PCI DSS Compliance and Security

4.

The 12 Requirements of PCI DSS

4.1.

Requirement 1: Install and Maintain Network Security Controls

4.1.1.

Firewall Configuration Standards

4.1.1.1.

Configuration Documentation

4.1.1.2.

Change Management Procedures

4.1.1.3.

Review and Approval Processes

4.1.1.4.

Version Control

4.1.2.

Network Architecture

4.1.2.1.

Network Topology Documentation

4.1.2.2.

DMZ Implementation

4.1.2.3.

Internal Network Segmentation

4.1.2.4.

Wireless Network Isolation

4.1.3.

Traffic Control Rules

4.1.3.1.

Inbound Traffic Restrictions

4.1.3.2.

Outbound Traffic Controls

4.1.3.3.

Default Deny Policies

4.1.3.4.

Business Justification Requirements

4.1.4.

Router Security

4.1.4.1.

Router Hardening Standards

4.1.4.2.

Access Control Configuration

4.1.4.3.

Logging and Monitoring

4.1.4.4.

Firmware Management

4.1.5.

Personal Firewalls

4.1.5.1.

Mobile Device Requirements

4.1.5.2.

Remote Access Controls

4.1.5.3.

BYOD Policy Implementation

4.1.6.

Cloud and Virtualized Environments

4.1.6.1.

Virtual Firewall Configuration

4.1.6.2.

Container Security Controls

4.1.6.3.

Cloud Security Groups

4.2.

Requirement 2: Apply Secure Configurations to All System Components

4.2.1.

Configuration Standards Development

4.2.1.1.

Baseline Security Configurations

4.2.1.2.

Industry Best Practices Integration

4.2.1.3.

Vendor Security Guides

4.2.1.4.

Custom Configuration Requirements

4.2.2.

System Hardening

4.2.2.1.

Operating System Hardening

4.2.2.2.

Database Hardening

4.2.2.3.

Application Server Hardening

4.2.2.4.

Network Device Hardening

4.2.3.

Default Settings Management

4.2.3.1.

Default Password Changes

4.2.3.2.

Default Account Management

4.2.3.3.

Unnecessary Service Removal

4.2.3.4.

Sample File Removal

4.2.4.

Wireless Security

4.2.4.1.

Encryption Protocol Configuration

4.2.4.2.

Access Point Security

4.2.4.3.

Wireless Key Management

4.2.4.4.

Guest Network Isolation

4.2.5.

System Component Inventory

4.2.5.1.

Asset Discovery Processes

4.2.5.2.

Inventory Management Systems

4.2.5.3.

Configuration Management Databases

4.2.5.4.

Regular Inventory Updates

4.2.6.

Vulnerability Management Integration

4.2.6.1.

Configuration Vulnerability Scanning

4.2.6.2.

Patch Management Coordination

4.2.6.3.

Security Configuration Monitoring

4.3.

Requirement 3: Protect Stored Account Data

4.3.1.

Data Retention and Disposal

4.3.1.1.

Data Retention Policies

4.3.1.2.

Business Justification Documentation

4.3.1.3.

Secure Deletion Procedures

4.3.1.4.

Media Sanitization Standards

4.3.2.

Sensitive Authentication Data Prohibitions

4.3.2.1.

Full Track Data Storage Prohibition

4.3.2.2.

CAV2/CVC2/CVV2/CID Storage Prohibition

4.3.2.3.

PIN and PIN Block Storage Prohibition

4.3.2.4.

Verification and Testing Procedures

4.3.3.

PAN Protection Methods

4.3.3.1.

Display Masking Requirements

4.3.3.2.

Masking Implementation

4.3.3.3.

Log File Protection

4.3.3.4.

Report Generation Controls

4.3.4.

Cryptographic Protection

4.3.4.1.

Encryption Standards

4.3.4.2.

Key Management Requirements

4.3.4.3.

Tokenization Implementation

4.3.4.4.

Hashing Methods

4.3.5.

Cryptographic Key Management

4.3.5.1.

Key Generation Procedures

4.3.5.2.

Key Distribution Methods

4.3.5.3.

Key Storage Requirements

4.3.5.4.

Key Rotation Policies

4.3.5.5.

Key Destruction Procedures

4.3.5.6.

