PCI DSS v3.2 Implementation - Bliss or Nightmare
Requirements & Scope
● Scope includes security devices, virtual servers, network devices, server farms and applications that are connected to the cardholder data environment (CDE)
● Isolation of the CDE from the rest of the environment is not mandatory but recommended
● Any third-party service provider involved in the CDE will need annual and/or on-demand PCI DSS assessments
● There are 12 high-level requirements that must be met for the entity to get PCI certified
Steps in PCI DSS assessment process
● To confirm the scope of the PCI DSS assessment
● To perform the environment assessment for all 12 requirements
● To complete assessment reports and documentation, viz. the Self-Assessment Questionnaire (SAQ), Report on Compliance (ROC) and compensating control documentation
● To complete the compliance attestation for service providers (PA-DSS) or merchants
● To complete other requested documentation such as ASV scan reports for the service providers or merchants
● To remediate any requirements that are not in place and provide a report
Req 1: Install & maintain a firewall configuration protecting cardholder data
● Establish a formal process for testing and approving any firewall/routing configuration changes
● Secure & synchronize router & firewall configuration files
● Use features viz. NAT to hide private IP addresses
● Implement personal firewall software for portable devices
● Limit inbound internet traffic to servers in the DMZ
● Implement anti-spoofing to detect & block traffic with forged source IP addresses entering the network
Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters
● To remove/change all vendor-supplied default passwords in the system before connecting it to the network
● To harden the devices based on an industry standard viz. CIS/SANS/NIST before installation
● Enable only necessary functions & services on the servers
● Ensure the security policy & procedures have details on changing the vendor default credentials
Req 3: Protect stored cardholder data
● To implement data retention & disposal policies for storing cardholder data for business, legal & regulatory purposes
● Not to store full track data, CVV or full PIN after authorization, even if encrypted
● To mask the full card number, with only the first six and last four digits of the PAN visible
● Encrypt the full PAN anywhere it is stored
● Decryption keys for the above encryption to be stored separately and not associated with accounts
● Fully document all key management procedures for the decryption keys used in the system
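The masking rule above (first six and last four digits visible), as an added Python example that is not part of the slide deck; it goes one step further and scrubs unmasked PANs out of free text such as log lines, using a Luhn check to tell a card number from other digit runs. The regex, the sample lines and the use of the test PAN 4111111111111111 are constructed for illustration.

```python
import re
from typing import Tuple

# Added example, not from the slide deck: mask PANs as Req 3 describes and
# scrub unmasked PANs from free text. Regex and samples are constructed.

# 13-19 digits, optionally grouped by single spaces or hyphens, not adjacent
# to other digits (so a 16-digit run inside a longer number is not split out).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in text; return (text, count)."""
    count = 0

    def _repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. a reference number, leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_repl, text), count


if __name__ == "__main__":
    # Constructed log lines; 4111111111111111 is the usual Visa test PAN.
    sample = [
        "2024-05-01T10:15:02Z payment ok card=4111111111111111 amount=12.50",
        "2024-05-01T10:15:03Z retry card=4111 1111 1111 1111 ref=20240501101504",
        "2024-05-01T10:16:00Z ok txn=1234567890123 amount=3.00",
    ]
    for line in sample:
        print(scrub_text(line))
```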
Req 4: Encrypt transmission of cardholder data across open, public networks
● To implement data retention & disposal policies for storing cardholder data for business, legal & regulatory purposes
● Not to store full track data, CVV or full PIN after authorization, even if encrypted
● To mask the full card number, with only the first six and last four digits of the PAN visible
● Encrypt the full PAN anywhere it is stored
● Decryption keys for the above encryption to be stored separately and not associated with accounts
● Fully document all key management procedures for the decryption keys used in the systems
Req 5: Protect all systems against malware and regularly update anti-virus software or programs
● Deploy AV on all servers & desktops. Don't forget Linux servers
● AV solution to be kept up to date with new releases
● System owners shouldn't be allowed to turn off the AV program at their discretion
● AV scan logs to be centralized and available for PCI audit
● Procedures and policies in place for management approval of any alteration to the scans or updates
Req 6: Develop and maintain secure systems and applications
● Procedure and policy in place to apply the security patches provided by the system vendor
● Security patches to be applied within a month of release
● Conduct code review of custom code for application vulnerabilities
● Change control process in place to separate production & development environments
● To ensure production data is not used in the development environment
● Change control process in place for approvals, roll-back & testing of any system change request
● To conduct security vulnerability assessments of public-facing web servers periodically
● To have coding practices/training in place to avoid DB, OS and Active Directory level injection
Req 7: Restrict access to cardholder data by business need to know
● Restrict access to cardholder data, system components and privileged user IDs
● Documented procedure for approval of any changes to the above
● To have a default deny-all setting for any privileges for users/roles
● To open only those privileges required by business/system need
● Policy and procedure documented for restricting cardholder data access to only those who need it
Req 8: Identify and authenticate access to system components
● Unique user ID for each individual user
● Approvals and monitoring in place for privileged user IDs
● Revoke access for terminated/resigned users immediately
● Disable inactive user IDs within 90 days
● Remote access enabled for third parties only when required
● Lock out user IDs after a maximum of 6 invalid attempts
● Implement an idle session timeout of 15 minutes
● Enable 2FA for privileged user IDs
● Strict password controls, viz. password history, complex passwords, encryption, etc.
● Application IDs to be used only by systems and not by individual users
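The Req 8 parameters above (unique IDs, immediate revocation, 90-day inactivity, 6 invalid attempts, 15-minute idle timeout, 2FA for privileged IDs) turned into a periodic account-review check, as an added Python example that is not part of the slide deck; the Account fields, the sample users and the action strings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Added example, not from the slide deck: an account review that applies the
# Req 8 parameters to a constructed user list. The Account fields, the
# sample users and the action strings are assumptions for illustration.

MAX_FAILED_ATTEMPTS = 6               # lock out at this many invalid attempts
INACTIVE_LIMIT = timedelta(days=90)   # disable ids idle longer than this
IDLE_TIMEOUT = timedelta(minutes=15)  # end sessions idle longer than this
REVIEW_TIME = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed "now"


@dataclass
class Account:
    user_id: str
    last_login: Optional[datetime]            # None: never logged in
    failed_attempts: int = 0
    terminated: bool = False                  # HR says the person has left
    privileged: bool = False
    mfa_enabled: bool = False
    shared_by: int = 1                        # people who know this credential
    session_last_activity: Optional[datetime] = None  # open session, if any


def review_account(acct: Account, now: datetime) -> List[str]:
    """Return the corrective actions an administrator must take for one id."""
    actions: List[str] = []
    if acct.terminated:
        actions.append("revoke: user has been terminated")
    if acct.shared_by > 1:
        actions.append("replace shared id with unique user ids")
    if acct.privileged and not acct.mfa_enabled:
        actions.append("enable 2FA: privileged id without second factor")
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        actions.append(f"lock: {acct.failed_attempts} invalid attempts")
    if acct.last_login is None or now - acct.last_login > INACTIVE_LIMIT:
        actions.append("disable: inactive for more than 90 days")
    if (acct.session_last_activity is not None
            and now - acct.session_last_activity > IDLE_TIMEOUT):
        actions.append("terminate session: idle longer than 15 minutes")
    return actions


def review_all(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant user id to its required actions."""
    return {a.user_id: acts for a in accounts if (acts := review_account(a, now))}


def sample_findings(now: datetime = REVIEW_TIME) -> Dict[str, List[str]]:
    """Run the review over constructed accounts that exercise each rule."""
    accounts = [
        Account("alice", now - timedelta(days=2)),                  # compliant
        Account("bob", now - timedelta(days=120)),
        Account("carol", now - timedelta(days=1), failed_attempts=6),
        Account("dave", now - timedelta(days=3), terminated=True),
        Account("ops-admin", now - timedelta(hours=1), privileged=True),
        Account("helpdesk", now - timedelta(hours=2), shared_by=4),
        Account("erin", now - timedelta(hours=1),
                session_last_activity=now - timedelta(minutes=20)),
    ]
    return review_all(accounts, now)


if __name__ == "__main__":
    for user, actions in sample_findings().items():
        print(user, actions)
```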
Req 9: Restrict physical access to cardholder data
● Enable physical access control for the cardholder data environment
● Restrict access to publicly accessible network jacks
● Implement visitor access controls including badges, a log book, etc.
● Maintain strict control over the securing and distribution of media
● Approvals and monitoring in place for privileged user IDs
● Destroy media securely after the business-required retention period
● Maintain a list of systems and do periodic monitoring for any tampering
● Security policies and procedures in place for restricting physical access to the cardholder data environment
Req 10: Track and monitor all access to network resources and cardholder data
● Automated audit trails to monitor user access, invalid attempts, and stopping or pausing of audit logs
● Time synchronization for all systems
● Audit trails to be secured and non-alterable
● Review logs and security events to identify suspicious activity
● Review security events daily
● Process in place for responding to security controls
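A minimal version of the daily review the Req 10 bullets call for, as an added Python example that is not part of the slide deck: it flags a stopped or paused audit trail (a gap in events longer than the source's expected interval) and clusters of invalid login attempts, over a constructed log. The "timestamp event user" line format, the heartbeat event and the thresholds are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not from the slide deck: a small daily log review that flags
# two conditions Req 10 lists, a stopped or paused audit trail and repeated
# invalid login attempts. The "timestamp event user" line format, the
# heartbeat event and the thresholds are assumptions for illustration.

MAX_GAP = timedelta(minutes=10)       # source is assumed to log at least this often
FAILED_THRESHOLD = 6                  # same figure as the Req 8 lockout rule
FAILED_WINDOW = timedelta(minutes=5)

# Constructed log: 30 minutes of silence after 08:10, then a burst for bob.
SAMPLE_LOG = """\
2024-05-01T08:00:00 heartbeat -
2024-05-01T08:10:00 heartbeat -
2024-05-01T08:40:00 heartbeat -
2024-05-01T08:41:00 login_failed bob
2024-05-01T08:41:30 login_failed bob
2024-05-01T08:42:00 login_failed bob
2024-05-01T08:42:30 login_failed bob
2024-05-01T08:43:00 login_failed bob
2024-05-01T08:43:30 login_failed bob
2024-05-01T08:44:00 login_failed alice
2024-05-01T08:50:00 heartbeat -
"""

def parse_log(log: str) -> List[Tuple[datetime, str, str]]:
    """Parse 'timestamp event user' lines, sorted by time."""
    events = []
    for line in log.splitlines():
        ts, event, user = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), event, user))
    return sorted(events, key=lambda e: e[0])

def find_gaps(events, max_gap: timedelta = MAX_GAP) -> List[Tuple[datetime, datetime]]:
    """Intervals with no audit event at all: the trail was stopped or paused."""
    return [(a[0], b[0]) for a, b in zip(events, events[1:]) if b[0] - a[0] > max_gap]

def find_failed_bursts(events, threshold=FAILED_THRESHOLD, window=FAILED_WINDOW) -> Dict[str, datetime]:
    """Per user, start of the first run of `threshold` failures inside `window`."""
    per_user: Dict[str, List[datetime]] = {}
    for ts, event, user in events:
        if event == "login_failed":
            per_user.setdefault(user, []).append(ts)
    alerts = {}
    for user, times in per_user.items():        # times are already sorted
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts[user] = times[i]
                break
    return alerts

def daily_review(log: str) -> List[str]:
    """Human-readable findings for the reviewer."""
    events = parse_log(log)
    findings = [f"audit trail silent from {a.isoformat()} to {b.isoformat()}"
                for a, b in find_gaps(events)]
    findings += [f"{user}: {FAILED_THRESHOLD} invalid logins within {int(FAILED_WINDOW.total_seconds() // 60)} minutes from {ts.isoformat()}"
                 for user, ts in find_failed_bursts(events).items()]
    return findings

if __name__ == "__main__":
    print("\n".join(daily_review(SAMPLE_LOG)))
```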
Req 11: Regularly test security systems and processes
● Implement a process for quarterly review of wireless access points
● To maintain an inventory of wireless access points
● To have an incident response procedure if any unauthorized access points are identified
● To run quarterly internal/external vulnerability scans and clear high-severity vulnerability results
● To run penetration tests according to industry-accepted standards
● To implement intrusion-detection/prevention systems
Req 12: Maintain a policy that addresses information security for all personnel
● Publish and implement an organization-wide security policy which is to be reviewed annually
● To implement an annual risk assessment process
● To develop usage policies for critical systems & technologies
● Owner and contact information for critical systems to be available as part of the documentation
● Hiring process to include security policy implementation
● To implement an incident response plan for any system breach
● Designate persons available to respond 24/7 to alerts