Payment Card Industry Edwin

Uploaded by

Rakesh Goud

Payment Card Industry (PCI)

Data Security Standard


Requirements and Security Assessment Procedures

Table of Contents
Document Changes
Introduction and PCI Data Security Standard Overview
PCI DSS Applicability Information
Relationship between PCI DSS and PA-DSS
Scope of Assessment for Compliance with PCI DSS Requirements
    Network Segmentation
    Wireless
    Third Parties/Outsourcing
    Sampling of Business Facilities/System Components
    Compensating Controls
Instructions and Content for Report on Compliance
    Report Content and Format
    Revalidation of Open Items
PCI DSS Compliance Completion Steps
Detailed PCI DSS Requirements and Security Assessment Procedures
Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software or programs
    Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need to know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security for all personnel
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
Appendix B: Compensating Controls
Appendix C: Compensating Controls Worksheet
    Compensating Controls Worksheet Completed Example
Appendix D: Segmentation and Sampling of Business Facilities/System Components

Introduction and PCI Data Security Standard Overview


The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI DSS requirements.

PCI DSS Applicability Information


PCI DSS applies wherever account data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows:

Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code

Sensitive Authentication Data includes:
- Full magnetic stripe data or equivalent data on a chip
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks

The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply only to PAN.

PCI DSS represents a minimum set of control objectives which may be enhanced by local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements (for example, cardholder name), or define an entity's disclosure practices related to consumer information. Examples include legislation related to consumer data protection, privacy, identity theft, or data security. PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

Relationship between PCI DSS and PA-DSS


Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1). The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the PCI DSS Requirements and Security Assessment Procedures (this document). The PA-DSS details what a payment application must support to facilitate a customer's PCI DSS compliance. Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.

Just a few of the ways payment applications can prevent compliance include:
- Storage of magnetic stripe data and/or equivalent data from the chip in the customer's network after authorization;
- Applications that require customers to disable other features required by the PCI DSS, like anti-virus software or firewalls, in order to get the payment application to work properly; and
- Vendors' use of unsecured methods to connect to the application to provide support to the customer.

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. Please note the following regarding PA-DSS applicability:
- PA-DSS does apply to payment applications that are typically sold and installed off the shelf without much customization by software vendors.
- PA-DSS does not apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant's or service provider's normal PCI DSS compliance.

Scope of Assessment for Compliance with PCI DSS Requirements


The PCI DSS security requirements apply to all system components. In the context of PCI DSS, system components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:

- The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
- The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.
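The first step above, finding where cardholder data actually lives, is usually done with a discovery tool run over file shares, databases and logs. The following is an added example written for this page (it is not PCI SSC code and the standard prescribes no particular tool): it scans text for digit runs of PAN length that pass the Luhn check, and records each hit masked to the first six and last four digits so that the scope inventory does not itself become a new store of unprotected PAN. The log excerpt, the file name "orders.log" and the 13-19 digit range are constructed assumptions for the example.

```python
# Added example (not part of PCI DSS): inventory candidate PAN locations in
# text so that cardholder data found outside the defined CDE can be brought
# into scope, deleted or consolidated. Assumptions (the example's, not the
# standard's): PANs are 13-19 digits, optionally separated by single spaces
# or hyphens, and pass the Luhn check; output is masked to the first six and
# last four digits so the inventory does not become a new PAN store.
import re
from dataclasses import dataclass
from typing import List

# Digit runs of 13-19 digits with optional single space/hyphen separators,
# not adjacent to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; filters most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits of the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str       # file or system the data was found in
    line_no: int
    masked_pan: str


def find_pans(source: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate, PAN masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample: an application log that should not contain PANs.
# 4111 1111 1111 1111 and 5500000000000004 are standard test card numbers;
# the 16-digit reference on the last line fails the Luhn check.
SAMPLE_LOG = """\
2010-10-15 order=1001 card=4111 1111 1111 1111 exp=12/13 name=J. Doe
2010-10-15 order=1002 phone=555-0100 ticket=ABC-20101015
2010-10-15 order=1003 card=5500000000000004 status=approved
2010-10-15 order=1004 ref=1234567890123456 status=declined
"""

if __name__ == "__main__":
    for f in find_pans("orders.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no} {f.masked_pan}")
```

Run against the constructed log, the scan reports lines 1 and 3 (masked) and ignores the order reference on line 4 because it fails the Luhn check. In practice the Luhn filter still yields false positives on other check-digit-bearing numbers, so each hit should be confirmed by a person before the location is added to the CDE inventory or the data is deleted.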

Network Segmentation
Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network.

An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices. Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment.

If network segmentation is in place and being used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network's configuration, the technologies deployed, and other controls that may be implemented. Appendix D: Segmentation and Sampling of Business Facilities/System Components provides more information on the effect of network segmentation and sampling on the scope of a PCI DSS assessment.

Wireless
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, line-busting), or if a wireless local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission.

Third Parties/Outsourcing

For service providers required to undergo an annual onsite assessment, compliance validation must be performed on all system components in the cardholder data environment. A service provider or merchant may use a third-party service provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.

1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or
2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers' PCI DSS assessments.

See the bullet beginning "For managed service provider (MSP) reviews," in Item 3, "Details about Reviewed Environment," in the Instructions and Content for Report on Compliance section, below, for more information. Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party service providers with access to cardholder data. Refer to Requirement 12.8 in this document for details.

Sampling of Business Facilities/System Components


Sampling is not a PCI DSS requirement. However, after considering the overall scope and complexity of the environment being assessed, the assessor may independently select representative samples of business facilities/system components in order to assess PCI DSS requirements. These samples must be defined first for business facilities and then for system components within each selected business facility. Samples must be a representative selection of all of the types and locations of business facilities, as well as types of system components within selected business facilities. Samples must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.

Sampling of business facilities/system components for an assessment does not reduce the scope of the cardholder data environment or the applicability of PCI DSS requirements. Whether or not sampling is to be used, PCI DSS requirements apply to the entire cardholder data environment. If sampling is used, each sample must be assessed against all applicable PCI DSS requirements. Sampling of the PCI DSS Requirements themselves is not permitted.

Examples of business facilities include but are not limited to: corporate offices, stores, franchise locations, processing facilities, data centers, and other facility types in different locations. Sampling should include system components within each selected business facility. For example, for each business facility selected, include a variety of operating systems, functions, and applications that are applicable to the area under review. As an example, the assessor may define a sample at a business facility to include Sun servers running Apache WWW, Windows servers running Oracle, mainframe systems running legacy card processing applications, data transfer servers running HP-UX, and Linux servers running MySQL. If all applications run from a single version of an OS (for example, Windows 7 or Solaris 10), then the sample should still include a variety of applications (for example, database servers, web servers, data transfer servers).

When independently selecting samples of business facilities/system components, assessors should consider the following:
- If there are standard, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/controls in place. The sample must be large enough to provide the assessor with reasonable assurance that all business facilities/system components are configured per the standard processes.
- If there is more than one type of standard security and/or operational process in place (for example, for different types of business facilities/system components), the sample must be large enough to include business facilities/system components secured with each type of process.

Detailed PCI DSS Requirements and Security Assessment Procedures


For the PCI DSS Requirements and Security Assessment Procedures, the following defines the table column headings:

PCI DSS Requirements: This column defines the Data Security Standard and lists requirements to achieve PCI DSS compliance; compliance will be validated against these requirements.

Testing Procedures: This column shows processes to be followed by the assessor to validate that PCI DSS requirements are in place.

In Place: This column must be used by the assessor to provide a brief description of the controls which were validated as in place for each requirement, including descriptions of controls found to be in place as a result of compensating controls, or as a result of a requirement being Not Applicable.

Not in Place: This column must be used by the assessor to provide a brief description of controls that are not in place. Note that a non-compliant report should not be submitted to a payment brand or acquirer unless specifically requested. For further instructions on non-compliant reports, please refer to the Attestations of Compliance, available on the PCI SSC website (www.pcisecuritystandards.org).

Target Date/Comments: For those controls Not in Place the assessor may include a target date that the merchant or service provider expects to have controls In Place. Any additional notes or comments may be included here as well.

PCI DSS Requirements and Security Assessment Procedures, Version 2.0, October 2010. Copyright 2010 PCI Security Standards Council LLC. Page 20

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data


Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.
PCI DSS Requirements and Testing Procedures (the In Place, Not in Place and Target Date/Comments columns of the original table are left blank for the assessor to complete)

1.1 Establish firewall and router configuration standards that include the following:
    Testing 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
    Testing 1.1.1: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
    Testing 1.1.2.a: Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.
    Testing 1.1.2.b: Verify that the diagram is kept current.

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
    Testing 1.1.3.a: Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.
    Testing 1.1.3.b: Verify that the current network diagram is consistent with

1.1.4 Description of groups, roles, and responsibilities for logical management of network components
    Testing 1.1.4: Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
    Testing 1.1.5.a: Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
    Testing 1.1.5.b: Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.

1.1.6 Requirement to review firewall and router rule sets at least every six months
    Testing 1.1.6.a: Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
    Testing 1.1.6.b: Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
    Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
    Testing 1.2: Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
    Testing 1.2.1.a: Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
    Testing 1.2.1.b: Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit deny all or
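Testing procedures 1.1.5.a, 1.1.5.b, 1.2.1.a and 1.2.1.b are largely a comparison of the live rule set against the documented configuration standard, which is the kind of check that can be automated and re-run at each six-monthly review (1.1.6). The following is an added example for this page, not PCI SSC code and not a tool the standard names: it walks a rule set in evaluation order and reports, tagged with the testing procedure they correspond to, allowed services missing from the documented list, insecure services (the 1.1.5 list: FTP, Telnet, POP3, IMAP, SNMP) without documented security features, rules that open a CDE segment to any source, and a rule set that does not end in an explicit deny-all. The rule and standard formats, the service names, the addresses and the "cde-" naming convention for CDE segments are constructed assumptions for the example.

```python
# Added example (not part of PCI DSS): check a firewall rule set against a
# documented service list the way testing procedures 1.1.5 and 1.2.1 read it.
# The rule format, the documented service list and the "cde-" prefix used to
# mark CDE segments are constructed for this example.
from typing import Dict, List

INSECURE_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp"}  # examples from 1.1.5

# Constructed configuration standard (1.1.5.a): each permitted service with
# its business justification and, for insecure services, the security
# features that are supposed to be implemented for it (1.1.5.b).
DOCUMENTED: Dict[str, dict] = {
    "https": {"ports": {443}, "justification": "e-commerce storefront",
              "security_features": ""},
    "ssh": {"ports": {22}, "justification": "administration from jump host",
            "security_features": ""},
    "ftp": {"ports": {21}, "justification": "legacy batch file exchange with acquirer",
            "security_features": "source restricted to 203.0.113.10; FTPS (TLS) required"},
}

# Constructed rule set, evaluated top to bottom; dst_port None means any.
RULES: List[dict] = [
    {"action": "allow", "proto": "tcp", "dst_port": 443, "src": "0.0.0.0/0", "dst": "dmz-web", "service": "https"},
    {"action": "allow", "proto": "tcp", "dst_port": 22, "src": "10.1.0.5/32", "dst": "cde-db", "service": "ssh"},
    {"action": "allow", "proto": "tcp", "dst_port": 21, "src": "203.0.113.10/32", "dst": "cde-batch", "service": "ftp"},
    {"action": "allow", "proto": "tcp", "dst_port": 23, "src": "10.0.0.0/8", "dst": "cde-db", "service": "telnet"},
    {"action": "deny", "proto": "any", "dst_port": None, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "service": "any"},
]


def check_ruleset(rules: List[dict], documented: Dict[str, dict]) -> List[str]:
    """Return one finding per deviation, tagged with the testing procedure."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    # 1.2.1.b: everything not explicitly allowed must be explicitly denied.
    if (last is None or last["action"] != "deny"
            or last["src"] != "0.0.0.0/0" or last["dst"] != "0.0.0.0/0"):
        findings.append("1.2.1.b: rule set does not end with an explicit deny-all")
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        svc = r["service"]
        doc = documented.get(svc)
        # 1.1.5.a: every allowed service needs a documented business need.
        if doc is None:
            findings.append(f"1.1.5.a: rule {i} allows {svc} but it is not in the documented service list")
        elif r["dst_port"] not in doc["ports"]:
            findings.append(f"1.1.5.a: rule {i} allows {svc} on port {r['dst_port']}, not the documented port")
        # 1.1.5.b: insecure services need documented security features.
        if svc in INSECURE_SERVICES and not (doc and doc["security_features"]):
            findings.append(f"1.1.5.b: insecure service {svc} in rule {i} has no documented security features")
        # 1.2.1.a: a CDE segment must not be reachable from any source.
        if r["src"] == "0.0.0.0/0" and str(r["dst"]).startswith("cde-"):
            findings.append(f"1.2.1.a: rule {i} allows any source into CDE segment {r['dst']}")
    return findings


if __name__ == "__main__":
    for finding in check_ruleset(RULES, DOCUMENTED) or ["no findings"]:
        print(finding)
```

On the constructed rule set the only deviations are the Telnet rule, which is both undocumented (1.1.5.a) and an insecure service with no documented security features (1.1.5.b); FTP passes because the standard documents its restriction and the TLS requirement. Removing the final deny rule adds a 1.2.1.b finding. The check reads the documented standard as the source of truth, which is how the assessor uses it: the rule set is evidence, the standard is the requirement, and any allowed service absent from the standard is a finding regardless of how reasonable it looks.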
