DataMasque

Capabilities

Data Security

PCI DSS Requirements supported by the software

Requirement 1: Install and Maintain Network Security Controls

1.2.1: Configuration standards defined, implemented, maintained (NSC rulesets)
1.2.7: Configurations reviewed at least once every six months
1.2.8: Configuration files secured, consistent with active configurations
1.3.1: Inbound traffic restricted, denied specifically (CDE)
1.3.2: Outbound traffic restricted, denied specifically (CDE)
1.3.3: NSCs installed between all wireless networks and CDE
1.4.1: NSCs implemented between trusted and untrusted networks
1.4.2: Inbound traffic from untrusted networks restricted/stateful responses
1.4.3: Anti-spoofing measures implemented (detect and block forged IPs)
1.4.4: Components storing CHD not directly accessible from untrusted networks
1.5.1: Security controls actively running (Endpoint protection)

Requirement 2: Apply Secure Configurations to All System Components

2.2.1: Implement, maintain secure configuration standards for all components
2.2.7: All non-console administrative access encrypted (strong cryptography)
2.3.2: Wireless encryption keys changed (personnel changes, compromise)

Requirement: 3 Protect Stored Account Data

3.2.1: Account data storage kept minimum; policies include secure deletion
3.3.1: SAD not stored after authorization, rendered unrecoverable
3.3.2: SAD stored electronically prior to authorization encrypted
3.4.1: PAN masked when displayed (max BIN + last 4 digits)
3.4.2: Technical controls prevent copying/relocating PAN (remote access)
3.5.1: PAN rendered unreadable (hashing, truncation, tokens, strong cryptography)
3.5.1.1: Hashes of PAN are keyed cryptographic hashes
3.5.1.2: Disk/partition encryption limited (PAN secured via another mechanism)
3.6.1: Procedures define protecting cryptographic keys (access restricted, separation)
3.6.1.2: Secret/private keys stored securely (encrypted/SCD/key shares)
3.7.1: Policies implemented for strong key generation
3.7.2: Policies implemented for secure key distribution
3.7.4: Policies implemented for key rotation/change
3.7.5: Policies implemented for key retirement/destruction/replacement
3.7.6: Manual cleartext operations use split knowledge/dual control
3.7.7: Prevention of unauthorized substitution of cryptographic keys
3.7.8: Key custodians formally acknowledge responsibilities
3.7.9: Guidance provided to customers on secure key management (SP only)

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

4.2.1: Strong cryptography safeguards PAN transmission (open, public networks)
4.2.1.1: Inventory maintained of trusted keys and certificates
4.2.2: PAN secured with strong cryptography (end-user messaging technologies)

Requirement 5: Protect All Systems and Networks from Malicious Software

5.3.4: Audit logs enabled and retained (anti-malware solution)
5.3.5: Anti-malware mechanisms cannot be disabled or altered by users

Requirement 6: Develop and Maintain Secure Systems and Software

6.2.1: Bespoke/custom software developed securely
6.2.2: Software development personnel trained
6.2.3: Software reviewed prior to release
6.2.4: Engineering techniques mitigate common software attacks
6.3.1: Security vulnerabilities identified/managed
6.3.2: Inventory of bespoke/third-party software maintained
6.3.3: Applicable security patches/updates installed
6.4.1: Automated technical solution continually detects/prevents web-based attacks
6.4.2: Automated technical solution continually detects/prevents web-based attacks
6.4.3: Payment page scripts managed (authorization, integrity assured, inventory maintained)
6.5.1: Testing verifies changes do not adversely impact system security
6.5.3: Pre-production environments separated
6.5.4: Roles/functions separated (production/pre-production)
6.5.5: Live PANs not used in pre-production

Requirement 7: Restrict Access by Business Need to Know

7.2.1: Access control model defined
7.2.2: Access assigned based on least privilege/job function
7.2.3: Required privileges approved by authorized personnel

Requirement 8: Identify Users and Authenticate Access to System Components

8.2.1: All users assigned a unique ID
8.2.4: Lifecycle of user IDs/auth factors authorized/managed/implemented
8.2.5: Access for terminated users immediately revoked
8.2.6: Inactive user accounts removed/disabled within 90 days
8.2.7: Third-party remote access accounts limited/monitored/disabled
8.3.1: All user access authenticated via at least one factor
8.3.2: Strong cryptography renders authentication factors unreadable
8.3.3: User identity verified before modifying authentication factor
8.3.4: Invalid attempts limited (lockout max 10 attempts, 30 min min)
8.3.5: Passwords reset to unique value, changed immediately after first use
8.3.6: Passwords meet minimum complexity
8.3.7: New password not same as last four used
8.3.9: Single-factor passwords changed every 90 days or dynamically analyzed
8.3.10.1: Single-factor passwords changed every 90 days or dynamically analyzed (SP only)
8.4.1: MFA implemented for non-console administrative access into CDE
8.4.2: MFA implemented for all non-console access into CDE
8.4.3: MFA implemented for all remote access
8.5.1: MFA system configured to prevent replay attacks and bypasses
8.6.3: Passwords/passphrases for application/system accounts managed/complexity

