Requirement 1: Install and Maintain Network Security Controls
- 1.2.1: Configuration standards defined, implemented, maintained (NSC rulesets)
- 1.2.7: Configurations reviewed at least once every six months
- 1.2.8: Configuration files secured, consistent with active configurations
- 1.3.1: Inbound traffic restricted, denied specifically (CDE)
- 1.3.2: Outbound traffic restricted, denied specifically (CDE)
- 1.3.3: NSCs installed between all wireless networks and CDE
- 1.4.1: NSCs implemented between trusted and untrusted networks
- 1.4.2: Inbound traffic from untrusted networks restricted; stateful responses permitted
- 1.4.3: Anti-spoofing measures implemented (detect and block forged IPs)
- 1.4.4: Components storing CHD not directly accessible from untrusted networks
- 1.5.1: Security controls actively running (Endpoint protection)
Requirement 2: Apply Secure Configurations to All System Components
- 2.2.1: Implement, maintain secure configuration standards for all components
- 2.2.7: All non-console administrative access encrypted (strong cryptography)
- 2.3.2: Wireless encryption keys changed (personnel changes, compromise)
Requirement 3: Protect Stored Account Data
- 3.2.1: Account data storage kept minimum; policies include secure deletion
- 3.3.1: SAD not stored after authorization, rendered unrecoverable
- 3.3.2: SAD stored electronically prior to authorization encrypted
- 3.4.1: PAN masked when displayed (at most the BIN and last 4 digits visible)
- 3.4.2: Technical controls prevent copying/relocating PAN (remote access)
- 3.5.1: PAN rendered unreadable (hashing, truncation, tokens, strong cryptography)
- 3.5.1.1: Hashes of PAN are keyed cryptographic hashes
- 3.5.1.2: Disk/partition encryption limited (PAN secured via another mechanism)
- 3.6.1: Procedures define protecting cryptographic keys (access restricted, separation)
- 3.6.1.2: Secret/private keys stored securely (encrypted/SCD/key shares)
- 3.7.1: Policies implemented for strong key generation
- 3.7.2: Policies implemented for secure key distribution
- 3.7.4: Policies implemented for key rotation/change
- 3.7.5: Policies implemented for key retirement/destruction/replacement
- 3.7.6: Manual cleartext operations use split knowledge/dual control
- 3.7.7: Prevention of unauthorized substitution of cryptographic keys
- 3.7.8: Key custodians formally acknowledge responsibilities
- 3.7.9: Guidance provided to customers on secure key management (SP only)
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission
- 4.2.1: Strong cryptography safeguards PAN transmission (open, public networks)
- 4.2.1.1: Inventory maintained of trusted keys and certificates
- 4.2.2: PAN secured with strong cryptography (end-user messaging technologies)
Requirement 5: Protect All Systems and Networks from Malicious Software
- 5.3.4: Audit logs enabled and retained (anti-malware solution)
- 5.3.5: Anti-malware mechanisms cannot be disabled or altered by users
Requirement 6: Develop and Maintain Secure Systems and Software
- 6.2.1: Bespoke/custom software developed securely
- 6.2.2: Software development personnel trained
- 6.2.3: Software reviewed prior to release
- 6.2.4: Engineering techniques mitigate common software attacks
- 6.3.1: Security vulnerabilities identified/managed
- 6.3.2: Inventory of bespoke/third-party software maintained
- 6.3.3: Applicable security patches/updates installed
- 6.4.1: Automated technical solution continually detects/prevents web-based attacks
- 6.4.2: Automated technical solution continually detects/prevents web-based attacks
- 6.4.3: Payment page scripts managed (authorization, integrity assured, inventory maintained)
- 6.5.1: Testing verifies changes do not adversely impact system security
- 6.5.3: Pre-production environments separated
- 6.5.4: Roles/functions separated (production/pre-production)
- 6.5.5: Live PANs not used in pre-production
Requirement 7: Restrict Access by Business Need to Know
- 7.2.1: Access control model defined
- 7.2.2: Access assigned based on least privilege/job function
- 7.2.3: Required privileges approved by authorized personnel
Requirement 8: Identify Users and Authenticate Access to System Components
- 8.2.1: All users assigned a unique ID
- 8.2.4: Lifecycle of user IDs/auth factors authorized/managed/implemented
- 8.2.5: Access for terminated users immediately revoked
- 8.2.6: Inactive user accounts removed/disabled within 90 days
- 8.2.7: Third-party remote access accounts limited/monitored/disabled
- 8.3.1: All user access authenticated via at least one factor
