Skip to main content

PCI DSS

logo

Summary

PCI DSS is the global data security standard adopted by payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of several steps that mirror security best practices. The version used in this section is PCI DSS v4.0, March 2022.

Definitions

DefinitionRequirements
1_2_2. Network security controls are configured and maintained
266. Disable insecure functionalities
1_2_5. Network security controls are configured and maintained
255. Allow access only to the necessary ports
1_2_6. Network security controls are configured and maintained
266. Disable insecure functionalities
1_3_1. Inbound traffic to the cardholder data environment is restricted
259. Segment the organization network
1_3_2. Outbound traffic to the cardholder data environment is restricted
259. Segment the organization network
1_4_2. Restrict inbound traffic from untrusted networks
255. Allow access only to the necessary ports
1_4_3. Implement anti-spoofing measures
096. Set user's required privileges
173. Discard unsafe inputs
176. Restrict system objects
265. Restrict access to critical processes
1_4_4. Network connections between trusted and untrusted networks are controlled
096. Set user's required privileges
176. Restrict system objects
1_4_5. Do not disclosure of internal IP addresses and routing information
077. Avoid disclosing technical information
261. Avoid exposing sensitive information
1_5_1. Implement security controls on any computing devices
273. Define a fixed security suite
2_2_2. System components are configured and managed securely
034. Manage user accounts
142. Change system default credentials
144. Remove inactive accounts periodically
2_2_4. Remove or disable all unnecessary functionality
154. Eliminate backdoors
266. Disable insecure functionalities
2_2_5. System components are configured and managed securely
330. Verify Subresource Integrity
2_2_6. Configure secure system parameters to prevent misuse
062. Define standard configurations
2_2_7. System components are configured and managed securely
033. Restrict administrative access
185. Encrypt sensitive information
2_3_1. Wireless environments are configured and managed securely
251. Change access point IP
253. Restrict network access
254. Change SSID name
2_3_2. Wireless environments are configured and managed securely
252. Configure key encryption
3_2_1. Retain account data only where necessary and deleted when no longer needed
183. Delete sensitive data securely
360. Remove unnecessary sensitive information
3_3_1. Sensitive authentication data (SAD) is not stored after authorization
314. Provide processing confirmation
315. Provide processed data information
3_3_2. Sensitive authentication data (SAD) is encrypted using strong cryptography
185. Encrypt sensitive information
3_3_3. Sensitive authentication data (SAD) is not stored after authorization
185. Encrypt sensitive information
360. Remove unnecessary sensitive information
3_4_1. Data is masked when displayed
300. Mask sensitive data
3_4_2. Use secure remote-access technologies
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
3_5_1. Primary account number (PAN) is secured wherever it is stored
127. Store hashed passwords
150. Set minimum size for hash functions
3_6_1. Protect cryptographic keys used to protect stored account data
145. Protect system cryptographic keys
3_7_1. Generation of strong cryptographic keys
224. Use secure cryptographic mechanisms
3_7_2. Secure cryptographic key distribution
145. Protect system cryptographic keys
3_7_3. Secure cryptographic key storage
145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM
3_7_7. Prevention of unauthorized substitution of cryptographic keys
095. Define users with privileges
145. Protect system cryptographic keys
176. Restrict system objects
3_7_9. Secure transmission and storage of cryptographic keys
338. Implement perfect forward secrecy
4_2_1. Strong cryptography during transmission
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
4_2_2. Strong cryptography to protect data
224. Use secure cryptographic mechanisms
5_2_1. Deploy an anti-malware solution on system components
273. Define a fixed security suite
5_3_2. Anti-malware mechanisms and processes are active and monitored
266. Disable insecure functionalities
5_3_4. Enable audit logs for the anti-malware solution
075. Record exceptional events in logs
6_2_4. Software engineering techniques to prevent or mitigate common software attacks
029. Cookies with security attributes
169. Use parameterized queries
173. Discard unsafe inputs
174. Transactions without a distinguishable pattern
6_3_3. Security vulnerabilities are identified and addressed
266. Disable insecure functionalities
353. Schedule firmware updates
6_4_1. Public-facing web applications are protected against attacks
029. Cookies with security attributes
175. Protect pages from clickjacking
343. Respect the Do Not Track header
6_4_3. Public-facing web applications are protected against attacks
330. Verify Subresource Integrity
