Summary
PCI DSS is the global data security standard adopted by payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of several steps that mirror security best practices. The version used in this section is PCI DSS v3.2.1.
Definitions
| Definition | Requirements |
|---|
| 1_2_1. Restrict inbound and outbound traffic | 033. Restrict administrative access
259. Segment the organization network |
| 1_2_2. Secure and synchronize router configuration files | 033. Restrict administrative access
062. Define standard configurations
176. Restrict system objects |
| 1_2_3. Install perimeter firewalls | 259. Segment the organization network |
| 1_3_1. Implement a DMZ | 255. Allow access only to the necessary ports
259. Segment the organization network |
| 1_3_2. Limit inbound Internet traffic | 255. Allow access only to the necessary ports
259. Segment the organization network |
| 1_3_3. Implement anti-spoofing measures | 173. Discard unsafe inputs
259. Segment the organization network |
| 1_3_4. Do not allow unauthorized outbound traffic | 062. Define standard configurations
253. Restrict network access
259. Segment the organization network |
| 1_3_5. Permit only “established” connections | 062. Define standard configurations
255. Allow access only to the necessary ports |
| 1_3_6. Place system components that store cardholder data | 033. Restrict administrative access
259. Segment the organization network |
| 1_3_7. Do not disclose private IP addresses and routing information | 077. Avoid disclosing technical information
261. Avoid exposing sensitive information |
| 2_1_1. For wireless environments connected | 142. Change system default credentials
251. Change access point IP |
| 2_2_2. Enable only necessary services | 255. Allow access only to the necessary ports
266. Disable insecure functionalities |
| 2_2_3. Implement additional security features | 062. Define standard configurations |
| 2_2_4. Configure system security parameters | 062. Define standard configurations
235. Define credential interface |
| 2_2_5. Remove all unnecessary functionality | 266. Disable insecure functionalities |
| 2_3. Encrypt all non-console administrative access | 185. Encrypt sensitive information
224. Use secure cryptographic mechanisms
302. Declare dependencies explicitly |
| 3_1. Keep cardholder data storage to a minimum | 183. Delete sensitive data securely
360. Remove unnecessary sensitive information |
| 3_2_1. Do not store the full contents of any track | 335. Define out of band token lifespan
360. Remove unnecessary sensitive information |
| 3_2_2. Do not store the card verification code or value | 360. Remove unnecessary sensitive information |
| 3_2_3. Do not store the personal identification number (PIN) | 360. Remove unnecessary sensitive information |
| 3_3. Mask PAN when displayed | 300. Mask sensitive data |
| 3_4. Render PAN unreadable anywhere it is stored | 185. Encrypt sensitive information |
| 3_4_1. Disk encryption | 145. Protect system cryptographic keys
186. Use the principle of least privilege |
| 3_5_2. Restrict access to cryptographic keys | 145. Protect system cryptographic keys
186. Use the principle of least privilege |
| 3_5_3. Store secret and private keys used to encrypt or decrypt | 145. Protect system cryptographic keys
185. Encrypt sensitive information
333. Store salt values separately |
| 3_5_4. Store cryptographic keys | 145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM |
| 3_6_1. Generation of strong cryptographic keys | 224. Use secure cryptographic mechanisms |
| 3_6_2. Secure cryptographic key distribution | 145. Protect system cryptographic keys |
| 3_6_3. Secure cryptographic key storage | 145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM |
| 3_6_4. Cryptographic key changes for keys | 338. Implement perfect forward secrecy
361. Replace cryptographic keys |
| 3_6_5. Retirement or replacement of keys | 361. Replace cryptographic keys |
| 3_6_7. Prevention of unauthorized substitution of cryptographic keys | 145. Protect system cryptographic keys
176. Restrict system objects |
| 4_1. Use strong cryptography and security protocols | 088. Request client certificates
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
252. Configure key encryption
336. Disable insecure TLS versions |
| 4_1_1. Ensure wireless networks transmitting cardholder data | 147. Use pre-existent mechanisms
181. Transmit data using secure protocols
252. Configure key encryption |
