Document Comparison

pci_dss_saq_navigating_dss.pdf navigating_dss_v20.pdf
68% similar
55 → 61 Pages
18911 → 25190 Words
142 Content Changes

Content Changes

142 content changes. 78 administrative changes (dates, page numbers) hidden.

Added p. 2
October 28, 2010 2.0 To align content with new PCI DSS v2.0.

PCI DSS requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server or application that is included in, or connected to, the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that handle cardholder data or sensitive authentication data.

The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS …
Added p. 5
Virtualization If virtualization is implemented, all components within the virtual environment will need to be identified and considered in scope for the review, including the individual virtual hosts or devices, guest machines, applications, management interfaces, central management consoles, hypervisors, etc. All intra-host communications and data flows must be identified and documented, as well as those between the virtual component and other system components.

The implementation of a virtualized environment must meet the intent of all requirements, such that the virtualized systems can effectively be regarded as separate hardware. For example, there must be a clear segmentation of functions and segregation of networks with different security levels; segmentation should prevent the sharing of production and test/development environments; the virtual configuration must be secured such that vulnerabilities in one function cannot impact the security of other functions; and attached devices, such as USB/serial devices, should not be accessible by all virtual instances.

Additionally, all …
Added p. 7
Data Element | Storage Permitted | Render Unreadable per Requirement 3.4
Account Data: Cardholder Data
  Primary Account Number (PAN) | Yes | Yes
  Cardholder Name | Yes | No
  Service Code | Yes | No
  Expiration Date | Yes | No
Account Data: Sensitive Authentication Data
  Full Magnetic Stripe Data (footnote 2) | No | Cannot store per Requirement 3.2
  CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2
  PIN/PIN Block | No | Cannot store per Requirement 3.2

PCI DSS Requirements 3.3 and 3.4 apply only to PAN. If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4.

PCI DSS applies only if PANs are stored, processed and/or transmitted.
Added p. 8
Note: The chip contains track equivalent data as well as other sensitive data, including the Integrated Circuit (IC) Chip Card Verification Value (also referred to as Chip CVC, iCVV, CAV3 or iCSC).
Added p. 9
Track 1: Contains all fields of both track 1 and track 2; length up to 79 characters.
Track 2: Shorter processing time for older dial-up transmissions; length up to 40 characters.

Note: Discretionary Data fields are defined by the card issuer and/or payment card brand. Issuer-defined fields containing data that are not considered by the issuer/payment brand to be sensitive authentication data may be included within the discretionary data portion of the track, and it may be permissible to store this particular data under specific circumstances and conditions, as defined by the issuer and/or payment card brand. However, any data considered to be sensitive authentication data, whether it is contained in a discretionary data field or elsewhere, may not be stored after authorization.

Virtual environments where data flows do not transit a physical network should be assessed to ensure appropriate network segmentation is achieved.

Data flows between virtual machines …
Added p. 13
If firewall functionality is installed but does not have rules that control or limit certain traffic, malicious individuals may still be able to exploit vulnerable protocols and ports to attack your network.
Added p. 14
Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, warehouse environments, etc.
Added p. 14
Termination of IP connections both inbound and outbound provides opportunity for inspection and restriction of source/destination, and/or inspection / blocking of content, thus preventing unfiltered access between untrusted and trusted environments. This helps prevent, for example, malicious individuals from sending data they've obtained from within your network out to an external untrusted server in an untrusted network.

For more information on packet filtering, consider obtaining information on a corollary technique called “egress filtering.”

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

All traffic outbound from inside the cardholder data environment should be evaluated to ensure that outbound traffic follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).

Where environments have no inbound connectivity allowed, outbound connections may be achieved via architectures or system components that interrupt and inspect the IP …
Added p. 15
Note: the intent of this requirement does not include storage in volatile memory.
Added p. 16
Restricting the broadcast of IP addresses is essential to prevent a hacker “learning” the IP addresses of the internal network, and using that information to access the network.

Effective means to meet the intent of this requirement may vary depending on the specific networking technology being used in your environment. For example, the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.

For IPv4 networks, the RFC1918 address space is reserved for internal addressing, and should not be routable on the Internet. As such, it is preferred for IP addressing of internal networks. However, organizations may have reasons to utilize non-RFC1918 address space on the internal network. In these circumstances, prevention of route advertisement or other techniques should be used to prevent internal address space being broadcast on the Internet or disclosed to unauthorized parties.

Note: The intent of this requirement applies to remote access computers …
Added p. 18
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

This requirement is meant for all servers within the cardholder data environment (usually Unix, Linux, or Windows based). This requirement may not apply to systems which have the ability to natively implement security levels on a single server (e.g. mainframe).

Where virtualization technologies are used, each virtual component (e.g. virtual machine, virtual switch, virtual security appliance, etc.) should be considered a “server” boundary. Individual hypervisors may support different functions, but a single virtual machine should adhere to the “one primary function” rule. Under this scenario, compromise of the hypervisor could lead to the compromise of all system functions. Consequently, consideration should also be given to the risk level when locating multiple functions or components on a single physical system.

Implement security features for any required services, protocols or daemons that are considered to be insecure. For example, …
Added p. 20
Implementing secure deletion methods ensures that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!
Added p. 21
Note: It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.

Note: It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with PCI DSS and specific payment brand requirements.
Added p. 21
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder’s name
• Primary account number (PAN)
• Expiration date
• Service code
To minimize risk, store only these data elements as needed for business.
Added p. 22
This requirement relates to protection of PAN displayed on screens, paper receipts, etc., and is not to be confused with Requirement 3.4 for protection of PAN when stored in files, databases, etc.
Added p. 22
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
Added p. 23
To complicate the creation of rainbow tables it is recommended, but not a requirement, that a salt value be input to the hash function in addition to the PAN.

This requirement relates to protection of PAN when stored in files, databases, etc., and is not to be confused with Requirement 3.3 for protection of PAN displayed on screens, paper receipts, etc.

Note: This requirement also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.

Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data. Key-encrypting keys, if used, must be at least as strong as the data-encrypting key in order to ensure proper protection of the key that encrypts the data as well as the data encrypted with that key. The requirement to protect keys from disclosure and misuse applies to both data-encrypting …
Added p. 25
A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted.

Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone’s obtaining the encryption keys, and being able to decrypt data.

If provided by the encryption application vendor, follow the vendor’s documented processes or recommendations for periodic changing of keys. The designated key owner or custodian can also refer to industry best practices on cryptographic algorithms and key management, for example NIST Special Publication 800-57, for guidance on the appropriate cryptoperiod for different algorithms and key lengths.

The intent of this requirement applies to keys used to encrypt …
Added p. 25
Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should be used only for decryption/verification purposes.
Added p. 25
Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Added p. 26
For example, Secure Sockets Layer (SSL) encrypts web pages and the data entered into them. When using SSL secured websites, ensure “https” is part of the URL.

Note that some protocol implementations (such as SSL version 2.0 and SSH version 1.0) have documented vulnerabilities, such as buffer overflows, that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure configurations and versions to prevent an insecure connection being used.

Note: The use of WEP as a security control was prohibited as of 30 June 2010.

Strong cryptography for authentication and transmission of cardholder data is required to prevent malicious users from gaining access to the wireless network, to the data on the network, or from utilizing the wireless networks to get to other internal networks or data. WEP encryption should never be used as the sole means of encrypting data over a …
Added p. 29
Audit logs provide the ability to monitor virus activity and anti-virus reactions. Thus, it is imperative that anti-virus software be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.

Requirement 6.1: Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
Added p. 31
Notes: Risk rankings should be based on industry best practices. For example, criteria for ranking “High” risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as “critical,” and/or a vulnerability affecting a critical system component. The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.

While it is important to monitor vendor announcements for news of vulnerabilities and patches related to their products, it is equally important to monitor common industry vulnerability news groups and mailing lists for vulnerabilities and potential workarounds that may not yet be known or resolved by the vendor.

Once an organization identifies a vulnerability that could affect their environment, the risk that vulnerability poses must be evaluated and ranked. This implies that the organization has some method in place to evaluate vulnerabilities and …
Added p. 32
The intent of this requirement is to ensure that development/test functions are separated from production functions. For example, a developer may use an administrator-level account with elevated privileges for use in the development environment, and have a separate account with user-level access to the production environment.

In environments where one individual performs multiple roles (for example application development and implementing updates to production systems), duties should be assigned such that no one individual has end-to-end control of a process without an independent checkpoint. For example, assign responsibility for development, authorization and monitoring to separate individuals.

Payment card brands and many acquirers are able to provide account numbers suitable for testing in the event that you need realistic PANs to test system functionality prior to release.
Added p. 33
Without proper change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced. Likewise, a change may negatively affect security functionality of a system necessitating the change to be backed out.
Added p. 33
Thorough testing should be performed to verify that the security of the environment is not reduced by implementing a change. Testing should validate that all existing security controls remain in place, are replaced with equally strong controls, or are strengthened after any change to the environment.

For custom code changes, testing includes verifying that no coding vulnerabilities have been introduced by the change.
Added p. 34
Note: The vulnerabilities listed at 6.5.1 through 6.5.9 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

As with all PCI DSS requirements, Requirements 6.5.1 through 6.5.5 and 6.5.7 through 6.5.9 are the minimum controls that should be in place. This list is composed of the most common, accepted secure coding practices at the time that this version of the PCI DSS was published. As industry accepted secure coding practices change, organizational coding practices should likewise be updated to match.

The examples of secure coding resources provided (SANS, CERT, and OWASP) are suggested sources of reference and have been included for guidance only. An organization should incorporate the relevant secure coding practices as applicable …
Added p. 35
Note: This requirement is considered a best practice until June 30, 2012, after which it becomes a requirement.

Any high vulnerabilities noted per Requirement 6.2 that could affect the application should be accounted for during the development phase. For example, a vulnerability identified in a shared library or in the underlying operating system should be evaluated and addressed prior to the application being released to production.

For web applications and application interfaces (internal or external), the following additional requirements apply:

Web applications, both internally and externally (public) facing, have unique security risks based upon their architecture as well as their relative ease and occurrence of compromise.

Consistently enforce access control in presentation layer and business logic for all URLs. Frequently, the only way an application protects sensitive functionality is by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing …
Added p. 37
Organizations should create a clear policy and processes for data access control based on need to know and using role-based access control, to define how and to whom access is granted, including appropriate management authorization processes.
Added p. 37
Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.

Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. However, requirements 8.1, 8.2 and 8.5.8 through 8.5.15 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

A digital certificate is a valid option as a form of the authentication type “something you have” as long as it is unique.

Note: Two-factor authentication requires that two of the three authentication methods (see Req. 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (e.g. using two separate passwords) is …
Added p. 43
Without security over access to wireless components and devices, malicious users could use your organization’s unattended wireless devices to access your network resources, or even connect their own devices to your wireless network to gain unauthorized access. Additionally, securing networking and communications hardware prevents malicious users from intercepting network traffic or physically connecting their own devices to your wired network resources.

Consider placing wireless access points, gateways and networking/communications hardware in secure storage areas, such as within locked closets or server rooms. For wireless networks, ensure strong encryption is enabled. Also consider enabling automatic device lockout on wireless handheld devices after a long idle period, and set your devices to require a password when powering on.

Identifying authorized visitors so they are easily distinguished from onsite personnel prevents unauthorized visitors from being granted access to areas containing cardholder data.
Added p. 45
Examples of methods for securely destroying electronic media include secure wiping, degaussing, or physical destruction (such as grinding or shredding hard disks).
Added p. 47
Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “system-level objects”.
Added p. 48
Note: One example of time synchronization technology is Network Time Protocol (NTP).
Added p. 48
In order to ensure consistent time, ideally there should be only a few internal (central) time servers within an entity. These servers receive UTC (Coordinated Universal Time) data directly from reliable, known external time servers, via special radio, GPS satellites, or other external network source, and peer with each other to ensure they keep accurate time. Other systems then receive the time from these servers.

If a malicious individual has entered the network, they will often attempt to change the time stamps of their actions within the audit logs to prevent detection of their activity. A malicious individual may also try to directly change the clock on a system component to hide their presence, for example by changing the system clock to an earlier time. For these reasons, it is important that time is accurate on all systems and that time data is protected against unauthorized access and changes. Time data …
Added p. 50
Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

Unauthorized wireless devices may be hidden within or attached to a computer or other system component, or be attached directly to a network port or network device, such as a switch or router. Any such unauthorized device could result in an unauthorized access point into the environment.

