{"id":184,"date":"2014-08-26T23:53:54","date_gmt":"2014-08-26T23:53:54","guid":{"rendered":"http:\/\/outworx.com\/blog\/?p=184"},"modified":"2017-01-19T10:32:41","modified_gmt":"2017-01-19T10:32:41","slug":"summary-of-the-twelve-pci-dss-requirements","status":"publish","type":"post","link":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/","title":{"rendered":"Summary of the Twelve PCI DSS Requirements"},"content":{"rendered":"

Let’s suppose that you need to handle credit card data in your computing environment.\u00a0 Let’s suppose further than you can’t use something like Point-To-Point encryption to vastly reduce your PCI scope.\u00a0 The<\/span> PCI DSS<\/a> standard defines twelve high level requirements that you need to meet.\u00a0 We will summarize these below.\u00a0 But be careful with the overview.\u00a0 When it comes time to actually implement these requirements, you’ll find that each one actually has many subrequirements that you’ll need to meet.\u00a0 You’ll have to read the standard to find these.<\/span><\/p>\n

In the blog below, the Requirement headings are taken directly from the PCI DSS v3.0 spec.\u00a0 The descriptions below the headings are mine.\u00a0 Please note that the descriptions just include highlights, and are not comprehensive.<\/span><\/p>\n

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.<\/strong><\/span><\/h3>\n

This section regulates your firewalls, routers, and networking configuration in general.\u00a0 Firewalls must be stateful, and protect card holder data.\u00a0 Firewall and router configurations can’t be changed without a formal approval process.\u00a0 You’ll also need network diagrams showing the flow of cardholder data through your systems and networks.<\/span><\/p>\n

You’ll need to formally define who is responsible for network components, and what their role is.<\/span><\/p>\n

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<\/strong><\/span><\/h3>\n

Don’t use any default passwords or vendor supplied passwords anywhere in your cardholder environment.\u00a0\u00a0 Make sure that your systems are hardened.\u00a0 Disable unneeded services on each machine.\u00a0 Each system should have only 1 primary purpose.\u00a0 Get rid of insecure services, like ftp, or use a secure alternative like s-ftp.\u00a0 Remove unneeded software from the system.\u00a0 Use strong encryption when logging in as an administrator.\u00a0 Create an inventory of each system’s components that are in scope for PCI.<\/span><\/p>\n

Requirement 3: Protect stored cardholder data<\/span><\/h3>\n

Never store full track data from the card.\u00a0 Never store the card verification number or the card’s PIN.\u00a0 The credit card number is called the Personal Account Number (PAN).\u00a0 PAN data, if stored, must be protected by strong encryption or something similar.\u00a0 Define a retention period for the data, and make sure that it is securely destroyed after the retention period ends.\u00a0 For cryptographic keys, have secure key storage and secure key distribution.\u00a0 Limit the number of people who have access to the keys.\u00a0 Have policies and procedures to protect the keys.\u00a0 Key custodians must “formally acknowledge” that they understand their responsibility.\u00a0 Mask the PAN data when it is displayed, showing no more than the first 6 digits and the last 4.<\/span><\/p>\n

Requirement 4: Encrypt transmission of cardholder data across open, public networks.<\/strong><\/span><\/h3>\n

Use strong cryptography to protect data going across a public network, e.g. the Internet, a wireless network, or a cell phone network.\u00a0 Your wireless network can’t use WEP, but must use a secure protocol.\u00a0 Don’t send PAN data in email or instant messaging technologies unless it is protected by strong encryption.<\/span><\/p>\n

Requirement 5: Protect all systems against malware and regularly update anit-virus software or programs<\/strong><\/span><\/h3>\n

This requirement pretty much boils down to running anti-virus software on all of your systems, and keeping it running well with things like regular updates.<\/span><\/p>\n

(Please note that anti-virus software alone is not enough to make a system secure.\u00a0 Custom malware and other attacks can get through.\u00a0 But it is a good starting place, and does filter out many low level threats.)<\/span><\/p>\n

(Note that whitelisting products, like the ones from <\/span>Bit9<\/a> can be particularly effective at stopping malware.\u00a0 Anti-virus software allow<\/em> unknown programs to run unless they are on a blacklist.\u00a0 In contrast,\u00a0 products like Bit9 prevent<\/em> unknown programs from running unless they are known to be safe, i.e. on the whitelist.\u00a0 When the Stuxnet virus came out, it was undetected by all the anti-virus programs for over a year.\u00a0 However, Bit9 blocked it since it was not on the whitelist.)<\/span><\/p>\n