| 4_2. Never send unprotected PANs | 181. Transmit data using secure protocols |
| 5_1. Deploy anti-virus software | 273. Define a fixed security suite |
| 5_1_1. Ensure that anti-virus programs are capable of detecting | 041. Scan files for malicious code
118. Inspect attachments |
| 5_2. Ensure anti-virus mechanisms maintenance | 262. Verify third-party components |
| 5_3. Ensure that anti-virus mechanisms are actively running | 186. Use the principle of least privilege |
| 6_2. Ensure that all system components and software are protected | 062. Define standard configurations
158. Use a secure programming language
262. Verify third-party components |
| 6_3. Develop internal and external software applications securely | 062. Define standard configurations
152. Reuse database connections |
| 6_3_1. Remove development, test or custom application accounts | 154. Eliminate backdoors |
| 6_4_1. Separate development or test environments from production environments | 180. Use mock data |
| 6_4_3. Production data (live PANs) are not used for testing or development | 180. Use mock data |
| 6_4_4. Removal of test data and accounts from system components | 154. Eliminate backdoors |
| 6_5_1. Injection flows | 050. Control calls to interpreted code
117. Do not interpret HTML code
160. Encode system outputs
169. Use parameterized queries
173. Discard unsafe inputs
321. Avoid deserializing untrusted data
344. Avoid dynamic code execution |
| 6_5_2. Buffer overflow | 157. Use the strict mode
173. Discard unsafe inputs
345. Establish protections against overflows |
| 6_5_3. Insecure cryptographic storage | 145. Protect system cryptographic keys
185. Encrypt sensitive information
224. Use secure cryptographic mechanisms |
| 6_5_4. Insecure communications | 181. Transmit data using secure protocols
336. Disable insecure TLS versions |
| 6_5_5. Improper error handling | 077. Avoid disclosing technical information
078. Disable debugging events |
| 6_5_7. Cross-site scripting (XSS) | 029. Cookies with security attributes
050. Control calls to interpreted code
160. Encode system outputs
173. Discard unsafe inputs
340. Use octet stream downloads
344. Avoid dynamic code execution
349. Include HTTP security headers |
| 6_5_8. Improper access control | 033. Restrict administrative access
035. Manage privilege modifications
080. Prevent log modification
096. Set user's required privileges
176. Restrict system objects
186. Use the principle of least privilege
265. Restrict access to critical processes
266. Disable insecure functionalities
320. Avoid client-side control enforcement
341. Use the principle of deny by default |
| 6_5_9. Cross-site request forgery (CSRF) | 029. Cookies with security attributes
174. Transactions without a distinguishable pattern
349. Include HTTP security headers |
| 6_5_10. Broken authentication and session management | 023. Terminate inactive user sessions
025. Manage concurrent sessions
026. Encrypt client-side session information
027. Allow session lockout
028. Allow users to log out
029. Cookies with security attributes
030. Avoid object reutilization
031. Discard user session data
032. Avoid session ID leakages
037. Parameters without sensitive data
088. Request client certificates
114. Deny access with inactive credentials
131. Deny multiple password changing attempts
139. Set minimum OTP length
140. Define OTP lifespan
141. Force re-authentication
142. Change system default credentials
143. Unique access credentials
153. Out of band transactions
209. Manage passwords in cache
225. Proper authentication responses
226. Avoid account lockouts
228. Authenticate using standard protocols
229. Request access credentials
231. Implement a biometric verification component
236. Establish authentication time
237. Ascertain human interaction
238. Establish safe recovery
264. Request authentication
319. Make authentication options equally secure
320. Avoid client-side control enforcement
328. Request MFA for critical systems
332. Prevent the use of breached passwords
334. Avoid knowledge-based authentication
347. Invalidate previous OTPs
357. Use stateless session tokens
362. Assign MFA mechanisms to a single account |
| 7_1_1. Define access needs for each role | 095. Define users with privileges
096. Set user's required privileges
176. Restrict system objects |
| 7_1_2. Restrict access to privileged user IDs | 186. Use the principle of least privilege
341. Use the principle of deny by default |
| 7_1_3. Assign access | 095. Define users with privileges