6_5_4. Changes to all system components are managed securely
095. Define users with privileges
6_5_5. Changes to all system components are managed securely
156. Source code without sensitive information
180. Use mock data
261. Avoid exposing sensitive information
6_5_6. Changes to all system components are managed securely
171. Remove commented-out code
360. Remove unnecessary sensitive information
7_2_2. Access to system components and data is appropriately defined and assigned
096. Set user's required privileges
7_2_3. Required privileges are approved by authorized personnel
035. Manage privilege modifications
7_2_5. Access to system components and data is defined and assigned
176. Restrict system objects
186. Use the principle of least privilege
7_2_6. Access to system components and data is defined and assigned
229. Request access credentials
7_3_1. Access to system components and data is managed via an access control system
229. Request access credentials
7_3_2. Access to system components and data is managed via an access control system
096. Set user's required privileges
229. Request access credentials
7_3_3. Access control system is set to deny by default
341. Use the principle of deny by default
8_2_1. Assign a unique ID before access to system components
143. Unique access credentials
8_2_3. User identification for users and administrators are strictly managed
176. Restrict system objects
8_2_4. User identification for users and administrators are strictly managed
034. Manage user accounts
095. Define users with privileges
8_2_5. Access for terminated users is immediately revoked
023. Terminate inactive user sessions
8_2_6. Inactive user accounts are removed within 90 days of inactivity
144. Remove inactive accounts periodically
8_2_8. User identification for users and administrators are strictly managed
141. Force re-authentication
8_3_1. Strong authentication for users and administrators is established
229. Request access credentials
8_3_2. Strong authentication for users and administrators is established
338. Implement perfect forward secrecy
8_3_3. Strong authentication for users and administrators is established
264. Request authentication
8_3_5. Initial or reset password or passphrase used by authorized user
140. Define OTP lifespan
347. Invalidate previous OTPs
8_3_6. Passwords or passphrases with minimum level of complexity
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
8_3_7. A previously used password cannot be used to gain access to an account
129. Validate previous passwords
8_3_9. A password or passphrase cannot be used indefinitely
130. Limit password lifespan
8_3_11. An authentication factor cannot be used by anyone other than the user assigned
362. Assign MFA mechanisms to a single account
8_4_1. Multi-factor authentication (MFA) is implemented to secure access
328. Request MFA for critical systems
8_4_2. Multi-factor authentication (MFA) is implemented to secure access
328. Request MFA for critical systems
8_4_3. Multi-factor authentication (MFA) is implemented to secure access
328. Request MFA for critical systems
8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse
319. Make authentication options equally secure
8_6_3. Use of application and associated authentication factors is strictly managed
130. Limit password lifespan
9_2_2. Physical access controls manage entry into systems containing data
255. Allow access only to the necessary ports
9_2_3. Physical access controls manage entry into systems containing data
249. Locate access points
253. Restrict network access
9_4_1. Media with cardholder data is securely stored and accessed
231. Implement a biometric verification component
9_4_3. Media is secured and tracked when transported
147. Use pre-existent mechanisms
181. Transmit data using secure protocols
9_4_7. Media is secured and tracked when transported
183. Delete sensitive data securely
10_2_1. Audit logs are enabled and active for all system components
075. Record exceptional events in logs
10_3_2. Audit logs are protected from destruction and unauthorized modifications
080. Prevent log modification
10_6_1. System clocks and time are synchronized
363. Synchronize system clocks
10_7_2. Failures of critical security control systems are detected and responded to promptly
266. Disable insecure functionalities
11_2_1. Wireless access points are identified and monitored
249. Locate access points
12_9_1. Third-party service providers support their customers
315. Provide processed data information
3_6_1_1. Protect cryptographic keys used to protect stored account data
351. Assign unique keys to each device
361. Replace cryptographic keys
3_6_1_2. Protect cryptographic keys used to protect stored account data
151. Separate keys for encryption and signatures
10_2_1_3. Audit logs are enabled and active for all system components
085. Allow session history queries
10_2_1_4. Audit logs are enabled and active for all system components
075. Record exceptional events in logs
free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.

Last updated on