PCI DSS

Summary

PCI DSS is the global data security standard adopted by payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of several steps that mirror security best practices. The version used in this section is PCI DSS v4.0, March 2022.

Definitions

Definition	Requirements
PCI-1_2_2. Network security controls are configured and maintained	266. Disable insecure functionalities
PCI-1_2_5. Network security controls are configured and maintained	255. Allow access only to the necessary ports
PCI-1_2_6. Network security controls are configured and maintained	266. Disable insecure functionalities
PCI-1_3_1. Inbound traffic to the cardholder data environment is restricted	259. Segment the organization network
PCI-1_3_2. Outbound traffic to the cardholder data environment is restricted	259. Segment the organization network
PCI-1_4_2. Restrict inbound traffic from untrusted networks	255. Allow access only to the necessary ports
PCI-1_4_3. Implement anti-spoofing measures	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 096. Set user's required privileges
PCI-1_4_4. Network connections between trusted and untrusted networks are controlled	176. Restrict system objects 096. Set user's required privileges
PCI-1_4_5. Do not disclosure of internal IP addresses and routing information	261. Avoid exposing sensitive information 077. Avoid disclosing technical information
PCI-1_5_1. Implement security controls on any computing devices	273. Define a fixed security suite
PCI-2_2_2. System components are configured and managed securely	142. Change system default credentials 144. Remove inactive accounts periodically 034. Manage user accounts
PCI-2_2_4. Remove or disable all unnecessary functionality	154. Eliminate backdoors 266. Disable insecure functionalities
PCI-2_2_5. System components are configured and managed securely	330. Verify Subresource Integrity
PCI-2_2_6. Configure secure system parameters to prevent misuse	062. Define standard configurations
PCI-2_2_7. System components are configured and managed securely	185. Encrypt sensitive information 033. Restrict administrative access
PCI-2_3_1. Wireless environments are configured and managed securely	251. Change access point IP 253. Restrict network access 254. Change SSID name
PCI-2_3_2. Wireless environments are configured and managed securely	252. Configure key encryption
PCI-3_2_1. Retain account data only where necessary and deleted when no longer needed	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
PCI-3_3_1. Sensitive authentication data (SAD) is not stored after authorization	314. Provide processing confirmation 315. Provide processed data information
PCI-3_3_2. Sensitive authentication data (SAD) is encrypted using strong cryptography	185. Encrypt sensitive information
PCI-3_3_3. Sensitive authentication data (SAD) is not stored after authorization	185. Encrypt sensitive information 360. Remove unnecessary sensitive information
PCI-3_4_1. Data is masked when displayed	300. Mask sensitive data
PCI-3_4_2. Use secure remote-access technologies	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
PCI-3_5_1. Primary account number (PAN) is secured wherever it is stored	127. Store hashed passwords 150. Set minimum size for hash functions
PCI-3_6_1. Protect cryptographic keys used to protect stored account data	145. Protect system cryptographic keys
PCI-3_7_1. Generation of strong cryptographic keys	224. Use secure cryptographic mechanisms
PCI-3_7_2. Secure cryptographic key distribution	145. Protect system cryptographic keys
PCI-3_7_3. Secure cryptographic key storage	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM
PCI-3_7_7. Prevention of unauthorized substitution of cryptographic keys	145. Protect system cryptographic keys 176. Restrict system objects 095. Define users with privileges
PCI-3_7_9. Secure transmission and storage of cryptographic keys	338. Implement perfect forward secrecy
PCI-4_2_1. Strong cryptography during transmission	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
PCI-4_2_2. Strong cryptography to protect data	224. Use secure cryptographic mechanisms
PCI-5_2_1. Deploy an anti-malware solution on system components	273. Define a fixed security suite
PCI-5_3_2. Anti-malware mechanisms and processes are active and monitored	266. Disable insecure functionalities
PCI-5_3_4. Enable audit logs for the anti-malware solution	075. Record exceptional events in logs
PCI-6_2_4. Software engineering techniques to prevent or mitigate common software attacks	169. Use parameterized queries 173. Discard unsafe inputs 174. Transactions without a distinguishable pattern 029. Cookies with security attributes
PCI-6_3_3. Security vulnerabilities are identified and addressed	266. Disable insecure functionalities 353. Schedule firmware updates
PCI-6_4_1. Public-facing web applications are protected against attacks	175. Protect pages from clickjacking 343. Respect the Do Not Track header 029. Cookies with security attributes
PCI-6_4_3. Public-facing web applications are protected against attacks	330. Verify Subresource Integrity
PCI-6_5_4. Changes to all system components are managed securely	095. Define users with privileges
