PCI - Key IT Requirements Summary
1 Answer
  • You must have a written security policy. It must be communicated to new employees, and have management sponsorship, as well as designating contact information for hosts and emergencies.
  • Annual assessments are required.
  • Quarterly vulnerability scans (annual for level 4 merchants) are required (internal and external).
  • Do not store unnecessary cardholder information.
  • Do not store authentication information (CVV2, PIN).
  • Encrypt and obscure card information.
  • Systems must be "hardened" to industry standards (SANS, NIST, or CIS):
    a) Patch operating systems and software.
    b) Disable unnecessary services.
    c) Change default and vendor passwords and accounts.
  • Firewalls are required, and there are specific policies required for DMZ to Internal and Internal to External traffic, with both ingress and egress filters.
  • Wireless networks must use their highest possible encryption standard (WPA/WPA2; WEP has been phased out).
  • Protocols should be restricted to HTTP, SSL, SSH, and VPN, except as otherwise noted and justified in a separate written policy.
  • Limit and encrypt administrative/console access.
  • Implement only one function per server (i.e., do not run file service and DNS on the same host).
  • Anti-virus software is required for Windows systems (not required on Unix hosts).
  • Applications must follow a Secure Development Life Cycle (SDLC) model, with code review.
  • Change control is required.
  • Individual unique accounts with complex passwords are required.
  • Physical access controls are required (cameras, visitor logs, document shredding...).
  • System auditing (login/logout/system changes...) must be enabled and backed up to a centralized log server, with 3 months online and one year offline retention.
  • Penetration testing must be done annually or after significant changes (both network and application layer pen testing).
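The three cardholder-data points in the answer above (store no unnecessary card data, never store authentication data such as CVV2/PIN, and obscure the card number) are the ones most often implemented in application code rather than in policy. The following is an added example, not code from the answer or from any PCI standard document: it validates a PAN with the Luhn check, masks it to the first six and last four digits for display, derives a keyed one-way token for lookups so the clear PAN need not be kept, and drops forbidden authentication fields before a record is persisted. The field list `FORBIDDEN_FIELDS`, the constructed `DEMO_HMAC_KEY`, the `SAMPLE_RECORD` data and all function names are assumptions made for the example; reversible encryption of the PAN with a managed key is outside this stdlib-only block.

```python
"""Cardholder-data handling helpers (added example, not from the original answer):
validate a PAN, mask it for display, derive a keyed lookup token, and refuse to
persist sensitive authentication data (CVV2, PIN, track data)."""
import hashlib
import hmac
import re

# Field names (assumed for this example) that must never be written to storage
# after authorization: the "do not store authentication information" point above.
FORBIDDEN_FIELDS = {"cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}

# Constructed demo key. A real deployment would fetch this from an HSM/KMS.
DEMO_HMAC_KEY = b"demo-only-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Return True if pan (digits only, 12-19 long) passes the Luhn check."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    # Walk from the check digit leftwards, doubling every second digit.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; raise if the result is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(raw: str) -> str:
    """Show only the first six and last four digits (the usual PCI display rule)."""
    pan = normalize_pan(raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(raw: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way token so records can be matched/deduplicated without the
    clear PAN. Not reversible: use proper encryption if the PAN must be recovered."""
    pan = normalize_pan(raw)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub_for_storage(record: dict) -> dict:
    """Return a copy that is safe to persist: forbidden authentication fields are
    dropped, and the PAN is replaced by its masked form plus a lookup token."""
    out = {}
    for field, value in record.items():
        name = field.lower()
        if name in FORBIDDEN_FIELDS:
            continue  # never written to disk
        if name == "pan":
            out["pan_masked"] = mask_pan(value)
            out["pan_token"] = pan_token(value)
            continue
        out[field] = value
    return out


# Constructed sample transaction, as it might arrive from a checkout form.
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "amount": "42.00",
}

if __name__ == "__main__":
    for field, value in scrub_for_storage(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

Run as a script, it prints the scrubbed record: `order_id`, `pan_masked` (`411111******1111`), `pan_token`, `expiry` and `amount`, with `cvv2` absent. The scrub step is deliberately a whitelist-by-transformation rather than a regex over free text: the fields you refuse to store are named explicitly, so a new forbidden field added to the form cannot leak through by accident without also being added to `FORBIDDEN_FIELDS` review.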