Requirement 1: install and maintain a firewall
Requirement 2: do not use vendor-supplied defaults
- Include testing upon change and/or every six months
- Basic deny on all “untrusted” networks and hosts
- Prohibit public access
- Install personal firewall on mobile devices
- Change defaults before deployment
- Develop configuration standards
- Encrypt all non-console admin access
Requirement 3: protect stored cardholder data
Requirement 4: encrypt transmission of cardholder data across open, public networks
- Limit storage time
- Do not store sensitive authentication data (even if encrypted)
- Mask PAN when displayed
- Render PAN unreadable at minimum for portable media, backup media, logs, etc.
- Protect crypto keys
- Key management process
- Use strong cryptography
- Never send PAN unencrypted
Requirement 5: use and regularly update anti-virus software or programs
Requirement 6: develop and maintain secure systems and applications
- Deploy antivirus software
- Ensure that all antivirus software is current, active and capable of generating logs
- Ensure that all software is updated/patched (critical patches within a month)
- Create process for vulnerability discovery
- Develop software in accordance with PCI DSS
- Follow change control
- Develop web software securely
- Annual code review of web-facing applications
Requirement 7: restrict access to cardholder data by business need to know
Requirement 8: assign a unique ID to each person with computer access
Requirement 9: restrict physical access to cardholder data
- Limit physical and digital access
- Establish access control (default: deny all)
- Unique user names
- Employ either password or two-factor authentication
- Two-factor required for remote access
- Encrypt passwords (storage and transmission)
- Password management
- Facility entry controls
- Distinguish between employee and visitor
- Ensure authorization
- Keep visitor log and retain for three months
- Store media backups securely
- Secure all digital and physical media
- Maintain control of data flow
- Destroy media
Requirement 10: track and monitor all access to network resources and cardholder data
Requirement 11: regularly test security systems and processes
- Establish process to link access control to users
- Implement automated audit trails
- Sync clocks
- Secure audit trails
- Review logs at least daily
- Retain audit trail for at least one year; three months should be readily accessible
- Test for wireless access points (WAPs) at least quarterly
- Run internal and external vulnerability scans at least quarterly
- Run internal and external penetration testing at least once a year
- Use intrusion detection/prevention
- Deploy file integrity monitoring system
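To make the "file integrity monitoring" bullet concrete, here is an added Python example (not the deck's or any product's code) of the core of such a system: take a SHA-256 baseline of every regular file under a directory, store it as JSON, and later report files that were added, removed or modified. The directory layout, the baseline file name and the sample dictionaries in the demo are assumptions.

```python
import hashlib
import json
import os
import sys
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def has_changes(diff: Dict[str, List[str]]) -> bool:
    """True when any category is non-empty, i.e. an alert should be raised."""
    return any(diff.values())


if __name__ == "__main__":
    # Usage (assumed CLI shape):  fim.py init <dir> <baseline.json>
    #                             fim.py check <dir> <baseline.json>
    mode, root, baseline_path = sys.argv[1:4]
    if mode == "init":
        save_baseline(snapshot(root), baseline_path)
    elif mode == "check":
        diff = compare(load_baseline(baseline_path), snapshot(root))
        print(json.dumps(diff, indent=2))
        sys.exit(1 if has_changes(diff) else 0)
```

Two points a deployment adds on top of this core: the baseline file itself must live somewhere the monitored host cannot rewrite (otherwise an attacker who modifies a file can re-baseline it), and the comparison should run on a schedule with its output feeding the same daily log review the Requirement 10 bullets describe.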
Requirement 12: maintain a policy that addresses information security for employees and contractors
- Publish all policies related to PCI DSS implementation
- Develop SOP
- Develop employee-related policies
- Policies must address SAs and contractors
- Security awareness program
- Screen incoming employees
- Incident response plan