
Summary
PCI DSS is the global data security standard adopted by payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of several steps that mirror security best practices. The version used in this section is PCI DSS v3.2.1.
Definitions
| Definition | Requirements |
|---|---|
| 1_2_1. Restrict inbound and outbound traffic | 033. Restrict administrative access; 259. Segment the organization network |
| 1_2_2. Secure and synchronize router configuration files | 033. Restrict administrative access; 062. Define standard configurations; 176. Restrict system objects |
| 1_2_3. Install perimeter firewalls | 259. Segment the organization network |
| 1_3_1. Implement a DMZ | 255. Allow access only to the necessary ports; 259. Segment the organization network |
| 1_3_2. Limit inbound Internet traffic | 255. Allow access only to the necessary ports; 259. Segment the organization network |
| 1_3_3. Implement anti-spoofing measures | 173. Discard unsafe inputs; 259. Segment the organization network |
| 1_3_4. Do not allow unauthorized outbound traffic | 062. Define standard configurations; 253. Restrict network access; 259. Segment the organization network |
| 1_3_5. Permit only “established” connections | 062. Define standard configurations; 255. Allow access only to the necessary ports |
| 1_3_6. Place system components that store cardholder data | 033. Restrict administrative access; 259. Segment the organization network |
| 1_3_7. Do not disclose private IP addresses and routing information | 077. Avoid disclosing technical information; 261. Avoid exposing sensitive information |
| 2_1_1. For wireless environments connected | 142. Change system default credentials; 251. Change access point IP |
| 2_2_2. Enable only necessary services | 255. Allow access only to the necessary ports; 266. Disable insecure functionalities |
| 2_2_3. Implement additional security features | 062. Define standard configurations |
| 2_2_4. Configure system security parameters | 062. Define standard configurations; 235. Define credential interface |
| 2_2_5. Remove all unnecessary functionality | 266. Disable insecure functionalities |
| 2_3. Encrypt all non-console administrative access | 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms; 302. Declare dependencies explicitly |
| 3_1. Keep cardholder data storage to a minimum | 183. Delete sensitive data securely; 360. Remove unnecessary sensitive information |
| 3_2_1. Do not store the full contents of any track | 335. Define out of band token lifespan; 360. Remove unnecessary sensitive information |
| 3_2_2. Do not store the card verification code or value | 360. Remove unnecessary sensitive information |
| 3_2_3. Do not store the personal identification number (PIN) | 360. Remove unnecessary sensitive information |
| 3_3. Mask PAN when displayed | 300. Mask sensitive data |
| 3_4. Render PAN unreadable anywhere it is stored | 185. Encrypt sensitive information |
| 3_4_1. Disk encryption | 145. Protect system cryptographic keys; 186. Use the principle of least privilege |
| 3_5_2. Restrict access to cryptographic keys | 145. Protect system cryptographic keys; 186. Use the principle of least privilege |
| 3_5_3. Store secret and private keys used to encrypt or decrypt | 145. Protect system cryptographic keys; 185. Encrypt sensitive information; 333. Store salt values separately |
| 3_5_4. Store cryptographic keys | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM |
| 3_6_1. Generation of strong cryptographic keys | 224. Use secure cryptographic mechanisms |
| 3_6_2. Secure cryptographic key distribution | 145. Protect system cryptographic keys |
| 3_6_3. Secure cryptographic key storage | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM |
| 3_6_4. Cryptographic key changes for keys | 338. Implement perfect forward secrecy; 361. Replace cryptographic keys |
| 3_6_5. Retirement or replacement of keys | 361. Replace cryptographic keys |
| 3_6_7. Prevention of unauthorized substitution of cryptographic keys | 145. Protect system cryptographic keys; 176. Restrict system objects |
| 4_1. Use strong cryptography and security protocols | 088. Request client certificates; 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 252. Configure key encryption; 336. Disable insecure TLS versions |
| 4_1_1. Ensure wireless networks transmitting cardholder data | 147. Use pre-existent mechanisms; 181. Transmit data using secure protocols; 252. Configure key encryption |