Requirement 9: Restrict Physical Access to Cardholder Data

9.2.1: Facility entry controls restrict physical access
9.2.1.1: Individual physical access to sensitive areas monitored
9.2.2: Physical/logical controls restrict publicly accessible network jacks
9.2.3: Physical access to wireless APs/networking hardware restricted
9.3.1.1: Physical access to sensitive areas controlled
9.3.2: Visitor access managed
9.3.3: Visitor badges surrendered/deactivated upon leaving/expiration
9.3.4: Visitor logs maintained
9.4.6: Hard-copy materials destroyed
9.4.7: Electronic media destroyed or data rendered unrecoverable
9.5.1: POI devices protected from tampering/unauthorized substitution
9.5.1.1: Up-to-date list of POI devices maintained
9.5.1.2: POI device surfaces periodically inspected
9.5.1.3: Personnel training provided

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

10.2.1: Audit logs enabled/active
10.2.2: Audit logs record required details
10.3.2: Audit logs protected to prevent modifications
10.3.3: Logs backed up promptly to secure central server
10.3.4: FIM/change-detection mechanisms used on audit logs
10.4.1: Critical audit logs reviewed at least daily
10.4.1.1: Automated mechanisms used to perform audit log reviews
10.5.1: Audit log history retained
10.6.1: System clocks synchronized
10.7.2: Failures of critical security controls detected, alerted, addressed promptly
10.7.3: Response promptly to failures of critical security controls (SP only)

Requirement 11: Test Security of Systems and Networks Regularly

11.3.1: Internal vulnerability scans performed at least quarterly
11.3.2: External vulnerability scans performed at least quarterly
11.4.1: Penetration testing methodology defined/documented
11.4.2: Internal penetration testing performed
11.4.3: External penetration testing performed
11.4.4: Exploitable vulnerabilities corrected, repeat testing to verify
11.4.5: Penetration tests validate segmentation controls
11.4.6: Penetration tests validate segmentation controls (SP only)
11.4.7: Support customers for external penetration testing (SP Multi-Tenant only)
11.5.1: Intrusion-detection/prevention techniques used
11.5.2: Change-detection mechanism deployed on critical files
11.6.1: Change/tamper-detection mechanism deployed

Requirement 12: Support Information Security with Organizational Policies and Programs

12.1.1: Overall information security policy established, maintained, disseminated
12.1.2: Information security policy reviewed at least annually, updated
12.1.3: Security policy defines roles, personnel acknowledge responsibilities
12.1.4: Responsibility formally assigned to CISO/executive management
12.2.1: Acceptable use policies defined for end-user technologies
12.3.3: Cryptographic cipher suites reviewed annually, plan documented
12.5.2: PCI DSS scope documented/confirmed

Appendix A3: Designated Entities Supplemental Validation (DESV)

A3.1.1: Executive management establishes accountability for PCI DSS program
A3.1.2: Formal PCI DSS compliance program defined, continuously monitored
A3.1.3: PCI DSS compliance roles specifically defined, formally assigned
A3.2.4: Penetration testing validates segmentation controls
A3.2.5.1: Effectiveness of data discovery methods tested annually
A3.2.6: Mechanisms detecting/preventing cleartext PAN leaving CDE
A3.2.6.1: Response procedures initiated upon attempted removal of PAN
A3.5.1: Methodology for prompt identification of attack patterns/undesirable behavior

PCI DSS SCOPE CLASSIFICATION

Software is considered part of the cardholder data environment (CDE)

Stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD)
Performs security or processing functions directly supporting CDE systems.

Software connected to the CDE

Does not store, process, or transmit CHD/SAD
Has unrestricted or trusted connectivity to CDE systems
Can impact the confidentiality, integrity, or availability of the CDE

System components applicable to the software within PCI DSS scope

Systems storing, processing, transmitting account data (CDE)
Payment terminals, gateways, middleware, and back-office
Systems providing security services like authentication or SIEM
Access control, CCTV, MFA, and anti-malware
Segmentation systems like internal network security controls
Systems impacting CDE security or web redirection
Name resolution servers and e-commerce redirects
Virtualization: VMs, virtual switches, appliances, and hypervisors
Cloud: containers, VPCs, IAM, and service meshes
Orchestration tools and images, on-premises or external
Network components: switches, routers, VoIP, and wireless
Security appliances and various network security controls
Servers: web, application, database, mail, and proxy
Critical services: NTP, DNS, and authentication servers
End-user devices: laptops, workstations, tablets, and mobile
Printers and multi-function devices (scan, print, fax)
Account data storage: paper, digital, audio, video
Applications: bespoke, custom, SaaS, and serverless components
Software development tools and code repositories
Configuration management and deployment systems for CDE

Software Out of Scope (Not Applicable)

Does not store, process, or transmit CHD/SAD
Has no unrestricted connectivity to CDE systems
Has no security impact on the CDE

PCI DSS Impact

In scope by impact
Applicable PCI DSS requirements depend on access and role (Req. 1, 7, 8, 10, 11)
Fully in scope
Subject to all applicable PCI DSS requirements
Considered Not Applicable to PCI DSS scope

DataMasque

by DataMasque

What is DataMasque?

Cybersecurity Regulations, Standards and Frameworks Supported

Deployment

Environment

Region

Industry

Capabilities

PCI DSS Requirements supported by the software

PCI DSS SCOPE CLASSIFICATION

Security

Software Security Development

(focuses on software security properties, design principles, and functional features)

Vendor Security Practices

(focuses on lifecycle processes, policies, and the software publisher’s environment)

Compliance Evaluation

Alternatives

Privitar Data Privacy Platform

by Privitar

Tonic

by Tonic.ai

DBSEC Data Masking System (DMS)

by Beijing DBSEC Technology (DBSEC)

We promise we won’t spam you.

By proceeding, you agree to our Terms of Use and Privacy Policy. You may unsubscribe at any time.