The size and complexity of a particular environment will dictate the appropriate tools and processes to be used to provide sufficient assurance that a rogue wireless access point has not been installed in the environment.

For example: In the case of a single standalone retail kiosk in a shopping mall, where all communication components are contained within tamper-resistant and …
Added p. 51
An established process for identifying vulnerabilities on internal systems within the CDE requires that vulnerability scans be conducted quarterly. Identifying and addressing vulnerabilities in a timely manner reduces the likelihood of a vulnerability being exploited and potential compromise of a system component or cardholder data.

Vulnerabilities posing the greatest risk to the environment (for example, ranked “High” per Requirement 6.2) should be resolved with the highest priority.

As internal networks may be constantly changing during the year, it is possible that an entity may not have consistently clean internal vulnerability scans. The intent is for an entity to have a robust vulnerability management program in place to resolve noted vulnerabilities in a reasonable timeframe. At minimum, “High” vulnerabilities must be addressed in a timely fashion.

Internal vulnerability scans can be performed by qualified, internal staff that are reasonably independent of the system component(s) being scanned (for example, a firewall administrator should not be …
Added p. 52
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by internal staff.

As external networks are at greater risk of compromise, quarterly external vulnerability scanning must be performed by a PCI SSC Approved Scanning Vendor (ASV).

ASVs are required to follow a set of scanning and reporting criteria set forth by the PCI SSC in the Approved Scanning Vendor Program Guide.
Added p. 52
Note: Scans conducted after changes may be performed by internal staff.

Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change. It may not be necessary to scan the entire environment after a change. However, all system components affected by the change will need to be scanned.
Added p. 52
A penetration test differs from a vulnerability scan, as a penetration test is an active process which may include exploiting identified vulnerabilities. Often, performing a vulnerability scan is one of the first steps a penetration tester will perform in order to devise a strategy of attack, although it is not the only step. Even if a vulnerability scan does not detect any known vulnerabilities, the penetration tester will often gain enough knowledge about the system to identify possible security gaps.

Penetration testing is generally a highly manual process. While some automated tools may be used, the tester must utilize their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a …
Added p. 53
Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.

IDS/IPS devices should be implemented such that they monitor inbound and outbound traffic at the perimeter of the CDE as well as at critical points within the CDE. Critical points inside the CDE may include database servers storing cardholder data, cryptographic key storage locations, processing networks, or other sensitive system components, as determined by an entity’s environment and as documented in their risk assessment.

While many IDS/IPS devices today are able to monitor multiple points inside of the CDE via one device, it is important to remember the increased exposure that may occur as a result of a failure in that single device. Thus, it is important to incorporate appropriate redundancy in the IDS/IPS infrastructure.

There are thousands of compromise types, with more being discovered on a daily basis. Stale signatures and scanning engines on IDS/IPS devices will not have the ability to …
Added p. 53
Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

Requirement 12: Maintain a policy that addresses information security for all personnel

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of this Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
Added p. 54
Performing risk assessments at least annually allows the organization to keep up to date with organizational changes and evolving threats, trends and technologies.

12.1.3 Includes a review at least annually and updates when the environment changes.

Security threats and protection methods evolve rapidly throughout the year. Without updating the security policy to reflect relevant changes, new protection measures to fight against these threats are not addressed.

Daily operational security procedures act as “desk instructions” for personnel to use in their day-to-day system administrative and maintenance activities. Undocumented operational security procedures will lead to personnel who are not aware of the full scope of their tasks, processes that cannot be repeated easily by new workers, and potential gaps in these processes that may allow a malicious individual to gain access to critical systems and resources.
Added p. 56
To ensure all personnel are aware of their responsibilities to not store or copy cardholder data onto their local personal computer or other media, your policy should clearly prohibit such activities except for personnel that have been explicitly authorized to do so. Any such authorized personnel are responsible for ensuring that cardholder data in their possession is handled in accordance with all PCI DSS requirements, as that remote personnel’s environment is now considered a part of the organization’s cardholder data environment.
Added p. 57
Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.

If the security awareness program does not include periodic refresher sessions, key security processes and procedures may be forgotten or bypassed, resulting in exposed critical resources and cardholder data. The focus and depth of the initial and refresher training can vary depending on the role of the personnel, and should be tailored as appropriate for the particular audience. For example, sessions for database administrators may be focused on specific technical controls and processes, while training for retail cashiers may focus on secure transaction procedures. Consider including ongoing awareness updates to keep employees up to date with current policies and procedures. The method of delivery may also vary to suit the particular audience or training being delivered. For example, initial and annual training may be delivered via a formal hands-on or computer-based …
Added p. 57
To be effective, the level of background checking should be appropriate for the particular position. For example, positions requiring greater responsibility or that have administrative access to critical data or systems may warrant more detailed background checks than positions with less responsibility and access. It may also be appropriate for the process to cover internal transfers, where personnel in lower risk positions, and who have not already undergone a detailed background check, are promoted or transferred to positions of greater responsibility or access.

If the service provider offers a variety of services, this requirement applies only to those services actually delivered to the client, and only those services in scope for the client’s PCI DSS assessment. For example, if a provider offers firewall/IDS and ISP services, a client who utilizes only the firewall/IDS service would only include that service in the scope of their PCI DSS assessment.
Added p. 59
If within the last year the incident response plan was activated in its entirety, covering all components of the plan, a detailed review of the actual incident and its response may be sufficient to provide a suitable test. If only some components of the plan were recently activated, the remaining components would still need to be tested. If no components of the plan were activated in the last 12 months, the annual test would need to encompass all components of the plan.

PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation Eligible Merchants9
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Navigating PCI DSS Understanding the Intent of the Requirements Version 1.2
Payment Card Industry (PCI) Data Security Standard Navigating PCI DSS Understanding the Intent of the Requirements Version 2.0
Removed p. 4
PCI DSS requirements apply to all system components that are included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data, including network components, servers and applications.

Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. A Qualified Security Assessor (QSA) can assist in determining scope within an entity’s cardholder data environment along with providing guidance about how to narrow the scope of a PCI DSS assessment by implementing proper network segmentation. For questions that pertain to whether a specific implementation is consistent with the standard or is 'compliant' with a specific requirement, PCI SSC recommends companies consult a Qualified Security Assessor (QSA) to validate their implementation of technology and processes, and compliance with the PCI Data …
Modified p. 4
NOTE: Navigating PCI DSS: Understanding the Intent of the Requirements is for guidance only. When completing a PCI DSS on-site assessment or Self Assessment Questionnaire (SAQ), the PCI DSS Requirements and Security Assessment Procedures and the PCI DSS Self-Assessment Questionnaires v1.2 are the documents of record.
NOTE: Navigating PCI DSS: Understanding the Intent of the Requirements is for guidance only. When completing a PCI DSS onsite assessment or Self Assessment Questionnaire (SAQ), the PCI DSS Requirements and Security Assessment Procedures and the PCI DSS Self-Assessment Questionnaires 2.0 are the documents of record.
Modified p. 4
Network components may include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
 Network components may include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Modified p. 4
Server types may include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS).
 Server types may include but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS).
Modified p. 4
Applications may include but not limited to all purchased and custom applications, including internal and external (Internet) applications.
 Applications may include but not limited to all purchased and custom applications, including internal and external (for example, Internet) applications.
Removed p. 5
Cardholder data is defined as the primary account number (“PAN,” or credit card number) and other data obtained as part of a payment transaction, including the following data elements (see more detail below in the table):

 PAN  Cardholder Name  Expiration Date  Service Code  Sensitive Authentication Data: (1) full magnetic stripe data, (2) CAV2/CVC2/CVV2/CID, and (3) PINs/PIN blocks) The Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements and PA-DSS. If PAN is not stored, processed, or transmitted, PCI DSS and PA-DSS do not apply.

Data Element                          Storage Permitted   Protection Required   PCI DSS Req. 3.4
Cardholder Data
  Primary Account Number (PAN)        Yes                 Yes                   Yes
  Cardholder Name (1)                 Yes                 Yes (1)               No
  Service Code (1)                    Yes                 Yes (1)               No
  Expiration Date (1)                 Yes                 Yes (1)               No
Sensitive Authentication Data (2)
  Full Magnetic Stripe Data (3)       No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                  No                  N/A                   N/A
  PIN/PIN Block                       No …
Modified p. 8 → 10
Requirement 5: Use and regularly update anti-virus software
Requirement 5: Use and regularly update anti-virus software or programs
Modified p. 9 → 11
Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are computer devices that control computer traffic allowed between a company’s network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company’s internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company A firewall examines all network traffic and blocks those transmissions that do not meet …
Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security …
Modified p. 11 → 13
It is essential to install network protection, namely a firewall, between the internal, trusted network and any other untrusted network that is external and/or out of the entity’s ability to control or manage. Failure to implement this measure correctly means that the entity will be vulnerable to unauthorized access by malicious individuals or software. If a firewall is installed but does not have rules that control or limit certain traffic, malicious individuals may still be able to exploit vulnerable protocols …
It is essential to install network protection, namely a system component with (at a minimum) stateful inspection firewall capability, between the internal, trusted network and any other untrusted network that is external and/or out of the entity’s ability to control or manage. Failure to implement this measure correctly means that the entity will be vulnerable to unauthorized access by malicious individuals or software.
Removed p. 12
The DMZ also should evaluate all traffic outbound from inside the network to ensure that all outbound traffic follows established rules. For the DMZ to serve this function effectively, connections from inside the network to any addresses outside the network should not be allowed unless they first go through and are evaluated for legitimacy by the DMZ.
Modified p. 12 → 14
These requirements are intended to prevent malicious individuals from accessing the organization's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within your network out to an external untrusted server in an untrusted network).
This functionality is intended to prevent malicious individuals from accessing the organization's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.
Modified p. 12 → 14
The DMZ is the part of the firewall that faces the public Internet and manages connections between the Internet and internal services that an organization needs to have available to the public (like a web server). It is the first line of defense in isolating and separating traffic that needs to communicate with the internal network from traffic that does not.
The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and internal services that an organization needs to have available to the public (like a web server). It is the first line of defense in isolating and separating traffic that needs to communicate with the internal network from traffic that does not.
Modified p. 12 → 15
Ingress filtering is a technique you can use on your firewall to filter packets coming into your network to, among other things, ensure packets are not “spoofed” to look like they are coming from your own internal network. For more information on packet filtering, consider obtaining information on a corollary technique called “egress filtering.” 1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
Ingress filtering is a technique you can use on your firewall to filter packets coming into your network to, among other things, ensure packets are not “spoofed” to look like they are coming from your own internal network.
Modified p. 13 → 16
IP masquerading, which is managed by the firewall, allows an organization to have internal addresses that are only visible inside the network and external address that are visible externally. If a firewall does not “hide” or mask the IP addresses of the internal network, a malicious individual could discover internal IP addresses and attempt to access the network with a spoofed IP address.
One technique to prevent IP address information from being discovered on an IPv4 network is to implement Network Address translation (NAT). NAT, which is typically managed by the firewall, allows an organization to have internal addresses that are visible only inside the network and external address that are visible externally. If a firewall does not “hide” or mask the IP addresses of the internal network, a malicious individual could discover internal IP addresses and attempt to access the network with …
Modified p. 13 → 16
If a computer does not have a firewall or anti-virus program installed, spyware, Trojans, viruses, worms and rootkits (malware) may be downloaded and/or installed unknowingly. The computer is even more vulnerable when directly connected to the Internet and not behind the corporate firewall. Malware loaded on a computer when not behind the corporate firewall can then maliciously target information within the network when the computer is re- connected to the corporate network.
If a computer does not have a firewall or anti-virus program installed, spyware, Trojans, viruses, worms and rootkits (malware) may be downloaded and/or installed unknowingly. The computer is even more vulnerable when directly connected to the Internet and not behind the corporate firewall. Malware loaded on a computer when not behind the corporate firewall can then maliciously target information within the network when the computer is re-connected to the corporate network.
Removed p. 14
an attacker will be able to use multiple, known exploits to attack vulnerable services and protocols, and thereby gain access to your organization's network. Visit these three examples of websites where you can learn more about industry best practices that can help you implement configuration standards: www.nist.gov, www.sans.org, www.cisecurity.org.
Modified p. 14 → 17
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
Modified p. 14 → 17
Requirement Guidance 2.1 Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
Requirement Guidance 2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Modified p. 14 → 17
Many users install these devices without management approval and do not change default settings or configure security settings. If wireless networks are not implemented with sufficient security configurations (including changing default settings), wireless sniffers can eavesdrop on the traffic, easily capture data and passwords, and easily enter and attack your network. In addition, the key exchange protocol for the older version of 802.11x encryption (WEP) has been broken and can render the encryption useless. Verify that firmware for devices are …
Many users install these devices without management approval and do not change default settings or configure security settings. If wireless networks are not implemented with sufficient security configurations (including changing default settings), wireless sniffers can eavesdrop on the traffic, easily capture data and passwords, and easily enter and attack your network. In addition, the key exchange protocol for the older version of 802.11x encryption (WEP) has been broken and can render the encryption useless. Verify that firmware for devices are …
Modified p. 14 → 17
There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, security organizations have established system-hardening recommendations, which advise how to correct these weaknesses. If systems are left with these weaknesses, for example, weak file settings or default services and protocols (for services or protocols that are often not needed)
Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS)
• National Institute of Standards Technology (NIST)

