PCI DSS

Summary

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of twelve principal requirements, each broken into sub-requirements that mirror established security best practices. The version used in this section is PCI DSS v4.0, March 2022. The table below maps each PCI DSS sub-requirement (left) to the numbered requirements of this site's own catalogue that address it (right).

Definitions

Definition (PCI DSS v4.0 sub-requirement)          Requirements (mapped requirements in this catalogue)
1_2_2. Network security controls are configured and maintained
266. Disable insecure functionalities
1_2_5. Network security controls are configured and maintained
255. Allow access only to the necessary ports
1_2_6. Network security controls are configured and maintained
266. Disable insecure functionalities
1_3_1. Inbound traffic to the cardholder data environment is restricted
259. Segment the organization network
1_3_2. Outbound traffic to the cardholder data environment is restricted
259. Segment the organization network
1_4_2. Restrict inbound traffic from untrusted networks
255. Allow access only to the necessary ports
1_4_3. Implement anti-spoofing measures
096. Set user's required privileges
173. Discard unsafe inputs
176. Restrict system objects
265. Restrict access to critical processes
1_4_4. Network connections between trusted and untrusted networks are controlled
096. Set user's required privileges
176. Restrict system objects
1_4_5. Do not disclose internal IP addresses and routing information
077. Avoid disclosing technical information
261. Avoid exposing sensitive information
1_5_1. Implement security controls on any computing devices
273. Define a fixed security suite
2_2_2. System components are configured and managed securely
034. Manage user accounts
142. Change system default credentials
144. Remove inactive accounts periodically
2_2_4. Remove or disable all unnecessary functionality
154. Eliminate backdoors
266. Disable insecure functionalities
2_2_5. System components are configured and managed securely
330. Verify Subresource Integrity
2_2_6. Configure secure system parameters to prevent misuse
062. Define standard configurations
2_2_7. System components are configured and managed securely
033. Restrict administrative access
185. Encrypt sensitive information
2_3_1. Wireless environments are configured and managed securely
251. Change access point IP
253. Restrict network access
254. Change SSID name
2_3_2. Wireless environments are configured and managed securely
252. Configure key encryption
3_2_1. Retain account data only where necessary and delete it when no longer needed
183. Delete sensitive data securely
360. Remove unnecessary sensitive information
3_3_1. Sensitive authentication data (SAD) is not stored after authorization
314. Provide processing confirmation
315. Provide processed data information
3_3_2. Sensitive authentication data (SAD) is encrypted using strong cryptography
185. Encrypt sensitive information
3_3_3. Sensitive authentication data (SAD) is not stored after authorization
185. Encrypt sensitive information
360. Remove unnecessary sensitive information
3_4_1. Data is masked when displayed
300. Mask sensitive data
3_4_2. Use secure remote-access technologies
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
3_5_1. Primary account number (PAN) is secured wherever it is stored
127. Store hashed passwords
150. Set minimum size for hash functions
3_6_1. Protect cryptographic keys used to protect stored account data
145. Protect system cryptographic keys
3_7_1. Generation of strong cryptographic keys
224. Use secure cryptographic mechanisms
3_7_2. Secure cryptographic key distribution
145. Protect system cryptographic keys
3_7_3. Secure cryptographic key storage
145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM
3_7_7. Prevention of unauthorized substitution of cryptographic keys
095. Define users with privileges
145. Protect system cryptographic keys
176. Restrict system objects
3_7_9. Secure transmission and storage of cryptographic keys
338. Implement perfect forward secrecy
4_2_1. Strong cryptography during transmission
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
4_2_2. Strong cryptography to protect data
224. Use secure cryptographic mechanisms
5_2_1. Deploy an anti-malware solution on system components
273. Define a fixed security suite
5_3_2. Anti-malware mechanisms and processes are active and monitored
266. Disable insecure functionalities
5_3_4. Enable audit logs for the anti-malware solution
075. Record exceptional events in logs
6_2_4. Software engineering techniques to prevent or mitigate common software attacks
029. Cookies with security attributes
169. Use parameterized queries
173. Discard unsafe inputs
174. Transactions without a distinguishable pattern
6_3_3. Security vulnerabilities are identified and addressed
266. Disable insecure functionalities
353. Schedule firmware updates
6_4_1. Public-facing web applications are protected against attacks
029. Cookies with security attributes
175. Protect pages from clickjacking
343. Respect the Do Not Track header
6_4_3. Public-facing web applications are protected against attacks
330. Verify Subresource Integrity
6_5_4. Changes to all system components are managed securely
095. Define users with privileges
6_5_5. Changes to all system components are managed securely
156. Source code without sensitive information
180. Use mock data
261. Avoid exposing sensitive information
6_5_6. Changes to all system components are managed securely
171. Remove commented-out code
360. Remove unnecessary sensitive information
7_2_2. Access to system components and data is appropriately defined and assigned
096. Set user's required privileges
7_2_3. Required privileges are approved by authorized personnel
035. Manage privilege modifications
7_2_5. Access to system components and data is defined and assigned
176. Restrict system objects
186. Use the principle of least privilege
7_2_6. Access to system components and data is defined and assigned
229. Request access credentials
7_3_1. Access to system components and data is managed via an access control system
229. Request access credentials
7_3_2. Access to system components and data is managed via an access control system
096. Set user's required privileges
229. Request access credentials
7_3_3. Access control system is set to deny by default
341. Use the principle of deny by default
8_2_1. Assign a unique ID before access to system components
143. Unique access credentials
8_2_3. User identification for users and administrators are strictly managed
176. Restrict system objects
8_2_4. User identification for users and administrators are strictly managed
034. Manage user accounts
095. Define users with privileges
8_2_5. Access for terminated users is immediately revoked
023. Terminate inactive user sessions
8_2_6. Inactive user accounts are removed within 90 days of inactivity
144. Remove inactive accounts periodically
8_2_8. User identification for users and administrators are strictly managed
141. Force re-authentication
8_3_1. Strong authentication for users and administrators is established
229. Request access credentials
8_3_2. Strong authentication for users and administrators is established
338. Implement perfect forward secrecy
8_3_3. Strong authentication for users and administrators is established
264. Request authentication
8_3_5. Initial or reset passwords or passphrases are unique per user and must be changed immediately after first use
140. Define OTP lifespan
347. Invalidate previous OTPs
8_3_6. Passwords or passphrases meet a minimum level of complexity
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
8_3_7. A previously used password cannot be used to gain access to an account
129. Validate previous passwords
8_3_9. A password or passphrase cannot be used indefinitely
130. Limit password lifespan
8_3_11. An authentication factor cannot be used by anyone other than the user assigned
362. Assign MFA mechanisms to a single account
8_4_1. Multi-factor authentication (MFA) is implemented to secure access
328. Request MFA for critical systems
8_4_2. Multi-factor authentication (MFA) is implemented to secure access
328. Request MFA for critical systems
8_4_3. Multi-factor authentication (MFA) is implemented to secure access
328. Request MFA for critical systems
8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse
319. Make authentication options equally secure
8_6_3. Use of application and system accounts and their associated authentication factors is strictly managed
130. Limit password lifespan
9_2_2. Physical access controls manage entry into facilities and systems containing cardholder data
255. Allow access only to the necessary ports
9_2_3. Physical access controls manage entry into facilities and systems containing cardholder data
249. Locate access points
253. Restrict network access
9_4_1. Media with cardholder data is securely stored and accessed
231. Implement a biometric verification component
9_4_3. Media is secured and tracked when transported
147. Use pre-existent mechanisms
181. Transmit data using secure protocols
9_4_7. Media is secured and tracked when transported
183. Delete sensitive data securely
10_2_1. Audit logs are enabled and active for all system components
075. Record exceptional events in logs
10_3_2. Audit logs are protected from destruction and unauthorized modifications
080. Prevent log modification
10_6_1. System clocks and time are synchronized
363. Synchronize system clocks
10_7_2. Failures of critical security control systems are detected and responded to promptly
266. Disable insecure functionalities
11_2_1. Wireless access points are identified and monitored
249. Locate access points
12_9_1. Third-party service providers support their customers
315. Provide processed data information
3_6_1_1. Protect cryptographic keys used to protect stored account data
351. Assign unique keys to each device
361. Replace cryptographic keys
3_6_1_2. Protect cryptographic keys used to protect stored account data
151. Separate keys for encryption and signatures
10_2_1_3. Audit logs are enabled and active for all system components
085. Allow session history queries
10_2_1_4. Audit logs are enabled and active for all system components
075. Record exceptional events in logs
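
As an added, runnable example (not part of the original page and not Fluid Attacks' own tooling), the following Python code implements the control behind 3_4_1 / 300 (mask sensitive data): a PAN is displayed with at most its first six digits (assumed here as the BIN length) and last four, and a Luhn check is used to find PAN-shaped values in a constructed log line so they can be redacted before the line is written. The sample PANs are the widely published card-brand test numbers; the log line, the function names and the six-digit BIN assumption are the example's own.

```python
import re

# Constructed sample data for the example: published test card numbers,
# not real accounts, and an invented log line.
SAMPLE_PANS = {
    "visa_test": "4111111111111111",
    "mastercard_test": "5555555555554444",
    "amex_test": "378282246310005",
}
SAMPLE_LOG_LINE = "INFO checkout ok pan=4111 1111 1111 1111 amount=19.99 order=1234567"

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumption: a six-digit BIN. Never show more than BIN + last four.
MAX_BIN_LENGTH = 6


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False, bin_length: int = MAX_BIN_LENGTH) -> str:
    """Mask a PAN for display.

    By default only the last four digits are visible. show_bin=True additionally
    reveals the BIN and should be reachable only for roles with a legitimate
    business need; the visible prefix is capped at MAX_BIN_LENGTH digits.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not PAN-shaped")
    if bin_length > MAX_BIN_LENGTH or bin_length < 0:
        raise ValueError("bin_length exceeds the permitted visible prefix")
    head = digits[:bin_length] if show_bin else ""
    tail = digits[-4:]
    return head + "*" * (len(digits) - len(head) - len(tail)) + tail


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN-shaped run in free text with its masked form.

    Digit runs that fail the Luhn check (order ids, timestamps) are left alone;
    a Luhn-valid non-PAN run would still be masked, which is the safer failure.
    """
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return PAN_PATTERN.sub(_sub, text)


if __name__ == "__main__":
    for name, pan in SAMPLE_PANS.items():
        print(f"{name}: display={mask_pan(pan)} privileged={mask_pan(pan, show_bin=True)}")
    print(redact_pans(SAMPLE_LOG_LINE))
```

Run the redaction at the logging sink (a filter or formatter) rather than at each call site, so a PAN that reaches a log message by accident is still masked; the Luhn check keeps the regex from mangling ordinary long numbers.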