Requirement 6: Develop and maintain secure systems and applications<\/strong><\/span><\/h3>\n

If you don’t have security-oriented coding practices and IT processes, then this requirement is going to dramatically change the way you work.\u00a0 You’ll need to train your developers in secure coding practices.\u00a0\u00a0 Your programmers will also need to do code reviews for security before releasing the code.\u00a0 You’ll need to become familiar with coding security pitfalls and avoid them.\u00a0 Lists like the <\/span>OWASP Top Ten<\/a> or the <\/span>CWE\/SANS Top 25 Most Dangerous Software Errors<\/a>, can be very helpful as starting places.\u00a0 However, they don’t cover everything.\u00a0 You’ll almost certainly certainly want to have your developers take training classes from SANS and other organizations that specialize in teaching secure coding practices.<\/span><\/p>\n

About 90% of the code in today’s applications is assembled from other sources.\u00a0 You’ll need to monitor those sources, and when security patches come out, you’ll need to rate is severity, and apply it.\u00a0 IT will need to do the same for the system software on the servers.\u00a0 You’ll need a formal change control process.<\/span><\/p>\n

Never use live PAN data for testing.\u00a0 Remove test accounts before production.\u00a0 Have separate development and production environments.<\/span><\/p>\n

Requirement 7: Restrict access to cardholder data by business need to know<\/strong><\/span><\/h3>\n

This requirement basically says to strongly limit access to card holder data.\u00a0 Give users the least amount of privilege to get their jobs done.\u00a0 By default, deny access unnless someone has a business need to access the data.\u00a0 Document the roles of the people who access the data, and define access for each role.<\/span><\/p>\n

Requirement 8: Identify and authenticate access to system components<\/strong><\/span><\/h3>\n

This requirement has mostly to do with password and credential management.\u00a0 Users need to have individual accounts; shared accounts are forbidden. \u00a0 Passwords must be strong, and passwords must be changed every 90 days.\u00a0 Strong cryptography must protect stored passwords.\u00a0 Two factor authentication is required for remote access.\u00a0 Third party accounts for support must be disabled when not in use.\u00a0 Access to a database with card holder data should be restricted programs and database admins.<\/span><\/p>\n

Requirement 9: Restrict physical access to cardholder data<\/strong><\/span><\/h3>\n

PCI requires you to physically secure your facility.\u00a0 You have to restrict physical access to your computers and network equipment.\u00a0 You’ll need to have badges (or something similar) so you can quickly identify who is a visitor and who is an authorized employee.\u00a0 When someone leaves, you’ll need to revoke their access immediately.<\/span><\/p>\n

You’ll need special protocols for visitors.\u00a0 They will have to be escorted at all time.\u00a0 They will need to wear a badge (or something similar).\u00a0 A visitor log will tell when they entered and left.<\/span><\/p>\n

If backups and other media are stored offsite, then a secure location must be used.\u00a0 A secure courier must be used to transport the media.\u00a0 You’ll need an inventory log of all media.\u00a0 When media is no longer needed, securely destroy it.<\/span><\/p>\n

If you have a POS device that reads the cards, you’ll need to protect it from tampering or from being switched out.\u00a0 You’ll also need to maintain a list of devices.\u00a0 Inspect them periodically to look for skimmers or tampering.\u00a0 Train your people to also look for problems.<\/span><\/p>\n

Requirement 10: Track and monitor all access to network resources and cardholder data<\/strong><\/span><\/h3>\n

PCI requires that you log access to card holder data and many security events, e.g. logins, creating new accounts, deleting accounts, elevating privilege, any action by privileged accounts, and so on.\u00a0 All logs need to be sent to a central logger, and retained for one year.\u00a0 Time must be synchronized on all systems to an industry standard source so the dates in the log files are reliable.\u00a0 You’ll need to review these logs.<\/span><\/p>\n

Requirement 11: Regularly test security systems and processes<\/strong><\/span><\/h3>\n

You need to scan for unauthorized wireless access points, and have a plan to deal with them.\u00a0 You’ll need to maintain an inventory of legitimate access points.<\/span><\/p>\n

Run external and internal vulnerability scans at least once a quarter.\u00a0 The external scan requires a PCI Approved Scanning Vendor (ASV).\u00a0 Fix high risk problems, and rescan until there aren’t any more.<\/span><\/p>\n

Penetration, external and internal, must also be done at least annually, and problems remediated.<\/span><\/p>\n

If you make a significant change to your network or environment, do new scans and penetration testing.<\/span><\/p>\n

Have an Intrusion Detection and\/or Intrusion Prevention system.<\/span><\/p>\n

Critical files on servers should have file integrity monitoring, so changes can be detected and personnel alerted.<\/span><\/p>\n

