CHAPTER 7: PCI DSS – THE STANDARD

The PCI DSS has 12 requirements, organised into six control objectives. Please note that this pocket guide is no substitute for obtaining your own copy of the Standard, which is freely downloadable from www.pcisecuritystandards.org/security_standards/documents.php.

PCI DSS version 1.0 was originally published in January 2005, with subsequent updates to version 1.1 in September 2006 and version 1.2 in October 2008. PCI DSS v2.0 was released on 28 October 2010, and v3.0 was published on 7 November 2013. The most recent version, v3.2, was released in April 2016.

With the release of PCI DSS v2.0, the PCI Security Standards Council introduced a new three-year lifecycle for standards development. This ensures a gradual and phased introduction of new versions, and helps to prevent organisations from becoming non-compliant when a new Standard is published. Since version 3.2, however, the PCI Security Standards Council has abandoned the three-year cycle in favour of more frequent incremental updates to help the Standard keep up with a faster pace of change within the security industry.

Version 3.0 of the PCI DSS introduces more flexibility in implementing the requirements, and increases the focus on education, awareness and security as a shared responsibility.

Version 3.1 of the PCI DSS is an out-of-band update created in response to the repeated vulnerabilities discovered in the SSL protocol throughout early 2015. It removes SSL and early versions of TLS from the list of secure technologies and requires that they be replaced with TLS 1.2 or later, or with IPsec.

Version 3.2 of the PCI DSS is a further incremental update that introduces business-as-usual (BAU) requirements. Organisations have typically focused on the annual assessment rather than on continually managing their compliance state, so compliance often peaks immediately after the annual assessment and then trails off over time. Service providers are addressed in particular, with added guidance on maintaining card security as part of their business-as-usual activities.

Appendix A3 has been added to state the requirements for designated entities, and Appendix A2 has been added to provide clear guidance on transitioning from using SSL and early TLS, with extended timescales provided for transitions supported by formal risk assessments and mitigation plans.

The six control objectives and 12 PCI DSS requirements that address these are as follows:

Build and maintain a secure network and systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Implement strong access control measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Identify and authenticate access to system components.

Requirement 9: Restrict physical access to cardholder data.

Regularly monitor and test networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an information security policy

Requirement 12: Maintain a policy that addresses information security for all personnel.