There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, security organizations have established system-hardening recommendations, which advise …
Modified p. 15 → 18
As stated at 1.1.7, there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. To ensure that these services and protocols are always disabled when new servers are deployed, this requirement should be part of your organization's configuration standards and related processes.
As stated in Requirement 1.1.5, there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. To ensure that only the necessary services and protocols are enabled and that all insecure services and protocols are adequately secured before new servers are deployed, this requirement should be part of your organization's configuration standards and related processes.
Modified p. 17 → 20
Requirement 3: Protect stored cardholder data Protection measures such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating …
Requirement 3: Protect stored cardholder data Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder …
Modified p. 17 → 20
Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.
Please refer to the PCI DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.
Modified p. 17 → 20
Requirement Guidance 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
Requirement Guidance 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes, as follows.
Modified p. 17 → 20
Extended storage of cardholder data that exceeds business need creates an unnecessary risk. The only cardholder data that may be stored is the primary account number or PAN (rendered unreadable), expiration date, name, and service code. Remember, if you don't need it, don't store it!
Extended storage of cardholder data that exceeds business need creates an unnecessary risk. The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.
Modified p. 17 → 21
Sensitive authentication data consists of magnetic stripe (or track) data7, card validation code or value8, and PIN data9. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for the full definition of “sensitive authentication data.” 7 Data encoded in the magnetic stripe used for authorization during a card-present …
Sensitive authentication data consists of magnetic stripe (or track) data6, card validation code or value7, and PIN data8. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for the full definition of “sensitive authentication data.”
Removed p. 18
Note: See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.
Removed p. 18
where the consumer and the card are not present. These types of transactions can be authenticated as coming from the card owner only by requesting this card validation code, since the card owner has the card in-hand and can read the value. If this prohibited data is stored and subsequently stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.
Modified p. 18 → 21
If full track data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.
If full track data is stored, malicious individuals who obtain that data can reproduce and sell payment cards.
Modified p. 18 → 22
The purpose of the card validation code is to protect "card-not-present" transactions, Internet or mail order/telephone order (MO/TO) transactions
The purpose of the card validation code is to protect "card-not-present" transactions, Internet or mail order/telephone order (MO/TO) transactions, where the consumer and the card are not present. These types of transactions can be authenticated as coming from the card owner only by requesting this card validation code, since the card owner has the card in-hand and can read the value. If this prohibited data is stored and subsequently stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.
Modified p. 19 → 22
Lack of protection of PANs can allow malicious individuals to view or download this data. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. Damage from theft or loss of backup tapes during transport can be reduced by ensuring PANs are rendered unreadable via encryption, truncation, or hashing. Since audit, troubleshooting, and exception logs have to be retained, you …
Lack of protection of PANs can allow malicious individuals to view or download this data. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. Damage from theft or loss of backup tapes during transport can be reduced by ensuring PANs are rendered unreadable via encryption, truncation, or hashing. Since audit, troubleshooting, and exception logs have to be retained, you …
Modified p. 19 → 23
Truncation The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored. This is different from masking, where the whole PAN is stored but the PAN is masked when displayed (i.e., only part of the PAN is displayed on screens, reports, receipts, etc.).
 Truncation (hashing cannot be used to replace the truncated segment of PAN) The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored. This is different from masking, where the whole PAN is stored but the PAN is masked when displayed (i.e., only part of the PAN is displayed on screens, reports, receipts, etc.).
Modified p. 19 → 23
Index tokens and pads (pads must be securely stored) Index tokens and pads may also be used to render cardholder data unreadable. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a private key, generated randomly, is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.
 Index tokens and pads (pads must be securely stored) Index tokens and pads may also be used to render cardholder data unreadable. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a private key, generated randomly, is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.
Removed p. 20
The MINIMUM account information that must be rendered unreadable is the PAN. Notes:
• If for some reason, a company is unable to render the PAN unreadable, refer to “Appendix B: Compensating Controls.”
• “Strong cryptography” is defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms.
Modified p. 20 → 23
The intent of strong cryptography (see definition and key lengths in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or "home-grown" algorithm).
 Strong cryptography with associated key-management processes and procedures The intent of strong cryptography (see definition and key lengths in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or "home-grown" algorithm).
Modified p. 20 → 23
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer's mass storage and automatically decrypts the information when an authorized user requests it. Disk encryption systems intercept operating system read and write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase at the beginning of a session. Based on these …
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer's mass storage and automatically decrypts the information when an authorized user requests it. Disk-encryption systems intercept operating system read and write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase at the beginning of a session. Based on these characteristics …
Removed p. 21
• Split knowledge and establishment of dual control of cryptographic keys
Modified p. 21 → 24
The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, addresses all key elements at 3.6.1 through 3.6.8.
The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8.
Modified p. 21 → 25
Split knowledge and dual control of keys are used to eliminate the possibility of one person’s having access to the whole key. This control is usually applicable for manual key-encryption systems, or where key management is not implemented by the encryption product. This type of control is usually implemented within hardware security modules.
Split knowledge and dual control of keys are used to eliminate the possibility of one person’s having access to the whole key. This control is applicable for manual key management operations, or where key management is not implemented by the encryption product.
Modified p. 22 → 25
This process will ensure the individual commits to the key-custodian role and understands his/her responsibilities.
This process will ensure individuals that act as key custodians commit to the key-custodian role and understand the responsibilities.
Removed p. 23
• The Internet,
• Wireless technologies,
• Global System for Mobile Communications (GSM), and
• General Packet Radio Service (GPRS).