Key Recovery Processes

4.3.6.

Database Security

4.3.6.1.

Database Encryption

4.3.6.2.

Access Controls

4.3.6.3.

Database Activity Monitoring

4.3.6.4.

Backup Protection

4.4.

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

4.4.1.

Encryption in Transit

4.4.1.1.

TLS Configuration Requirements

4.4.1.2.

Certificate Management

4.4.1.3.

Cipher Suite Selection

4.4.1.4.

Protocol Version Management

4.4.2.

Wireless Transmission Security

4.4.2.1.

Wireless Encryption Standards

4.4.2.2.

WPA3 Implementation

4.4.2.3.

Wireless Key Management

4.4.2.4.

Wireless Network Monitoring

4.4.3.

End-User Messaging Restrictions

4.4.3.1.

Email Transmission Prohibitions

4.4.3.2.

Instant Messaging Controls

4.4.3.3.

Chat Application Restrictions

4.4.3.4.

SMS/Text Message Policies

4.4.4.

Public Network Considerations

4.4.4.1.

Internet Transmission Security

4.4.4.2.

VPN Requirements

4.4.4.3.

Public Wi-Fi Restrictions

4.4.4.4.

Mobile Network Security

4.4.5.

Legacy Protocol Management

4.4.5.1.

SSL Deprecation

4.4.5.2.

Early TLS Versions

4.4.5.3.

Migration Planning

4.4.5.4.

Exception Management

4.5.

Requirement 5: Protect All Systems and Networks from Malicious Software

4.5.1.

Anti-Malware Solution Deployment

4.5.1.1.

Endpoint Protection Systems

4.5.1.2.

Server Protection

4.5.1.3.

Gateway Protection

4.5.1.4.

4.5.2.

Anti-Malware Management

4.5.2.1.

Centralized Management Platforms

4.5.2.2.

Signature Updates

4.5.2.3.

4.5.2.4.

Policy Management

4.5.3.

Scanning and Detection

4.5.3.1.

Real-Time Scanning

4.5.3.2.

Scheduled Scans

4.5.3.3.

On-Demand Scans

4.5.3.4.

Behavioral Analysis

4.5.4.

Incident Response Integration

4.5.4.1.

Malware Detection Alerts

4.5.4.2.

Quarantine Procedures

4.5.4.3.

Remediation Processes

4.5.4.4.

Reporting Requirements

4.5.5.

Alternative Protection Methods

4.5.5.1.

Application Whitelisting

4.5.5.2.

Behavioral Monitoring

4.5.5.3.

Sandboxing Technologies

4.5.5.4.

Network-Based Protection

4.6.

Requirement 6: Develop and Maintain Secure Systems and Software

4.6.1.

Secure Software Development Lifecycle

4.6.1.1.

SDLC Framework Implementation

4.6.1.2.

Security Requirements Integration

4.6.1.3.

Threat Modeling

4.6.1.4.

Security Architecture Review

4.6.2.

Vulnerability Management

4.6.2.1.

Vulnerability Identification

4.6.2.2.

Risk Assessment Procedures

4.6.2.3.

Remediation Prioritization

4.6.2.4.

Patch Management Integration

4.6.3.

Software Development Security

4.6.3.1.

Secure Coding Standards

4.6.3.2.

Code Review Processes

4.6.3.3.

Static Application Security Testing

4.6.3.4.

Dynamic Application Security Testing

4.6.4.

Change Control Procedures

4.6.4.1.

Change Request Management

4.6.4.2.

Impact Assessment

4.6.4.3.

Testing Requirements

4.6.4.4.

Approval Workflows

4.6.4.5.

Deployment Procedures

4.6.5.

Web Application Security

4.6.5.1.

OWASP Top 10 Mitigation

4.6.5.2.

Web Application Firewalls

4.6.5.3.

Input Validation

4.6.5.4.

Output Encoding

4.6.5.5.

Session Management

4.6.6.

Third-Party Software Management

4.6.6.1.

Vendor Assessment

4.6.6.2.

Software Inventory

4.6.6.3.

Update Management

4.6.6.4.

End-of-Life Planning

4.7.

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

4.7.1.

Access Control Principles

4.7.1.1.

Principle of Least Privilege

4.7.1.2.

Need-to-Know Basis

4.7.1.3.