096. Set user's required privileges |
| 7_2_2. Assignment of privileges | 095. Define users with privileges
096. Set user's required privileges
341. Use the principle of deny by default |
| 8_1_1. Assign all users a unique ID | 143. Unique access credentials
229. Request access credentials
264. Request authentication |
| 8_1_2. Control addition, deletion, and modification of user IDs | 034. Manage user accounts
035. Manage privilege modifications
122. Validate credential ownership |
| 8_1_3. Immediately revoke access for any terminated users | 114. Deny access with inactive credentials |
| 8_1_4. Remove/disable inactive user accounts | 144. Remove inactive accounts periodically |
| 8_1_8. Require the user to re-authenticate (inactive) | 023. Terminate inactive user sessions |
| 8_2. Ensure proper user-authentication management for non-consumer users | 229. Request access credentials |
| 8_2_1. Using strong cryptography | 127. Store hashed passwords
181. Transmit data using secure protocols
185. Encrypt sensitive information |
| 8_2_2. Verify user identity before modifying any authentication credential | 122. Validate credential ownership
238. Establish safe recovery |
| 8_2_3. Passwords or passphrases must meet minimum requirements | 132. Passphrases with at least 4 words
133. Passwords with at least 20 characters |
| 8_2_4. Change user passwords | 130. Limit password lifespan |
| 8_2_5. Passwords or passphrases | 126. Set a password regeneration mechanism
129. Validate previous passwords |
| 8_2_6. Set passwords or passphrases for first time use | 136. Force temporary password change
137. Change temporary passwords of third parties
367. Proper generation of temporary passwords |
| 8_5. Do not use group, shared, or generic IDs, passwords | 143. Unique access credentials
362. Assign MFA mechanisms to a single account |
| 8_6. Proper use of authentication mechanisms | 362. Assign MFA mechanisms to a single account |
| 8_7. Database containing cardholder data | 033. Restrict administrative access
265. Restrict access to critical processes |
| 9_1_3. Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines | 250. Manage access points |
| 9_8_2. Render cardholder data on electronic media unrecoverable | 183. Delete sensitive data securely |
| 10_2_1. Individual user accesses to cardholder data | 075. Record exceptional events in logs |
| 10_2_2. Actions taken by any individual with root or administrative privileges | 046. Manage the integrity of critical files
075. Record exceptional events in logs |
| 10_2_3. Access to all audit trails | 075. Record exceptional events in logs |
| 10_2_4. Invalid logical access attempts | 075. Record exceptional events in logs |
| 10_2_5. Use of and changes to identification and authentication mechanisms | 075. Record exceptional events in logs |
| 10_2_6. Initialization, stopping,or pausing of the audit logs | 046. Manage the integrity of critical files
075. Record exceptional events in logs |
| 10_2_7. Creation and deletion of system-level objects | 075. Record exceptional events in logs |
| 10_3. Record at least the following audit trail entries | 079. Record exact occurrence time of events |
| 10_4_1. Critical systems have the correct and consistent time | 363. Synchronize system clocks |
| 10_4_2. Time data is protected | 046. Manage the integrity of critical files
363. Synchronize system clocks |
| 10_4_3. Time settings are received from industry-accepted time source | 363. Synchronize system clocks |
| 10_5_1. Limit viewing of audit trails | 096. Set user's required privileges
176. Restrict system objects |
| 10_5_2. Protect audit trail files | 080. Prevent log modification |
| 10_5_3. Promptly back up audit trail files | 080. Prevent log modification |
| 10_5_5. Use file-integrity monitoring or change-detection software | 046. Manage the integrity of critical files |
| 12_3_2. Authentication for use of the technology | 232. Require equipment identity
305. Prioritize token usage |
| 12_3_8. Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity | 369. Set a maximum lifetime in sessions |
| A1_1. A hosting provider must fulfill these requirements | 096. Set user's required privileges
186. Use the principle of least privilege |
| A1_2. Restrict each entity's access and privileges | 186. Use the principle of least privilege |
| A1_3. Ensure logging and audit trails | 075. Record exceptional events in logs |
| A2_1. Where POS POI terminals use SSL or early TLS | 336. Disable insecure TLS versions |