PCI DSS

Summary

PCI DSS is the global data security standard adopted by the payment card brands for every entity that processes, stores or transmits cardholder data and/or sensitive authentication data. Its twelve requirements (plus appendices) mirror established security best practices. The version mapped in this section is PCI DSS v3.2.1; each PCI DSS control below is paired with the numbered requirements it maps to.

Definitions

Definition | Requirements
--- | ---
1_2_1. Restrict inbound and outbound traffic | 033. Restrict administrative access; 259. Segment the organization network
1_2_2. Secure and synchronize router configuration files | 033. Restrict administrative access; 062. Define standard configurations; 176. Restrict system objects
1_2_3. Install perimeter firewalls | 259. Segment the organization network
1_3_1. Implement a DMZ | 255. Allow access only to the necessary ports; 259. Segment the organization network
1_3_2. Limit inbound Internet traffic | 255. Allow access only to the necessary ports; 259. Segment the organization network
1_3_3. Implement anti-spoofing measures | 173. Discard unsafe inputs; 259. Segment the organization network
1_3_4. Do not allow unauthorized outbound traffic | 062. Define standard configurations; 253. Restrict network access; 259. Segment the organization network
1_3_5. Permit only “established” connections | 062. Define standard configurations; 255. Allow access only to the necessary ports
1_3_6. Place system components that store cardholder data | 033. Restrict administrative access; 259. Segment the organization network
1_3_7. Do not disclose private IP addresses and routing information | 077. Avoid disclosing technical information; 261. Avoid exposing sensitive information
2_1_1. For wireless environments connected | 142. Change system default credentials; 251. Change access point IP
2_2_2. Enable only necessary services | 255. Allow access only to the necessary ports; 266. Disable insecure functionalities
2_2_3. Implement additional security features | 062. Define standard configurations
2_2_4. Configure system security parameters | 062. Define standard configurations; 235. Define credential interface
2_2_5. Remove all unnecessary functionality | 266. Disable insecure functionalities
2_3. Encrypt all non-console administrative access | 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms; 302. Declare dependencies explicitly
3_1. Keep cardholder data storage to a minimum | 183. Delete sensitive data securely; 360. Remove unnecessary sensitive information
3_2_1. Do not store the full contents of any track | 335. Define out of band token lifespan; 360. Remove unnecessary sensitive information
3_2_2. Do not store the card verification code or value | 360. Remove unnecessary sensitive information
3_2_3. Do not store the personal identification number (PIN) | 360. Remove unnecessary sensitive information
3_3. Mask PAN when displayed | 300. Mask sensitive data
3_4. Render PAN unreadable anywhere it is stored | 185. Encrypt sensitive information
3_4_1. Disk encryption | 145. Protect system cryptographic keys; 186. Use the principle of least privilege
3_5_2. Restrict access to cryptographic keys | 145. Protect system cryptographic keys; 186. Use the principle of least privilege
3_5_3. Store secret and private keys used to encrypt or decrypt | 145. Protect system cryptographic keys; 185. Encrypt sensitive information; 333. Store salt values separately
3_5_4. Store cryptographic keys | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM
3_6_1. Generation of strong cryptographic keys | 224. Use secure cryptographic mechanisms
3_6_2. Secure cryptographic key distribution | 145. Protect system cryptographic keys
3_6_3. Secure cryptographic key storage | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM
3_6_4. Cryptographic key changes for keys | 338. Implement perfect forward secrecy; 361. Replace cryptographic keys
3_6_5. Retirement or replacement of keys | 361. Replace cryptographic keys
3_6_7. Prevention of unauthorized substitution of cryptographic keys | 145. Protect system cryptographic keys; 176. Restrict system objects
4_1. Use strong cryptography and security protocols | 088. Request client certificates; 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 252. Configure key encryption; 336. Disable insecure TLS versions
4_1_1. Ensure wireless networks transmitting cardholder data | 147. Use pre-existent mechanisms; 181. Transmit data using secure protocols; 252. Configure key encryption
4_2. Never send unprotected PANs | 181. Transmit data using secure protocols
5_1. Deploy anti-virus software | 273. Define a fixed security suite
5_1_1. Ensure that anti-virus programs are capable of detecting | 041. Scan files for malicious code; 118. Inspect attachments
5_2. Ensure anti-virus mechanisms maintenance | 262. Verify third-party components
5_3. Ensure that anti-virus mechanisms are actively running | 186. Use the principle of least privilege
6_2. Ensure that all system components and software are protected | 062. Define standard configurations; 158. Use a secure programming language; 262. Verify third-party components
6_3. Develop internal and external software applications securely | 062. Define standard configurations; 152. Reuse database connections
6_3_1. Remove development, test or custom application accounts | 154. Eliminate backdoors
6_4_1. Separate development or test environments from production environments | 180. Use mock data
6_4_3. Production data (live PANs) are not used for testing or development | 180. Use mock data
6_4_4. Removal of test data and accounts from system components | 154. Eliminate backdoors
6_5_1. Injection flaws | 050. Control calls to interpreted code; 117. Do not interpret HTML code; 160. Encode system outputs; 169. Use parameterized queries; 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 344. Avoid dynamic code execution
6_5_2. Buffer overflow | 157. Use the strict mode; 173. Discard unsafe inputs; 345. Establish protections against overflows
6_5_3. Insecure cryptographic storage | 145. Protect system cryptographic keys; 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms
6_5_4. Insecure communications | 181. Transmit data using secure protocols; 336. Disable insecure TLS versions
6_5_5. Improper error handling | 077. Avoid disclosing technical information; 078. Disable debugging events
6_5_7. Cross-site scripting (XSS) | 029. Cookies with security attributes; 050. Control calls to interpreted code; 160. Encode system outputs; 173. Discard unsafe inputs; 340. Use octet stream downloads; 344. Avoid dynamic code execution; 349. Include HTTP security headers
6_5_8. Improper access control | 033. Restrict administrative access; 035. Manage privilege modifications; 080. Prevent log modification; 096. Set user's required privileges; 176. Restrict system objects; 186. Use the principle of least privilege; 265. Restrict access to critical processes; 266. Disable insecure functionalities; 320. Avoid client-side control enforcement; 341. Use the principle of deny by default
6_5_9. Cross-site request forgery (CSRF) | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern; 349. Include HTTP security headers
6_5_10. Broken authentication and session management | 023. Terminate inactive user sessions; 025. Manage concurrent sessions; 026. Encrypt client-side session information; 027. Allow session lockout; 028. Allow users to log out; 029. Cookies with security attributes; 030. Avoid object reutilization; 031. Discard user session data; 032. Avoid session ID leakages; 037. Parameters without sensitive data; 088. Request client certificates; 114. Deny access with inactive credentials; 131. Deny multiple password changing attempts; 139. Set minimum OTP length; 140. Define OTP lifespan; 141. Force re-authentication; 142. Change system default credentials; 143. Unique access credentials; 153. Out of band transactions; 209. Manage passwords in cache; 225. Proper authentication responses; 226. Avoid account lockouts; 228. Authenticate using standard protocols; 229. Request access credentials; 231. Implement a biometric verification component; 236. Establish authentication time; 237. Ascertain human interaction; 238. Establish safe recovery; 264. Request authentication; 319. Make authentication options equally secure; 320. Avoid client-side control enforcement; 328. Request MFA for critical systems; 332. Prevent the use of breached passwords; 334. Avoid knowledge-based authentication; 347. Invalidate previous OTPs; 357. Use stateless session tokens; 362. Assign MFA mechanisms to a single account
7_1_1. Define access needs for each role | 095. Define users with privileges; 096. Set user's required privileges; 176. Restrict system objects
7_1_2. Restrict access to privileged user IDs | 186. Use the principle of least privilege; 341. Use the principle of deny by default
7_1_3. Assign access | 095. Define users with privileges; 096. Set user's required privileges
7_2_2. Assignment of privileges | 095. Define users with privileges; 096. Set user's required privileges; 341. Use the principle of deny by default
8_1_1. Assign all users a unique ID | 143. Unique access credentials; 229. Request access credentials; 264. Request authentication
8_1_2. Control addition, deletion, and modification of user IDs | 034. Manage user accounts; 035. Manage privilege modifications; 122. Validate credential ownership
8_1_3. Immediately revoke access for any terminated users | 114. Deny access with inactive credentials
8_1_4. Remove/disable inactive user accounts | 144. Remove inactive accounts periodically
8_1_8. Require the user to re-authenticate (inactive) | 023. Terminate inactive user sessions
8_2. Ensure proper user-authentication management for non-consumer users | 229. Request access credentials
8_2_1. Using strong cryptography | 127. Store hashed passwords; 181. Transmit data using secure protocols; 185. Encrypt sensitive information
8_2_2. Verify user identity before modifying any authentication credential | 122. Validate credential ownership; 238. Establish safe recovery
8_2_3. Passwords or passphrases must meet minimum requirements | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters
8_2_4. Change user passwords | 130. Limit password lifespan
8_2_5. Passwords or passphrases | 126. Set a password regeneration mechanism; 129. Validate previous passwords
8_2_6. Set passwords or passphrases for first time use | 136. Force temporary password change; 137. Change temporary passwords of third parties; 367. Proper generation of temporary passwords
8_5. Do not use group, shared, or generic IDs, passwords | 143. Unique access credentials; 362. Assign MFA mechanisms to a single account
8_6. Proper use of authentication mechanisms | 362. Assign MFA mechanisms to a single account
8_7. Database containing cardholder data | 033. Restrict administrative access; 265. Restrict access to critical processes
9_1_3. Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines | 250. Manage access points
9_8_2. Render cardholder data on electronic media unrecoverable | 183. Delete sensitive data securely
10_2_1. Individual user accesses to cardholder data | 075. Record exceptional events in logs
10_2_2. Actions taken by any individual with root or administrative privileges | 046. Manage the integrity of critical files; 075. Record exceptional events in logs
10_2_3. Access to all audit trails | 075. Record exceptional events in logs
10_2_4. Invalid logical access attempts | 075. Record exceptional events in logs
10_2_5. Use of and changes to identification and authentication mechanisms | 075. Record exceptional events in logs
10_2_6. Initialization, stopping, or pausing of the audit logs | 046. Manage the integrity of critical files; 075. Record exceptional events in logs
10_2_7. Creation and deletion of system-level objects | 075. Record exceptional events in logs
10_3. Record at least the following audit trail entries | 079. Record exact occurrence time of events
10_4_1. Critical systems have the correct and consistent time | 363. Synchronize system clocks
10_4_2. Time data is protected | 046. Manage the integrity of critical files; 363. Synchronize system clocks
10_4_3. Time settings are received from industry-accepted time source | 363. Synchronize system clocks
10_5_1. Limit viewing of audit trails | 096. Set user's required privileges; 176. Restrict system objects
10_5_2. Protect audit trail files | 080. Prevent log modification
10_5_3. Promptly back up audit trail files | 080. Prevent log modification
10_5_5. Use file-integrity monitoring or change-detection software | 046. Manage the integrity of critical files
12_3_2. Authentication for use of the technology | 232. Require equipment identity; 305. Prioritize token usage
12_3_8. Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity | 369. Set a maximum lifetime in sessions
A1_1. A hosting provider must fulfill these requirements | 096. Set user's required privileges; 186. Use the principle of least privilege
A1_2. Restrict each entity's access and privileges | 186. Use the principle of least privilege
A1_3. Ensure logging and audit trails | 075. Record exceptional events in logs
A2_1. Where POS POI terminals use SSL or early TLS | 336. Disable insecure TLS versions
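Of the rows above, 3_3 (mask PAN when displayed, mapped to 300. Mask sensitive data) is concrete enough to show in working code: PCI DSS v3.2.1 requirement 3.3 allows at most the first six and last four digits of a PAN to be displayed. The block below is an added example written for this page; it is not code from the original page or from the project behind it. The function names, the log line and the Luhn pre-check used to avoid masking things like millisecond timestamps are assumptions of this example, and the sample PANs are the well-known 4111... and 4222... test numbers, not real cards.

```python
import re

# Ceiling set by PCI DSS v3.2.1 req. 3.3: never show more than first six / last four.
MAX_LEADING = 6
MAX_TRAILING = 4

# Separators commonly typed or logged inside a PAN (assumption of this example).
_SEPARATORS = re.compile(r"[ -]")

# A 13-19 digit run, optionally separated by spaces or dashes, not glued to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def normalize_pan(raw: str) -> str:
    """Strip separators and check that what is left looks like a PAN (13-19 digits)."""
    digits = _SEPARATORS.sub("", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("input is not a 13-19 digit PAN")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn check (mod 10): used here to tell PANs apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, leading: int = 0, trailing: int = 4) -> str:
    """Return the display form of a PAN.

    `leading` / `trailing` are what the caller wants visible; both are clamped to the
    PCI DSS ceiling, so a mis-configured caller can never reveal more than 6 + 4 digits.
    The default (last four only) is the least-privilege choice for ordinary screens.
    """
    pan = normalize_pan(raw)
    leading = max(0, min(leading, MAX_LEADING))
    trailing = max(0, min(trailing, MAX_TRAILING))
    hidden = len(pan) - leading - trailing   # >= 3 even for a 13-digit PAN at 6 + 4
    return pan[:leading] + "*" * hidden + pan[len(pan) - trailing:]


def mask_pans_in_text(text: str, leading: int = 0, trailing: int = 4) -> str:
    """Mask every Luhn-valid PAN candidate in free text (e.g. a log line before it is written).

    Digit runs that fail Luhn (timestamps, order numbers) are left untouched so the
    log stays useful; anything that passes is masked with the same policy as mask_pan.
    """
    def _replace(match: "re.Match[str]") -> str:
        candidate = _SEPARATORS.sub("", match.group(0))
        if not luhn_valid(candidate):
            return match.group(0)
        return mask_pan(candidate, leading, trailing)

    return _PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    # Constructed inputs: public test card numbers and an invented log line.
    print(mask_pan("4111 1111 1111 1111"))                    # ************1111
    print(mask_pan("4111-1111-1111-1111", leading=6))         # 411111******1111
    print(mask_pan("4222222222222", leading=6))               # 422222***2222
    print(mask_pans_in_text(
        'ts=1700000000000 user=42 msg="payment with 4111 1111 1111 1111 declined"'
    ))
```

The clamp in `mask_pan` is the point of the example: the display policy lives in one place and cannot be loosened by a caller passing a larger `leading` or `trailing`, which is the usual way 3.3 is violated in practice. `mask_pans_in_text` shows the same policy applied at a logging boundary, where the Luhn check keeps a 13-digit timestamp from being masked while the 16-digit PAN in the same line is.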