PCI Requirements

What follows are some high level requirements that companies face when becoming PCI compliant. Please note, this should not be considered an exhaustive list. Contact us for a comprehensive set of requirements based on your specific needs.

Requirement 1: “Install and maintain a firewall configuration to protect data.”

Requirement 2: “Do not use vendor-supplied defaults for system passwords and other security parameters.”

Requirement 3: “Protect stored data.”

Requirement 4: “Encrypt transmission of cardholder data and sensitive information across public networks.”

Requirement 5: “Use and regularly update anti-virus software.”

Requirement 6: “Develop and maintain secure systems and applications.”

Requirement 7: “Restrict access to data by business need-to-know.”

Requirement 8: “Assign a unique ID to each person with computer access.”

Requirement 9: “Restrict physical access to cardholder data.”

Requirement 10: “Track and monitor all access to network resources and cardholder data.”

Requirement 11: “Regularly test security systems and processes.”

Requirement 12: “Maintain a policy that addresses information security.”

---

Requirement 1: “Install and maintain a firewall configuration to protect data”?

To accomplish this you should consider the following:

• You should continuously monitor your firewall settings and if required change the firewall rule setting.
• You should perform rule audits of your firewall from external independent entity. Also, if architecture changes are required, such should be done immediately.
• You should review your router configurations periodically.

---

Requirement 2: “Do not use vendor-supplied defaults for system passwords and other security parameters.”

To accomplish this you should consider the following:

• Disable passwords as soon as something is installed. Also, consider keeping screen shots reflecting this that can be used as evidence for third parties doing audits.
• Harden your systems and constantly monitor them for new vulnerabilities.
• Implement secure communications protocols like SSH, SSL, etc.

---

Requirement 3: “Protect stored data.”

To accomplish this you should consider the following:

• Implement a Public Key Infrastructure (PKI).
• Review your data classification.
• Review your storage methods.
• Reviewing your data retention policies.

---

Requirement 4: “Encrypt transmission of cardholder data and sensitive information across public networks.”

To accomplish this you should consider the following:

• Implement a secure communications protocol like SSL or IPSec.
• Use encryption if you have a wireless network.
• Encrypt and regularly audit your email.

---

Requirement 5: “Use and regularly update anti-virus software.”

To accomplish this you should consider the following:

• Develop a procedure to deploy/update anti-virus technology. Anti-virus updates are generally automated procedures. However, ensure they are so and capture evidence that you receive regular updates.
• Carry out anti-virus audit on a regular basis.

---

Requirement 6:“Develop and maintain secure systems and applications.”

To accomplish this you should consider the following:

• Implement and enforce patch management.
• Implement SDLC security (testing, separate test & production environments, etc.).
• Implement stringent change control procedures.
• Review and thoroughly test Web application code.

---

Requirement 7: “Restrict access to data by business need-to-know.”

To accomplish this you should consider the following:

• Classify information in the organization.
• Implement and regularly update a strong data and system-level access control that aligns with how your information is classified.

---

Requirement 8: “Assign a unique ID to each person with computer access.”

To accomplish this you should consider the following:

• Eliminate group/batch logon IDs.
• Implement tokens, smartcards, and biometrics for accessing data.
• Implement 2-factor remote authentication methods.
• Implement strong user account security (password strength, account expiration, etc.).

---

Requirement 9: “Restrict physical access to cardholder data.”

To accomplish this you should consider the following:

• Add/upgrade facility access controls like swipe card entry to PCI environment, etc.
• Use off-site media storage.
• Add/update media storage and access controls/policies.

---

Requirement 10: “Track and monitor all access to network resources and cardholder data.”

To accomplish this you should consider the following:

• Implement log management.
• Implement file integrity monitors.
• Implement IDS/IPS with logging.
• Update log data review/retention procedures.

---

Requirement 11: “Regularly test security systems and processes.”

To accomplish this you should consider the following:

• Conduct vulnerability assessment scanning.
• Conduct penetration testing.
• Implement file integrity monitoring.

---

Requirement 12: “Maintain a policy that addresses information security.”

To accomplish this you should consider the following:

• Add and/or change as needed required policies.
• Conduct security awareness training.
• Add and/or update incident response procedures.