Unlock the full potential of your projects.
Show full map

PCIDSS 4.0 Requirements and Testing Procedures

Technology
SG
Sergey Gulyaev

Payment Card Industry Data Security Standard. Requirements and Testing Procedures. Version 4.0 https://www.security.studio #cybersecurity  #informationsecurity  #compliances  #cyberdefense  #infosec  #securityawareness  #blueteam  #informationsecurity  #vulnerability  #GDPR  #security  #privacy  #infosec  #privacyconsulting  #technology  #dataprivacy  #dataprotection  #datasecurity #securitystudio

Get Started. It's Free
or sign up with your email address
Similar Mind Maps Mind Map Outline
PCIDSS 4.0 Requirements and Testing Procedures by Mind Map: PCIDSS 4.0 Requirements and Testing Procedures

1. For help preparing for PSIDSS 3.1 and 4.0, you can visit https://www.security.studio

2. Appendix A Additional PCI DSS Requirements

2.1. Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers

2.1.1. A1.1 Multi-tenant service providers protect and separate all customer environments and data.

2.1.2. A1.2 Multi-tenant service providers facilitate logging and incident response for all customers.

2.2. Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card- Present POS POI Terminal Connections

2.2.1. A2.1 POI terminals using SSL and/or early TLS are confirmed as not susceptible to known SSL/TLS exploits.

3. Appendix B Compensating Controls

4. Appendix C Compensating Controls Worksheet

4.1. Requirement Number and Definition:

4.1.1. 1. Constraints

4.1.2. 2. Definition of Compensating Controls

4.1.3. 3. Objective

4.1.4. 4. Identified Risk

4.1.5. 5. Validation of Compensating Controls

4.1.6. 6. Maintenance

5. Appendix D Customized Approach

6. Appendix E Sample Templates to Support Customized Approach

6.1. E1 Sample Controls Matrix Template

6.2. E2 Sample Targeted Risk Analysis Template

7. Appendix F Leveraging the PCI Software Security Framework to Support Requirement 6

8. GOAL 1. Build and Maintain a Secure Network and Systems

8.1. Requirement 1: Install and Maintain Network Security Controls

8.1.1. 1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.

8.1.2. 1.2 Network security controls (NSCs) are configured and maintained.

8.1.3. 1.3 Network access to and from the cardholder data environment is restricted.

8.1.4. 1.4 Network connections between trusted and untrusted networks are controlled.

8.1.5. 1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

8.2. Requirement 2: Apply Secure Configurations to All System Components

8.2.1. 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.

8.2.2. 2.2 System components are configured and managed securely.

8.2.3. 2.3 Wireless environments are configured and managed securely.

9. GOAL 2. Protect Account Data

9.1. Requirement 3: Protect Stored Account Data

9.1.1. 3.1 Processes and mechanisms for protecting stored account data are defined and understood.

9.1.2. 3.2 Storage of account data is kept to a minimum.

9.1.3. 3.3 Sensitive authentication data (SAD) is not stored after authorization.

9.1.4. 3.4 Access to displays of full PAN and ability to copy cardholder data are restricted.

9.1.5. 3.5 Primary account number (PAN) is secured wherever it is stored.

9.1.6. 3.6 Cryptographic keys used to protect stored account data are secured.

9.1.7. 3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

9.2. Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

9.2.1. 4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.

9.2.2. 4.2 PAN is protected with strong cryptography during transmission

10. GOAL 3. Maintain a Vulnerability Management Program

10.1. Requirement 5: Protect All Systems and Networks from Malicious Software

10.1.1. 5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.

10.1.2. 5.2 Malicious software (malware) is prevented, or detected and addressed.

10.1.3. 5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.

10.1.4. 5.4 Anti-phishing mechanisms protect users against phishing attacks.

10.2. Requirement 6: Develop and Maintain Secure Systems and Software

10.2.1. 6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.

10.2.2. 6.2 Bespoke and custom software are developed securely.

10.2.3. 6.3 Security vulnerabilities are identified and addressed.

10.2.4. 6.4 Public-facing web applications are protected against attacks.

10.2.5. 6.5 Changes to all system components are managed securely.

10.2.6. Implement Strong Access Control Measures

11. GOAL 4. Implement Strong Access Control Measures

11.1. Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

11.1.1. 7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

11.1.2. 7.2 Access to system components and data is appropriately defined and assigned.

11.1.3. 7.3 Access to system components and data is managed via an access control system(s).

11.2. Requirement 8: Identify Users and Authenticate Access to System Components

11.2.1. 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.

11.2.2. 8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.

11.2.3. 8.3 Strong authentication for users and administrators is established and managed.

11.2.4. 8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE

11.2.5. 8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse.

11.2.6. 8.6 Use of application and system accounts and associated authentication factors is strictly managed.

11.3. Requirement 9: Restrict Physical Access to Cardholder Data

11.3.1. 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.

11.3.2. 9.2 Physical access controls manage entry into facilities and systems containing cardholder data.

11.3.3. 9.3 Physical access for personnel and visitors is authorized and managed.

11.3.4. 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.

11.3.5. 9.5 Point of interaction (POI) devices are protected from tampering and unauthorized substitution.

12. GOAL 5. Regularly Monitor and Test Networks

12.1. Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

12.1.1. 10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.

12.1.2. 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

12.1.3. 10.3 Audit logs are protected from destruction and unauthorized modifications.

12.1.4. 10.4 Audit logs are reviewed to identify anomalies or suspicious activity.

12.1.5. 10.5 Audit log history is retained and available for analysis.

12.1.6. 10.6 Time-synchronization mechanisms support consistent time settings across all systems.

12.1.7. 10.7 Failures of critical security control systems are detected, reported, and responded to promptly.

12.2. Requirement 11: Test Security of Systems and Networks Regularly

12.2.1. 11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.

12.2.2. 11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.

12.2.3. 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.

12.2.4. 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

12.2.5. 11.5 Network intrusions and unexpected file changes are detected and responded to.

12.2.6. 11.6 Unauthorized changes on payment pages are detected and responded to.

13. GOAL 6. Maintain an Information Security Policy

13.1. Requirement 12: Support Information Security with Organizational Policies and Programs

13.1.1. 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.

13.1.2. 12.2 Acceptable use policies for end-user technologies are defined and implemented.

13.1.3. 12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.

13.1.4. 12.4 PCI DSS compliance is managed.

13.1.5. 12.5 PCI DSS scope is documented and validated.

13.1.6. 12.6 Security awareness education is an ongoing activity.

13.1.7. 12.7 Personnel are screened to reduce risks from insider threats.

13.1.8. 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

13.1.9. 12.9 Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.

13.1.10. 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.