PCI DSS 4.0.1

PCI DSS v4.0.1 is a global security standard designed to protect cardholder data and secure payment environments through requirements focused on access control, encryption, vulnerability management, monitoring, and security governance.

Controls:

Install and Maintain Network Security Controls

  • Processes and mechanisms for network security controls - 1.1

    Processes and mechanisms for installing and maintaining network security controls are defined and understood.

  • Network security controls are configured and maintained - 1.2

    Network security controls (NSCs) are configured and maintained to protect cardholder data.

  • Network access to and from the CDE is restricted - 1.3

    Network access to and from the cardholder data environment (CDE) is strictly restricted.

  • Network connections between trusted and untrusted networks are controlled - 1.4

    Network connections between trusted and untrusted networks are controlled so that only authorized traffic passes between them.

  • Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated - 1.5

    Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

Apply Secure Configurations to All System Components

  • Processes and mechanisms for secure configurations - 2.1

    Processes and mechanisms for applying secure configurations are defined and understood.

  • System components are configured and managed securely - 2.2

    System components are configured and managed securely.

  • Wireless environments are configured and managed securely - 2.3

    Wireless environments attached to the CDE are configured and managed securely.

Protect Stored Account Data

  • Processes and mechanisms for protecting stored account data - 3.1

    Processes and mechanisms for protecting stored account data are defined and understood.

  • Storage of account data is kept to a minimum - 3.2

    Storage of account data is minimized through formal retention and disposal schedules.

  • Sensitive authentication data is not stored after authorization - 3.3

    Sensitive authentication data (SAD) is strictly prohibited from storage after transaction authorization.

  • Access to displays of full PAN is restricted - 3.4

    Access to displays of full Primary Account Number (PAN) and the ability to copy PAN are restricted to personnel with a legitimate business need; PAN is masked when displayed, showing at most the BIN and the last four digits.

  • Primary account number (PAN) is secured wherever it is stored - 3.5

    Primary account number (PAN) is secured wherever it is stored.

  • Cryptographic keys are secured - 3.6

    Cryptographic keys used to protect stored account data are completely secured throughout their lifecycle.

  • Key management processes and procedures covering all aspects of the key lifecycle are defined and implemented - 3.7

    Key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

Protect Cardholder Data During Transmission

  • Processes and mechanisms for strong cryptography - 4.1

    Processes and mechanisms for using strong cryptography during transmission are defined.

  • PAN is protected with strong cryptography during transmission - 4.2

    PAN is securely transmitted over open, public, or untrusted networks using strong cryptography.

Protect All Systems from Malicious Software

  • Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood - 5.1

    Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.

  • Malicious software (malware) is prevented, or detected and addressed - 5.2

    Malicious software (malware) is prevented, or detected and addressed on all system components.

  • Anti-malware mechanisms are active - 5.3

    Anti-malware mechanisms and processes are active, maintained, and monitored.

  • Anti-phishing mechanisms protect users against phishing attacks - 5.4

    Anti-phishing mechanisms protect users against phishing attacks.

Develop and Maintain Secure Systems and Software

  • Processes and mechanisms for developing and maintaining secure systems and software are defined and understood - 6.1

    Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.

  • Bespoke and custom software are developed securely - 6.2

    Custom software is developed securely according to recognized software standards (e.g., OWASP).

  • Security vulnerabilities are identified and addressed - 6.3

    Security vulnerabilities are actively identified and promptly addressed.

  • Public-facing web applications are protected - 6.4

    Public-facing web applications are protected against automated and application-layer attacks.

  • Changes to system components are managed securely - 6.5

    Changes to system components in production are managed securely.

Restrict Access by Business Need to Know

  • Processes and mechanisms for restricting access - 7.1

    Processes and mechanisms for restricting access are explicitly defined.

  • Access to system components and data is appropriately defined and assigned - 7.2

    Access to system components and data is appropriately defined and assigned based on business need to know.

  • Access privileges are managed appropriately - 7.3

    Access privileges are assigned and managed via a formal approval system.

Identify Users and Authenticate Access

  • Processes and mechanisms for identifying users - 8.1

    Processes for identifying users and authenticating access are defined.

  • User identification and accounts are strictly managed - 8.2

    User accounts are managed securely throughout their entire operational lifecycle.

  • Strong authentication is established - 8.3

    Strong authentication parameters for all users are established and enforced.

  • Multi-factor authentication is implemented - 8.4

    Multi-factor authentication (MFA) is strictly implemented for all access into the CDE.

  • Multi-factor authentication systems are configured securely - 8.5

    Multi-factor authentication (MFA) systems are implemented and configured securely.

  • Use of application and system accounts and associated authentication factors is strictly managed - 8.6

    Use of application and system accounts and associated authentication factors is strictly managed.

Restrict Physical Access to Cardholder Data

  • Processes and mechanisms for restricting physical access - 9.1

    Processes for managing physical access to cardholder data are defined.

  • Physical access controls manage entry - 9.2

    Physical access controls manage entry into facilities and systems containing cardholder data.

  • Physical access for personnel is authorized - 9.3

    Physical access for all personnel and third-party visitors is properly managed.

  • Media with cardholder data is securely stored - 9.4

    All physical media containing cardholder data is securely handled and archived.

  • Point-of-interaction devices are protected from tampering - 9.5

    Point-of-interaction (POI) devices are physically protected from tampering or substitution.

Log and Monitor All Access

  • Processes and mechanisms for logging and monitoring - 10.1

    Processes for logging and monitoring all access are defined and understood.

  • Audit logs are implemented - 10.2

    Audit logs are implemented to support the detection of anomalies and suspicious activity and the forensic analysis of events.

  • Audit logs are protected from destruction - 10.3

    Audit logs are secured against unauthorized modifications or deletion.

  • Audit logs are reviewed - 10.4

    Audit logs are reviewed regularly to identify suspicious activity.

  • Audit log history is retained - 10.5

    Audit log history is retained and readily available for forensic analysis.

  • Time-synchronization mechanisms support consistent time - 10.6

    Time-synchronization mechanisms ensure consistent timestamps across systems.

  • Failures of critical security controls are detected and reported - 10.7

    Failures of critical security controls are detected and responded to promptly.

Test Security of Systems and Networks

  • Processes and mechanisms for testing security - 11.1

    Processes for regularly testing system and network security are defined.

  • Wireless access points are identified and monitored - 11.2

    Authorized and unauthorized (rogue) wireless access points are identified and monitored, and rogue access points are addressed.

  • External and internal vulnerabilities are identified - 11.3

    External and internal vulnerabilities are regularly identified and prioritized.

  • External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected - 11.4

    External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

  • Network intrusions are detected - 11.5

    Network intrusions and unexpected file changes are continuously monitored.

  • Unauthorized changes on payment pages are detected and responded to - 11.6

    A change-and-tamper-detection mechanism alerts on unauthorized modification of the HTTP headers and the script contents of payment pages as received by the consumer browser, and alerts are responded to.
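The 11.6 control is a detection problem: take a baseline of what the consumer browser receives on the payment page (every script, plus the security headers that constrain scripts), then compare later fetches against it. The example below is added here and is not code from the PCI SSC, the page, or any vendor; the two HTML documents and header sets are constructed sample data standing in for a baseline fetch and a later fetch of the same page, and the domains are reserved example names. It fingerprints inline scripts by SHA-256 of their body, external scripts by their Subresource Integrity attribute (the value the browser itself enforces), and watches the Content-Security-Policy and Strict-Transport-Security headers.

```python
"""Payment-page change-and-tamper detection (added example, not from the PCI SSC)."""
import hashlib
from html.parser import HTMLParser

WATCHED_HEADERS = ("content-security-policy", "strict-transport-security")


class _ScriptCollector(HTMLParser):
    """Collect every <script> element: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity")}
            self._body = []

    def handle_data(self, data):
        if self._current is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self._current["body"] = "".join(self._body).strip()
            self.scripts.append(self._current)
            self._current = None


def snapshot(html: str, headers: dict) -> dict:
    """Fingerprint a page as the browser received it: {"scripts": {key: fp}, "headers": {name: value}}."""
    parser = _ScriptCollector()
    parser.feed(html)
    scripts, inline_n = {}, 0
    for s in parser.scripts:
        if s["src"]:
            # External script: the SRI hash is what the browser enforces; absence is itself a finding.
            scripts[s["src"]] = s["integrity"] or "NO-SRI"
        else:
            inline_n += 1
            scripts[f"inline#{inline_n}"] = hashlib.sha256(s["body"].encode()).hexdigest()
    hdrs = {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED_HEADERS}
    return {"scripts": scripts, "headers": hdrs}


def diff(baseline: dict, current: dict) -> list:
    """Return (finding, key) tuples for every deviation from the baseline."""
    findings = []
    b, c = baseline["scripts"], current["scripts"]
    findings += [("script-added", k) for k in sorted(c.keys() - b.keys())]
    findings += [("script-removed", k) for k in sorted(b.keys() - c.keys())]
    findings += [("script-changed", k) for k in sorted(b.keys() & c.keys()) if b[k] != c[k]]
    findings += [("missing-sri", k) for k, fp in sorted(c.items()) if fp == "NO-SRI"]
    for name in WATCHED_HEADERS:
        if baseline["headers"].get(name) != current["headers"].get(name):
            findings.append(("header-changed", name))
    return findings


# Constructed sample data: the approved page and a later, tampered fetch.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example/pay.js" integrity="sha384-BASELINEHASH"></script>
<script>window.checkout = {amount: 10, currency: "EUR"};</script>
</head><body><form id="card"></form></body></html>"""
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.example",
    "Strict-Transport-Security": "max-age=31536000",
}
TAMPERED_HTML = """<html><head>
<script src="https://cdn.example/pay.js" integrity="sha384-BASELINEHASH"></script>
<script>window.checkout = {amount: 10, currency: "EUR"}; fetch("/x?c=" + document.cookie);</script>
<script src="https://scripts.example.net/analytics.js"></script>
</head><body><form id="card"></form></body></html>"""
TAMPERED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}  # CSP silently dropped


def run_example() -> list:
    return diff(snapshot(BASELINE_HTML, BASELINE_HEADERS), snapshot(TAMPERED_HTML, TAMPERED_HEADERS))


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

In production the snapshot must be taken from the page as delivered to the consumer, not from the server's source tree, since skimming scripts are typically injected by a compromised CDN, tag manager or third-party library rather than by editing the site's own files.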

Support Information Security with Policies

  • A comprehensive information security policy is known - 12.1

    A comprehensive security policy governs the protection of all assets.

  • Acceptable use policies for end-user technologies are implemented - 12.2

    Acceptable use policies for end-user technologies are documented and implemented.

  • Risks to the CDE are formally identified, evaluated, and managed - 12.3

    Risks to the cardholder data environment are formally identified, evaluated, and managed through a targeted risk analysis process.

  • PCI DSS compliance is managed throughout the year - 12.4

    PCI DSS compliance is actively managed and monitored on an ongoing basis throughout the assessment period.

  • PCI DSS scope is documented and validated - 12.5

    The PCI DSS scope is formally documented, maintained, and validated at least annually and upon significant changes.

  • Security awareness education is provided to all personnel - 12.6

    Security awareness education is implemented and maintained for all personnel involved with the cardholder data environment.

  • Personnel with access to the CDE are screened - 12.7

    Personnel with access to the cardholder data environment are subject to background screening before hire to minimize the risk of insider threats.

  • Risks from third-party service providers are managed - 12.8

    Risks posed to cardholder data by third-party service providers (TPSPs) are formally identified, assessed, and managed.

  • Third-party service providers acknowledge their PCI DSS responsibilities - 12.9

    Third-party service providers formally acknowledge their responsibility for protecting cardholder data and maintaining PCI DSS compliance for the services they provide.

  • Suspected and confirmed security incidents that could impact the CDE are responded to immediately - 12.10

    Suspected and confirmed security incidents that could impact the CDE are responded to immediately.