- 8.3.2: Strong cryptography renders authentication factors unreadable
- 8.3.3: User identity verified before modifying authentication factor
- 8.3.4: Invalid authentication attempts limited (lockout after at most 10 attempts, for at least 30 minutes)
- 8.3.5: Passwords reset to unique value, changed immediately after first use
- 8.3.6: Passwords meet minimum complexity
- 8.3.7: New password not same as last four used
- 8.3.9: Single-factor passwords changed every 90 days or dynamically analyzed
- 8.3.10.1: Single-factor passwords changed every 90 days or dynamically analyzed (SP only)
- 8.4.1: MFA implemented for non-console administrative access into CDE
- 8.4.2: MFA implemented for all non-console access into CDE
- 8.4.3: MFA implemented for all remote access
- 8.5.1: MFA system configured to prevent replay attacks and bypasses
- 8.6.3: Passwords/passphrases for application/system accounts managed/complexity
Requirement 9: Restrict Physical Access to Cardholder Data
- 9.2.1: Facility entry controls restrict physical access
- 9.2.1.1: Individual physical access to sensitive areas monitored
- 9.2.2: Physical/logical controls restrict publicly accessible network jacks
- 9.2.3: Physical access to wireless APs/networking hardware restricted
- 9.3.1.1: Physical access to sensitive areas controlled
- 9.3.2: Visitor access managed
- 9.3.3: Visitor badges surrendered/deactivated upon leaving/expiration
- 9.3.4: Visitor logs maintained
- 9.4.6: Hard-copy materials destroyed
- 9.4.7: Electronic media destroyed or data rendered unrecoverable
- 9.5.1: POI devices protected from tampering/unauthorized substitution
- 9.5.1.1: Up-to-date list of POI devices maintained
- 9.5.1.2: POI device surfaces periodically inspected
- 9.5.1.3: Personnel training provided
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
- 10.2.1: Audit logs enabled/active
- 10.2.2: Audit logs record required details
- 10.3.2: Audit logs protected to prevent modifications
- 10.3.3: Logs backed up promptly to secure central server
- 10.3.4: FIM/change-detection mechanisms used on audit logs
- 10.4.1: Critical audit logs reviewed at least daily
- 10.4.1.1: Automated mechanisms used to perform audit log reviews
- 10.5.1: Audit log history retained
- 10.6.1: System clocks synchronized
- 10.7.2: Failures of critical security controls detected, alerted, addressed promptly
- 10.7.3: Failures of critical security controls responded to promptly (SP only)
Requirement 11: Test Security of Systems and Networks Regularly
- 11.3.1: Internal vulnerability scans performed at least quarterly
- 11.3.2: External vulnerability scans performed at least quarterly
- 11.4.1: Penetration testing methodology defined/documented
- 11.4.2: Internal penetration testing performed
- 11.4.3: External penetration testing performed
- 11.4.4: Exploitable vulnerabilities corrected, repeat testing to verify
- 11.4.5: Penetration tests validate segmentation controls
- 11.4.6: Penetration tests validate segmentation controls (SP only)
- 11.4.7: Support customers for external penetration testing (SP Multi-Tenant only)
- 11.5.1: Intrusion-detection/prevention techniques used
- 11.5.2: Change-detection mechanism deployed on critical files
- 11.6.1: Change/tamper-detection mechanism deployed
Requirement 12: Support Information Security with Organizational Policies and Programs
- 12.1.1: Overall information security policy established, maintained, disseminated
- 12.1.2: Information security policy reviewed at least annually, updated
- 12.1.3: Security policy defines roles, personnel acknowledge responsibilities
- 12.1.4: Responsibility formally assigned to CISO/executive management
- 12.2.1: Acceptable use policies defined for end-user technologies
- 12.3.3: Cryptographic cipher suites reviewed annually, plan documented
- 12.5.2: PCI DSS scope documented/confirmed
Appendix A3: Designated Entities Supplemental Validation (DESV)
- A3.1.1: Executive management establishes accountability for PCI DSS program
- A3.1.2: Formal PCI DSS compliance program defined, continuously monitored
- A3.1.3: PCI DSS compliance roles specifically defined, formally assigned
- A3.2.4: Penetration testing validates segmentation controls
- A3.2.5.1: Effectiveness of data discovery methods tested annually
- A3.2.6: Mechanisms detecting/preventing cleartext PAN leaving CDE
- A3.2.6.1: Response procedures initiated upon attempted removal of PAN
- A3.5.1: Methodology for prompt identification of attack patterns/undesirable behavior