Separation of Duties

4.7.1.4.

Defense in Depth

4.7.2.

Role-Based Access Control

4.7.2.1.

Role Definition and Documentation

4.7.2.2.

Role Assignment Procedures

4.7.2.3.

Role Review Processes

4.7.2.4.

Role Modification Controls

4.7.3.

Access Rights Management

4.7.3.1.

Access Request Procedures

4.7.3.2.

Approval Workflows

4.7.3.3.

Access Provisioning

4.7.3.4.

Access Review and Recertification

4.7.4.

Privileged Access Management

4.7.4.1.

Administrative Account Controls

4.7.4.2.

Privileged Session Management

4.7.4.3.

Just-in-Time Access

4.7.4.4.

Privileged Account Monitoring

4.7.5.

Data Classification

4.7.5.1.

Data Sensitivity Levels

4.7.5.2.

Access Control Matrices

4.7.5.3.

Data Handling Procedures

4.7.5.4.

Classification Review Processes

4.8.

Requirement 8: Identify Users and Authenticate Access to System Components

4.8.1.

User Identification

4.8.1.1.

Unique User IDs

4.8.1.2.

Account Naming Conventions

4.8.1.3.

Shared Account Restrictions

4.8.1.4.

Generic Account Management

4.8.2.

Authentication Methods

4.8.2.1.

Password-Based Authentication

4.8.2.2.

Multi-Factor Authentication

4.8.2.3.

Biometric Authentication

4.8.2.4.

Certificate-Based Authentication

4.8.3.

Password Management

4.8.3.1.

Password Complexity Requirements

4.8.3.2.

Password Length Standards

4.8.3.3.

Password Expiration Policies

4.8.3.4.

Password History Requirements

4.8.3.5.

Password Storage Protection

4.8.4.

Multi-Factor Authentication Implementation

4.8.4.1.

MFA for Remote Access

4.8.4.2.

MFA for Administrative Access

4.8.4.3.

MFA for CDE Access

4.8.4.4.

MFA Technology Options

4.8.5.

Account Management

4.8.5.1.

Account Provisioning

4.8.5.2.

Account Modification

4.8.5.3.

Account Deprovisioning

4.8.5.4.

Account Monitoring

4.8.6.

Service Account Management

4.8.6.1.

Service Account Inventory

4.8.6.2.

Service Account Security

4.8.6.3.

Service Account Monitoring

4.8.6.4.

Service Account Review

4.9.

Requirement 9: Restrict Physical Access to Cardholder Data

4.9.1.

Physical Access Controls

4.9.1.1.

Facility Entry Controls

4.9.1.2.

Badge Access Systems

4.9.1.3.

Biometric Access Controls

4.9.1.4.

Mantrap Implementation

4.9.2.

Visitor Management

4.9.2.1.

Visitor Registration

4.9.2.2.

Escort Requirements

4.9.2.3.

Visitor Badge Systems

4.9.2.4.

4.9.3.

Physical Media Controls

4.9.3.1.

Media Storage Security

4.9.3.2.

Media Transport Procedures

4.9.3.3.

Media Access Controls

4.9.3.4.

Media Inventory Management

4.9.4.

Media Destruction

4.9.4.1.

Destruction Procedures

4.9.4.2.

Destruction Documentation

4.9.4.3.

Destruction Verification

4.9.4.4.

Third-Party Destruction Services

4.9.5.

Point-of-Sale Device Security

4.9.5.1.

Device Inventory Management

4.9.5.2.

Device Inspection Procedures

4.9.5.3.

Tamper Detection

4.9.5.4.

Device Replacement Procedures

4.9.6.

Surveillance Systems

4.9.6.1.

Camera Placement

4.9.6.2.

Recording Requirements

4.9.6.3.

Footage Retention

4.9.6.4.

Access to Surveillance Data

4.10.

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

4.10.1.

Logging Requirements

4.10.1.1.

4.10.1.2.

Log Content Requirements

4.10.1.3.

Log Format Standards

4.10.1.4.

Log Completeness

4.10.2.

Log Management Infrastructure

4.10.2.1.

Centralized Logging

4.10.2.2.

Log Collection Methods

4.10.2.3.

Log Storage Requirements

4.10.2.4.

Log Backup Procedures

4.10.3.

