PCI DSS v3.2
Implementation - Bliss or Nightmare
Requirements & Scope
● Scope includes security devices, virtual servers, network devices, server farms and applications that are connected to the cardholder data environment (CDE)
● Isolating the CDE from the rest of the environment is not mandatory but is recommended
● Any third-party service provider involved in the CDE will need annual and/or on-demand PCI DSS assessments
● There are 12 high-level requirements that must be met for the entity to become PCI certified
Steps in PCI DSS assessment process
● Confirm the scope of the PCI DSS assessment
● Perform the environment assessment against all 12 requirements
● Complete the assessment reports and documentation, viz. the Self-Assessment Questionnaire (SAQ), the Report on Compliance (ROC) and compensating control documentation
● Complete the compliance attestation for service providers (PA-DSS) or merchants
● Complete other requested documentation such as ASV scan reports for the service providers or merchants
● Remediate any requirements that are not in place and provide a report
Req 1: Install & maintain a firewall configuration protecting
cardholder data
● Establish a formal process for testing and approving any firewall/routing configuration changes
● Secure and synchronize router and firewall configuration files
● Use features such as NAT to hide private IP addresses
● Implement personal firewall software on portable devices
● Limit inbound internet traffic to servers in the DMZ
● Implement anti-spoofing measures to detect and block traffic with forged (spoofed) source IP addresses entering the network
Req 2: Do not use vendor-supplied defaults for system
passwords and other security parameters
● Remove/change all vendor-supplied default passwords on a system before connecting it to the network
● Harden devices to an industry standard, viz. CIS/SANS/NIST, before installation
● Enable only necessary functions and services on servers
● Ensure the security policy and procedures describe how vendor default credentials are changed
Req 3: Protect stored cardholder data
● Implement data retention and disposal policies for storing cardholder data for business, legal and regulatory purposes
● Do not store full track data, CVV or full PIN after authorization, even if encrypted
● Mask the card number so that only the first six and last four digits of the PAN are visible
● Encrypt the full PAN wherever it is stored
● Store the decryption keys for the above encryption separately and do not tie them to user accounts
● Fully document all key-management procedures for the decryption keys used in the system
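The masking rule above (first six and last four digits visible, everything else hidden) and the "no clear PAN anywhere" rule are easy to check mechanically. The following is an added example, not code from the deck or from the PCI SSC: it masks a PAN to that window, refuses any wider window, and scans a constructed log excerpt for PAN-shaped digit strings that pass the Luhn check, reporting hits in masked form so the scanner's own report does not leak what it found. The test card number and log lines are constructed sample data.

```python
"""Requirement 3 helpers: PAN masking and a clear-text PAN scanner.
Added example; the PAN_CANDIDATE pattern, the helper names and the
sample log below are assumptions for illustration, not the deck's."""
import re

# Loose match for 13-19 digits optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log excerpt: one clear PAN, one properly masked value,
# and one 16-digit ID that is not a PAN (fails the Luhn check).
SAMPLE_LOG = """\
2024-05-01 order 42 pan=4111111111111111 amount=10.00
2024-05-01 order 43 masked=411111******1111 amount=20.00
2024-05-01 tx id 1234567890123456 status=ok
"""


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used only to recognise PAN-shaped data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Return the PAN with only the first `first` and last `last` digits visible.
    The slide's window is first six / last four; a narrower window is allowed,
    a wider one is rejected."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    if first > 6 or last > 4:
        raise ValueError("mask would expose more than first six / last four")
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]


def find_unmasked_pans(text: str) -> list:
    """Scan text (a log file, a database dump) for clear-text PANs.
    Hits are returned already masked so the report itself stays clean."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print("clear PANs found:", find_unmasked_pans(SAMPLE_LOG))
```

The scanner deliberately keeps only the masked form of each hit; a finding that re-logs the full PAN would itself create stored cardholder data.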
Req 4: Encrypt transmission of cardholder data across open,
public networks
● Implement data retention and disposal policies for storing cardholder data for business, legal and regulatory purposes
● Do not store full track data, CVV or full PIN after authorization, even if encrypted
● Mask the card number so that only the first six and last four digits of the PAN are visible
● Encrypt the full PAN wherever it is stored
● Store the decryption keys for the above encryption separately and do not tie them to user accounts
● Fully document all key-management procedures for the decryption keys used in the systems
Req 5: Protect all systems against malware and regularly update
anti-virus software or programs
● Deploy AV on all servers and desktops. Don’t forget Linux servers
● Keep the AV solution up to date with new releases
● System owners must not be allowed to turn off the AV program at their own discretion
● Centralize AV scan logs and keep them available for the PCI audit
● Have procedures and policies in place for management approval of any alteration to scans or updates
Req 6: Develop and maintain secure systems and applications
● Have a procedure and policy in place for applying the security patches provided by the system vendor
● Apply security patches within a month of release
● Conduct code review of custom code for application vulnerabilities
● Have a change control process in place that separates production and development environments
● Ensure production data is not used in the development environment
● Have a change control process in place covering approvals, roll-back and testing for any system change request
● Conduct security vulnerability assessments of public-facing web servers periodically
● Have coding practices/training in place to avoid DB-, OS- and Active Directory-level injection
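The last bullet is the one that is usually explained with a side-by-side. The following is an added example, not code from the deck: it contrasts a lookup that splices the caller's input into SQL text with the parameterised form that the coding practice should mandate, using Python's built-in sqlite3 and a constructed in-memory table (the table, column and user names are made up).

```python
"""Requirement 6: database-level injection, vulnerable form beside the
hardened form.  Added example; build_db() and its contents are a
constructed fixture, not part of any real system."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed fixture: two users with already-masked PANs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (username TEXT, masked_pan TEXT)")
    conn.executemany(
        "INSERT INTO cardholders VALUES (?, ?)",
        [("alice", "411111******1111"), ("bob", "550000******0004")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the caller's input becomes part of the SQL statement,
    so a quote in the input changes the query's structure."""
    sql = f"SELECT masked_pan FROM cardholders WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the input as a parameter, so it is always
    treated as a value to compare against, never as SQL."""
    sql = "SELECT masked_pan FROM cardholders WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "alice' OR '1'='1"
    print("unsafe rows:", len(lookup_unsafe(db, crafted)))  # returns every row
    print("safe rows:", len(lookup_safe(db, crafted)))      # no such username
```

The bound-parameter version is the pattern a code review (the third bullet) should look for; the same rule applies to LDAP filters and OS command arguments, where the equivalent of binding is an escaping API or an argument list rather than a shell string.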
Req 7: Restrict access to cardholder data by business need to
know
● Restrict access to cardholder data, system components and privileged user IDs
● Have a documented approval procedure for any changes to the above
● Use a default deny-all setting for all privileges of users/roles
● Grant only those privileges that a business/system need justifies
● Have policy and procedure documentation in place restricting cardholder data access to those who need it
Req 8: Identify and authenticate access to system components
● Unique user ID for each individual user
● Approvals and monitoring in place for privileged user IDs
● Revoke access of terminated/resigned users immediately
● Disable users inactive for 90 days
● Enable remote access for third parties only when required
● Lock out user IDs after a maximum of six invalid attempts
● Implement an idle session timeout of 15 minutes
● Enable 2FA for privileged user IDs
● Strict password controls, viz. password history, password complexity, encryption, etc.
● Application IDs are to be used only by systems, not by individual users
Req 9: Restrict physical access to cardholder data
● Enable physical access control for the cardholder data environment
● Restrict access to publicly accessible network jacks
● Implement visitor access controls including badges, a log book, etc.
● Maintain strict control over the securing and distribution of media
● Approvals and monitoring in place for privileged user IDs
● Destroy media securely once the business retention period has passed
● Maintain a list of systems and inspect them periodically for any tampering
● Security policies and procedures in place for restricting physical access to the cardholder data environment
Req 10: Track and monitor all access to network resources and
cardholder data
● Automated audit trails to monitor user access, invalid attempts, and stopping or pausing of audit logs
● Time synchronization for all systems
● Audit trails to be secured and non-alterable
● Review logs and security events to identify suspicious activity
● Review security events daily
● Process for responding to security controls
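Several of the Req 8 controls (lock-out after six invalid attempts, disabling users inactive for 90 days) and the Req 10 bullet about detecting stopped or paused audit logs can all be checked from the same authentication/audit event stream during the daily review. The following is an added example, not code from the deck: the event line format, the user and event names and the sample events are all constructed for illustration, and `NOW` is a fixed review date so the result is reproducible.

```python
"""Requirements 8 and 10: daily review checks over an auth/audit event log.
Added example; event format '<ISO time> <user> <event>' and the sample
events below are constructed, not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events.  '-' is used as the user for daemon events.
SAMPLE_EVENTS = """\
2024-04-01T08:00:00 alice login_ok
2024-05-02T09:00:00 bob login_fail
2024-05-02T09:00:05 bob login_fail
2024-05-02T09:00:10 bob login_fail
2024-05-02T09:00:15 bob login_fail
2024-05-02T09:00:20 bob login_fail
2024-05-02T09:00:25 bob login_fail
2024-05-02T09:01:00 carol login_fail
2024-05-02T09:01:30 carol login_ok
2024-05-02T10:00:00 svc_batch login_ok
2024-05-02T11:00:00 - audit_stop
2024-05-02T11:20:00 - audit_start
2024-07-15T09:00:00 carol login_ok
"""

NOW = datetime(2024, 7, 20)  # fixed review date (assumption for the example)


def parse_events(text: str) -> list:
    """Parse the constructed line format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def lockout_candidates(events: list, max_attempts: int = 6) -> set:
    """Users whose run of consecutive failed logins reached max_attempts
    (a successful login resets the run).  These IDs should be locked."""
    streak, locked = defaultdict(int), set()
    for _, user, event in events:
        if event == "login_fail":
            streak[user] += 1
            if streak[user] >= max_attempts:
                locked.add(user)
        elif event == "login_ok":
            streak[user] = 0
    return locked


def inactive_users(events: list, now: datetime, days: int = 90) -> set:
    """Users whose last successful login is more than `days` before `now`."""
    last_ok = {}
    for ts, user, event in events:
        if event == "login_ok":
            last_ok[user] = ts
    return {u for u, ts in last_ok.items() if now - ts > timedelta(days=days)}


def audit_log_gaps(events: list) -> list:
    """Intervals during which the audit daemon was stopped, as
    (stopped_at, resumed_at, minutes).  A stop with no later start is
    reported with None for the end, since that is the worse case."""
    gaps, stopped_at = [], None
    for ts, _, event in events:
        if event == "audit_stop" and stopped_at is None:
            stopped_at = ts
        elif event == "audit_start" and stopped_at is not None:
            gaps.append((stopped_at, ts, (ts - stopped_at).total_seconds() / 60))
            stopped_at = None
    if stopped_at is not None:
        gaps.append((stopped_at, None, None))
    return gaps


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("lock:", lockout_candidates(evs))
    print("disable (inactive > 90 days):", inactive_users(evs, NOW))
    print("audit gaps:", audit_log_gaps(evs))
```

Each function returns a set or list rather than printing, so the same checks can feed a ticketing step for the "process for responding" bullet; the thresholds are parameters so a stricter local policy (fewer attempts, a shorter inactivity window) needs no code change.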
Req 11: Regularly test security systems and processes
● Implement a process for quarterly review of wireless access points
● Maintain an inventory of wireless access points
● Have an incident response procedure for any unauthorized access points that are identified
● Run quarterly internal/external vulnerability scans and remediate high-severity results
● Run penetration tests according to industry-accepted standards
● Implement intrusion-detection/prevention systems
Req 12: Maintain a policy that addresses information security for
all personnel
● Publish and implement an organization-wide security policy that is reviewed annually
● Implement an annual risk assessment process
● Develop usage policies for critical systems and technologies
● Keep owner and contact information for critical systems available as part of the documentation
● Include security policy implementation in the hiring process
● Implement an incident response plan for any system breach
● Designate persons available 24/7 to respond to alerts