the data on the network, or utilizing the wireless networks to get to other internal networks or data. WEP does not utilize strong encryption. WEP encryption should never be used alone since it is vulnerable due to weak initial vectors (IV) in the WEP key-exchange process, and lack of required rotation of keys. An attacker can use freely available brute-force cracking tools to penetrate WEP encryption. Current wireless devices should be upgraded (example: upgrade access point firmware to WPA) to support strong encryption. If current devices cannot be upgraded, new equipment should be purchased. If wireless networks are utilizing WEP, they should not have access to cardholder data environments.
Modified p. 23 → 26
Requirement 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Requirement 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Modified p. 23 → 26
Requirement Guidance 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are:
Requirement Guidance 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSec, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:
• The Internet
• Wireless technologies,
• Global System for Mobile communications (GSM)
• General Packet Radio Service (GPRS).
Modified p. 23 → 26
Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure Sockets Layer encrypts web pages and the data entered into them. When using SSL secured websites, ensure “https” is part of the URL. Note that SSL versions prior to v3.0 contain documented vulnerabilities, such as buffer overflows, that an attacker can use to gain control of the affected system.
Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit.
Modified p. 23 → 26
Malicious users use free and widely available tools to eavesdrop on wireless communications. Use of appropriate encryption can prevent eavesdropping and disclosure of sensitive information across the network. Many known compromises of cardholder data stored only in the wired network originated when a malicious user expanded access from an insecure wireless network. Strong encryption for authentication and transmission of cardholder data is required to prevent malicious users from gaining access to the wireless network
Malicious users use free and widely available tools to eavesdrop on wireless communications. Use of strong cryptography can limit disclosure of sensitive information across the network. Many known compromises of cardholder data stored only in the wired network originated when a malicious user expanded access from an insecure wireless network. Examples of wireless implementations requiring strong cryptography include but are not limited to GPRS, GSM, WIFI, satellite, and Bluetooth.
Removed p. 24
E-mail, instant messaging, and chat can be easily intercepted by packet- sniffing during delivery traversal across internal and public networks. Do not utilize these messaging tools to send PAN unless they can provide encryption capabilities.
Modified p. 25 → 28
Requirement 5: Use and regularly update anti-virus software or programs Malicious software, commonly referred to as “malware”