| 4_2. Never send unprotected PANs | 181. Transmit data using secure protocols |
| 5_1. Deploy anti-virus software | 273. Define a fixed security suite |
| 5_1_1. Ensure that anti-virus programs are capable of detecting | 041. Scan files for malicious code; 118. Inspect attachments |
| 5_2. Ensure anti-virus mechanisms maintenance | 262. Verify third-party components |
| 5_3. Ensure that anti-virus mechanisms are actively running | 186. Use the principle of least privilege |
| 6_2. Ensure that all system components and software are protected | 062. Define standard configurations; 158. Use a secure programming language; 262. Verify third-party components |
| 6_3. Develop internal and external software applications securely | 062. Define standard configurations; 152. Reuse database connections |
| 6_3_1. Remove development, test or custom application accounts | 154. Eliminate backdoors |
| 6_4_1. Separate development or test environments from production environments | 180. Use mock data |
| 6_4_3. Production data (live PANs) are not used for testing or development | 180. Use mock data |
| 6_4_4. Removal of test data and accounts from system components | 154. Eliminate backdoors |
| 6_5_1. Injection flaws | 050. Control calls to interpreted code; 117. Do not interpret HTML code; 160. Encode system outputs; 169. Use parameterized queries; 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 344. Avoid dynamic code execution |
| 6_5_2. Buffer overflow | 157. Use the strict mode; 173. Discard unsafe inputs; 345. Establish protections against overflows |
| 6_5_3. Insecure cryptographic storage | 145. Protect system cryptographic keys; 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms |
| 6_5_4. Insecure communications | 181. Transmit data using secure protocols; 336. Disable insecure TLS versions |
| 6_5_5. Improper error handling | 077. Avoid disclosing technical information; 078. Disable debugging events |
| 6_5_7. Cross-site scripting (XSS) | 029. Cookies with security attributes; 050. Control calls to interpreted code; 160. Encode system outputs; 173. Discard unsafe inputs; 340. Use octet stream downloads; 344. Avoid dynamic code execution; 349. Include HTTP security headers |
| 6_5_8. Improper access control | 033. Restrict administrative access; 035. Manage privilege modifications; 080. Prevent log modification; 096. Set user's required privileges; 176. Restrict system objects; 186. Use the principle of least privilege; 265. Restrict access to critical processes; 266. Disable insecure functionalities; 320. Avoid client-side control enforcement; 341. Use the principle of deny by default |
| 6_5_9. Cross-site request forgery (CSRF) | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern; 349. Include HTTP security headers |
| 6_5_10. Broken authentication and session management | 023. Terminate inactive user sessions; 025. Manage concurrent sessions; 026. Encrypt client-side session information; 027. Allow session lockout; 028. Allow users to log out; 029. Cookies with security attributes; 030. Avoid object reutilization; 031. Discard user session data; 032. Avoid session ID leakages; 037. Parameters without sensitive data; 088. Request client certificates; 114. Deny access with inactive credentials; 131. Deny multiple password changing attempts; 139. Set minimum OTP length; 140. Define OTP lifespan; 141. Force re-authentication; 142. Change system default credentials; 143. Unique access credentials; 153. Out of band transactions; 209. Manage passwords in cache; 225. Proper authentication responses; 226. Avoid account lockouts; 228. Authenticate using standard protocols; 229. Request access credentials; 231. Implement a biometric verification component; 236. Establish authentication time; 237. Ascertain human interaction; 238. Establish safe recovery; 264. Request authentication; 319. Make authentication options equally secure; 320. Avoid client-side control enforcement; 328. Request MFA for critical systems; 332. Prevent the use of breached passwords; 334. Avoid knowledge-based authentication; 347. Invalidate previous OTPs; 357. Use stateless session tokens; 362. Assign MFA mechanisms to a single account |
| 7_1_1. Define access needs for each role | 095. Define users with privileges; 096. Set user's required privileges; 176. Restrict system objects |
| 7_1_2. Restrict access to privileged user IDs | 186. Use the principle of least privilege; 341. Use the principle of deny by default |
| 7_1_3. Assign access | 095. Define users with privileges; 096. Set user's required privileges |
