8.5.5 Verify that inactive accounts over 90 days old are either removed or disabled.
8.5.6.a Verify that any accounts used by vendors to access, support and maintain
system components are disabled, and enabled only when needed by the vendor.
8.5.6.b Verify that vendor remote access accounts are monitored while being used.
8.5.7 Interview the users from a sample of user IDs, to verify that they are familiar
with authentication procedures and policies.
8.5.8.a For a sample of system components, examine user ID lists to verify the
following:
- Generic user IDs and accounts are disabled or removed
- Shared user IDs for system administration activities and other critical functions do
not exist
- Shared and generic user IDs are not used to administer any system components
8.5.9.a For a sample of system components, obtain and inspect system configuration
settings to verify that user password parameters are set to require users to change
passwords at least every 90 days.
8.5.9.b For service providers only, review internal processes and customer/user
documentation to verify that non-consumer user passwords are required to change
periodically and that non-consumer users are given guidance as to when, and under
what circumstances, passwords must change.
8.5.10.b For service providers only, review internal processes and customer/user
documentation to verify that non-consumer user passwords are required to meet
minimum length requirements.
8.5.11.b For service providers only, review internal processes and customer/user
documentation to verify that non-consumer user passwords are required to contain
both numeric and alphabetic characters.
8.5.12.b For service providers only, review internal processes and customer/user
documentation to verify that new non-consumer user passwords cannot be the same
as the previous four passwords.
8.5.13.b For service providers only, review internal processes and customer/user
documentation to verify that non-consumer user accounts are temporarily locked-out
after not more than six invalid access attempts.
8.5.14 For a sample of system components, obtain and inspect system configuration
settings to verify that password parameters are set to require that once a user account
is locked out, it remains locked for a minimum of 30 minutes or until a system
administrator resets the account.
8.5.15 For a sample of system components, obtain and inspect system configuration
settings to verify that system/session idle time out features have been set to 15
minutes or less.
8.5.16.a Review database and application configuration settings and verify that all
users are authenticated prior to access.
8.5.16.b Verify that database and application configuration settings ensure that all
user access to, user queries of, and user actions on (for example, move, copy, delete),
the database are through programmatic methods only (for example, through stored
procedures).
8.5.16.c Verify that database and application configuration settings restrict user
direct access or queries to databases to database administrators.
8.5.16.d Review database applications and the related application IDs to verify that
application IDs can only be used by the applications (and not by individual users or
other processes).
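A check of sampled system configuration settings against the 8.5.9 to 8.5.15 thresholds above, as an added example that is not part of the dashboard or of any PCI SSC material. The settings and their key names are constructed sample data; an absent setting is reported as a finding, and the admin-reset alternative allowed by 8.5.14 is honoured.

```python
from typing import Optional

# Thresholds taken from testing procedures 8.5.9 to 8.5.15.
MAX_PASSWORD_AGE_DAYS = 90      # 8.5.9
MIN_PASSWORD_LENGTH = 7         # 8.5.10
PASSWORD_HISTORY = 4            # 8.5.12
MAX_INVALID_ATTEMPTS = 6        # 8.5.13
MIN_LOCKOUT_MINUTES = 30        # 8.5.14
MAX_IDLE_TIMEOUT_MINUTES = 15   # 8.5.15


def audit_password_settings(settings: dict) -> list[tuple[str, str]]:
    """Return (sub-requirement, detail) for every threshold the settings miss.

    A setting that is absent is itself a finding: a control that is not
    configured cannot be shown to be in place."""
    findings: list[tuple[str, str]] = []

    def get_int(key: str, req: str) -> Optional[int]:
        if settings.get(key) is None:
            findings.append((req, f"{key} not configured"))
            return None
        return int(settings[key])

    # 8.5.9: change at least every 90 days; 0 is the usual "never expires" value.
    age = get_int("max_password_age_days", "8.5.9")
    if age is not None and (age == 0 or age > MAX_PASSWORD_AGE_DAYS):
        findings.append(("8.5.9", f"max age {age} days (0 = never), limit {MAX_PASSWORD_AGE_DAYS}"))

    # 8.5.10: minimum length of seven characters.
    length = get_int("min_password_length", "8.5.10")
    if length is not None and length < MIN_PASSWORD_LENGTH:
        findings.append(("8.5.10", f"min length {length}, required {MIN_PASSWORD_LENGTH}"))

    # 8.5.11: both numeric and alphabetic characters required.
    if not (settings.get("require_alphabetic") and settings.get("require_numeric")):
        findings.append(("8.5.11", "alphabetic and numeric characters not both required"))

    # 8.5.12: none of the previous four passwords may be reused.
    history = get_int("password_history", "8.5.12")
    if history is not None and history < PASSWORD_HISTORY:
        findings.append(("8.5.12", f"history {history}, required {PASSWORD_HISTORY}"))

    # 8.5.13: lock out after at most six invalid attempts; 0 means never lock.
    attempts = get_int("lockout_threshold", "8.5.13")
    if attempts is not None and (attempts == 0 or attempts > MAX_INVALID_ATTEMPTS):
        findings.append(("8.5.13", f"lockout after {attempts} attempts (0 = never), limit {MAX_INVALID_ATTEMPTS}"))

    # 8.5.14 allows either alternative: a timed lockout of at least 30 minutes,
    # or a lockout that persists until an administrator resets the account.
    if not settings.get("lockout_until_admin_reset", False):
        duration = get_int("lockout_duration_minutes", "8.5.14")
        if duration is not None and duration < MIN_LOCKOUT_MINUTES:
            findings.append(("8.5.14", f"lockout {duration} min, minimum {MIN_LOCKOUT_MINUTES}"))

    # 8.5.15: idle timeout of 15 minutes or less; 0 means the timeout is disabled.
    idle = get_int("idle_timeout_minutes", "8.5.15")
    if idle is not None and (idle == 0 or idle > MAX_IDLE_TIMEOUT_MINUTES):
        findings.append(("8.5.15", f"idle timeout {idle} min (0 = off), limit {MAX_IDLE_TIMEOUT_MINUTES}"))

    return findings


# Constructed sample settings for three sampled system components. The key names
# are this example's own, not any product's; map them from the configuration you inspect.
SAMPLE_SYSTEMS = {
    "db-host-01": {  # meets every threshold
        "max_password_age_days": 90, "min_password_length": 8,
        "require_alphabetic": True, "require_numeric": True,
        "password_history": 4, "lockout_threshold": 6,
        "lockout_duration_minutes": 30, "idle_timeout_minutes": 15,
    },
    "web-host-02": {  # the weak settings an assessor typically finds
        "max_password_age_days": 0, "min_password_length": 6,
        "require_alphabetic": True, "require_numeric": False,
        "password_history": 2, "lockout_threshold": 10,
        "lockout_duration_minutes": 5, "idle_timeout_minutes": 60,
    },
    "legacy-app-03": {  # no timed lockout: stays locked until an admin resets it
        "max_password_age_days": 60, "min_password_length": 7,
        "require_alphabetic": True, "require_numeric": True,
        "password_history": 4, "lockout_threshold": 5,
        "lockout_until_admin_reset": True, "idle_timeout_minutes": 15,
    },
}


def failed_requirements(systems: dict) -> dict:
    """Audit each sampled system: {system name: sorted failed sub-requirement ids}."""
    return {name: sorted(req for req, _ in audit_password_settings(cfg))
            for name, cfg in systems.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLE_SYSTEMS.items():
        for req, detail in audit_password_settings(cfg):
            print(f"{name}: {req} not in place: {detail}")
```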
Observations from the 2011 Verizon PCI Compliance Report (continued):
…time of the IROC.
…age of 77 percent at the time of IROC.
…policies to all users who have access to cardholder data) rate among the best implemented compliance test procedures wit…
…Require a minimum password length of at least seven characters) were the least compliant at the time of IROC.
…difficulty enforcing them across all computing devices.
Identify the document that requires two-factor authentication for remote access by:
i. Employees (users)
ii. Administrators
iii. Third parties
Describe the two-factor authentication technologies implemented for remote access to
the network.
For each identified technology:
Identify the personnel (for example, an administrator) observed connecting remotely to
the network.
Describe how two-factor authentication was observed to be required for remote access
to the network.
Identify which two factors are used:
Something you know, Something you are, Something you have.
Describe the non-face-to-face methods used for requesting password resets. For each
of these methods:
Identify the related documented procedures and confirm the procedures require the
user's identity to be verified before the password is reset.
Describe how security personnel responsible for resetting passwords were observed to
verify user identities before resetting the passwords.
Identify the documented procedures for issuing first-time passwords for new users,
and confirm the procedures require:
i. First-time passwords must be set to a unique value for each user.
ii. First-time passwords must be changed after the first use.
Describe how security personnel responsible for assigning first-time passwords were
observed to:
i. Set first-time passwords to a unique value for each new user.
ii. Set first-time passwords to be changed after first use.
Identify the documented procedures for resetting passwords for existing users, and
confirm the procedures require:
i. Reset passwords must be set to a unique value for each user.
ii. Reset passwords must be changed after the first use.
Describe how security personnel responsible for resetting passwords were observed
to:
i. Set reset passwords to a unique value for each existing user.
ii. Set reset passwords to be changed after first use.
Identify the document requiring that access be immediately revoked for any
terminated users. Identify the sample of users terminated in the past six months.
For each sampled user, describe how the user account was observed to be
deactivated or removed from user access lists.
Identify the document requiring that inactive user accounts over 90 days old are either
removed or disabled.
Describe how user accounts inactive over 90 days old were observed to be disabled or
removed.
Identify the document requiring that accounts used by vendors to access, support and
maintain system components are:
i. Disabled when not being used
ii. Enabled only when needed
Briefly describe the implemented processes for:
i. Disabling vendor accounts when not being used.
ii. Enabling vendor accounts only when needed.
Describe how vendor accounts were observed to be enabled or disabled according
to the documented processes.
Identify the document requiring that accounts used by vendors are monitored while
being used. Describe how vendor accounts were observed to be monitored while being
used.
Identify the sample of user IDs.
For each user ID in the sample, describe how the interviewed users demonstrated that
they are familiar with authentication procedures and policies.
Identify the sample of system components observed. For each sampled system
component:
Describe the system configuration settings inspected.
Identify the number of previously used passwords that cannot be the same as a new
password, as observed in the system configuration settings.
If the entity being assessed is a service provider:
Identify the customer/user documentation that requires new non-consumer user
passwords to not be the same as the previous four passwords.
Describe how the observed processes confirm that new non-consumer user
passwords cannot be the same as the previous four passwords.
Identify the sample of system components observed. For each sampled system
component:
i. Describe the system configuration settings inspected.
ii. Identify the number of invalid logon attempts that result in user accounts being
locked out, as observed in the system configuration settings.
If the entity being assessed is a service provider:
Identify the customer/user documentation that requires non-consumer user
passwords to be temporarily locked out after not more than six invalid access
attempts.
Describe how the observed processes confirm that non-consumer user passwords
are temporarily locked out after no more than six invalid access attempts.
Identify the sample of system components observed. For each sampled system
component:
i. Describe the system configuration settings inspected.
ii. Identify which of the following was observed to be required once a user account is
locked out:
The user account remains locked for a minimum of 30 minutes; or
The user account remains locked until a system administrator resets the account.
Identify the sample of system components observed. For each sampled system
component:
i. Describe the system configuration settings which were inspected.
ii. Identify to what time (in minutes) that system and/or session idle time-out features
are set, as observed in the system configuration settings.
iii. Describe how the system and/or session idle time-out features were observed to
require the user to re-authenticate to re-activate the terminal or session.
Identify all databases containing cardholder data. For each database containing
cardholder data:
i. Describe how authentication is managed (for example, via application and/or
database interfaces).
ii. Describe how database and/or application configuration settings were observed to
authenticate all users prior to access.
Guidance: SANS Top 20 Critical Security Controls mapping (as extracted, one entry per row): NC, NC, NC, NC, NC, NC, NC, NC
A visitor log documenting minimum information on
the visitor is easy and inexpensive to maintain and
will assist, during a potential data breach
investigation, in identifying physical access to a
building or room, and potential access to cardholder
data. Consider implementing logs at the entry to
facilities and especially into zones where cardholder
data is present.
SANS Top 20 Critical Security Controls mapping (continued, as extracted): NC, C8.4, C8.4, NC, NC, NC
Media may be lost or stolen if sent via a non-trackable method such as regular postal mail. Use
the services of a secure courier to deliver any
media that contains cardholder data, so that you
can use their tracking systems to maintain
inventory and location of shipments.
Cardholder data leaving secure areas without a
process approved by management can lead to lost or
stolen data. Without a firm process, media locations
are not tracked, nor is there a process for where the
data goes or how it is protected.
SANS Top 20 Critical Security Controls mapping (continued, as extracted): NC, NC, NC, NC, NC
…individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, onsite personnel refers to ful… more than one day. Media refers to all paper and electronic media containing cardholder data.
Observations from the 2011 Verizon Compliance Report:
Sub-requirements 9.3, 9.4 (employee/visitor controls), and 9.6 (secure physical delivery) rate among the best implemented compliance test procedures…
Only about half (55 percent) of organizations fully met Requirement 9 at the time of IROC.
On average, 84 percent of tests were fully met in Requirement 9 at the time of IROC, a seven percent reduction from our 2010 report.
…challenging sub-control, at time of IROC, is 9.9.1: Properly maintain inventory logs of all media and conduct media inventories at least annually.
Testing Procedure
Verify the existence of physical security controls for each computer room, data center,
and other physical areas with systems in the cardholder data environment.
- Verify that access is controlled with badge readers or other devices including
authorized badges and lock and key.
- Observe a system administrator's attempt to log into consoles for randomly selected
systems in the cardholder environment and verify that they are locked to prevent
unauthorized use.
9.1.1.a Verify that video cameras and/or access control mechanisms are in place to
monitor the entry/exit points to sensitive areas.
9.1.1.b Verify that video cameras and/or access control mechanisms are protected
from tampering or disabling.
9.1.1.c Verify that video cameras and/or access control mechanisms are monitored
and that data from cameras or other mechanisms is stored for at least three months.
9.1.3 Verify that physical access to wireless access points, gateways, handheld
devices, networking/communications hardware, and telecommunication lines is
appropriately restricted.
9.2.a Review processes and procedures for assigning badges to onsite personnel and
visitors, and verify these processes include the following:
- Granting new badges,
- Changing access requirements, and
- Revoking terminated onsite personnel and expired visitor badges
9.2.b Verify that access to the badge system is limited to authorized personnel.
9.2.c Examine badges in use to verify that they clearly identify visitors and it is easy to
distinguish between onsite personnel and visitors.
9.3.1 Observe the use of visitor ID badges to verify that a visitor ID badge does not
permit unescorted access to physical areas that store cardholder data.
9.3.2.a Observe people within the facility to verify the use of visitor ID badges, and
that visitors are easily distinguishable from onsite personnel.
9.3.2.b Verify that visitor badges expire.
9.3.3 Observe visitors leaving the facility to verify visitors are asked to surrender their
ID badge upon departure or expiration.
9.4.a Verify that a visitor log is in use to record physical access to the facility as well as
for computer rooms and data centers where cardholder data is stored or transmitted.
9.4.b Verify that the log contains the visitor's name, the firm represented, and the
onsite personnel authorizing physical access, and is retained for at least three months.
9.5.a Observe the storage location's physical security to confirm that backup media
storage is secure.
9.5.b Verify that the storage location security is reviewed at least annually.
9.6 Verify that procedures for protecting cardholder data include controls for physically
securing all media (including but not limited to computers, removable electronic media,
paper receipts, paper reports, and faxes).
9.7 Verify that a policy exists to control distribution of media, and that the policy covers
all distributed media including that distributed to individuals.
9.7.1 Verify that all media is classified so the sensitivity of the data can be
determined.
9.7.2 Verify that all media sent outside the facility is logged and authorized by
management and sent via secured courier or other delivery method that can be
tracked.
9.8 Select a recent sample of several days of offsite tracking logs for all media, and
verify the presence in the logs of tracking details and proper management authorization.
9.9 Obtain and examine the policy for controlling storage and maintenance of all media
and verify that the policy requires periodic media inventories.
9.9.1 Obtain and review the media inventory log to verify that periodic media
inventories are performed at least annually.
9.10 Obtain and examine the periodic media destruction policy and verify that it covers
all media, and confirm the following:
9.10.1.a Verify that hard-copy materials are cross-cut shredded, incinerated, or pulped
such that there is reasonable assurance the hard-copy materials cannot be
reconstructed.
9.10.1.b Examine storage containers used for information to be destroyed to verify
that the containers are secured. For example, verify that a to-be-shredded container
has a lock preventing access to its contents.
9.10.2 Verify that cardholder data on electronic media is rendered unrecoverable via a
secure wipe program in accordance with industry-accepted standards for secure
deletion, or otherwise physically destroying the media (for example, degaussing).
… should be appropriately restricted. For the purposes of Requirement 9, onsite personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity's premises.
Identify the documented processes and procedures for assigning badges to onsite
personnel, and verify the processes include:
i. Granting new badges
ii. Changing access requirements
iii. Revoking badges for terminated onsite personnel
Describe how the documented procedures for assigning badges to onsite personnel
were observed to be implemented, including:
i. Granting new badges
ii. Changing access requirements
iii. Revoking badges for terminated onsite personnel
Identify the documented processes and procedures for assigning badges to visitors,
and verify the processes include:
i. Granting new badges
ii. Changing access requirements
iii. Expiration of visitor badges
Describe how the documented procedures for assigning badges to visitors were
observed to be implemented, including:
i. Granting new badges
ii. Changing access requirements
iii. Expiration of visitor badges
Identify the document which identifies personnel who are authorized to access the
badge system.
Describe how access to the badge system was observed to be restricted to authorized
personnel.
Briefly describe the badges observed for onsite personnel and visitors. Describe how
badges clearly identify visitors.
Describe how badges distinguish onsite personnel from visitors.
Describe how the use of visitor badges was observed to verify that the visitor ID badge
does not permit unescorted access to physical areas that store cardholder data.
Describe how people within the facility were observed to use visitor ID badges.
Describe how observed visitors within the facility are easily distinguished from
onsite personnel.
Describe how visitor badges were observed to expire.
Describe how observed visitors were asked to surrender their ID badge upon departure
or expiration.
Describe how a visitor log was observed to be in use to record physical access to:
The facility
Computer rooms and data centers where cardholder data is stored or transmitted
Describe how the visitor log was observed to contain:
i. Visitor name
ii. Firm represented
iii. Onsite personnel authorizing physical access
Identify the defined retention period for visitor logs.
Describe how visitor logs were observed to be retained for at least three months.
Identify all locations where backup media is stored.
Describe how the observed physical security of each storage area ensures that backup
media is stored securely.
Identify the document that defines the process for reviewing the security of each
storage location at least annually.
Describe how it was observed that reviews of the security of each storage location are
performed at least annually.
Identify the documented procedures for protecting cardholder data, and confirm that the
procedures include controls for physically securing all media.
For each type of media used:
i. Briefly describe the controls for physically securing the media.
ii. Describe how the documented controls were observed to be implemented
Identify the policy document that defines controls for distribution of media. Describe
how the policy covers all distributed media.
Describe how the policy covers media distributed to individuals.
Describe the documented process for destruction of electronic media, including details
of methods used for:
i. Secure wiping of media, and/or
ii. Physical destruction of media
Describe how the observed processes ensure that data is rendered unrecoverable.
If data is rendered unrecoverable via secure deletion or a secure wipe program,
identify the industry-accepted standards used.
Dashboard columns: Priority (C-VT, Intermediary Control), In Place?, Severity, Proofs / Documentation links, Stage of implementation, Remediation plan, Comments, Owner.
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible …
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Verizon PCI Compliance Report:
… most challenging key controls to meet.
… Requirement 10 at the time of IROC, representing a 13 percent increase from last year's data set.
… of tests in Requirement 10 at time of IROC, a five percent decrease from 2010.
… to be 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts. File-integrity monitoring can be extremely com…
… Requirement 10 are the failure or inability to invest in a capable automated tool (log aggregator) to monitor logs on a daily basis, not maintaining security procedures to trigger a response to an exception rep…
Guidance: SANS Top 20 Critical Security Controls mapping
Testing Procedure
10.1 Verify through observation and interviewing the system administrator, that audit
trails are enabled and active for system components.
10.2 Through interviews, examination of audit logs, and examination of audit log
settings, perform the following:
10.2.2 Verify actions taken by any individual with root or administrative privileges are
logged.
10.2.7 Verify creation and deletion of system level objects are logged.
10.3 Through interviews and observation, for each auditable event (from 10.2), perform
the following:
10.4.a Verify that time-synchronization technology is implemented and kept current per
PCI DSS Requirements 6.1 and 6.2.
10.4.b Obtain and review the process for acquiring, distributing and storing the correct
time within the organization, and review the time-related system-parameter settings for
a sample of system components. Verify the following is included in the process and
implemented:
10.4.1.a Verify that only designated central time servers receive time signals from
external sources, and time signals from external sources are based on International
Atomic Time or UTC.
10.4.3 Verify that the time servers accept time updates from specific, industry-accepted
external sources (to prevent a malicious individual from changing the clock).
Optionally, those updates can be encrypted with a symmetric key, and access control
lists can be created that specify the IP addresses of client machines that will be
provided with the time updates (to prevent unauthorized use of internal time servers).
10.5 Interview system administrator and examine permissions to verify that audit trails
are secured so that they cannot be altered as follows:
10.5.1 Verify that only individuals who have a job-related need can view audit trail
files.
10.5.2 Verify that current audit trail files are protected from unauthorized
modifications via access control mechanisms, physical segregation, and/or network
segregation.
10.5.3 Verify that current audit trail files are promptly backed up to a centralized log
server or media that is difficult to alter.
10.5.4 Verify that logs for external-facing technologies (for example, wireless,
firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log
server or media.
10.5.5 Verify the use of file-integrity monitoring or change- detection software for logs
by examining system settings and monitored files and results from monitoring
activities.
10.6.a Obtain and examine security policies and procedures to verify that they include
procedures to review security logs at least daily and that follow-up to exceptions is
required.
10.6.b Through observation and interviews, verify that regular log reviews are
performed for all system components.
10.7.a Obtain and examine security policies and procedures and verify that they include
audit log retention policies and require audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and processes are in
place to immediately restore at least the last three months' logs for analysis.
Identify the responsible personnel interviewed who confirm that all individual access to
cardholder data is logged.
Describe how configuration settings were observed to log all individual access to
cardholder data.
Describe how observed audit logs include all individual access to cardholder data.
Identify the responsible personnel interviewed who confirm that actions taken by any
individual with root or administrative privileges are logged.
Describe how configuration settings were observed to log all actions taken by any
individual with root or administrative privileges.
Describe how observed audit logs include all actions taken by any individual with
root or administrative privileges.
Identify the responsible personnel interviewed who confirm that access to all audit
trails is logged.
Describe how configuration settings were observed to log access to all audit trails.
Describe how observed audit logs include access to all audit trails.
Identify the responsible personnel interviewed who confirm that invalid logical access
attempts are logged.
Describe how configuration settings were observed to log invalid logical access
attempts. Describe how observed audit logs include invalid logical access attempts.
Identify the responsible personnel interviewed who confirm that the use of
identification and authentication mechanisms is logged.
Describe how configuration settings were observed to log the use of identification
and authentication mechanisms.
Describe how observed audit logs include use of identification and authentication
mechanisms.
Identify the responsible personnel interviewed who confirm that the initialization of
audit logs is logged.
Describe how configuration settings were observed to log the initialization of audit
logs. Describe how observed audit logs include initialization of audit logs.
Identify the responsible personnel interviewed who confirm that the following are
logged:
i. Creation of system level objects
ii. Deletion of system level objects
Describe how configuration settings were observed to log:
i. Creation of system level objects
ii. Deletion of system level objects
Describe how observed audit logs include:
Creation of system level objects and Deletion of system level objects
Identify the document that defines processes for acquiring, distributing, and storing
the correct time within the organization, and confirm the processes require that:
i. Only designated central time servers receive time signals from external sources.
ii. Time signals from external sources are based on International Atomic Time or UTC.
Identify the sample of system components observed.
Describe how configuration settings observed on the sampled system components
confirm that:
i. Only designated central time servers receive time signals from external sources.
ii. Time signals from external sources are based on International Atomic Time or UTC.
Describe how time synchronization processes were observed to verify that only
designated central time servers receive time signals from external sources.
Identify the document requiring that:
i. Time signals from external sources are based on International Atomic Time or UTC.
ii. The designated central time servers peer with each other to keep accurate time.
iii. Other internal time servers receive time from the central time servers.
Identify the sample of system components observed.
Describe how configuration settings observed on the sampled system components
confirm the above.
Describe how time synchronization processes were observed to verify the above.
Identify the document that:
i. Requires that access to time data is restricted to only personnel with a business
need to access time data.
ii. Defines which personnel have a business need to access time data.
Identify the authorized personnel interviewed who confirm that personnel with
access to time data have a business need to access time data.
Identify the sample of system components observed.
Describe how configuration settings on the sampled system components were
observed to restrict access to time data to only personnel with a documented business
need.
Identify the document that defines how time settings are received from industry-accepted
time sources.
Describe how configuration settings on time servers were observed to receive time
updates from specific, industry-accepted external sources.
Describe how time synchronization processes were observed to verify that the time
servers receive time updates from specific, industry-accepted external sources.
Optionally:
Identify the document that defines how time updates are encrypted with a symmetric
key, and access control lists specify the IP addresses of client machines to be provided
with the time updates.
Describe how configuration settings on time servers were observed to encrypt time
updates with a symmetric key.
Describe how access control lists were observed to specify the IP addresses of client
machines to be provided with the time updates.
Describe how time synchronization processes were observed to verify that time
updates are encrypted with a symmetric key, and access control lists are implemented
to specify the IP addresses of client machines.
Identify the document defining which personnel have a job-related need to view audit
trail files. Identify the authorized personnel interviewed who confirm that all
personnel with access to view audit trail files have a business need to do so.
Describe how observed system and audit log permission settings restrict viewing of
audit trail files to only individuals who have a documented job-related need.
Describe how observed access to audit logs confirms that only individuals with a
job-related need can view the audit trail files.
Describe the methods used to protect audit trail files from unauthorized modifications
(e.g., via access control mechanisms, physical segregation, and/or network
segregation).
Describe how system configurations and audit log settings were observed to protect
audit trail files from unauthorized modifications.
Describe how observed access to audit logs confirms that audit trail files are protected
from unauthorized modifications.
Identify and briefly describe:
i. The centralized log server or media that audit trail files are backed up to
ii. How frequently the audit trail files are backed up, and how the frequency is
appropriate
iii. How the centralized log server or media is difficult to alter
Identify the responsible personnel interviewed who confirm:
i. That current audit trail files are promptly backed up to the centralized log server or
media.
ii. The frequency that audit trail files are backed up
iii. That the centralized log server or media is difficult to alter.
Describe how observed system and audit log settings are configured to promptly
back up audit trail files to the centralized log server or media.
Describe how audit logs were observed to be promptly backed up to the centralized
log server or media.
Describe how logs for external-facing technologies (for example, wireless, firewalls,
DNS, mail) are offloaded or copied onto a secure centralized internal log server or
media.
Identify the responsible personnel interviewed who confirm that logs for external-facing
technologies are offloaded or copied onto a secure, centralized internal log server or media.
Describe how observed external-facing system and audit log settings are configured
to offload or copy logs onto a secure centralized internal log server or media.
Describe how logs for external-facing technologies were observed to be located on
the centralized internal log server or media.
Identify the file-integrity monitoring (FIM) or change-detection software in use.
Identify the personnel responsible for monitoring FIM and/or change-detection
software, who were interviewed to confirm that audit log files are monitored.
Describe how system settings were observed to monitor logs to ensure that existing
log data cannot be changed without generating alerts.
Describe how observed results from monitoring activities confirm that log data
cannot be changed without generating alerts.
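The 10.5.5 semantics above (alert when existing log data is altered or truncated, but not when new data is appended) can be checked with an append-aware integrity monitor. The following is an added Python example, not part of the dashboard or any FIM product: it records the log's length and the SHA-256 of that prefix as a baseline, then re-hashes only that prefix on each check. The file name and log lines are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 16


@dataclass
class LogBaseline:
    """What was recorded at the last check: the log's length at that time, and
    the SHA-256 of exactly those bytes."""
    length: int
    digest: str


def _hash_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of the file (streamed, not slurped)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(path: str) -> LogBaseline:
    size = os.path.getsize(path)
    return LogBaseline(size, _hash_prefix(path, size))


def check_log(path: str, baseline: LogBaseline) -> tuple:
    """Compare the current file with the baseline. Returns (verdict, new_baseline):
      "unchanged" - same length, same bytes
      "appended"  - longer, and the old prefix still hashes the same (no alert)
      "truncated" - shorter than the baseline (alert)
      "modified"  - the old prefix no longer hashes the same (alert)
    The prefix hash is compared before the equal-size short cut, so an in-place
    edit that keeps the file size is still caught."""
    size = os.path.getsize(path)
    if size < baseline.length:
        return "truncated", take_baseline(path)
    if _hash_prefix(path, baseline.length) != baseline.digest:
        return "modified", take_baseline(path)
    if size == baseline.length:
        return "unchanged", baseline
    return "appended", take_baseline(path)


def alerts_for(verdict: str) -> bool:
    """10.5.5: only changes to existing data raise an alert; appends do not."""
    return verdict in ("truncated", "modified")


def demo() -> list:
    """Constructed scenario: append (no alert), same-size edit (alert), wipe (alert)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")           # constructed log file
        with open(path, "w") as fh:
            fh.write("Jan 10 12:00:01 host sshd[100]: Accepted publickey for alice\n")
        base = take_baseline(path)

        with open(path, "a") as fh:                    # normal growth of the log
            fh.write("Jan 10 12:05:09 host sshd[101]: Failed password for root\n")
        v1, base = check_log(path, base)

        with open(path) as fh:                         # tamper without changing size
            data = fh.read()
        with open(path, "w") as fh:
            fh.write(data.replace("Failed password", "Accept password"))
        v2, base = check_log(path, base)

        with open(path, "w"):                          # wipe the log entirely
            pass
        v3, _ = check_log(path, base)
    return [v1, v2, v3]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict, "-> alert" if alerts_for(verdict) else "-> no alert")
```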
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls conti…
Verizon PCI Compliance Report:
… Requirement 11 at the time of IROC
… PCI DSS standard
… of tests in Requirement 11 at time of IROC, a five percent drop from 2010.
… meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity m…
… requirements of 11.2.
… quarterly) combined with the expectation that findings are remediated and re-tested.
… in our sample from being able to present four passing external and internal scans.
… external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (Requirement 11.3).
Guidance: SANS Top 20 Critical Security Controls mapping
Testing Procedure
11.1.a Verify that the entity has a documented process to detect and identify wireless
access points on a quarterly basis.
11.1.b Verify that the methodology is adequate to detect and identify any unauthorized
wireless access points, including at least the following:
- WLAN cards inserted into system components
- Portable wireless devices connected to system components (for example, by USB, etc.)
- Wireless devices attached to a network port or network device
11.1.c Verify that the documented process to identify unauthorized wireless access
points is performed at least quarterly for all system components and facilities.
11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.),
verify the configuration will generate alerts to personnel.
11.1.e Verify the organization's incident response plan (Requirement 12.9) includes a
response in the event unauthorized wireless devices are detected.
11.2 Verify that internal and external vulnerability scans are performed as follows:
11.2.1.a Review the scan reports and verify that four quarterly internal scans
occurred in the most recent 12-month period.
11.2.1.b Review the scan reports and verify that the scan process includes rescans
until passing results are obtained, or all High vulnerabilities as defined in PCI DSS
Requirement 6.2 are resolved.
11.2.1.c Validate that the scan was performed by a qualified internal resource(s) or
qualified external third party, and if applicable, organizational independence of the
tester exists (not required to be a QSA or ASV).
11.2.2.a Review output from the four most recent quarters of external vulnerability
scans and verify that four quarterly scans occurred in the most recent 12-month
period.
11.2.2.b Review the results of each quarterly scan to ensure that they satisfy the ASV
Program Guide requirements (for example, no vulnerabilities rated higher than a 4.0
by the CVSS and no automatic failures).
11.2.2.c Review the scan reports to verify that the scans were completed by an
Approved Scanning Vendor (ASV), approved by the PCI SSC.
11.2.3.a Inspect change control documentation and scan reports to verify that system
components subject to any significant change were scanned.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
- For external scans, no vulnerabilities exist that are scored greater than a 4.0 by the
CVSS,
- For internal scans, a passing result is obtained or all High vulnerabilities as defined
in PCI DSS Requirement 6.2 are resolved.
11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or
qualified external third party, and if applicable, organizational independence of the
tester exists (not required to be a QSA or ASV).
11.3.a Obtain and examine the results from the most recent penetration test to verify
that penetration testing is performed at least annually and after any significant changes
to the environment.
11.3.b Verify that noted exploitable vulnerabilities were corrected and testing repeated.
(SANS C17.3)
11.3.c Verify that the test was performed by a qualified internal resource or qualified
external third party, and if applicable, organizational independence of the tester exists
(not required to be a QSA or ASV).
11.3.1 Verify that the penetration test includes network-layer penetration tests. These
tests should include components that support network functions as well as operating
systems.
11.3.2 Verify that the penetration test includes application-layer penetration tests.
The tests should include, at a minimum, the vulnerabilities listed in Requirement 6.5.
11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected
compromises.
11.4.c Examine IDS/IPS configurations and confirm IDS/IPS devices are configured,
maintained, and updated per vendor instructions to ensure optimal protection.
11.5.a Verify the use of file-integrity monitoring tools within the cardholder data
environment by observing system settings and monitored files, as well as reviewing
results from monitoring activities. Examples of files that should be monitored:
- System executables
- Application executables
- Configuration and parameter files
- Centrally stored, historical or archived, log and audit files
11.5.b Verify the tools are configured to alert personnel to unauthorized modification of
critical files, and to perform critical file comparisons at least weekly.
Identify the personnel who perform the process who were interviewed to confirm that:
i. The process is performed at least quarterly
ii. The process covers all system components
iii. The process covers all facilities
Describe how observed results of previously performed processes confirm that:
The process is performed at least quarterly
The process covers all system components
The process covers all facilities
Identify and describe any automated monitoring technologies in use (for example,
wireless IDS/IPS, NAC, etc.)
For each automated monitoring technology in use:
i. Describe how the observed technology is configured to generate alerts to personnel.
ii. Describe how alerts to personnel were observed to be generated.
iii. Identify the personnel responsible for receiving the alerts, who were interviewed to
confirm that the generated alerts are received as intended.
Identify the Incident Response Plan document that defines response procedures in the
event unauthorized wireless devices are detected.
Identify the responsible personnel interviewed who confirm that, in the event
unauthorized wireless devices are detected, the documented response is followed.
Identify the internal scan report documents that verify four quarterly internal scans
occurred in the most recent 12-month period.
For each of the four internal quarterly scans performed in the most recent 12-month
period, identify the following:
i. Date quarterly scan was performed
ii. Result of scan
Identify the document that defines the process for performing rescans as part of the
quarterly internal scan process.
Identify personnel interviewed who confirm that the documented rescan process is
followed for quarterly internal scans.
For each of the four internal quarterly scans identified in 11.2.1.a, identify the
following:
i. Whether a rescan was required
ii. Details of how rescans were performed until either:
o Passing results are obtained, or
o All High vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
From the scan reports, identify whether internal and/or external resources perform
internal scans.
Identify the interviewed personnel who performed the scans, and describe how the
personnel demonstrated they are qualified to perform the scans.
Describe how organizational independence of the tester was observed to exist.
Identify the external scan report documents that verify four quarterly external scans
occurred in the most recent 12-month period.
Describe how the external scan reports verify that the scans satisfy the ASV Program
Guide requirements (for example, no vulnerabilities rated higher than a 4.0 by the
CVSS and no automatic failures).
Describe how the external scan reports verify that the scans were completed by a PCI
SSC-Approved Scanning Vendor (ASV).
Identify the document that defines the process for performing internal and external
scans after any significant change.
Identify whether any significant changes were made to internal and/or external
system components during the past 12 months.
Identify change control documentation containing details of the identified changes.
Describe how the change control documentation and scan reports confirm that all
system components subject to significant change were scanned after the change.
For all scans reviewed in 11.2.3.a, identify the following:
i. Whether a rescan was required
ii. Details of how rescans were performed until:
o For external scans: no vulnerabilities with a CVSS score greater than 4.0 exist.
o For internal scans: either passing results were obtained, or all High vulnerabilities
as defined in PCI DSS Requirement 6.2 were resolved.
Identify personnel interviewed to confirm that the process for performing scans
after significant changes includes rescans as defined.
From the scan reports, identify whether internal and/or external resources perform the
scans. Identify the interviewed personnel who perform the scans, and describe how
the personnel demonstrated they are qualified to perform the scans.
Describe how organizational independence of the tester was observed to exist.
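Added Python example (not part of the dashboard) applying the rescan and quarterly-coverage rules of 11.2.1, 11.2.2 and 11.2.3 above to a constructed scan history: an external scan passes when no finding scores above 4.0 CVSS and no ASV automatic failure is reported, an internal scan passes when no High (Requirement 6.2) finding remains, and each of the four quarters in the trailing 12 months must contain at least one passing scan or rescan. The Finding/Scan structures and the sample data are assumptions, not a scanner's real report format.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Finding:
    """One vulnerability from a scan report (constructed shape, not a real ASV format)."""
    name: str
    cvss: float          # CVSS base score reported by the scanner
    high_per_6_2: bool   # rated "High" under the entity's Requirement 6.2 risk ranking


@dataclass
class Scan:
    performed: date
    kind: str                        # "external" (ASV) or "internal"
    findings: list = field(default_factory=list)
    automatic_failure: bool = False  # ASV Program Guide automatic-failure condition seen


def scan_passes(scan: Scan) -> bool:
    """11.2.2.b / 11.2.3.b passing rule for a single scan or rescan."""
    if scan.kind == "external":
        # External: nothing above 4.0 CVSS and no automatic failure.
        return not scan.automatic_failure and all(f.cvss <= 4.0 for f in scan.findings)
    # Internal: no High vulnerabilities (as ranked per Requirement 6.2) remain.
    return not any(f.high_per_6_2 for f in scan.findings)


def _quarter(d: date) -> tuple:
    return d.year, (d.month - 1) // 3 + 1


def _previous_quarter(yq: tuple) -> tuple:
    year, q = yq
    return (year - 1, 4) if q == 1 else (year, q - 1)


def quarterly_status(scans: list, kind: str, as_of: date) -> dict:
    """11.2.1.a / 11.2.2.a: for the quarter containing `as_of` and the three
    before it, report "passed" (some scan or rescan in the quarter passes),
    "failed" (scans ran but none passed, i.e. rescans were not carried to a
    passing result) or "missing" (no scan of that kind in the quarter)."""
    quarters = [_quarter(as_of)]
    for _ in range(3):
        quarters.append(_previous_quarter(quarters[-1]))
    status = {}
    for yq in reversed(quarters):               # oldest quarter first
        in_quarter = [s for s in scans if s.kind == kind and _quarter(s.performed) == yq]
        if not in_quarter:
            status[yq] = "missing"
        elif any(scan_passes(s) for s in in_quarter):
            status[yq] = "passed"
        else:
            status[yq] = "failed"
    return status


def four_passing_quarters(scans: list, kind: str, as_of: date) -> bool:
    """True only when every one of the last four quarters has a passing scan."""
    return all(v == "passed" for v in quarterly_status(scans, kind, as_of).values())


def sample_scans() -> list:
    """Constructed scan history for the 12 months ending May 2012 (not real data)."""
    return [
        # External (ASV) scans: Q4 2011 failed on a 5.0 finding and was rescanned.
        Scan(date(2011, 8, 15), "external"),
        Scan(date(2011, 11, 2), "external", [Finding("SSLv2 enabled", 5.0, True)]),
        Scan(date(2011, 11, 20), "external"),
        Scan(date(2012, 2, 7), "external", [Finding("TRACE method enabled", 2.6, False)]),
        Scan(date(2012, 5, 3), "external"),
        # Internal scans: nothing in Q4 2011, and the Q1 2012 High was never rescanned.
        Scan(date(2011, 9, 1), "internal"),
        Scan(date(2012, 3, 12), "internal", [Finding("Unpatched file-sharing service", 9.3, True)]),
        Scan(date(2012, 4, 9), "internal"),
    ]


if __name__ == "__main__":
    today = date(2012, 5, 31)
    for kind in ("external", "internal"):
        print(kind, quarterly_status(sample_scans(), kind, today),
              "four passing quarters:", four_passing_quarters(sample_scans(), kind, today))
```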
Identify the documented penetration test results which confirm:
i. Internal penetration tests are performed annually.
ii. External penetration tests are performed annually.
Identify whether any significant infrastructure or application upgrade or modification
occurred during the past 12 months.
Identify the documented penetration test results confirming that penetration tests are
performed after:
i. Significant internal infrastructure or application upgrade.
ii. Significant external infrastructure or application upgrade.
Identify whether any exploitable vulnerabilities were noted in the most recent:
i. Internal penetration test results
ii. External penetration test results
Identify the interviewed personnel who confirm that all noted exploitable
vulnerabilities were corrected.
Identify the documented penetration test results confirming that:
i. Testing was repeated.
ii. All noted exploitable vulnerabilities were corrected.
Identify whether internal or external resources performed the penetration tests.
Identify the interviewed personnel who performed the tests and describe how the
personnel demonstrated that they are qualified for such tests.
Describe how organizational independence is ensured.
Identify the documented results from the most recent penetration tests confirming that:
i. Internal penetration testing includes network-layer penetration tests.
ii. External penetration testing includes network-layer penetration tests.
iii. The network-layer penetration tests include:
o Components that support network functions
o Operating systems
Identify the responsible personnel interviewed who confirm that:
i. Internal penetration testing includes network-layer penetration tests.
ii. External penetration testing includes network-layer penetration tests.
iii. The network-layer penetration tests include:
o Components that support network functions
o Operating systems
Identify the documented results from the most recent penetration tests confirming that:
i. Internal penetration testing includes application-layer penetration tests.
ii. External penetration testing includes application-layer penetration tests.
iii. The application-layer tests include, at a minimum, the vulnerabilities listed in PCI DSS
Requirement 6.5.
Identify the responsible personnel interviewed who confirm that:
Requirement 12: Maintain a policy that addresses information security for all personnel
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12 …
Verizon PCI Compliance Report:
… Requirement 12 at the time of IROC. This is a five percent drop in comparison to the 2010 report findings.
… of tests in Requirement 12 at the time of IROC.
… requisite work; thus they lack critical content, and fail to identify the information assets that must be protected.
… Requirement 12 at the time of the IROC is 12.4
… under Requirement 12 are 12.8.2 and 12.8.4.
… acknowledgement from service providers of their commitment to maintain proper security of cardholder data obtained from clients and accepting accountability for the protection of that data remains a tax…
… Maintain a program to monitor service providers' PCI DSS compliance status) contributed towards its low compliance rating.
Guidance: SANS Top 20 Critical Security Controls mapping
A risk assessment enables an organization to identify threats and the associated vulnerabilities which have the potential to negatively impact their business. Resources can then be effectively allocated to implement controls that reduce the likelihood and/or the potential impact of the threat being realized. Performing risk assessments at least annually allows the organization to keep up to date with organizational changes and evolving threats, trends and technologies.
Device labeling allows for quick identification of non-approved installations. Consider establishing an official naming convention for devices, and label and log all devices in concert with established inventory controls. Also, logical labeling may be employed with information such as codes that can correlate the device to its owner, contact information and purpose.
Testing Procedure
12.1 Examine the information security policy and verify that the policy is published and
disseminated to all relevant personnel (including vendors and business partners).
12.1.1 Verify that the policy addresses all PCI DSS requirements.
12.1.2.a Verify that an annual risk assessment process is documented that identifies
threats, vulnerabilities, and results in a formal risk assessment.
12.1.2.b Review risk assessment documentation to verify that the risk assessment
process is performed at least annually.
12.1.3 Verify that the information security policy is reviewed at least annually and
updated as needed to reflect changes to business objectives or the risk environment.
12.2 Examine the daily operational security procedures. Verify that they are consistent
with this specification, and include administrative and technical procedures for each of
the requirements.
12.3 Obtain and examine the usage policies for critical technologies and perform the
following:
12.3.1 Verify that the usage policies require explicit approval from authorized parties to
use the technologies.
12.3.2 Verify that the usage policies require that all technology use be authenticated
with user ID and password or other authentication item (for example, token).
12.3.3 Verify that the usage policies require a list of all devices and personnel
authorized to use the devices.
12.3.4 Verify that the usage policies require labeling of devices with information that
can be correlated to owner, contact information and purpose.
12.3.5 Verify that the usage policies require acceptable uses for the technology.
12.3.6 Verify that the usage policies require acceptable network locations for the
technology.
12.3.7 Verify that the usage policies require a list of company-approved products.
12.3.8 Verify that the usage policies require automatic disconnect of sessions for
remote-access technologies after a specific period of inactivity.
12.3.9 Verify that the usage policies require activation of remote-access technologies
used by vendors and business partners only when needed by vendors and business
partners, with immediate deactivation after use.
12.3.10.a Verify that the usage policies prohibit copying, moving, or storing of
cardholder data onto local hard drives and removable electronic media when
accessing such data via remote-access technologies.
12.3.10.b For personnel with proper authorization, verify that usage policies require
the protection of cardholder data in accordance with PCI DSS Requirements.
12.4 Verify that information security policies clearly define information security
responsibilities for all personnel.
12.5 Verify the formal assignment of information security to a Chief Security Officer or
other security-knowledgeable member of management.
Obtain and examine information security policies and procedures to verify that the
following information security responsibilities are specifically and formally assigned:
12.5.1 Verify that responsibility for creating and distributing security policies and
procedures is formally assigned.
12.5.2 Verify that responsibility for monitoring and analyzing security alerts and
distributing information to appropriate information security and business unit
management personnel is formally assigned.
12.5.3 Verify that responsibility for creating and distributing security incident
response and escalation procedures is formally assigned.
12.5.4 Verify that responsibility for administering user account and authentication
management is formally assigned.
12.5.5 Verify that responsibility for monitoring and controlling all access to data is
formally assigned.
12.6.a Verify the existence of a formal security awareness program for all personnel.
12.6.b Obtain and examine security awareness program procedures and documentation
and perform the following:
12.6.1.a Verify that the security awareness program provides multiple methods of
communicating awareness and educating personnel (for example, posters, letters,
memos, web based training, meetings, and promotions).
12.6.1.b Verify that personnel attend awareness training upon hire and at least
annually.
12.6.2 Verify that the security awareness program requires personnel to acknowledge,
in writing or electronically, at least annually that they have read and understand the
information security policy.
12.7 Inquire with Human Resource department management and verify that background
checks are conducted (within the constraints of local laws) on potential personnel prior
to hire who will have access to cardholder data or the cardholder data environment.
12.8 If the entity shares cardholder data with service providers (for example, back-up
tape storage facilities, managed service providers such as Web hosting companies or
security service providers, or those that receive data for fraud modeling purposes),
through observation, review of policies and procedures, and review of supporting
documentation, perform the following:
12.8.1 Verify that a list of service providers is maintained.
12.8.2 Verify that the written agreement includes an acknowledgement by the service
providers of their responsibility for securing cardholder data.
12.8.3 Verify that policies and procedures are documented and were followed
including proper due diligence prior to engaging any service provider.
12.8.4 Verify that the entity maintains a program to monitor its service providers' PCI
DSS compliance status at least annually.
12.9 Obtain and examine the Incident Response Plan and related procedures and
perform the following:
12.9.3 Verify through observation and review of policies, that designated personnel
are available for 24/7 incident response and monitoring coverage for any evidence of
unauthorized activity, detection of unauthorized wireless access points, critical IDS
alerts, and/or reports of unauthorized critical system or content file changes.
12.9.4 Verify through observation and review of policies that staff with responsibilities
for security breach response are periodically trained.
12.9.5 Verify through observation and review of processes that monitoring and
responding to alerts from security systems including detection of unauthorized
wireless access points are covered in the Incident Response Plan.
12.9.6 Verify through observation and review of policies that there is a process to
modify and evolve the incident response plan according to lessons learned and to
incorporate industry developments.
Identify the documented daily operational security procedures. Describe how the
documented procedures:
i. Are consistent with PCI DSS requirements
ii. Include administrative procedures for each requirement
iii. Include technical procedures for each requirement
Describe how the daily operational security procedures were observed to be
implemented including:
i. Administrative procedures for each requirement
ii. Technical procedures for each requirement
Describe how the documented policies prohibit the following for personnel accessing
cardholder data via remote-access technologies:
i. Copying of cardholder data onto local hard drives and removable electronic media
ii. Moving of cardholder data onto local hard drives and removable electronic media
iii. Storage of cardholder data onto local hard drives and removable electronic media
Describe how it was observed that the following are implemented for personnel
accessing cardholder data via remote-access technologies:
i. Prohibit the copying of cardholder data onto local hard drives and removable electronic media
ii. Prohibit the moving of cardholder data onto local hard drives and removable electronic media
iii. Prohibit the storage of cardholder data onto local hard drives and removable electronic media
Identify the documentation that defines whether any authorized business need for
copying, moving, or storing cardholder data onto local hard drives or removable
electronic media via remote-access technologies exists.
For each defined business need:
Identify how explicit authorization was observed to be implemented for the copying,
moving, or storage of cardholder data onto local hard drives or removable electronic
media.
Describe how the documented policies require the protection of cardholder data in
accordance with PCI DSS Requirements, for all personnel with proper authorization.
Describe how the protection of cardholder data was observed to be implemented in
accordance with PCI DSS Requirements.
Describe how the security policy and procedures clearly define information security
responsibilities for all personnel.
Describe how interviewed personnel demonstrated they are aware of their
information security responsibilities.
Identify the document that formally assigns responsibility for information security to a
Chief Security Officer or other security-knowledgeable member of management.
Describe how the assignment of responsibility for information security was observed
to be implemented.
Identify the document requiring that all personnel attend awareness training:
i. Upon hire
ii. At least annually
Describe how it was observed that all personnel attend awareness training:
i. Upon hire
ii. At least annually
Identify the document that defines procedures for proper due diligence prior to
engaging any service provider.
Describe how the procedures for proper due diligence were observed to be
implemented.
Identify the incident response plan and procedure document(s). Describe how the
document includes:
i. Roles and responsibilities
ii. Communication strategies
iii. Requirement for notification of the payment brands
iv. Specific incident response procedures
v. Business recovery and continuity procedures
vi. Data back-up processes
vii. Analysis of legal requirements for reporting compromises
viii. Coverage for all critical system components
ix. Responses for all critical system components
x. Reference or inclusion of incident response procedures from the payment brands
Identify the document that designates personnel to be available for:
i. 24/7 incident monitoring
ii. 24/7 incident response
Identify the document requiring 24/7 incident response and monitoring coverage
for:
i. Any evidence of unauthorized activity
ii. Detection of unauthorized wireless access points
iii. Critical IDS alerts
iv. Reports of unauthorized critical system or content file changes
Describe how it was observed that 24/7 incident response and monitoring coverage
is provided for:
i. Evidence of unauthorized activity
ii. Detection of unauthorized wireless access points
iii. Critical IDS alerts
iv. Reports of unauthorized critical system or content file changes
Identify the document requiring that staff with security breach responsibilities are
periodically trained.
Describe how it was observed that staff with security breach responsibilities are
periodically trained.
Identify the document that defines how the following are monitored:
i. Alerts from intrusion-detection/intrusion-prevention
ii. Alerts from file-integrity monitoring systems
iii. Detection of unauthorized wireless access points
Identify the document that defines how the following are responded to:
i. Alerts from intrusion-detection/intrusion-prevention
ii. Alerts from file-integrity monitoring systems
iii. Detection of unauthorized wireless access points
Describe how processes for monitoring the following were observed to be
implemented:
i. Alerts from intrusion-detection / intrusion-prevention
ii. Alerts from file-integrity monitoring systems.
iii. Detection of unauthorized wireless access points
Describe how processes for responding to the following were observed to be
implemented:
i. Alerts from intrusion-detection/intrusion-prevention
ii. Alerts from file-integrity monitoring systems
iii. Detection of unauthorized wireless access points
Identify the document which defines the processes to modify and evolve the incident
response plan:
i. According to lessons learned
ii. To incorporate industry developments
Describe how the above processes were observed to be implemented.
Tracking columns for the Requirement 12 rows (per-row values did not survive extraction): Priority, C-VT, In Place? (reads N throughout this block), Intermediary Control, Severity. Summary cells at the foot of the block: 216, 14, 14, 18, 44.
IT Types: Server, Firewall & Router, Switches, Mail, DNS, Database, Application, Web application, Web server, WAP, POS, Others
Criticality: High, Medium, Low