PCI - Key IT Requirements Summary

3views

written 5.3 years ago by

teamques10 ★ 68k

You must have a written security policy. It must be communicated to new employees, and have management sponsorship, as well as designating contact information for hosts and emergencies.
Annual assessment are required.
Quarterly vulnerability scans (annual for level 4 merchants), are required (internal and external).
Do not store un-necessary cardholder information.
Do not store authentication information (CVV2, PIN) .
Encrypt and obscure card information.
Systems must be "hardened" to industry standards (SANS, NIST, or CIS)

a) Patch operating systems and software

b) Disable unnecessary services.

c) Change default and vendor passwords and accounts.
Firewalls are required, and there are specific policies required for DMZ to Internal, and Internal to External traffic, with both ingress and egress filters.
Wireless networks must use their highest possible encryption standard (WPA/WPA2, WEP has been phased out).
Protocols should be restricted to HTTP, SSL, SSH, and VPN, except as otherwise noted and justified in a separate written policy.
Limit and Encrypt Administrative/Console access.
Implement only one function per server (i.e Do not run file service and DNS on the same host).
Anti-virus software is required for windows systems (not required on Unix hosts).
Applications must follow a Secure Development Life Cycle (SDLC), model with code review.
Change control is required.
Individual unique accounts, with complex passwords are required.
Physical access controls are required (cameras, visitor logs, document shredding...)
System auditing (login/logout/system changes....), must be enabled, and backed up to a centralized log server, with 3 months online and one year offline retention.
Penetration testing must be done annually or after significant changes (both network and application layer pen testing).

ADD COMMENT EDIT