•including viruses, worms, and Trojans

•enters the network during many business- approved activities including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
Requirement 5: Use and regularly update anti-virus software or programs Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
Modified p. 25 → 28
There is a constant stream of attacks using widely published exploits, often "0 day" (published and spread throughout networks within an hour of discovery) against otherwise secured systems. Without anti-virus software that is updated regularly, these new forms of malicious software can attack and disable your network. Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital …
Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital cameras, personal digital assistants (PDAs) and other peripheral devices. Without anti-virus software installed, these computers may become access points into your network, and/or maliciously target information within the network.
Modified p. 25 → 28
While systems that are commonly affected by malicious software typically do not include mainframes and most Unix systems (see more detail below), each entity must have a process according to PCI DSS Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly. Trends in malicious software related to operating systems an entity uses should be included in the identification of new security vulnerabilities, and methods to address new trends should be incorporated into …
While systems that are commonly affected by malicious software typically do not include mainframes and most Unix systems (see more detail below), each entity must have a process according to PCI DSS Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly. If another type of solution addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.
Removed p. 26
The best anti-virus software is limited in effectiveness if it does not have current anti-virus signatures or if it isn't active in the network or on an individual's computer. Audit logs provide the ability to monitor virus activity and anti-virus reactions.
Modified p. 27 → 30
Requirement Guidance 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
Modified p. 27 → 30
There are a considerable amount of attacks using widely published exploits, often "0 day" (published within the hour) against otherwise secured systems. Without implementing the most recent patches on critical systems as soon as possible, a malicious individual can use these exploits to attack and disable the network. Consider prioritizing changes such that critical security patches on critical or at-risk systems can be installed within 30 days, and other less- risky changes are installed within 2-3 months.
There are a considerable amount of attacks using widely published exploits, often "0 day" (published within the hour) against otherwise secured systems. Without implementing the most recent patches on critical systems as soon as possible, a malicious individual can use these exploits to attack and disable the network. Consider prioritizing changes such that critical security patches on critical or at-risk systems can be installed within 30 days, and other less-risky changes are installed within 2-3 months.
Modified p. 27 → 31
The intention of this requirement is that organizations are kept up-to-date with new vulnerabilities so they can appropriately protect their network, and incorporate newly discovered and relevant vulnerabilities into their configuration standards.
The intention of this requirement is that organizations keep up-to-date with new vulnerabilities that may impact their environment.
Removed p. 29
Without proper software change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced. If related personnel policies for background checks and system access controls are not adequate, there is a risk that untrustworthy and untrained individuals may have unrestricted access to software code, terminated employees may have the opportunity to compromise systems, and unauthorized actions may not be detected.
Modified p. 29 → 32
Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. Those with knowledge of secure coding techniques should review code to identify vulnerabilities.
Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data.
Modified p. 30 → 34
Validate input to verify user data cannot modify meaning of commands and queries. Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data, and allows the attacker to attack components inside the network through the application, to initiate attacks such as buffer overflows, or to reveal both confidential information …
Validate input to verify user data cannot modify meaning of commands and queries. Injection flaws, particularly SQL injection, are a commonly used method for compromising applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data, and allows the attacker to attack components inside the network through the application, to initiate attacks such as buffer overflows, or to reveal …
Modified p. 34 → 38
Requirement Guidance 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. By ensuring each user is uniquely identified—instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs.
Requirement Guidance 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
Modified p. 34 → 39
Two-factor authentication requires two forms of authentication for higher-risk accesses, such as those originating from outside your network. For additional security, your organization can also consider using two-factor authentication when accessing networks of higher security from networks of lower security— for example, from corporate desktops (lower security) to production servers/databases with cardholder data (high security).
Two-factor authentication requires two forms of authentication for higher-risk accesses, such as those originating from outside your network. For additional security, your organization can also consider using two-factor authentication when accessing networks of higher security from networks of lower security—for example, from corporate desktops (lower security) to production servers/databases with cardholder data (high security).
Modified p. 34 → 39
Since one of the first steps a malicious individual will take to compromise a system is to exploit weak or nonexistent passwords, it is important to implement good processes for user authentication and password management.
Since one of the first steps a malicious individual will take to compromise a system is to exploit weak or nonexistent passwords, it is important to implement good processes for user identification and authentication management.
Modified p. 35 → 40
Allowing vendors (like POS vendors) to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor’s environment or from a malicious individual who finds and uses this always-ready external entry point into your network. Please also see 12.3.8 and 12.3.9 for more on this topic.
Allowing vendors (like POS vendors) to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor’s environment or from a malicious individual who finds and uses this always-ready external entry point into your network.
Modified p. 35 → 40
Communicating password procedures to all users helps those users understand and abide by the policies, and to be alert for any malicious individuals who may attempt to exploit their passwords to gain access to cardholder data (for example, by calling an employee and asking for their password so the caller can “troubleshoot a problem”).
Communicating password/authentication procedures to all users helps those users understand and abide by the policies, and to be alert for any malicious individuals who may attempt to exploit their passwords to gain access to cardholder data (for example, by calling an employee and asking for their password so the caller can “troubleshoot a problem”).
Modified p. 38 → 43
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, …
Modified p. 38 → 43
Requirement Guidance 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Requirement Guidance 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. Without physical access controls, unauthorized persons could potentially gain access to the building and to sensitive information, and could alter system configurations, introduce vulnerabilities into the network, or destroy or steal equipment.
Modified p. 38 → 43
When investigating physical breaches, these controls can help identify individuals that physically access those areas storing cardholder data.
When investigating physical breaches, these controls can help identify individuals that physically access those sensitive areas storing cardholder data. Examples of sensitive areas include corporate database server rooms, back-end server room of a retail location that stores cardholder data, and storage areas for large quantities of cardholder data.
9.1.2 Restrict physical access to publicly accessible network jacks. For example, areas accessible to visitors should not have network ports enabled unless network access is explicitly authorized.
Removed p. 39
Visitor controls are important to ensure visitors only enter areas they are authorized to enter, that they are identifiable as visitors so employees can monitor their activities, and that their access is restricted to just the duration of their legitimate visit.
Removed p. 40
If media is not inventoried, stolen or lost media may not be noticed for a long time. Include development of a process for media inventories and secure storage in the procedures recommended above in Requirement 9.6.
Modified p. 40 → 45
Cardholder data leaving secure areas without a process approved by management can lead to lost or stolen data. Without a firm process, media locations are not tracked, nor is there a process for where the data goes or how it is protected. Include development of a management-approved process for moving media in the procedures recommended in Requirement 9.6 above.
Cardholder data leaving secure areas without a process approved by management can lead to lost or stolen data. Without a firm process, media locations are not tracked, nor is there a process for where the data goes or how it is protected.
Removed p. 41
If steps are not taken to destroy information contained on PC hard disks and CDs, and on paper, disposal of such information may result in compromise and lead to financial or reputation loss. For example, malicious individuals may use a technique known as “dumpster diving,” where they search through trashcans and recycle bins, and use found information to launch an attack. Include development of a process for properly destroying media with cardholder data, including proper storage of such media prior to destruction, in the procedures recommended above in Requirement 9.6.
Modified p. 42 → 46
Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
Modified p. 43 → 48
Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only) and use of internal segregation (to make the logs harder to find and modify). By writing logs from external- facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network.
Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only) and use of internal segregation (to make the logs harder to find and modify). By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network.
Modified p. 44 → 49
Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach. The log-review process does not have to be manual. Especially for those entities with a large number of servers, consider use of log harvesting, parsing, and alerting tools.
Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach. The log- review process does not have to be manual. Especially for those entities with a large number of servers, consider use of log harvesting, parsing, and alerting tools.
Removed p. 45
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.
Modified p. 45 → 50
Requirement Guidance 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identity all wireless devices in use.
Requirement Guidance 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Modified p. 45 → 50
Implementation and/or exploitation of wireless technology within a network is one of the most common paths for malicious users to gain access to the network and cardholder data. If a wireless device or network is installed without a company’s knowledge, it can allow an attacker to easily and “invisibly” enter the network. In addition to wireless analyzers, port scanners, and other network tools that detect wireless devices can be used.
Implementation and/or exploitation of wireless technology within a network is one of the most common paths for malicious users to gain access to the network and cardholder data. If a wireless device or network is installed without a company’s knowledge, it can allow an attacker to easily and “invisibly” enter the network.
Modified p. 45 → 50
Due to the ease with which a wireless access point can be attached to a network, the difficulty in detecting their presence, and the increased risk presented by unauthorized wireless devices, these scans must be performed even when a policy exists prohibiting the use of wireless technology.
Due to the ease with which a wireless access point can be attached to a network, the difficulty in detecting their presence, and the increased risk presented by unauthorized wireless devices, these processes must be performed even when a policy exists prohibiting the use of wireless technology.
Modified p. 45 → 51
A vulnerability scan is an automated tool run against external and internal network devices and servers, designed to expose potential vulnerabilities and identify ports in networks that could be found and exploited by malicious individuals. Once these weaknesses are identified, the entity corrects them, and repeats the scan to verify the vulnerabilities have been corrected.
A vulnerability scan is an automated tool run against external and internal network devices and servers, designed to expose potential vulnerabilities in networks that could be found and exploited by malicious individuals. Once these weaknesses are identified, the entity corrects them, and repeats the scan to verify the vulnerabilities have been corrected.
Removed p. 46
Network and application penetration tests are different from vulnerability scans in that penetration tests are more manual, attempt to actually exploit some of the vulnerabilities identified in scans, and include techniques used by malicious individuals to take advantage of weak security systems or processes. Before applications, network devices, and systems are released into production, they should be hardened and secured using security best practices (per Requirement 2.2). Vulnerability scans and penetration tests will expose any remaining vulnerabilities that could later be found and exploited by an attacker.
Modified p. 46 → 52
• added to the environment). These penetration tests must include the following: 11.3.1 Network-layer penetration tests 11.3.2 Application-layer penetration tests.
• added to the environment). These penetration tests must include the following:
Modified p. 46 → 53
These tools compare the traffic coming into the network with known “signatures” of thousands of compromise types (hacker tools, Trojans and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection via these tools, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these tools should be monitored, so that the attempted intrusions can be stopped. There are thousands of compromise types, …
Intrusion detection and/or intrusion prevention systems (IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection via these tools, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these tools should be monitored, so that the attempted intrusions can be …
Modified p. 46 → 53
File-integrity monitoring (FIM) systems check for changes to critical files, and notify when such changes are detected. There are both off-the-shelf and open source tools available for file integrity monitoring. If not implemented properly and the output of the FIM monitored, a malicious individual could alter configuration file contents, operating system programs, or application executables. Such unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
File-integrity monitoring (FIM) tools check for changes to critical files, and notify when such changes are detected. There are both off-the-shelf and open source tools available for file integrity monitoring. If not implemented properly and the output of the FIM monitored, a malicious individual could alter configuration file contents, operating system programs, or application executables. Such unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
Removed p. 47
Requirement 12: Maintain a policy that addresses information security for employees and contractors A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.
Requirement Guidance 12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following: 12.1.1 Addresses all PCI DSS requirements. 12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. 12.1.3 Includes a review at least once a year and updates when the environment changes.