PCI-6_5_5. Changes to all system components are managed securely	156. Source code without sensitive information 180. Use mock data 261. Avoid exposing sensitive information
PCI-6_5_6. Changes to all system components are managed securely	171. Remove commented-out code 360. Remove unnecessary sensitive information
PCI-7_2_2. Access to system components and data is appropriately defined and assigned	096. Set user's required privileges
PCI-7_2_3. Required privileges are approved by authorized personnel	035. Manage privilege modifications
PCI-7_2_5. Access to system components and data is defined and assigned	176. Restrict system objects 186. Use the principle of least privilege
PCI-7_2_6. Access to system components and data is defined and assigned	229. Request access credentials
PCI-7_3_1. Access to system components and data is managed via an access control system	229. Request access credentials
PCI-7_3_2. Access to system components and data is managed via an access control system	229. Request access credentials 096. Set user's required privileges
PCI-7_3_3. Access control system is set to deny by default	341. Use the principle of deny by default
PCI-8_2_1. Assign a unique ID before access to system components	143. Unique access credentials
PCI-8_2_3. User identification for users and administrators are strictly managed	176. Restrict system objects
PCI-8_2_4. User identification for users and administrators are strictly managed	034. Manage user accounts 095. Define users with privileges
PCI-8_2_5. Access for terminated users is immediately revoked	023. Terminate inactive user sessions
PCI-8_2_6. Inactive user accounts are removed within 90 days of inactivity	144. Remove inactive accounts periodically
PCI-8_2_8. User identification for users and administrators are strictly managed	141. Force re-authentication
PCI-8_3_1. Strong authentication for users and administrators is established	229. Request access credentials
PCI-8_3_2. Strong authentication for users and administrators is established	338. Implement perfect forward secrecy
PCI-8_3_3. Strong authentication for users and administrators is established	264. Request authentication
PCI-8_3_5. Initial or reset password or passphrase used by authorized user	140. Define OTP lifespan 347. Invalidate previous OTPs
PCI-8_3_6. Passwords or passphrases with minimum level of complexity	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length
PCI-8_3_7. A previously used password cannot be used to gain access to an account	129. Validate previous passwords
PCI-8_3_9. A password or passphrase cannot be used indefinitely	130. Limit password lifespan
PCI-8_3_11. An authentication factor cannot be used by anyone other than the user assigned	362. Assign MFA mechanisms to a single account
PCI-8_4_1. Multi-factor authentication (MFA) is implemented to secure access	328. Request MFA for critical systems
PCI-8_4_2. Multi-factor authentication (MFA) is implemented to secure access	328. Request MFA for critical systems
PCI-8_4_3. Multi-factor authentication (MFA) is implemented to secure access	328. Request MFA for critical systems
PCI-8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse	319. Make authentication options equally secure
PCI-8_6_3. Use of application and associated authentication factors is strictly managed	130. Limit password lifespan
PCI-9_2_2. Physical access controls manage entry into systems containing data	255. Allow access only to the necessary ports
PCI-9_2_3. Physical access controls manage entry into systems containing data	249. Locate access points 253. Restrict network access
PCI-9_4_1. Media with cardholder data is securely stored and accessed	231. Implement a biometric verification component
PCI-9_4_3. Media is secured and tracked when transported	147. Use pre-existent mechanisms 181. Transmit data using secure protocols
PCI-9_4_7. Media is secured and tracked when transported	183. Delete sensitive data securely
PCI-10_2_1. Audit logs are enabled and active for all system components	075. Record exceptional events in logs
PCI-10_3_2. Audit logs are protected from destruction and unauthorized modifications	080. Prevent log modification
PCI-10_6_1. System clocks and time are synchronized	363. Synchronize system clocks
PCI-10_7_2. Failures of critical security control systems are detected and responded to promptly	266. Disable insecure functionalities
PCI-11_2_1. Wireless access points are identified and monitored	249. Locate access points
PCI-12_9_1. Third-party service providers support their customers	315. Provide processed data information
PCI-3_6_1_1. Protect cryptographic keys used to protect stored account data	351. Assign unique keys to each device 361. Replace cryptographic keys
PCI-3_6_1_2. Protect cryptographic keys used to protect stored account data	151. Separate keys for encryption and signatures
PCI-10_2_1_3. Audit logs are enabled and active for all system components	085. Allow session history queries
PCI-10_2_1_4. Audit logs are enabled and active for all system components	075. Record exceptional events in logs

Last updated

2023/09/18