PCI DSS 4.0 Payment Card Industry Data Security Standard
Introduction and PCI Data Security Standard Overview
The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security and facilitate the widespread adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect account data, and the same controls can be applied to other parts of the payment ecosystem. The standard is organized around six goals: building and maintaining a secure network and systems, protecting account data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. A note on numbering: the twelve requirement titles below are those of PCI DSS v4.0, but the sub-requirement numbering in this summary follows the older v3.2.1 layout; v4.0 renumbered the sub-requirements (for example, PAN masking is 3.4.1 and incident response is 12.10 in v4.0), so map each item to the v4.0 text before quoting a number in an assessment.
PCI DSS Applicability Information
The PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Cardholder data is the primary account number (PAN), optionally with the cardholder name, expiration date and service code; sensitive authentication data is full track data, card verification codes (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks. This includes all entities involved in payment card processing, such as merchants, processors, acquirers, issuers, and service providers. The standard is relevant for any organization that could impact the security of the cardholder data environment (CDE). Compliance with PCI DSS is determined by the organizations managing compliance programs (e.g., payment brands and acquirers). Entities must evaluate their environments to determine the applicability of PCI DSS requirements and work with their respective compliance managers to validate their compliance.
Scope of PCI DSS Requirements
The PCI DSS requirements apply to all system components included in or connected to the cardholder data environment (CDE). The CDE comprises people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. Scope determination involves identifying all locations and flows of cardholder data, including connected system components that might not handle cardholder data directly but could impact its security (for example directory services, patch servers, monitoring systems and jump hosts). Proper segmentation can reduce the scope of the PCI DSS assessment by isolating systems that handle cardholder data from those that do not, but segmentation only reduces scope when it is verified to be effective: v4.0 requires segmentation controls to be penetration tested (at least annually, and every six months for service providers) and the entity to confirm its scope at least annually. Effective scope management includes maintaining an up-to-date inventory of system components, documenting data flows, implementing network segmentation, and ensuring comprehensive data protection measures are in place.
Build and Maintain a Secure Network and Systems
Requirement 1: Install and Maintain Network Security Controls
Description: Establish network security controls (firewalls, routers, cloud security groups and equivalent technologies) that protect cardholder data by controlling traffic between trusted and untrusted networks.
Implementation: Create and apply standards for firewall and router configurations, with a current network diagram and a business justification for every permitted service, protocol and port.
Monitoring: Regularly review and update firewall and router configurations.
Sub-requirements:
1.1 Establish and implement firewall and router configuration standards.
Description: Define and enforce firewall and router settings, including a current network diagram showing all connections to cardholder data and a documented, business-justified list of every permitted service, protocol and port.
Implementation: Document configuration standards and ensure they are applied; require formal approval and testing of all rule changes.
Monitoring: Review rule sets at least every six months and remove rules that no longer have a justification.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and system components.
Description: Limit network traffic to necessary and secure connections; anything not explicitly permitted is denied.
Implementation: Set up firewalls with an explicit deny-all rule after the permitted services, for inbound and outbound traffic alike.
Monitoring: Regularly test firewall rules and configurations.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Description: Prevent direct access to cardholder data from public networks.
Implementation: Place Internet-facing services in a DMZ and allow only that tier to reach the CDE; block direct inbound connections from the Internet to the CDE, restrict outbound traffic from the CDE to what is explicitly authorized, use anti-spoofing measures, and do not disclose private IP addresses and routing information to unauthorized parties.
Monitoring: Regularly check firewall settings and access logs.
1.4 Implement personal firewall software on mobile and employee-owned devices that connect to the Internet and access the cardholder data environment.
Description: Protect devices that connect both to untrusted networks and to the cardholder data environment.
Implementation: Install and configure personal firewall (or equivalent host-based) software with settings that users cannot alter or disable.
Monitoring: Ensure firewall software is active and updated.
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Description: Maintain comprehensive policies and procedures for firewall management.
Implementation: Document and distribute firewall management policies.
Monitoring: Review and update policies regularly.
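The following is an added example, not part of the PCI DSS text or any vendor's product: a small audit of a zone-based firewall policy for the conditions 1.2 and 1.3 describe (no path from an untrusted network straight into the CDE, no "any" sources or ports into the CDE, no unjustified outbound path from the CDE, and an explicit deny-all at the end). The zone names, first-match semantics and the two sample policies are assumptions of the example.

```python
"""Audit a simplified zone-based firewall policy against PCI DSS Requirement 1.

Added example; zones, first-match evaluation and the sample policies are assumptions.
"""
from dataclasses import dataclass

UNTRUSTED = {"internet", "guest-wifi"}   # open, public networks
CDE = {"cde"}                             # cardholder data environment


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    port: str     # destination port such as "443", or "any"
    action: str   # "allow" or "deny"


def evaluate(rules, src, dst, port):
    """First-match evaluation; a table with no matching rule denies."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action
    return "deny"


def audit_rules(rules):
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src in UNTRUSTED and r.dst in CDE:
            findings.append(f"rule {i}: {r.src}->{r.dst} allowed; CDE must not be reachable "
                            "from an untrusted network (1.3)")
        if r.src in CDE and r.dst in UNTRUSTED:
            findings.append(f"rule {i}: outbound {r.src}->{r.dst} allowed; outbound CDE "
                            "traffic needs an explicit business justification (1.3)")
        if r.dst in CDE and (r.src == "any" or r.port == "any"):
            findings.append(f"rule {i}: 'any' source or port into the CDE; restrict to "
                            "required sources and ports (1.2)")
    if not rules or rules[-1] != Rule("any", "any", "any", "deny"):
        findings.append("policy does not end with an explicit deny-all rule (1.2)")
    return findings


# Constructed sample policies (assumptions of this example).
BAD_RULES = [
    Rule("internet", "cde", "443", "allow"),   # direct Internet -> CDE
    Rule("any", "cde", "any", "allow"),        # any source, any port into the CDE
]

GOOD_RULES = [
    Rule("internet", "dmz", "443", "allow"),        # public web tier lives in the DMZ
    Rule("dmz", "cde", "5432", "allow"),            # only the DMZ app tier reaches the CDE database
    Rule("cde", "payments-gw", "443", "allow"),     # justified outbound path to the acquirer gateway
    Rule("any", "any", "any", "deny"),              # explicit default deny
]


if __name__ == "__main__":
    for name, policy in (("BAD_RULES", BAD_RULES), ("GOOD_RULES", GOOD_RULES)):
        print(name, audit_rules(policy) or "passes")
```

The same shape of check can be fed from a real firewall export (each vendor's rule dump maps onto the Rule fields) and run in CI so that a rule change that opens the CDE to an untrusted zone fails review before it reaches the device.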
Requirement 2: Apply Secure Configurations to All System Components
Description: Securely configure all system components to protect cardholder data.
Implementation: Establish and apply configuration standards for all systems.
Monitoring: Regularly review and update system configurations.
Sub-requirements:
2.1 Always change vendor-supplied defaults before installing a system on the network.
Description: Replace default settings with secure configurations; default passwords, SNMP community strings and wireless keys are the first things an attacker tries.
Implementation: Change or disable default accounts and passwords on all systems, and change wireless vendor defaults (encryption keys, passwords, SNMP strings) before deployment.
Monitoring: Verify settings during system installation and periodically.
2.2 Develop configuration standards for all system components.
Description: Create hardening standards that address all known security weaknesses and are consistent with industry-accepted sources (for example CIS benchmarks, NIST guidance or vendor hardening guides).
Implementation: Develop and document configuration standards: one primary function per server, only the services, protocols and daemons that are needed, secure settings for any insecure services that must remain, and removal of unnecessary functionality such as scripts, drivers and sample content.
Monitoring: Regularly review and update configuration standards.
2.3 Encrypt all non-console administrative access using strong cryptography.
Description: Secure administrative access with encryption.
Implementation: Use SSH, TLS or a VPN for remote administration; Telnet, unencrypted HTTP and other clear-text management protocols must be disabled.
Monitoring: Check configurations and logs to ensure encryption is used.
2.4 Maintain an inventory of system components that are in scope for PCI DSS.
Description: Keep an updated list of all systems that store, process, or transmit cardholder data, and of systems connected to them.
Implementation: Create and maintain a system inventory that records the function of each component.
Monitoring: Regularly update and review the inventory.
2.5 Ensure that security policies and operational procedures for managing system configurations are documented, in use, and known to all affected parties.
Description: Document and disseminate configuration management procedures.
Implementation: Develop and distribute policies and procedures.
Monitoring: Review and update policies and ensure staff awareness.
Protect Account Data
Requirement 3: Protect Stored Account Data
Description: Protect stored cardholder data through encryption and secure storage practices.
Implementation: Apply encryption and other security measures to stored data.
Monitoring: Regularly audit storage practices and encryption methods.
Sub-requirements:
3.1 Limit data retention and discard cardholder data when no longer needed for legal, regulatory, or business requirements.
Description: Retain cardholder data only as long as necessary. Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) must not be stored after authorization at all, even if encrypted.
Implementation: Establish and enforce data retention policies with a defined retention period and a secure deletion process.
Monitoring: Review stored data at least quarterly and securely delete anything that has exceeded its retention period.
3.2 Mask PAN when displayed (the BIN and last four digits are the maximum number of digits to be displayed).
Description: Ensure only partial PAN is visible when displayed. In v4.0 the BIN may be six or eight digits, and only personnel with a documented business need may see more than the BIN and last four.
Implementation: Configure systems to mask PAN on screens, receipts, reports and exports.
Monitoring: Verify masking configurations regularly.
3.3 Render PAN unreadable anywhere it is stored.
Description: Protect stored PAN so that it cannot be read by anyone who obtains the storage medium. Acceptable methods are one-way keyed hashes, truncation, index tokens, or strong cryptography with proper key management; an unkeyed hash of a PAN is not sufficient because the digit space left once the BIN is known is small enough to brute-force.
Implementation: Use strong cryptography to render PAN unreadable; if disk or database encryption is used, manage decryption access separately from the operating system's native authentication, and keep keys separate from the data they protect.
Monitoring: Regularly check encryption status, methods and key management.
3.4 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
Description: Maintain policies for data protection.
Implementation: Document and distribute policies and procedures.
Monitoring: Review and update policies regularly.
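The following is an added example, not taken from the PCI DSS text or from any payment library, covering the 3.1 to 3.3 handling rules above: display masking limited to the BIN and last four, storage truncation, a keyed hash for lookups (an unkeyed hash is brute-forceable once the BIN is known), redaction of PANs that leak into free text such as log lines, and a retention check. The HMAC key, the 90-day retention period and the sample values (standard test card numbers and a constructed log line) are assumptions of the example.

```python
"""PAN handling helpers for PCI DSS Requirement 3 (added example, not the standard's own code)."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(pan: str) -> str:
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(_digits(pan))):
        n = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Display masking: show at most the BIN (6 or 8 digits) and the last four."""
    if bin_len not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    d = _digits(pan)
    return d[:bin_len] + "*" * (len(d) - bin_len - 4) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep first six and last four; the middle is discarded, not hidden."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN for lookups. With the BIN known, a 16-digit PAN has only
    about 10**9 possibilities (10**8 after the Luhn digit), so a plain SHA-256 would be
    reversed in minutes; v4.0 (3.5.1.1) therefore requires a keyed hash with managed keys."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def redact_text(text: str) -> str:
    """Replace anything that looks like a Luhn-valid PAN with its masked form (log hygiene)."""
    def _sub(m):
        raw = m.group(0)
        try:
            return mask_pan(raw) if luhn_ok(raw) else raw
        except ValueError:
            return raw
    return PAN_RE.sub(_sub, text)


def retention_expired(stored_on: str, today: str, retention_days: int = 90) -> bool:
    """True when data (ISO dates) has outlived the assumed 90-day retention period."""
    return date.fromisoformat(today) - date.fromisoformat(stored_on) > timedelta(days=retention_days)


if __name__ == "__main__":
    line = "2024-05-01 12:00:03 order=44812 pan=4111 1111 1111 1111 amount=19.99"  # constructed
    print(redact_text(line))
    print(mask_pan("378282246310005"), truncate_pan("4111111111111111"))
```

Redaction in the logging pipeline is the second line of defence: the first is never writing PAN to logs at all, and the Luhn filter keeps the regex from mangling order numbers and timestamps.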
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Description: Encrypt cardholder data during transmission to protect it from interception.
Implementation: Use strong encryption protocols for data transmission.
Monitoring: Regularly review encryption configurations and logs.
Sub-requirements:
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Description: Encrypt cardholder data during transmission over the Internet, wireless networks, cellular networks and any other network the entity does not control.
Implementation: Use TLS 1.2 or later with strong cipher suites and verified certificates. SSL and early TLS (1.0 and 1.1) are not considered strong cryptography and must not be used; only trusted keys and certificates may be accepted, and certificates must be valid and neither expired nor revoked. PAN must never be sent over end-user messaging technologies (e-mail, instant messaging, SMS, chat) unless it has first been rendered unreadable.
Monitoring: Verify the enabled protocol versions and cipher suites, for example with an external TLS scan, and check transmission logs.
4.2 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Description: Document encryption policies and procedures.
Implementation: Develop and distribute encryption policies.
Monitoring: Review and update policies regularly.
Maintain a Vulnerability Management Program
Requirement 5: Protect All Systems and Networks from Malicious Software
Description: Deploy anti-malware software to protect systems from threats.
Implementation: Install and configure anti-malware software on all systems commonly affected by malware.
Monitoring: Regularly update and review anti-malware software and logs.
Sub-requirements:
5.1 Deploy anti-virus software on all systems commonly affected by malicious software.
Description: Protect systems with anti-malware software that detects, removes and protects against all known types of malware.
Implementation: Install anti-malware software on all applicable systems; for systems considered not commonly affected (for example some mainframes or appliances), periodically re-evaluate whether that is still true.
Monitoring: Ensure anti-malware software is active and updated.
5.2 Ensure that anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs.
Description: Maintain and monitor anti-malware software.
Implementation: Configure the software to update automatically, run periodic scans, and write audit logs that are retained under Requirement 10; users must not be able to disable or alter it, except case by case with management authorization for a limited period.
Monitoring: Review scan results and audit logs regularly.
5.3 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Description: Maintain malware protection policies.
Implementation: Document and distribute malware protection policies.
Monitoring: Review and update policies regularly.
Requirement 6: Develop and Maintain Secure Systems and Software
Description: Ensure that systems and software are secure through regular updates and secure coding practices.
Implementation: Apply patches, use secure coding practices, and manage changes carefully.
Monitoring: Regularly review and update software and systems.
Sub-requirements:
6.1 Establish a process to identify security vulnerabilities.
Description: Proactively identify security vulnerabilities using reputable outside sources (vendor advisories, CERT and NVD feeds) and assign each a risk ranking (for example high, medium, low) so that the most critical ones are addressed first.
Implementation: Use tools and resources to identify vulnerabilities and track each one to closure.
Monitoring: Regularly review vulnerability reports.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Description: Apply security patches to protect systems; critical and high-risk patches must be installed within one month of release.
Implementation: Regularly apply vendor-supplied patches, including to firmware, libraries and third-party components, not only to the operating system.
Monitoring: Track and verify patch installation.
6.3 Develop internal and external software applications securely.
Description: Ensure secure development of software in accordance with industry standards, with security built into the whole lifecycle.
Implementation: Follow secure coding guidelines that address the common vulnerability classes (injection, buffer overflows, cross-site scripting, broken authentication and session management, insecure cryptographic storage, improper error handling); remove development and test accounts and test data before release; have code reviewed by someone other than the author before it goes to production.
Monitoring: Conduct regular code reviews and security testing.
6.4 Ensure that change control procedures include the following:
Testing of all changes.
Change approval by authorized personnel.
Back-out procedures.
Description: Manage changes to systems securely, with development and test environments separated from production and separation of duties between the two.
Implementation: Establish and follow change control procedures; document the impact of each change and, after a significant change, verify that all applicable PCI DSS requirements still hold.
Monitoring: Review change logs and test change control processes.
6.5 Ensure that security policies and operational procedures for managing system vulnerabilities and software changes are documented, in use, and known to all affected parties.
Description: Document and maintain procedures for managing vulnerabilities and changes.
Implementation: Develop and distribute relevant policies and procedures.
Monitoring: Regularly review and update policies.
Implement Strong Access Control Measures
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
Description: Limit access to system components and cardholder data to only those individuals whose job requires such access.
Implementation: Establish access control policies and implement technical controls.
Monitoring: Regularly review access control policies and user access rights.
Sub-requirements:
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Description: Restrict access based on job roles, granting the least privileges necessary to perform each role.
Implementation: Define and document the access needs of each role, and require documented approval by authorized parties before access is granted.
Monitoring: Review access control lists and user accounts regularly (v4.0 requires a review at least every six months) and remove access that is no longer required.
7.2 Establish an access control system for systems in the cardholder data environment.
Description: Implement access control systems that cover all system components and default to "deny all".
Implementation: Use access control technologies such as ACLs, IAM roles and group policies, assigning privileges by job classification and function.
Monitoring: Monitor access control system logs.
Requirement 8: Identify Users and Authenticate Access to System Components
Description: Ensure each user has a unique identifier so that actions can be traced to an individual, and require multi-factor authentication (MFA) for all access into the cardholder data environment, for all non-console administrative access, and for all remote network access originating outside the entity's network.
Implementation: Implement user identification and authentication mechanisms.
Monitoring: Regularly review user accounts and authentication logs.
Sub-requirements:
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
Description: Manage user identification for all system users; shared, group or generic accounts are not permitted.
Implementation: Assign unique IDs and manage user credentials; control additions, deletions and changes; revoke access immediately on termination; remove or disable accounts inactive for 90 days; lock an account after no more than ten invalid attempts, for at least 30 minutes or until an administrator confirms the user's identity; require re-authentication after 15 minutes of inactivity.
Monitoring: Regularly review user ID assignments and changes.
8.2 Ensure proper user authentication and secure access to system components.
Description: Authenticate users with something they know, something they have or something they are, and render passwords unreadable in storage and in transit.
Implementation: Implement multi-factor authentication using two different factor types (two passwords are not MFA); enforce password strength (v4.0: at least 12 characters, or 8 where the system cannot support 12, containing both letters and numbers) and prevent reuse of the last four passwords.
Monitoring: Monitor authentication logs and configurations.
8.3 Implement strong cryptography to protect authentication credentials during transmission.
Description: Encrypt authentication credentials.
Implementation: Use strong encryption protocols for credential transmission; never send passwords or one-time codes over clear-text channels.
Monitoring: Verify encryption settings and monitor transmission logs.
8.4 Ensure that security policies and operational procedures for identifying and authenticating access to system components are documented, in use, and known to all affected parties.
Description: Maintain policies for user identification and authentication.
Implementation: Document and distribute policies and procedures.
Monitoring: Review and update policies regularly.
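The following is an added example (not from the PCI DSS text or any authentication product) of the 8.1 and 8.2 behaviour above: an RFC 6238 time-based one-time password as the "something you have" factor, verification that tolerates one step of clock drift but refuses replay of a used code, and a login routine that requires both factors and locks the account after ten failures for 30 minutes. The PBKDF2 cost, the user names and the demo secret (the RFC 6238 test key) are assumptions of the example.

```python
"""TOTP second factor plus account lockout for PCI DSS Requirement 8 (added example)."""
import hashlib
import hmac
import os
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(key, int(at) // step, digits)


def verify_totp(key, code, at, last_counter=-1, window=1, step=30, digits=6):
    """Accept the current step or one step either side (clock drift), but never a step
    at or before the last accepted one, so a sniffed code cannot be replayed."""
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(key, c, digits), code):
            return True, c
    return False, last_counter


class Authenticator:
    MAX_FAILURES = 10            # v4.0 8.3.4: no more than ten invalid attempts
    LOCKOUT_SECONDS = 30 * 60    # v4.0 8.3.4: locked for at least 30 minutes
    KDF_ROUNDS = 100_000         # assumed for the demo; use a higher cost in production

    def __init__(self):
        self.users = {}

    @classmethod
    def _kdf(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.KDF_ROUNDS)

    def enroll(self, user: str, password: str, totp_key: bytes):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": self._kdf(password, salt), "totp_key": totp_key,
                            "failures": 0, "locked_until": 0, "last_counter": -1}

    def login(self, user: str, password: str, code: str, now=None) -> str:
        """Returns 'ok', 'denied' or 'locked'. Both factors are checked on every attempt."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None:
            self._kdf(password, b"\x00" * 16)   # same cost as a real check; do not reveal valid IDs
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        pw_ok = hmac.compare_digest(self._kdf(password, rec["salt"]), rec["pw"])
        otp_ok, counter = verify_totp(rec["totp_key"], code, now, rec["last_counter"])
        if pw_ok and otp_ok:
            rec["failures"] = 0
            rec["last_counter"] = counter       # burn the step so the code cannot be reused
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.MAX_FAILURES:
            rec["locked_until"] = now + self.LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    key = b"12345678901234567890"             # RFC 6238 test vector key (demo only)
    print(totp(key, 59, digits=8))            # RFC 6238 Appendix B gives 94287082
```

The lockout counter is kept per account rather than per source address, since an attacker spraying passwords from many addresses would otherwise never trigger it; the replay guard matters because a TOTP code is valid for the whole 30-second step, not just for one use.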
Requirement 9: Restrict Physical Access to Cardholder Data
Description: Limit physical access to systems and locations where cardholder data is stored, processed, or transmitted.
Implementation: Implement physical access controls.
Monitoring: Regularly review physical access logs and controls.
Sub-requirements:
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Description: Control physical access to secure areas, including publicly accessible network jacks, wireless access points, gateways and handheld devices.
Implementation: Use badges, biometric systems, or other access control mechanisms; use video cameras or other access control mechanisms to monitor entry and exit points of sensitive areas and retain that data for at least three months.
Monitoring: Monitor and review physical access logs.
9.2 Develop procedures to ensure that all physical access to data centers and other physical locations containing cardholder data is authorized and monitored.
Description: Authorize and monitor physical access, and make it easy to distinguish onsite personnel from visitors.
Implementation: Establish access authorization procedures; escort visitors, give them visible expiring badges, and keep a visitor log retained for at least three months.
Monitoring: Regularly review access logs and authorization records.
9.3 Ensure that physical access to cardholder data is restricted and that only authorized personnel have access.
Description: Restrict access to cardholder data, including media (paper and electronic) that contains it.
Implementation: Use locked cabinets, secure rooms, and access controls; inventory media, classify it, send it only by secured courier, and destroy it when no longer needed (shred, incinerate or pulp paper; securely wipe or physically destroy electronic media). Protect payment terminals and other point-of-interaction devices against tampering and substitution with an inventory and periodic inspections for skimmers.
Monitoring: Regularly audit physical access controls and logs.
9.4 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
Description: Maintain policies for physical access control.
Implementation: Document and distribute policies and procedures.
Monitoring: Review and update policies regularly.
Regularly Monitor and Test Networks
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
Description: Track and monitor all access to network resources and cardholder data.
Implementation: Implement logging mechanisms and regularly review logs.
Monitoring: Continuously monitor access logs and investigate anomalies.
Sub-requirements:
10.1 Implement audit trails to link all access to system components to each individual user.
Description: Ensure audit trails can link user actions to individual users; this is why shared accounts are forbidden under Requirement 8.
Implementation: Configure systems to generate audit trails.
Monitoring: Regularly review audit trails and ensure linkage.
10.2 Implement automated audit trails for all system components to reconstruct the following events:
All individual user accesses to cardholder data.
All actions taken by any individual with root or administrative privileges.
Access to all audit trails.
Invalid logical access attempts.
Use of identification and authentication mechanisms, including changes to accounts and elevation of privileges.
Initialization, stopping or pausing of the audit logs.
Creation and deletion of system-level objects.
Description: Reconstruct key events using audit trails.
Implementation: Configure audit trails for the specified events and forward them to a central log server.
Monitoring: Review and maintain audit trails.
10.3 Record at least the following audit trail entries for all system components for each event:
User identification.
Type of event.
Date and time.
Success or failure indication.
Origination of event.
Identity or name of affected data, system component, or resource.
Description: Log enough detail for each event that it can be reconstructed and attributed.
Implementation: Ensure audit logs include the required information; never write full PAN or sensitive authentication data into logs.
Monitoring: Regularly review and verify log entries.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times.
Description: Synchronize system clocks so that events from different systems can be correlated.
Implementation: Use NTP or a similar protocol; take time from industry-accepted external sources, have designated internal time servers distribute it, and restrict who may change time settings.
Monitoring: Regularly verify time synchronization.
10.5 Secure audit trails so they cannot be altered.
Description: Protect audit trails from tampering.
Implementation: Limit viewing of logs to those with a job-related need, protect log files from unauthorized modification, promptly back up logs to a centralized server or media that is difficult to alter, and apply file-integrity monitoring or change detection to the log files themselves.
Monitoring: Regularly check the integrity of audit trails.
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
Description: Regularly review logs for unusual activity.
Implementation: Review at least daily the logs of all CDE components and of all security functions (firewalls, IDS/IPS, authentication servers); review logs of other components periodically based on risk; use automated log-harvesting, parsing and alerting tools.
Monitoring: Investigate and respond to identified anomalies and exceptions.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
Description: Maintain log history for a specified period.
Implementation: Implement log retention policies.
Monitoring: Ensure logs are retained as required and are accessible for analysis.
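As an added example for 10.3, 10.5 and 10.6 (not from the PCI DSS text or any SIEM product), the block below keeps an audit trail that refuses events missing any of the six required fields, chains each entry to the previous one with an HMAC so that a silently edited or reordered entry is detected, and applies one daily-review rule (repeated failed logins from one source) over the entries. The key, event names and sample events are constructed for the example; IP addresses come from the documentation ranges.

```python
"""Tamper-evident audit trail and a review rule for PCI DSS Requirement 10 (added example)."""
import hashlib
import hmac
import json
from collections import Counter

# The six fields 10.3 requires for every event.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "resource")
GENESIS = b"\x00" * 32


def _canonical(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key          # held by the log collector, not by the systems that write events
        self.entries = []
        self._prev = GENESIS

    def append(self, **fields):
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit event missing required fields: {missing}")
        # Each MAC covers the previous MAC, so editing, deleting or reordering an earlier
        # entry breaks every MAC after it.
        tag = hmac.new(self._key, self._prev + _canonical(fields), hashlib.sha256).digest()
        self.entries.append({"seq": len(self.entries), "body": fields, "mac": tag.hex()})
        self._prev = tag

    def verify(self):
        """Index of the first entry whose chain MAC does not verify, or None if intact.
        Truncation of the tail is only detectable if the latest MAC is also stored
        out of band (for example on the central log server)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = hmac.new(self._key, prev + _canonical(e["body"]), hashlib.sha256).digest()
            if e["seq"] != i or not hmac.compare_digest(expected.hex(), e["mac"]):
                return i
            prev = expected
        return None


def failed_login_sources(trail: AuditTrail, threshold: int = 5) -> set:
    """Daily-review rule: (user, origin) pairs with at least `threshold` failed logins."""
    counts = Counter(
        (e["body"]["user"], e["body"]["origin"])
        for e in trail.entries
        if e["body"]["event_type"] == "auth.login" and e["body"]["outcome"] == "failure"
    )
    return {pair for pair, n in counts.items() if n >= threshold}


def build_sample_trail(key: bytes = b"demo-audit-key") -> AuditTrail:
    """Constructed events: a brute-force burst against 'admin', then a normal session."""
    t = AuditTrail(key)
    for i in range(6):
        t.append(user="admin", event_type="auth.login", timestamp=f"2024-05-01T02:14:{i:02d}Z",
                 outcome="failure", origin="203.0.113.5", resource="cde-db-01")
    t.append(user="jdoe", event_type="auth.login", timestamp="2024-05-01T08:00:00Z",
             outcome="success", origin="10.20.30.40", resource="cde-app-01")
    t.append(user="jdoe", event_type="data.read", timestamp="2024-05-01T08:00:05Z",
             outcome="success", origin="10.20.30.40", resource="cardholder_db.transactions")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    print("review hits:", failed_login_sources(trail))
```

The required-field check is what turns "we have logs" into logs an investigator can use: an event without origin or outcome cannot be reconstructed, and the chain makes the answer to "could an administrator have edited this?" verifiable rather than a matter of trust.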
Requirement 11: Test Security of Systems and Networks Regularly
Description: Regularly test security systems and processes to ensure they are functioning properly.
Implementation: Conduct vulnerability scans, penetration testing, and other security assessments.
Monitoring: Regularly review test results and address identified issues.
Sub-requirements:
11.1 Implement processes to test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Description: Test for unauthorized wireless access points, including rogue devices plugged into network ports inside the CDE.
Implementation: Use wireless scanning tools or a wireless IDS/IPS, and keep an inventory of authorized access points with a documented business justification for each.
Monitoring: Regularly review scan results and investigate unauthorized devices; the incident response plan must cover detection of a rogue access point.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
Description: Conduct regular vulnerability scans.
Implementation: External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) and repeated until a passing scan is obtained; internal scans may be run by qualified internal staff, with high-risk and critical findings remediated and rescanned; v4.0 (11.3.1.2) additionally requires internal scans to be authenticated.
Monitoring: Review scan results and remediate vulnerabilities.
11.3 Implement a methodology for penetration testing that includes the following:
Testing from both inside and outside the network.
Testing to validate any segmentation and scope-reduction controls.
Description: Conduct penetration testing at both the network layer and the application layer to identify and exploit vulnerabilities.
Implementation: Follow a structured methodology based on industry-accepted approaches (for example NIST SP 800-115); test externally and internally at least annually and after any significant infrastructure or application change; test segmentation controls at least annually, and at least every six months for service providers.
Monitoring: Review test results, correct exploitable vulnerabilities and retest to verify the fixes.
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.
Description: Implement IDS/IPS to detect and prevent intrusions.
Implementation: Deploy IDS/IPS at the perimeter of the CDE and at critical points inside it, and keep engines, baselines and signatures current.
Monitoring: Regularly review IDS/IPS alerts and logs.
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring) to alert personnel to unauthorized modification of critical system files, configuration files, or content files.
Description: Detect unauthorized changes to critical files, including the audit logs themselves.
Implementation: Use file integrity monitoring tools and perform critical file comparisons at least weekly.
Monitoring: Review alerts and logs from change-detection mechanisms and respond to them.
11.6 Ensure that security policies and operational procedures for testing security systems and processes are documented, in use, and known to all affected parties.
Description: Maintain policies for testing security systems.
Implementation: Document and distribute testing policies and procedures.
Monitoring: Review and update policies regularly.
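The following is an added example for 11.5 (not from the PCI DSS text or any FIM product): a minimal file-integrity monitor that hashes a tree of critical files, signs the baseline with an HMAC so that an intruder who can write the baseline cannot quietly rewrite it to match their changes, and reports added, removed and modified files on the next run. The paths, the key and the throwaway demo tree are assumptions of the example.

```python
"""Minimal file-integrity monitoring for PCI DSS 11.5 (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def sign_baseline(snap: dict, key: bytes) -> str:
    """Serialize the baseline with an HMAC; the key lives with the monitoring server,
    not on the monitored host, so a local root compromise cannot forge a baseline."""
    body = json.dumps(snap, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"snapshot": snap, "mac": mac})


def load_baseline(blob: str, key: bytes) -> dict:
    data = json.loads(blob)
    body = json.dumps(data["snapshot"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, data["mac"]):
        raise ValueError("baseline signature mismatch; the baseline itself may have been tampered with")
    return data["snapshot"]


def compare(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo_fim(key: bytes = b"fim-baseline-key") -> dict:
    """Build a throwaway tree, baseline it, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.py").write_text("print('payments')\n")
        blob = sign_baseline(snapshot(root), key)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # weakened config
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")         # new persistence file
        (root / "app.py").unlink()                                           # removed file
        return compare(load_baseline(blob, key), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo_fim(), indent=2))
```

In practice the comparison runs on a schedule (the standard asks for at least weekly) against paths such as system binaries, configuration files, web content and the audit log directory, and every "modified" hit is reconciled against the change-control record; anything without a matching approved change is an incident.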
Maintain an Information Security Policy
Requirement 12: Support Information Security with Organizational Policies and Programs
Description: Establish and maintain an information security policy that addresses information security for employees and contractors.
Implementation: Develop, document, and distribute security policies.
Monitoring: Regularly review and update security policies and ensure compliance.
Sub-requirements:
12.1 Establish, publish, maintain, and disseminate a security policy that addresses information security for all personnel.
Description: Create and share a comprehensive security policy.
Implementation: Develop and distribute the security policy.
Monitoring: Review the policy at least annually and update it when the environment changes.
12.2 Implement a risk assessment process that is performed at least annually and upon significant changes to the environment.
Description: Conduct regular risk assessments that identify critical assets, threats and vulnerabilities and produce a formal, documented analysis of risk.
Implementation: Establish and follow a risk assessment process.
Monitoring: Review and update risk assessments regularly.
12.3 Develop usage policies for critical technologies and define proper use of these technologies.
Description: Define and document proper use of critical technologies such as remote access, wireless, removable media, laptops, mobile devices and e-mail.
Implementation: Create usage policies that cover approval, authentication, an inventory of approved devices, acceptable uses and network locations, and automatic disconnect of idle remote sessions.
Monitoring: Ensure compliance with usage policies.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Description: Assign security responsibilities to personnel.
Implementation: Document and communicate security responsibilities.
Monitoring: Verify adherence to assigned responsibilities.
12.5 Assign to an individual or team the responsibility for managing information security and ensure that the results of the risk assessment process are incorporated into the risk management process.
Description: Appoint a security management function with executive-level accountability for PCI DSS compliance.
Implementation: Define roles and responsibilities for security management, including policy maintenance, alert monitoring, incident escalation, account administration and access control.
Monitoring: Review the effectiveness of the security management function.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
Description: Educate personnel on security best practices and on current threats such as phishing and social engineering.
Implementation: Develop and conduct security awareness training upon hire and at least annually; have personnel acknowledge the policy at least annually.
Monitoring: Track training participation and effectiveness.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
Description: Conduct background checks for new hires who will have access to the CDE, within the limits of local law.
Implementation: Implement screening procedures for new employees.
Monitoring: Verify completion of background checks.
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared.
Description: Manage third-party service providers securely, including those that could affect the security of cardholder data without handling it directly.
Implementation: Keep a list of service providers and the services they provide; hold a written agreement in which each provider acknowledges responsibility for the security of the cardholder data it possesses or could affect; perform due diligence before engagement; and record which PCI DSS requirements are managed by the provider and which by the entity.
Monitoring: Monitor each service provider's PCI DSS compliance status at least annually.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
Description: Prepare for and respond to security incidents, including a suspected or confirmed compromise of cardholder data.
Implementation: Develop an incident response plan that covers roles and contacts, notification of the payment brands and acquirer at a minimum, business recovery and continuity, evidence preservation, legal requirements and coverage of all critical components; test it at least annually; designate personnel available around the clock; train them; include alerts from IDS/IPS, FIM and monitoring systems as triggers.
Monitoring: Review the plan after each incident and update it in line with lessons learned and industry developments.
12.10 Ensure that security policies and operational procedures for maintaining a secure environment are documented, in use, and known to all affected parties.
Description: Document and maintain security policies and procedures.
Implementation: Develop and distribute relevant policies and procedures.
Monitoring: Regularly review and update policies.
Summary of PCI DSS Best Practices for Handling Cardholder Data
1. Implementing Strong Access Control Measures:
Restrict Access: Ensure that only authorized personnel have access to cardholder data based on business need to know. This includes implementing role-based access controls.
Unique IDs: Assign a unique ID to each person with computer access to track and monitor access.
Multi-Factor Authentication: Use multi-factor authentication for accessing systems that store, process, or transmit cardholder data.
Physical Access: Restrict physical access to systems where cardholder data is stored and ensure that access logs are maintained and monitored.
2. Protecting Stored Cardholder Data:
Data Minimization: Retain cardholder data only as long as necessary for business, legal, or regulatory purposes. Ensure that unnecessary data is securely deleted.
Encryption: Encrypt stored cardholder data using strong cryptography. Ensure that encryption keys are securely managed and rotated regularly.
Masking: Mask the primary account number (PAN) when displayed, showing at most the BIN (six or eight digits under v4.0) and the last four digits, and only to personnel with a documented business need to see that much.
3. Securing Transmission of Cardholder Data:
Encryption During Transmission: Use strong cryptography and security protocols such as TLS to protect cardholder data during transmission over open, public networks.
Avoid Sending via Unsecure Channels: Do not send cardholder data via unencrypted email or other unsecure messaging channels.
4. Maintaining a Secure Network:
Firewall Configuration: Establish and maintain a firewall configuration to protect cardholder data by segregating the cardholder data environment (CDE) from untrusted networks.
Regular Updates: Regularly update firewall and router configurations to address new security vulnerabilities.
5. Implementing a Robust Vulnerability Management Program:
Anti-Malware Protection: Deploy anti-virus and anti-malware software on all systems commonly affected by malicious software. Ensure that these solutions are regularly updated.
Patching: Regularly apply security patches to all system components and software to protect against known vulnerabilities.
Vulnerability Scans: Conduct internal and external network vulnerability scans at least quarterly and after any significant change in the network.
6. Regularly Monitoring and Testing Networks:
Audit Logs: Implement automated audit trails for all system components to track user access and other critical activities. Ensure that logs are reviewed regularly to identify and respond to suspicious activity.
Penetration Testing: Perform external and internal penetration testing at least annually and after any significant change to the network or applications, and test segmentation controls at least annually (every six months for service providers), to identify and address security weaknesses before an attacker does.
7. Maintaining an Information Security Policy:
Document Policies: Develop and maintain a comprehensive information security policy that addresses the protection of cardholder data. Ensure that all personnel are aware of and adhere to these policies.
Security Awareness Training: Implement a formal security awareness program to educate all employees on the importance of cardholder data security and their role in maintaining it.
Incident Response Plan: Develop and regularly test an incident response plan to ensure readiness to respond to a security breach involving cardholder data.
8. Regular Risk Assessments:
Periodic Assessments: Conduct regular risk assessments to identify potential threats to cardholder data and evaluate the effectiveness of existing security controls.
Adapt to Changes: Update security measures and practices based on the results of risk assessments and changes in the threat landscape.
By following these best practices, organizations can significantly enhance the security of cardholder data, reduce the risk of data breaches, and ensure compliance with PCI DSS requirements.