Requirement 12: Maintain a policy that addresses information security for all personnel.<\/strong><\/span><\/h3>\n

Write up your security policy, and review it annually\u00a0 This has many details that are given in the PCI spec.\u00a0 Give it to everyone involved in the cardholder environment.<\/span><\/p>\n

Have a risk assessment plan, and perform a formal risk assessment at least once per year.<\/span><\/p>\n

Have an Incident Response plan to respond to breaches.\u00a0 Test it at least annually.\u00a0 You’ll also need designated personnel to be available to respond 24×7.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Let’s suppose that you need to handle credit card data in your computing environment.\u00a0 Let’s suppose further than you can’t use something like Point-To-Point encryption to vastly reduce your PCI scope.\u00a0 The PCI DSS standard defines twelve high level requirements that you need to meet.\u00a0 We will summarize these below.\u00a0 But be careful with the … Continue reading “Summary of the Twelve PCI DSS Requirements”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"xn-wppe-expiration":[],"xn-wppe-expiration-action":[],"xn-wppe-expiration-prefix":[],"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0},"categories":[14],"tags":[],"acf":[],"yoast_head":"\nSummary of the Twelve PCI DSS Requirements | OutworX<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Summary of the Twelve PCI DSS Requirements | OutworX\" \/>\n<meta property=\"og:description\" content=\"Let’s suppose that you need to handle credit card data in your computing environment.\u00a0 Let’s suppose further than you can’t use something like Point-To-Point encryption to vastly reduce your PCI scope.\u00a0 The PCI DSS standard defines twelve high level requirements that you need to meet.\u00a0 We will summarize these below.\u00a0 But be careful with the … Continue reading "Summary of the Twelve PCI DSS Requirements"\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/\" \/>\n<meta property=\"og:site_name\" content=\"OutworX\" \/>\n<meta property=\"article:published_time\" content=\"2014-08-26T23:53:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-01-19T10:32:41+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\",\"url\":\"https:\/\/www.outworx.com\/blog\/\",\"name\":\"OutworX\",\"description\":\"Blogs, News and Updates of IT Industry | OutworX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.outworx.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/#webpage\",\"url\":\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/\",\"name\":\"Summary of the Twelve PCI DSS Requirements | OutworX\",\"isPartOf\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\"},\"datePublished\":\"2014-08-26T23:53:54+00:00\",\"dateModified\":\"2017-01-19T10:32:41+00:00\",\"author\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.outworx.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Summary of the Twelve PCI DSS Requirements\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"description\":\"Outworx@Admin\",\"url\":\"https:\/\/www.outworx.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Summary of the Twelve PCI DSS Requirements | OutworX","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/","og_locale":"en_US","og_type":"article","og_title":"Summary of the Twelve PCI DSS Requirements | OutworX","og_description":"Let’s suppose that you need to handle credit card data in your computing environment.\u00a0 Let’s suppose further than you can’t use something like Point-To-Point encryption to vastly reduce your PCI scope.\u00a0 The PCI DSS standard defines twelve high level requirements that you need to meet.\u00a0 We will summarize these below.\u00a0 But be careful with the … Continue reading \"Summary of the Twelve PCI DSS Requirements\"","og_url":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/","og_site_name":"OutworX","article_published_time":"2014-08-26T23:53:54+00:00","article_modified_time":"2017-01-19T10:32:41+00:00","twitter_misc":{"Written by":"admin","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.outworx.com\/blog\/#website","url":"https:\/\/www.outworx.com\/blog\/","name":"OutworX","description":"Blogs, News and Updates of IT Industry | OutworX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.outworx.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/#webpage","url":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/","name":"Summary of the Twelve PCI DSS Requirements | OutworX","isPartOf":{"@id":"https:\/\/www.outworx.com\/blog\/#website"},"datePublished":"2014-08-26T23:53:54+00:00","dateModified":"2017-01-19T10:32:41+00:00","author":{"@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632"},"breadcrumb":{"@id":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.outworx.com\/blog\/summary-of-the-twelve-pci-dss-requirements\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.outworx.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Summary of the Twelve PCI DSS Requirements"}]},{"@type":"Person","@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632","name":"admin","image":{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g","caption":"admin"},"description":"Outworx@Admin","url":"https:\/\/www.outworx.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/184"}],"collection":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/comments?post=184"}],"version-history":[{"count":11,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/184\/revisions"}],"predecessor-version":[{"id":871,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/184\/revisions\/871"}],"wp:attachment":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media?parent=184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/categories?post=184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/tags?post=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}