Required actions

There are 12 requirements of PCI DSS, designed to maintain security on systems within the scope of PCI DSS. These are outlined in more detail within the PCI DSS v3.2.1 document, which is linked in the Further reading section. These 12 requirements are as follows:

  • Build and maintain a secure network and systems:
    • Install and maintain a firewall configuration to protect cardholder data. Public systems (for example, the internet) are out of scope for PCI DSS, so organizations must take steps to isolate the internal network from publicly accessible systems.
    • Do not use vendor-supplied defaults for system passwords and other security parameters, because these are well known in hacker communities and can be found in public information. Leaving them in place exposes the very systems and information the equipment was designed to protect.
  • Protect cardholder data:
    • Protect stored cardholder data so that any successful intrusion doesn't expose the data to the attackers. Does the cardholder data even need to be stored? Can it be truncated, encrypted, or masked? How secure is the software being used to carry out any masking or encryption?
    • Encrypt transmission of cardholder data across open, public networks to prevent interception of the data. This is particularly true of wireless-enabled devices (for example, a card reader used at the table in a restaurant, or a phone app-based card reader).
  • Maintain a vulnerability management program:
    • Protect all systems against malware and regularly update antivirus software or programs in order to keep system vulnerabilities as few and as minor as possible.
    • Develop and maintain secure systems and applications including the timely application of patches and updates in order to minimize exposure to vulnerabilities.
  • Implement strong access control measures:
    • Restrict access to cardholder data by business need to know, so that critical data can only be accessed by authorized personnel, systems, and processes. This also limits the scope of PCI DSS, by segmenting the system so that each part receives only the minimum data and privileges needed to perform its job.
    • Identify and authenticate access to system components to reinforce the idea of individual accountability for actions.
    • Restrict physical access to cardholder data so that cardholder data cannot be viewed accidentally or in passing.
  • Regularly monitor and test networks:
    • Track and monitor all access to network resources and cardholder data to reinforce access control measures and to determine the cause of and contributing actions toward a breach for future procedure review.
    • Regularly test security systems and processes to ensure security controls continue to reflect the changing environment.
  • Maintain an information security policy:
    • Maintain a policy that addresses information security for all personnel, to ensure that they are aware of the sensitivity of the data and of their responsibility for protecting it.
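The "Protect stored cardholder data" requirement above asks whether the PAN needs to be stored at all, and whether it can be truncated, encrypted, or masked. The following is an added example (not code from the book or from the PCI Security Standards Council) showing the three habits a developer handling card data most often needs: a Luhn checksum to recognise a PAN, masking for display (PCI DSS 3.2.1 Requirement 3.3 allows at most the first six and last four digits to be shown), truncation and a keyed one-way hash for storage (Requirement 3.4), and a log scrubber that keeps full PANs out of log files. The sample numbers are publicly known test card numbers, not real cards; the `scrub_log_line` helper and its log line are constructed for this illustration.

```python
import hashlib
import hmac
import re

# Constructed sample input: widely published test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "378282246310005"]


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is a 13-19 digit string that passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form for display: first six and last four digits visible, the rest replaced (Req. 3.3)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncated form for storage (Req. 3.4): the middle digits are permanently discarded.

    Only the first six and last four digits survive, so the original PAN cannot be
    rebuilt from what is stored.
    """
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the whole PAN (HMAC-SHA256).

    Req. 3.4 permits a one-way hash of the entire PAN; using a keyed hash is a
    design choice here so that an attacker who obtains the token table cannot
    simply hash every possible PAN and look for matches.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Any 13-19 digit run is a PAN candidate; only Luhn-valid runs are masked.
_PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form before the line is written."""
    def _mask(match: re.Match) -> str:
        digits = match.group(0)
        return mask_pan(digits) if luhn_valid(digits) else digits
    return _PAN_CANDIDATE.sub(_mask, line)


if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-in-production"  # assumption: real key lives in an HSM/KMS
    for pan in SAMPLE_PANS:
        print(mask_pan(pan), truncate_pan(pan), pan_token(pan, key)[:16] + "...")
    print(scrub_log_line("order 17 paid with 4111111111111111 ok"))
```

Requirement 3.4 adds one caveat worth keeping in mind with this code: if both the truncated form and a hash of the same PAN exist in the environment, further controls are needed so that the two cannot be correlated to reconstruct the original PAN.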

These 12 requirements are a minimum and may need to be augmented and evolved over time. The PCI Security Standards Council, therefore, also lists 10 recommended best practices for maintaining PCI DSS compliance, as of January 2019. These are outlined as follows:

  • Develop and maintain a sustainable compliance program, which is designed to maintain the security of cardholder data rather than simply to attain compliance.
  • Develop programs, policies, and procedures that include people, process, and technology, to help drive proper behavior and repeatable, sustainable business practice.
  • Define performance metrics to measure success, so that the right resources are allocated to the right areas to minimize the occurrence of risk.
  • Assign ownership for coordinating security activities at an appropriate level to maintain accountability, resource allocation, and buy-in from other departments.
  • Emphasize security and risk management to attain and maintain compliance in order to focus minds on the security of cardholder data and not just compliance. 
  • Continuously monitor controls to ensure that policies remain able to secure cardholder data.
  • Detect and respond to control failures to minimize the impact of an incident, restore controls, repair the system, and ensure future defense.
  • Maintain security awareness throughout the organization to defend against the changing threat landscape.
  • Monitor the compliance of third-party service providers to ensure that they remain compliant and that the systems remain secure.
  • Evolve the compliance program to address changes in business structure, new innovations, and changes to the threat landscape.