
@d0minicw0ng
Last active April 24, 2017 09:35
PCI DSS

| Data Element | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4 |
| --- | --- | --- |
| Cardholder Data: Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data: Cardholder Name | Yes | No |
| Cardholder Data: Service Code | Yes | No |
| Cardholder Data: Expiration Date | Yes | No |
| Sensitive Authentication Data: Full Track Data | No | Cannot store per Requirement 3.2 |
| Sensitive Authentication Data: CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2 |
| Sensitive Authentication Data: PIN/PIN Block | No | Cannot store per Requirement 3.2 |

PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.

Sensitive authentication data must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
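The table and the two paragraphs above describe a storage rule that is easy to get wrong in code: a post-authorization write must refuse every sensitive authentication data element outright, and may keep the PAN only in a form that is unreadable (Requirement 3.4 lists truncation, one-way hashing, index tokens and strong cryptography as acceptable methods). The following is an added example written for this page, not code from the gist or from the PCI SSC; the field names, the record layout and the HMAC-SHA256 key are assumptions, and the sample PAN is a well-known test number, not a real card.

```python
"""Added example: post-authorization storage gate for card data (not part of the gist)."""
import hashlib
import hmac

# Data elements as classified in the PCI DSS storage table above.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
# Requirement 3.2: never stored after authorization, even if encrypted.
SENSITIVE_AUTHENTICATION_DATA = {"full_track_data", "cav2_cvc2_cvv2_cid", "pin", "pin_block"}


class SadStorageError(ValueError):
    """A write would persist sensitive authentication data after authorization."""


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check applied to primary account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def storage_violations(record: dict) -> list:
    """Return the field names in `record` that Requirement 3.2 forbids storing."""
    return sorted(SENSITIVE_AUTHENTICATION_DATA & set(record))


def truncate_pan(pan: str) -> str:
    """Truncation per Requirement 3.4: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup token for the PAN.

    A keyed hash is used because the PAN space is small enough that an unkeyed
    hash could be reversed by enumeration. The key is assumed to be held in a
    key-management system and never stored beside the hashed values.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, hashing_key: bytes) -> dict:
    """Apply the table's rules to an authorized transaction before it is persisted.

    Raises SadStorageError if any SAD element is present. Otherwise returns a copy
    in which the PAN is replaced by its truncated form plus a keyed hash, while the
    other cardholder-data elements are kept as-is (the table permits storing them
    and Requirement 3.4 applies only to the PAN).
    """
    forbidden = storage_violations(record)
    if forbidden:
        raise SadStorageError("refusing to store sensitive authentication data: " + ", ".join(forbidden))
    unknown = set(record) - CARDHOLDER_DATA
    if unknown:
        raise ValueError("unclassified fields, classify before storing: " + ", ".join(sorted(unknown)))
    stored = {k: v for k, v in record.items() if k != "pan"}
    if "pan" in record:
        pan = record["pan"]
        # ISO 7812 PANs are 13 to 19 digits; reject anything that is not a plausible PAN.
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("PAN failed format/Luhn validation")
        stored["pan_truncated"] = truncate_pan(pan)
        stored["pan_hmac"] = hash_pan(pan, hashing_key)
    return stored


# Constructed sample records (the PAN is a well-known test number, not a real card).
AUTHORIZED_TXN = {
    "pan": "4111111111111111",
    "cardholder_name": "A. Sample",
    "expiration_date": "12/27",
    "service_code": "201",
}
# The same transaction as captured from the terminal, still carrying SAD.
RAW_CAPTURE = dict(AUTHORIZED_TXN, cav2_cvc2_cvv2_cid="123", full_track_data="TRACK-DATA-PLACEHOLDER")
DEMO_KEY = b"demo-key-from-a-kms"  # constructed placeholder for a KMS-held key

if __name__ == "__main__":
    print(prepare_for_storage(AUTHORIZED_TXN, DEMO_KEY))
    try:
        prepare_for_storage(RAW_CAPTURE, DEMO_KEY)
    except SadStorageError as exc:
        print("blocked:", exc)
```

The gate rejects the raw capture because it still carries the CVV and track data, and it never stores the full PAN; the truncated value is what appears on receipts and in support tools, while the HMAC lets a transaction be matched to a card without holding the number. Fields the gate has not classified are rejected rather than silently passed through, which is the behaviour a reviewer should expect from code that fronts a cardholder data store.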

@d0minicw0ng

Requirement 11: Regularly test security systems and processes.

  • Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis

    1. Maintain an inventory of authorized wireless access points including a documented business justification
    2. Implement incident response procedures in the event unauthorized wireless access points are detected
  • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)

    1. Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel
    2. Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved
    3. Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel
  • Implement a methodology for penetration testing that includes the following:

    1. Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
    2. Includes coverage for the entire CDE perimeter and critical systems
    3. Includes testing from both inside and outside the network
    4. Includes testing to validate any segmentation and scope-reduction controls
    5. Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
    6. Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date

  • Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly

  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties
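The change-detection bullet above asks for a mechanism that alerts on additions, changes and deletions of critical files and runs its comparison at least weekly. The following added example, written for this page and not taken from the gist or any product, shows the core of such a mechanism: a baseline of SHA-256 digests and permission bits, a comparison that classifies each difference, and an alert step that suppresses only differences covered by an approved change. The directory layout, the file contents and the approved-change set are constructed for the demonstration; a real deployment would persist the baseline somewhere the monitored host cannot rewrite it and run the comparison on a schedule.

```python
"""Added example: minimal file-integrity baseline and comparison (not part of the gist)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under `root` (POSIX relative path) to its digest and mode bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            mode = path.stat().st_mode & 0o777
            baseline[path.relative_to(root).as_posix()] = {"sha256": sha256_file(path), "mode": oct(mode)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences as added, deleted, or changed (content or permissions)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def alerts(diff: dict, approved_changes: set) -> list:
    """Every difference not covered by an approved change record becomes an alert."""
    out = []
    for kind, paths in diff.items():
        for p in paths:
            if p not in approved_changes:
                out.append(f"ALERT {kind}: {p}")
    return out


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen = 443\n")
        (root / "etc" / "users.txt").write_text("alice\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Simulated activity between two weekly runs: a config edit, a deleted file,
        # and a new file. Only the new file has an approved change record.
        (root / "etc" / "app.conf").write_text("listen = 443\ndebug = true\n")
        (root / "etc" / "users.txt").unlink()
        (root / "bin" / "extra").write_text("new\n")
        current = build_baseline(root)

        diff = compare(baseline, current)
        return {"diff": diff, "alerts": alerts(diff, approved_changes={"bin/extra"})}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Recording the mode bits alongside the digest means a permission change on an unchanged file is still reported, which matters for configuration files that become world-writable. The approved-change set is the link to the change-management process required elsewhere in the standard: a difference is not noise just because someone expected it, it is noise only when a change record says so.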

@d0minicw0ng

d0minicw0ng commented Apr 24, 2017

Requirement 12: Maintain a policy that addresses information security for all personnel.

  • Establish, publish, maintain, and disseminate a security policy
    1. Review the security policy at least annually and update the policy when the environment changes
  • Implement a risk-assessment process that:
    1. Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
    2. Identifies critical assets, threats, and vulnerabilities, and
    3. Results in a formal, documented analysis of risk.
  • Develop usage policies for critical technologies and define proper use of these technologies
    1. Explicit approval by authorized parties
    2. Authentication for use of the technology
    3. A list of all such devices and personnel with access
    4. A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)
    5. Acceptable uses of the technology
    6. Acceptable network locations for the technologies
    7. List of company-approved products
    8. Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
    9. Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
    10. For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
      Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements
  • Ensure that the security policy and procedures clearly define information security responsibilities for all personnel
  • Assign to an individual or team the following information security management responsibilities:
    1. Establish, document, and distribute security policies and procedures
    2. Monitor and analyze security alerts and information, and distribute to appropriate personnel
    3. Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
    4. Administer user accounts, including additions, deletions, and modifications
    5. Monitor and control all access to data
  • Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures
    1. Educate personnel upon hire and at least annually
    2. Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures
  • Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
  • Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
    1. Maintain a list of service providers including a description of the service provided
    2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment
    3. Ensure there is an established process for engaging service providers including proper due diligence prior to engagement
    4. Maintain a program to monitor service providers’ PCI DSS compliance status at least annually
    5. Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
  • Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment
  • Implement an incident response plan. Be prepared to respond immediately to a system breach
    1. Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
      i. Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
      ii. Specific incident response procedures
      iii. Business recovery and continuity procedures
      iv. Data backup processes
      v. Analysis of legal requirements for reporting compromises
      vi. Coverage and responses of all critical system components
      vii. Reference or inclusion of incident response procedures from the payment brands
    2. Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually
    3. Designate specific personnel to be available on a 24/7 basis to respond to alerts
    4. Provide appropriate training to staff with security breach response responsibilities
    5. Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems
    6. Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments
  • Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
    1. Daily log reviews
    2. Firewall rule-set reviews
    3. Applying configuration standards to new systems
    4. Responding to security alerts
    5. Change management processes
  • Additional requirement for service providers only: Maintain documentation of quarterly review process to include:
    1. Documenting results of the reviews
    2. Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program
