This section includes around 300 questions. There are 6 main sections.

  1. Build and Maintain a Secure Network and System
    1. Install and maintain a firewall configuration to protect cardholder data.
    2. Are firewall and router configuration standards established and implemented?
    3. Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment?
    4. Is direct public access prohibited between the Internet and any system component in the cardholder data environment?
    5. Do not use vendor-supplied defaults for system passwords and other security parameters.
    6. For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations?
  2. Protect Cardholder Data
    1. Are data-retention and disposal policies, procedures, and processes implemented?
    2. Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted)?
    3. If disk encryption (rather than file- or column-level database encryption) is used, is access managed?
    4. Are keys used to secure stored cardholder data protected against disclosure and misuse?
    5. Are key-management processes and procedures implemented?
    6. Encrypt transmission of cardholder data across open, public networks.
  3. Maintain a Vulnerability Management Program
    1. Protect all systems against malware and regularly update anti-virus software or programs.
    2. Are all anti-virus mechanisms maintained?
    3. Develop and maintain secure systems and applications.
    4. Do software development processes ensure all custom code is reviewed prior to release?
      1. Are code changes reviewed by individuals other than the originating code author, and by individuals who are knowledgeable about code review techniques and secure coding practices?
      2. Do code reviews ensure code is developed according to secure coding guidelines?
      3. Are appropriate corrections implemented prior to release?
      4. Are code review results reviewed and approved by management prior to release?
    5. Are change control processes and procedures followed for all changes to system components?
    6. Are applications developed based on secure coding guidelines to protect applications from vulnerabilities?
    7. For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities?
      1. Do coding techniques address cross-site scripting (XSS) vulnerabilities?
      2. Do coding techniques address cross-site request forgery (CSRF)?
      3. Do coding techniques address broken authentication and session management?
      4. Are security policies and operational procedures for developing and maintaining secure systems and applications.
  4. Implement Strong Access Control Measures
    1. Restrict access to cardholder data by business need to know.
    2. Is access to system components and cardholder data limited to only those individuals whose jobs require such access?
    3. Is an access control system(s) in place for system components to restrict access based on a user's need to know, and is it set to "deny all" unless specifically allowed?
    4. Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components?
    5. Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication?
    6. Is all access to any database containing cardholder data (including access by applications, administrators, and all other users) restricted?
    7. Restrict physical access to cardholder data.
    8. Is visitor identification and access handled?
    9. Do controls include the following?
    10. Is media destruction performed as follows?
    11. Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows?
    12. Are personnel trained to be aware of attempted tampering or replacement of devices?
  5. Regularly Monitor and Test Networks
    1. Track and monitor all access to network resources and cardholder data.
    2. Are automated audit trails implemented for all system components to reconstruct the following events?
    3. Are the following audit trail entries recorded for all system components for each event?
    4. Are the following processes implemented for critical systems to have the correct and consistent time?
    5. Is time data protected as follows?
    6. Are audit trails secured so they cannot be altered, as follows?
    7. Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows?
    8. Regularly test security systems and processes.
    9. Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)?
    10. Is segmentation used to isolate the CDE from other networks?
  6. Maintain an Information Security Policy
    1. Maintain a policy that addresses information security for all personnel.
    2. Are usage policies for critical technologies developed to define proper use of these technologies and require the following?
    3. Are the following information security management responsibilities formally assigned to an individual or team?
    4. Do security awareness program procedures include the following?
    5. Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows?
    6. Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows?

...