What follows are some high level requirements that companies face when becoming PCI compliant. Please note, this should not be considered an exhaustive list. Contact ControlCase at contact@controlcase.com for a comprehensive set of requirements based on your specific needs.

Requirement 1: “Install and maintain a firewall configuration to protect data.”

Requirement 2: “Do not use vendor-supplied defaults for system passwords and other security parameters.”

Requirement 3: “Protect stored data.”

Requirement 4: “Encrypt transmission of cardholder data and sensitive information across public networks.”

Requirement 5: “Use and regularly update anti-virus software.”

Requirement 6: “Develop and maintain secure systems and applications.”

Requirement 7: “Restrict access to data by business need-to-know.”

Requirement 8: “Assign a unique ID to each person with computer access.”

Requirement 9: “Restrict physical access to cardholder data.”

Requirement 10: “Track and monitor all access to network resources and cardholder data.”

Requirement 11: “Regularly test security systems and processes.”

Requirement 12: “Maintain a policy that addresses information security.”


Requirement 1: “Install and maintain a firewall configuration to protect data.”

To accomplish this you should consider the following:

  • Continuously monitor your firewall settings and change the firewall rule set when required.
  • Have an external, independent entity perform rule audits of your firewall. If the audit shows that architecture changes are required, make them immediately.
  • Review your router configurations periodically.
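A firewall rule audit of the kind described above can be partly automated. The following Python script is an added example, not ControlCase material: it reads a constructed rule set (the `Rule` fields, the `CDE_NETWORKS` range and the rule IDs are all assumptions for illustration) and flags the findings an auditor would raise first: any/any/any allow rules, rules that admit traffic from any source into the cardholder data environment, rules that open every port into it, and allow rules with no documented business justification.

```python
"""Minimal firewall rule-set audit (added example; rules and networks are constructed)."""
import ipaddress
from dataclasses import dataclass

# Assumed cardholder data environment (CDE) address range for this example.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Rule:
    rule_id: str
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: str            # port number or "any"
    justification: str = ""


def _dst_in_cde(dst, cde_networks):
    """True when a concrete destination CIDR lies inside a CDE network."""
    if dst == "any":
        return False
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.subnet_of(cde) for cde in cde_networks)


def audit_rules(rules, cde_networks=CDE_NETWORKS):
    """Return (rule_id, finding) pairs for allow rules that need review."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are not the audit's concern here
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.rule_id, "any/any/any allow rule"))
        if r.src == "any" and _dst_in_cde(r.dst, cde_networks):
            findings.append((r.rule_id, "traffic from any source permitted into the CDE"))
        if r.port == "any" and _dst_in_cde(r.dst, cde_networks):
            findings.append((r.rule_id, "all ports open into the CDE"))
        if not r.justification.strip():
            findings.append((r.rule_id, "allow rule without documented business justification"))
    return findings


# Constructed sample rule base for the demonstration.
SAMPLE_RULES = [
    Rule("R1", "allow", "any", "10.10.0.0/24", "tcp", "443", "public web"),
    Rule("R2", "allow", "10.20.0.0/24", "10.10.0.10/32", "tcp", "1433", "app tier to database"),
    Rule("R3", "allow", "any", "any", "any", "any"),
    Rule("R4", "deny", "any", "any", "any", "any", "default deny"),
    Rule("R5", "allow", "10.20.0.0/24", "10.10.0.0/24", "any", "any", "admin access"),
]


def flagged_rule_ids(rules=SAMPLE_RULES):
    """Sorted, de-duplicated IDs of rules with at least one finding."""
    return sorted({rule_id for rule_id, _ in audit_rules(rules)})


if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
```

Run against a real rule base, the output is a starting list for the independent auditor, not a substitute for the audit: each flagged rule still needs a human decision on whether to tighten it or document why it stays.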



Requirement 2: “Do not use vendor-supplied defaults for system passwords and other security parameters.”

To accomplish this you should consider the following:

  • Disable vendor default passwords as soon as a system is installed. Consider keeping screenshots reflecting this, as they can serve as evidence for third parties performing audits.
  • Harden your systems and constantly monitor them for new vulnerabilities.
  • Implement secure communications protocols like SSH, SSL, etc.



Requirement 3: “Protect stored data.”

To accomplish this you should consider the following:

  • Implement a Public Key Infrastructure (PKI).
  • Review your data classification.
  • Review your storage methods.
  • Review your data retention policies.



Requirement 4: “Encrypt transmission of cardholder data and sensitive information across public networks.”

To accomplish this you should consider the following:

  • Implement a secure communications protocol like SSL or IPSec.
  • Use encryption if you have a wireless network.
  • Encrypt and regularly audit your email.



Requirement 5: “Use and regularly update anti-virus software.”

To accomplish this you should consider the following:

  • Develop a procedure to deploy and update anti-virus technology. Anti-virus updates are generally automated; verify that they are, and capture evidence that updates are received regularly.
  • Carry out anti-virus audits on a regular basis.



Requirement 6: “Develop and maintain secure systems and applications.”

To accomplish this you should consider the following:

  • Implement and enforce patch management.
  • Implement SDLC security (testing, separate test & production environments, etc.).
  • Implement stringent change control procedures.
  • Review and thoroughly test Web application code.



Requirement 7: “Restrict access to data by business need-to-know.”

To accomplish this you should consider the following:

  • Classify information in the organization.
  • Implement and regularly update a strong data and system-level access control that aligns with how your information is classified.



Requirement 8: “Assign a unique ID to each person with computer access.”

To accomplish this you should consider the following:

  • Eliminate group/batch logon IDs.
  • Implement tokens, smartcards, and biometrics for accessing data.
  • Implement 2-factor remote authentication methods.
  • Implement strong user account security (password strength, account expiration, etc.).



Requirement 9: “Restrict physical access to cardholder data.”

To accomplish this you should consider the following:

  • Add or upgrade facility access controls, such as swipe-card entry to the PCI environment.
  • Use off-site media storage.
  • Add/update media storage and access controls/policies.



Requirement 10: “Track and monitor all access to network resources and cardholder data.”

To accomplish this you should consider the following:

  • Implement log management.
  • Implement file integrity monitors.
  • Implement IDS/IPS with logging.
  • Update log data review/retention procedures.



Requirement 11: “Regularly test security systems and processes.”

To accomplish this you should consider the following:

  • Conduct vulnerability assessment scanning.
  • Conduct penetration testing.
  • Implement file integrity monitoring.
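File integrity monitoring appears under both Requirement 10 and Requirement 11. The script below is an added example, not ControlCase or vendor code, showing the core of such a monitor: hash every file under a directory into a baseline, store the baseline, and later compare a fresh scan against it to report added, removed and modified files. The directory layout and file contents in `demo()` are constructed for the illustration.

```python
"""Baseline-and-compare file integrity monitor (added example; sample files are constructed)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this copy off the monitored host."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_baseline(baseline, current):
    """Report which files appeared, disappeared or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then simulate drift and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.10.0.10\n")
        (root / "etc" / "old.conf").write_text("legacy settings\n")
        (root / "bin" / "pay").write_bytes(b"\x7fELF constructed binary")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root / "etc") | build_baseline_prefixed(root, "bin"), baseline_file)
        baseline = load_baseline(baseline_file)

        # Simulated drift: a config edit, a deleted file and a new binary.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.5\n")
        (root / "etc" / "old.conf").unlink()
        (root / "bin" / "helper").write_bytes(b"\x7fELF constructed binary 2")

        current = build_baseline(root / "etc") | build_baseline_prefixed(root, "bin")
        return compare_baseline(baseline, current)


def build_baseline_prefixed(root, subdir):
    """Baseline of root/subdir with paths prefixed by subdir, so several trees share one map."""
    return {f"{subdir}/{k}": v for k, v in build_baseline(Path(root) / subdir).items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is written right after a system is hardened and approved, stored where the monitored host cannot alter it, and the comparison runs on a schedule with every difference reconciled against change-control records; a change with no matching ticket is the event the monitor exists to surface.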



Requirement 12: “Maintain a policy that addresses information security.”

To accomplish this you should consider the following:

  • Add or update required policies as needed.
  • Conduct security awareness training.
  • Add and/or update incident response procedures.