| 7_2_2. Assignment of privileges | 095. Define users with privileges; 096. Set user's required privileges; 341. Use the principle of deny by default |
| 8_1_1. Assign all users a unique ID | 143. Unique access credentials; 229. Request access credentials; 264. Request authentication |
| 8_1_2. Control addition, deletion, and modification of user IDs | 034. Manage user accounts; 035. Manage privilege modifications; 122. Validate credential ownership |
| 8_1_3. Immediately revoke access for any terminated users | 114. Deny access with inactive credentials |
| 8_1_4. Remove/disable inactive user accounts | 144. Remove inactive accounts periodically |
| 8_1_8. Require the user to re-authenticate (inactive) | 023. Terminate inactive user sessions |
| 8_2. Ensure proper user-authentication management for non-consumer users | 229. Request access credentials |
| 8_2_1. Using strong cryptography | 127. Store hashed passwords; 181. Transmit data using secure protocols; 185. Encrypt sensitive information |
| 8_2_2. Verify user identity before modifying any authentication credential | 122. Validate credential ownership; 238. Establish safe recovery |
| 8_2_3. Passwords or passphrases must meet minimum requirements | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 8_2_4. Change user passwords | 130. Limit password lifespan |
| 8_2_5. Passwords or passphrases | 126. Set a password regeneration mechanism; 129. Validate previous passwords |
| 8_2_6. Set passwords or passphrases for first time use | 136. Force temporary password change; 137. Change temporary passwords of third parties; 367. Proper generation of temporary passwords |
| 8_5. Do not use group, shared, or generic IDs, passwords | 143. Unique access credentials; 362. Assign MFA mechanisms to a single account |
| 8_6. Proper use of authentication mechanisms | 362. Assign MFA mechanisms to a single account |
| 8_7. Database containing cardholder data | 033. Restrict administrative access; 265. Restrict access to critical processes |
| 9_1_3. Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines | 250. Manage access points |
| 9_8_2. Render cardholder data on electronic media unrecoverable | 183. Delete sensitive data securely |
| 10_2_1. Individual user accesses to cardholder data | 075. Record exceptional events in logs |
| 10_2_2. Actions taken by any individual with root or administrative privileges | 046. Manage the integrity of critical files; 075. Record exceptional events in logs |
| 10_2_3. Access to all audit trails | 075. Record exceptional events in logs |
| 10_2_4. Invalid logical access attempts | 075. Record exceptional events in logs |
| 10_2_5. Use of and changes to identification and authentication mechanisms | 075. Record exceptional events in logs |
| 10_2_6. Initialization, stopping, or pausing of the audit logs | 046. Manage the integrity of critical files; 075. Record exceptional events in logs |
| 10_2_7. Creation and deletion of system-level objects | 075. Record exceptional events in logs |
| 10_3. Record at least the following audit trail entries | 079. Record exact occurrence time of events |
| 10_4_1. Critical systems have the correct and consistent time | 363. Synchronize system clocks |
| 10_4_2. Time data is protected | 046. Manage the integrity of critical files; 363. Synchronize system clocks |
| 10_4_3. Time settings are received from industry-accepted time source | 363. Synchronize system clocks |
| 10_5_1. Limit viewing of audit trails | 096. Set user's required privileges; 176. Restrict system objects |
| 10_5_2. Protect audit trail files | 080. Prevent log modification |
| 10_5_3. Promptly back up audit trail files | 080. Prevent log modification |
| 10_5_5. Use file-integrity monitoring or change-detection software | 046. Manage the integrity of critical files |
| 12_3_2. Authentication for use of the technology | 232. Require equipment identity; 305. Prioritize token usage |
| 12_3_8. Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity | 369. Set a maximum lifetime in sessions |
| A1_1. A hosting provider must fulfill these requirements | 096. Set user's required privileges; 186. Use the principle of least privilege |
| A1_2. Restrict each entity's access and privileges | 186. Use the principle of least privilege |
| A1_3. Ensure logging and audit trails | 075. Record exceptional events in logs |
| A2_1. Where POS POI terminals use SSL or early TLS | 336. Disable insecure TLS versions |