Time Synchronization

4.10.3.1.

NTP Configuration

4.10.3.2.

Time Source Management

4.10.3.3.

Time Accuracy Requirements

4.10.3.4.

Time Zone Considerations

4.10.4.

Log Review and Analysis

4.10.4.1.

Daily Log Review Procedures

4.10.4.2.

Automated Log Analysis

4.10.4.3.

Exception Handling

4.10.4.4.

Alert Management

4.10.5.

4.10.5.1.

Log Access Controls

4.10.5.2.

Log Integrity Protection

4.10.5.3.

Log Retention Requirements

4.10.5.4.

Log Archival Procedures

4.10.6.

Security Information and Event Management (SIEM)

4.10.6.1.

SIEM Implementation

4.10.6.2.

Correlation Rules

4.10.6.3.

Alerting Configuration

4.10.6.4.

Incident Response Integration

4.11.

Requirement 11: Test Security of Systems and Networks Regularly

4.11.1.

Vulnerability Scanning

4.11.1.1.

Internal Vulnerability Scans

4.11.1.2.

External Vulnerability Scans

4.11.1.3.

Authenticated vs Unauthenticated Scans

4.11.1.4.

Scan Frequency Requirements

4.11.2.

Approved Scanning Vendor (ASV) Program

4.11.2.1.

ASV Selection Criteria

4.11.2.2.

ASV Scan Process

4.11.2.3.

Scan Report Review

4.11.2.4.

Remediation Requirements

4.11.3.

Penetration Testing

4.11.3.1.

Internal Penetration Testing

4.11.3.2.

External Penetration Testing

4.11.3.3.

Testing Methodologies

4.11.3.4.

Tester Qualifications

4.11.4.

Wireless Security Testing

4.11.4.1.

Wireless Access Point Detection

4.11.4.2.

Rogue Access Point Identification

4.11.4.3.

Wireless Security Assessment

4.11.4.4.

Wireless Monitoring Tools

4.11.5.

Intrusion Detection and Prevention

4.11.5.1.

IDS/IPS Deployment

4.11.5.2.

Signature Management

4.11.5.3.

4.11.5.4.

Response Procedures

4.11.6.

File Integrity Monitoring

4.11.6.1.

Critical File Identification

4.11.6.2.

Change Detection Methods

4.11.6.3.

Alert Generation

4.11.6.4.

Change Analysis Procedures

4.11.7.

Security Testing Integration

4.11.7.1.

Testing Schedule Coordination

4.11.7.2.

Results Correlation

4.11.7.3.

Remediation Tracking

4.11.7.4.

Continuous Monitoring

4.12.

Requirement 12: Support Information Security with Organizational Policies and Programs

4.12.1.

Information Security Policy Framework

4.12.1.1.

Policy Development Process

4.12.1.2.

Policy Approval Procedures

4.12.1.3.

Policy Communication

4.12.1.4.

Policy Review and Updates

4.12.2.

Risk Management Program

4.12.2.1.

Risk Assessment Methodology

4.12.2.2.

Risk Identification Procedures

4.12.2.3.

Risk Analysis and Evaluation

4.12.2.4.

Risk Treatment Planning

4.12.2.5.

Risk Monitoring and Review

4.12.3.

Security Awareness and Training

4.12.3.1.

Training Program Development

4.12.3.2.

Training Content Requirements

4.12.3.3.

Training Delivery Methods

4.12.3.4.

Training Effectiveness Measurement

4.12.4.

Incident Response Program

4.12.4.1.

Incident Response Plan

4.12.4.2.

Incident Classification

4.12.4.3.

Response Team Structure

4.12.4.4.

Communication Procedures

4.12.4.5.

Evidence Handling

4.12.4.6.

Post-Incident Activities

4.12.5.

Service Provider Management

4.12.5.1.

Due Diligence Procedures

4.12.5.2.

Contract Requirements

4.12.5.3.

Ongoing Monitoring

4.12.5.4.

Performance Management

4.12.6.

Business Continuity Planning

4.12.6.1.

Business Impact Analysis

4.12.6.2.

Recovery Strategies

4.12.6.3.

4.12.6.4.

Plan Maintenance

Previous

3. Scoping for PCI DSS Compliance

Go to top

Next

5. Validation and Assessment Methods