Daily operational security procedures act as “desk instructions” for workers to use in their day-to-day system administrative and maintenance activities. Undocumented …
Modified p. 47 → 54
A company's information security policy creates the roadmap for implementing security measures to protect its most valuable assets. A strong security policy sets the security tone for the whole company, and lets employees know what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. Security threats and protection methods evolve rapidly throughout the year. Without updating the security policy to reflect these changes, new protection measures to fight against …
A company's information security policy creates the roadmap for implementing security measures to protect its most valuable assets. A strong security policy sets the security tone for the whole company, and lets personnel know what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.
Modified p. 47 → 55
Employee usage policies can either prohibit use of certain devices and other technologies if that is company policy, or provide guidance for employees as to correct usage and implementation. If usage policies are not in place, employees may use the technologies in violation of company policy, thereby allowing malicious individuals to gain access to critical systems and cardholder data. An example can be unknowingly setting up wireless networks with no security. To ensure that company standards are followed and only …
Personnel usage policies can either prohibit use of certain devices and other technologies if that is company policy, or provide guidance for personnel as to correct usage and implementation. If usage policies are not in place, personnel may use the technologies in violation of company policy, thereby allowing malicious individuals to gain access to critical systems and cardholder data. An example can be unknowingly setting up wireless networks with no security. To ensure that company standards are followed and only …
Removed p. 48
To ensure your employees are aware of their responsibilities to not store or copy cardholder data onto their local personal computer or other media, your company should have a policy that clearly prohibits such activities.
Removed p. 49
If users are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through employee errors or intentional actions.
Modified p. 49 → 57
Requiring an acknowledgement by employees (example: in writing or electronically) helps ensure that they have read and understood the security policies/procedures, and that they have made a commitment to comply with these policies.
Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the security policies/procedures, and that they have made and will continue to make a commitment to comply with these policies.
Modified p. 49 → 57
Performing thorough background investigations prior to hiring employees who are expected to be given access to cardholder data reduces the risk of unauthorized use of PANs and other cardholder data by individuals with questionable or criminal backgrounds. It is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions (and what that impact would be).
Performing thorough background investigations prior to hiring potential personnel who are expected to be given access to cardholder data reduces the risk of unauthorized use of PANs and other cardholder data by individuals with questionable or criminal backgrounds. It is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions (and what that impact would be).
Modified p. 53 → 60
If a merchant or service provider is allowed to run their own applications on the shared server, these should run with the user ID of the merchant or service provider, rather than as a privileged user. A privileged user would have access to all other merchants’ and service providers’ cardholder data environments as well as their own.
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. If a merchant or service provider is allowed to run their own applications on the shared server, these should run with the user ID of the merchant or service provider, rather than as a privileged user. A privileged user would have access to all other merchants’ and service providers’ cardholder data environments as well as their own.
Modified p. 53 → 60
A.1.2 Restrict each entity’s access and privileges to own cardholder data environment only. To ensure that access and privileges are restricted such that each merchant or service provider only has access to their own cardholder data environment, consider the following: (1) privileges of the merchant’s or service provider’s web server user ID; (2) permissions granted to read, write, and execute files; (3) permissions granted to write to system binaries; (4) permissions granted to merchant’s and service provider’s log files; and …
A.1.2 Restrict each entity’s access and privileges to own cardholder data environment only. To ensure that access and privileges are restricted such that each merchant or service provider has access only to their own cardholder data environment, consider the following: (1) privileges of the merchant’s or service provider’s web server user ID; (2) permissions granted to read, write, and execute files; (3) permissions granted to write to system binaries; (4) permissions granted to merchant’s and service provider’s log files; and …
Modified p. 55 → 61
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation Merchants10
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation Eligible Merchants9
Modified p. 55 → 61
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation Merchants10
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation Eligible Merchants9
Modified p. 55 → 61
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation Merchants10
PCI Data Security Standard: Self-Assessment Questionnaire C-VT and Attestation Eligible Merchants9
Modified p. 55 → 61
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation Merchants10 and all service providers
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation Eligible Merchants and service providers9
Modified p. 55 → 61
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers 10 To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Questionnaire Guidelines and Instructions, “Selecting the SAQ and Attestation That Best Apply to Your Organization.”
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers 9 To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Questionnaire Guidelines and Instructions, “Selecting the SAQ and Attestation that Best Apply to Your Organization.”