prioritized_approach_v3.xlsx

Upload: jennifer-sparks

Post on 01-Jun-2018


  • 8/9/2019 Prioritized_Approach_v3.xlsx

    PCI Security Standards Council® PCI SSC Prioritized Approach for PCI DSS v3.0

    PCI Security Standards Council Prioritized Approach Tool

    Release Notes & Instructions

      November 2014

    Contents: 2 spreadsheets (see tabs at bottom of this page)

      • Prioritized Approach Milestones
      • Prioritized Approach Summary

    Purpose: Tool for tracking progress toward compliance with PCI DSS by using the Prioritized Approach. Also provides a sorting tool to analyze progress by PCI DSS requirement, milestone category, or milestone status.

    Step 1: Please indicate "Yes", "No", or "N/A" in Column C of the "Prioritized Approach Milestones" spreadsheet tab. This step will auto-populate the "percentage complete" fields on the "Prioritized Approach Summary" spreadsheet tab.

    Step 2: Analyze results. Use the "filter" functions on column headers of the "Prioritized Approach Milestones" spreadsheet tab to select any of the six milestones.

    Step 3: Complete the contact information on the "Prioritized Approach Summary" tab. You may share this document with your acquirer or Qualified Security Assessor to provide an assessment of progress your organization has completed toward PCI DSS compliance. You may also manually enter an estimated completion date for each milestone phase. Check with your acquirer for specific submission instructions.

    IMPORTANT NOTE ABOUT ACHIEVING PCI DSS COMPLIANCE: Achieving PCI DSS compliance requires an organization to successfully meet ALL applicable PCI DSS requirements, regardless of the order in which they are satisfied, or whether the organization seeking compliance follows the PCI DSS Prioritized Approach. The Prioritized Approach is a tool provided to assist organizations seeking to achieve compliance, but it does not, and is not intended in any manner to, modify or abridge the PCI DSS or any of its requirements.

    All information published by PCI SSC for the Prioritized Approach is subject to change without notice. PCI SSC is not responsible for errors or damages of any kind resulting from the use of the information contained therein. PCI SSC makes no warranty, guarantee, or representation as to the accuracy or sufficiency of the information provided as part of the Prioritized Approach, and PCI SSC assumes no responsibility or liability regarding the use or misuse of such information.

    Prioritized Approach Summary & Attestation of Compliance*

    *PCI DSS compliance requires successful completion of ALL PCI DSS requirements, regardless of whether the Prioritized Approach is used.

    Part 1: Merchant or Service Provider Information

      • Company Name
      • DBA(s)
      • Contact Name
      • Title
      • Business Address
      • City
      • State/Province
      • Country

    Part 2a: Merchant Business (Check all that apply)

    Part 2b: Service Provider Business (Check all that apply)

    Part 3: Relationships

      • Does your company have a relationship with one or more third-party agents (e.g., gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)?
      • Does your company have a relationship with more than one acquirer?

    Part 4: Transaction Processing

      • Payment Application in use
      • Payment Application Version

    Milestone / Goals / Percent / Estimated Date for Completion of Milestone

      • Milestone 1 (0%): Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember, if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.

      • Milestone 2 (0%): Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises, and the processes for responding.

      • Milestone 3 (0%): Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

      • Milestone 4 (0%): Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.

      • Milestone 5 (0%): Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

      • Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

      • Overall

    An entity submitting this form may be required to complete an Action Plan. Check with your acquirer or the payment brand(s), since not all payment brands require this section.

    Part 5: Target Date for Achieving Full PCI DSS Compliance

    Part 6: Merchant or Service Provider Acknowledgements

    Signature of Executive Officer

    Prioritized Approach Milestones for PCI DSS v3.0 Requirements

    PCI DSS Requirements v3.0 / Milestone

    Milestone column values on this sheet page, as extracted (row alignment was lost): 6, 1, 1, 2, 6, 2, 6, 2, 2, 2, 2, 2, 2, 2, 2

    Requirement 1: Install and maintain a firewall configuration to protect cardholder data

    1.1 Establish and implement firewall and router configuration standards that include the following:

    1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations

    1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks

    1.1.3 Current diagram that shows all cardholder data flows across systems and networks.

    1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

    1.1.5 Description of groups, roles, and responsibilities for management of network components.

    1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

    1.1.7 Requirement to review firewall and router rule sets at least every six months.

    1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

    Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

    1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

    1.2.2 Secure and synchronize router configuration files.

    1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if such traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

    1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

    1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

    1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

    1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

    1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.

    1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
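The firewall controls in 1.1.6, 1.2.1, 1.3.2 and 1.3.3 can be checked mechanically against a rule list. The following is an added example (it is not part of the PCI SSC spreadsheet or any PCI SSC tool) that audits a small, constructed rule set: the DMZ and CDE address ranges, the `Rule` record format and the sample rules are all assumptions made for the example; the insecure-service port list is taken from the protocols 1.1.6 names, using their default port numbers.

```python
"""Added example: audit a firewall rule list against PCI DSS v3.0 Requirements
1.1.6, 1.2.1, 1.3.2 and 1.3.3 as worded on this sheet. Zones, addresses and the
rule format are constructed for the example, not taken from the PCI SSC tool."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed sample zones; in practice these come from the 1.1.2 network diagram.
DMZ = ipaddress.ip_network("10.10.0.0/24")
CDE = ipaddress.ip_network("10.20.0.0/24")

# Insecure services named as examples in 1.1.6 (IANA default ports).
INSECURE_SERVICES = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP", 161: "SNMP v1/v2"}


@dataclass
class Rule:
    direction: str           # "inbound" (from the Internet) or "outbound" (to the Internet)
    src: str                 # "any" or a CIDR
    dst: str                 # "any" or a CIDR
    port: Optional[int]      # None means all ports
    action: str              # "allow" or "deny"
    justification: str = ""  # documented business justification (1.1.6)


def zone_of(addr: str) -> str:
    """Classify an address as internet / dmz / cde / internal."""
    if addr == "any":
        return "internet"
    net = ipaddress.ip_network(addr)
    if net.subnet_of(DMZ):
        return "dmz"
    if net.subnet_of(CDE):
        return "cde"
    return "internal"


def is_default_deny(rule: Rule) -> bool:
    return rule.action == "deny" and rule.src == "any" and rule.dst == "any" and rule.port is None


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (requirement, finding) pairs for each control the rule list fails."""
    findings = []
    # 1.2.1: everything not explicitly needed must be denied, in both directions.
    for direction in ("inbound", "outbound"):
        same_dir = [r for r in rules if r.direction == direction]
        if not same_dir or not is_default_deny(same_dir[-1]):
            findings.append(("1.2.1", f"{direction}: rule list does not end with an explicit deny-all"))
    for r in rules:
        if r.action != "allow":
            continue
        # 1.1.6: an insecure service may only be allowed with a documented justification.
        if r.port in INSECURE_SERVICES and not r.justification:
            findings.append(("1.1.6", f"{INSECURE_SERVICES[r.port]} (port {r.port}) allowed without documented justification"))
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        # 1.3.3: no direct path in either direction between the Internet and the CDE.
        if {"internet", "cde"} <= {src_zone, dst_zone}:
            findings.append(("1.3.3", f"direct {r.direction} path between Internet and CDE: {r.src} -> {r.dst}"))
        # 1.3.2: inbound Internet traffic may only terminate in the DMZ.
        elif src_zone == "internet" and dst_zone != "dmz":
            findings.append(("1.3.2", f"inbound Internet traffic allowed to non-DMZ address {r.dst}"))
    return findings


# Constructed sample rule set with deliberate gaps so the audit has something to report.
SAMPLE_RULES = [
    Rule("inbound", "any", "10.10.0.10/32", 443, "allow", "Public web storefront"),
    Rule("inbound", "any", "10.10.0.10/32", 21, "allow"),                            # FTP, no justification
    Rule("inbound", "any", "10.20.0.5/32", 1433, "allow", "Vendor database support"),  # Internet -> CDE
    Rule("inbound", "any", "any", None, "deny"),
    Rule("outbound", "10.20.0.0/24", "any", 443, "allow", "Payment gateway"),         # CDE -> Internet
    Rule("outbound", "10.10.0.0/24", "any", None, "allow", "DMZ package updates"),    # no final deny
]

if __name__ == "__main__":
    for req, msg in audit(SAMPLE_RULES):
        print(f"Requirement {req}: {msg}")
```

Run as a script it prints four findings: a missing outbound deny-all (1.2.1), unjustified FTP (1.1.6), and two direct Internet-to-CDE paths (1.3.3). The CDE-to-gateway rule is flagged on purpose: under 1.3.3 that traffic has to traverse a DMZ component rather than leave the CDE directly.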

    Milestone column values on this sheet page, as extracted (row alignment was lost): 2, 2, 2, 2, 2, 2, 2, 3

    1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)

    1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

    1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

    Note: Methods to obscure IP addressing may include, but are not limited to:

      • Network Address Translation (NAT)
      • Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
      • Removal or filtering of route advertisements for private networks that employ registered addressing,
      • Internal use of RFC1918 address space instead of registered addresses.

    1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include:

      • Specific configuration settings are defined for personal firewall software
      • Personal firewall software is actively running
      • Personal firewall software is not alterable by users of mobile and/or employee-owned devices.

    1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

    (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)

    2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

    2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

    Sources of industry-accepted system hardening standards may include, but are not limited to:

      • Center for Internet Security (CIS)
      • International Organization for Standardization (ISO)
      • SysAdmin Audit Network Security (SANS) Institute
      • National Institute of Standards Technology (NIST)

    Milestone column values on this sheet page, as extracted (row alignment was lost): 3, 3, 3, 3, 3, 2, 2, 2, 3 before the Requirement 3 heading, then 1, 1 after it

    2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

    2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

    2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure, for example, use secured technologies such as [cell truncated in source]

    Requirement 3: Protect stored cardholder data

    Milestone column values on this sheet page, as extracted (row alignment was lost): 1, 1, 1

    3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

    Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:

      • The cardholder's name
      • Primary account number (PAN)
      • Expiration date
      • Service code

    To minimize risk, store only these data elements as needed for business.

    3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

    3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.

    3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.

    3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

      • One-way hashes based on strong cryptography (hash must be of the entire PAN)
      • Truncation (hashing cannot be used to replace the truncated segment of PAN)
      • Index tokens and pads (pads must be securely stored)
      • Strong cryptography with associated key-management processes and procedures

    Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

    3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

    3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse: Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.

    3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
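Requirements 3.3 and 3.4 describe three distinct operations on a PAN (display masking, truncation, one-way hashing), and the 3.4 note warns that a truncated and a hashed form of the same PAN must not be correlatable. The following added example (not part of the PCI SSC spreadsheet) implements each operation and a check for that correlation risk. The 16-digit test PAN, the secret key and the sample record store are constructed for the example; using a keyed hash (HMAC-SHA256) rather than a bare hash is this example's own choice for making the hash non-invertible from a truncated PAN, and goes slightly beyond the page's wording.

```python
"""Added example: PAN masking (3.3), truncation and one-way hashing (3.4), and a check
for the truncated+hashed correlation risk in the 3.4 note. Example code, not the PCI SSC
spreadsheet's; the key, test PAN and record store are constructed for the example."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed values for the example only.
TEST_PAN = "4111111111111111"      # well-known Luhn-valid test number, not a real account
EXAMPLE_KEY = b"example-hmac-key-replace-in-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to reject malformed input before it is processed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _validate(pan: str) -> None:
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")


def mask_for_display(pan: str) -> str:
    """3.3: display at most the first six and last four digits."""
    _validate(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate(pan: str) -> Tuple[str, str]:
    """3.4 truncation: retain only the first six and last four; the middle is discarded."""
    _validate(pan)
    return pan[:6], pan[-4:]


def one_way_hash(pan: str, key: bytes) -> str:
    """3.4 one-way hash of the entire PAN, keyed so that a stored hash cannot be
    brute-forced from the first-six/last-four a truncated copy reveals (assumption of
    this example: a secret key managed under the 3.5 procedures)."""
    _validate(pan)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def correlation_risk(records: List[Dict[str, str]]) -> List[str]:
    """3.4 note: report records holding both a truncated and a hashed form of one PAN."""
    return [rec["record_id"] for rec in records if "truncated" in rec and "hash" in rec]


# Constructed sample store: one record keeps both forms and should be flagged.
SAMPLE_STORE = [
    {"record_id": "order-1001", "hash": one_way_hash(TEST_PAN, EXAMPLE_KEY)},
    {"record_id": "order-1002", "truncated": "-".join(truncate(TEST_PAN))},
    {"record_id": "order-1003", "truncated": "-".join(truncate(TEST_PAN)),
     "hash": one_way_hash(TEST_PAN, EXAMPLE_KEY)},
]

if __name__ == "__main__":
    print("display :", mask_for_display(TEST_PAN))
    print("truncate:", truncate(TEST_PAN))
    print("hash    :", one_way_hash(TEST_PAN, EXAMPLE_KEY))
    print("records holding both forms:", correlation_risk(SAMPLE_STORE))
```

The masked display form and the truncated stored form look alike, which is exactly why the 3.4 note matters: a six-digit middle segment is a small search space, so anything that lets the two be joined to an unkeyed hash of the same PAN recreates the full number. Keeping the hash keyed, and keeping the key out of the systems that hold truncated copies, is one of the "additional controls" the note asks for.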

    3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

      • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
      • Within a secure cryptographic device (such as a host security module [cell truncated in source]

    Milestone column values on this sheet page, as extracted (row alignment was lost): 2, 2, 2, 2 before the Requirement 5 heading, then 2, 2, 2, 2, 2 after it

    Requirement 4: Encrypt transmission of cardholder data across open, public networks

    4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, [cell truncated in source]

    Requirement 5: Use and regularly update anti-virus software or programs

    Milestone column values on this sheet page, as extracted (row alignment was lost): 2 before the Requirement 6 heading, then 3, 3, 3, 3 after it

    5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

    Requirement 6: Develop and maintain secure systems and applications

    6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

    Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.

    6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

    Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.

    6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:

      • In accordance with PCI DSS (for example, secure authentication and logging)
      • Based on industry standards and/or best practices.
      • Incorporating information security throughout the software-development life cycle

    Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.

    6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.

    Milestone column values on this sheet page, as extracted (row alignment was lost): 3, 3, 3, 3, 3, 3, 6, 6, 6, 6, 6, 3, 3, 3, 3, 3, 3, 3

    6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:

      • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
      • Code reviews ensure code is developed according to secure coding guidelines
      • Appropriate corrections are implemented prior to release.
      • Code-review results are reviewed and approved by management prior to release

    Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.

    6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:

    6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.

    6.4.2 Separation of duties between development/test and production environments.

    6.4.3 Production data (live PANs) are not used for testing or development.

    6.4.4 Removal of test data and accounts before production systems become active.

    6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:

    6.4.5.1 Documentation of impact.

    6.4.5.2 Documented change approval by authorized parties.

    6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.

    6.4.5.4 Back-out procedures.

    6.5 Address common coding vulnerabilities in software-development processes as follows:

      • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
      • Develop applications based on secure coding guidelines.

    Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published.

    Milestone column values on this sheet page, as extracted (row alignment was lost): 3, 3, 3, 3, 3, 3 before the Requirement 7 heading, then 4, 4, 4, 4, 4, 4, 4, 4 after it

    Requirements 6.5.7 through 6.5.10, below, apply to web applications and application interfaces (internal or external):

    6.5.7 Cross-site scripting (XSS).

    6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal and failure to restrict user access to functions).

    6.5.9 Cross-site request forgery (CSRF).

    6.5.10 Broken authentication and session management.

    Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.

    6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

      • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

        Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.

      • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic

    6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

    Requirement 7: Restrict access to cardholder data by business need to know

    7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

    7.1.1 Define access needs for each role, including:

      • System components and data resources that each role needs to access for their job function
      • Level of privilege required (for example, user, administrator, etc.) for accessing resources

    7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

    7.1.3 Assign access based on individual personnel's job classification and function.

    7.1.4 Require documented approval by authorized parties specifying required privileges.

    7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

    This access control system must include the following:

    7.2.1 Coverage of all system components.

    7.2.2 Assignment of privileges to individuals based on job classification and function.

    7.2.3 Default "deny-all" setting.

    7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

    Requirement 8: Assign a unique ID to each person with computer access

    Milestone column values on this sheet page, as extracted (row alignment was lost): 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4

    8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:

    8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

    8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

    8.1.3 Immediately revoke access for any terminated users.

    8.1.4 Remove/disable inactive user accounts at least every 90 days.

    8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:

      • Enabled only during the time period needed and disabled when not in use.
      • Monitored when in use.

    8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

    8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

    8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

    8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

      • Something you know, such as a password or passphrase
      • Something you have, such as a token device or smart card
      • Something you are, such as a biometric

    8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

    8.2.2 Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys.

    8.2.3 Passwords/phrases must meet the following:

      • Require a minimum length of at least seven characters.
      • Contain both numeric and alphabetic characters.

    Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

    8.2.4 Change user passwords/passphrases at least every 90 days.

    8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

    8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

    Milestone column values on this sheet page, as extracted (row alignment was lost): 2, 4, 4, 2, 4

    8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

    Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

    8.4 Document and communicate authentication procedures and policies to all users including:

      • Guidance on selecting strong authentication credentials
      • Guidance for how users should protect their authentication credentials
      • Instructions not to reuse previously used passwords
      • Instructions to change passwords if there is any suspicion the password could be compromised

    8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:

      • Generic user IDs are disabled or removed.
      • Shared user IDs do not exist for system administration and other critical functions.
      • Shared and generic user IDs are not used to administer any system components

    8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

    Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.

    Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.

    8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:

      • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
      • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators have the ability to directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.

Requirement 9: Restrict physical access to cardholder data

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks. For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks. For example, areas accessible to visitors should not have network ports enabled unless network access is specifically authorized.

9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunications lines.

9.2 Develop procedures to easily distinguish between onsite personnel and visitors to include:
• Identifying new onsite personnel or visitors (for example, assigning badges)
• Changes to access requirements
• Revoking or terminating onsite personnel and expired visitor identification (such as ID badges)

9.3 Control physical access for onsite personnel to the sensitive areas as follows:
• Access must be authorized and based on individual job function.
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

9.4 Implement procedures to identify and authorize visitors. Procedures should include the following:

9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.


9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.

9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.

9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

9.5 Physically secure all media.

9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.

9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:

9.6.1 Classify media so the sensitivity of the data can be determined.

9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.

9.6.3 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).

9.7 Maintain strict control over the storage and accessibility of media.

9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.

9.8 Destroy media when it is no longer needed for business or legal reasons as follows:

9.8.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.

9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.

9.9.1 Maintain an up-to-date list of devices. The list should include the following:
• Make, model of device
• Location of device (for example, the address of the site or facility where the device is located)
• Device serial number or other method of unique identification


9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.1 Implement audit trails to link all access to system components to each individual user.

10.2 Implement automated audit trails for all system components to reconstruct the following events:

10.2.1 All individual user accesses to cardholder data.

10.2.2 All actions taken by any individual with root or administrative privileges.

10.2.3 Access to all audit trails.

10.2.4 Invalid logical access attempts.

10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.

10.2.6 Initialization, stopping, or pausing of the audit logs.

10.2.7 Creation and deletion of system-level objects.

10.3 Record at least the following audit trail entries for all system components for each event:

10.3.1 User identification.

10.3.2 Type of event.

10.3.3 Date and time.

10.3.4 Success or failure indication.

10.3.5 Origination of event.

10.3.6 Identity or name of affected data, system component, or resource.

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

10.4.1 Critical systems have the correct and consistent time.

10.4.2 Time data is protected.

10.4.3 Time settings are received from industry-accepted time sources.

10.5 Secure audit trails so they cannot be altered.

10.5.1 Limit viewing of audit trails to those with a job-related need.

10.5.2 Protect audit trail files from unauthorized modifications.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

10.5.4 Write logs for external-facing technologies onto an internal log server or media device.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.

10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD
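The six audit-trail entries of Requirement 10.3 and the alert-on-change rule of 10.5.5, shown as working code. This is an added example, not PCI SSC material; the JSON record layout and the keyed HMAC chain used to detect edits or deletions of existing records (while appends stay silent) are assumptions of this example.

```python
"""Audit-trail records for PCI DSS v3.0 Requirement 10.3 with change detection
in the sense of 10.5.5 (existing data cannot change without an alert; new data
being appended raises none).

Added example, not PCI SSC material. Assumptions not taken from the page: one
record per event, serialised as canonical JSON, and a per-record HMAC that
chains each entry to the previous one under a key held by the central log
server (10.5.3).
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# 10.3.1 to 10.3.6: the entries every audit record must carry
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")


def make_record(user, event_type, outcome, origin, target, when=None) -> dict:
    when = when or datetime.now(timezone.utc)
    return {
        "user": user,                    # 10.3.1 user identification
        "event_type": event_type,        # 10.3.2 type of event
        "timestamp": when.isoformat(),   # 10.3.3 date and time
        "outcome": outcome,              # 10.3.4 success or failure indication
        "origin": origin,                # 10.3.5 origination of event
        "target": target,                # 10.3.6 affected data, component or resource
    }


def missing_fields(record: dict) -> list:
    """Names of 10.3 entries absent or empty in a record; [] means complete."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def _mac(key: bytes, prev_mac: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev_mac.encode("ascii") + body, hashlib.sha256).hexdigest()


def append_record(chain: list, key: bytes, record: dict) -> dict:
    """Append a record to the chain; an incomplete record is refused."""
    gaps = missing_fields(record)
    if gaps:
        raise ValueError("audit record incomplete: " + ", ".join(gaps))
    prev = chain[-1]["mac"] if chain else ""
    entry = {"record": record, "mac": _mac(key, prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> list:
    """Indexes of entries whose content no longer matches the chain (10.5.5 alert).

    An edited entry fails at its own index; a deleted entry makes the entry that
    followed it fail, because its MAC was bound to the missing predecessor.
    Appending new entries changes nothing earlier, so it raises no alert.
    Truncation of the tail is not caught here: keep the latest MAC on the
    central log server so the expected length is known.
    """
    bad, prev = [], ""
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_mac(key, prev, entry["record"]), entry["mac"]):
            bad.append(i)
        prev = entry["mac"]
    return bad


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed; a real key lives on the log server
    when = datetime(2015, 1, 2, 9, 30, tzinfo=timezone.utc)
    chain = []
    append_record(chain, key, make_record("alice", "login", "success", "10.0.0.5", "pos-app", when))
    append_record(chain, key, make_record("root", "config-change", "success", "console",
                                          "/etc/app.conf", when))
    print(verify_chain(chain, key))                   # []
    chain[0]["record"]["outcome"] = "failure"         # simulate an edit to existing log data
    print(verify_chain(chain, key))                   # [0]
```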

Requirement 11: Regularly test security systems and processes

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.

11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.

11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.

11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.

11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.


11.3 Implement a methodology for penetration testing that includes the following:
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.

Note: This update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place.

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.

11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come preconfigured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).


11.5.1 Implement a process to respond to any alerts generated by the change-detection solution.

11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

Requirement 12: Maintain a policy that addresses information security for all personnel

12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

12.1.1 Review the security policy at least annually and update the policy when the environment changes.

12.2 Implement a risk-assessment process that:
• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
• Identifies critical assets, threats, and vulnerabilities, and
• Results in a formal risk assessment.

Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.

12.3 Develop usage policies for critical technologies and define proper use of these technologies.

Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

Ensure these usage policies require the following:

12.3.1 Explicit approval by authorized parties.

12.3.2 Authentication for use of the technology.

12.3.3 A list of all such devices and personnel with access.

12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices).

12.3.5 Acceptable uses of the technology.

12.3.6 Acceptable network locations for the technologies.

12.3.7 List of company-approved products.

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

12.5 Assign to an individual or team the following information security management responsibilities:

12.5.1 Establish, document, and distribute security policies and procedures.


12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.

12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

12.5.4 Administer user accounts, including additions, deletions, and modifications.

12.5.5 Monitor and control all access to data.

12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

12.6.1 Educate personnel upon hire and at least annually.

Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.

12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history and reference checks.)

Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.


12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
• Specific incident response procedures
• Business recovery and continuity procedures
• Data back-up processes
• Analysis of legal requirements for reporting compromises
• Coverage and responses of all critical system components
• Reference or inclusion of incident response procedures from the payment brands

12.10.2 Test the plan at least annually.

12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.

12.10.4 Provide appropriate training to staff with security breach response responsibilities.

12.10.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.

12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

Requirement A.1: Shared hosting providers must protect the cardholder data environment

A.1 Protect each entity's (that is merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4:

A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS.

Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.

A.1.1 Ensure that each entity only runs processes that have access to that entity's cardholder data environment.

A.1.2 Restrict each entity's access and privileges to its own cardholder data environment only.

A.1.3 Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.

A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.


    CI Security Standards Council® GQ PCI SSC Prioritized Approach for PCI DS

  • 8/9/2019 Prioritized_Approach_v3.xlsx

    72/76

    Prioritized Approach %ilestones for PCI DSS v.3 =e)uire!ents

    CI Security Standards Council® G2 PCI SSC Prioritized Approach for PCI DS

  • 8/9/2019 Prioritized_Approach_v3.xlsx

    73/76

    Prioritized Approach %ilestones for PCI DSS v.3 =e)uire!ents

    CI Security Standards Council® G3 PCI SSC Prioritized Approach for PCI DS

  • 8/9/2019 Prioritized_Approach_v3.xlsx

    74/76

    Prioritized Approach %ilestones for PCI DSS v.3 =e)uire!ents

    CI Security Standards Council® GR PCI SSC Prioritized Approach for PCI DS

  • 8/9/2019 Prioritized_Approach_v3.xlsx

    75/76

    Prioritized Approach %ilestones for PCI DSS v.3 =e)uire!ents

    CI Security Standards Council® G: PCI SSC Prioritized Approach for PCI DS

  • 8/9/2019 Prioritized_Approach_v3.xlsx

    76/76