PCI DSS v3.2
Implementation - Bliss or Nightmare
Requirements & Scope
● Scope includes security devices, virtual servers, network devices, server farms and applications that are connected to the cardholder data environment (CDE)
● Isolation of the CDE from the rest of the environment is not mandatory but is recommended
● Any third-party service provider involved in the CDE will need annual and/or on-demand PCI DSS assessments
● There are 12 high-level requirements that must be met for the entity to become PCI certified
Steps in PCI DSS assessment process
● Confirm the scope of the PCI DSS assessment
● Perform the environment assessment for all 12 requirements
● Complete the assessment reports and documentation, viz. the Self-Assessment Questionnaire (SAQ), the Report on Compliance (ROC) and compensating control documentation
● Complete the compliance attestation for service providers (PA-DSS) or merchants
● Complete other requested documentation, such as ASV scan reports, for the service providers or merchants
● Remediate any requirements that are not in place and provide a report
Req 1: Install & maintain a firewall configuration protecting cardholder data
● Establish a formal process for testing and approving any firewall/routing configuration changes
● Secure and synchronize router and firewall configuration files
● Use features such as NAT to hide private IP addresses
● Implement personal firewall software on portable devices
● Limit inbound internet traffic to servers in the DMZ
● Implement anti-spoofing measures to detect and block traffic with forged source IP addresses entering the network
Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters
● Remove or change all vendor-supplied default passwords on a system before connecting it to the network
● Harden devices to an industry standard, viz. CIS/SANS/NIST, before installation
● Enable only the necessary functions and services on servers
● Ensure the security policy and procedures include details on changing vendor default credentials
Req 3: Protect stored cardholder data
● Implement data retention and disposal policies that limit stored cardholder data to what is needed for business, legal and regulatory purposes
● Never store full track data, the CVV or the full PIN after authorization, even if encrypted
● Mask the PAN so that at most the first six and last four digits are visible
● Encrypt the full PAN wherever it is stored
● Store the decryption keys for that encryption separately and do not associate them with user accounts
● Fully document all key management procedures for the decryption keys used in the system
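As an added illustration of the Req 3 bullets above (this is example code written for this page, not from the original deck): a masking routine that leaves only the first six and last four digits visible, a pre-storage sanitizer that strips the sensitive authentication data the requirement forbids keeping after authorization, and a scanner that flags full PANs found in logs or exports so they can be encrypted or masked. The field names in SENSITIVE_AUTH_FIELDS, the sample record and the Luhn check used to cut scanner false positives are assumptions, not part of the requirement text.

```python
import re
from typing import Dict, List, Tuple

# Sensitive authentication data that Req 3 says must not be stored after
# authorization, even encrypted. The field names are constructed for this example.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "track_data", "cvv", "cvv2", "pin", "pin_block"}

# Digit runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Drop sensitive authentication data and mask the PAN before a record is persisted.

    Returns the cleaned record and the sorted names of the fields that were removed,
    so the caller can log that forbidden data reached the storage layer at all.
    """
    removed = sorted(k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS)
    cleaned = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in cleaned:
        cleaned["pan"] = mask_pan(cleaned["pan"])
    return cleaned, removed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (an assumption added here to reduce scanner false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> List[str]:
    """Return full PANs found in free text such as a log file or a data export.

    Masked PANs (first six, stars, last four) never form a 13-19 digit run, so
    they are not reported; anything returned must be encrypted or masked.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record; the PAN is the well-known Visa test number.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "Track2": "...", "name": "A"}
    print(sanitize_for_storage(sample))
    print(find_unmasked_pans("pan=4111 1111 1111 1111 masked=411111******1111"))
```

The sanitizer runs at the storage boundary, where it is easiest to guarantee that no code path writes the CVV or track data; the scanner is the complementary detective control, run over places the PAN should never appear in clear.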
Req 4: Encrypt transmission of cardholder data across open, public networks
● Implement data retention and disposal policies that limit stored cardholder data to what is needed for business, legal and regulatory purposes
● Never store full track data, the CVV or the full PIN after authorization, even if encrypted
● Mask the PAN so that at most the first six and last four digits are visible
● Encrypt the full PAN wherever it is stored
● Store the decryption keys for that encryption separately and do not associate them with user accounts
● Fully document all key management procedures for the decryption keys used in the systems
Req 5: Protect all systems against malware and regularly update anti-virus software or programs
● Deploy AV on all servers and desktops; don't forget the Linux servers
● Keep the AV solution running and up to date with new releases
● System owners should not be allowed to turn off the AV program at their own discretion
● Centralize AV scan logs and keep them available for the PCI audit
● Have procedures and policies in place requiring management approval for any alteration to scans or updates
Req 6: Develop and maintain secure systems and applications
● Have a procedure and policy in place for applying the security patches provided by system vendors
● Apply security patches within a month of release
● Conduct code review of custom code for application vulnerabilities
● Have a change control process in place that separates the production and development environments
● Ensure production data is not used in the development environment
● Have a change control process in place covering approvals, roll-back and testing for any system change request
● Conduct periodic security vulnerability assessments of public-facing web servers
● Have coding practices and training in place to avoid injection at the database, OS and Active Directory level
Req 7: Restrict access to cardholder data by business need to know
● Restrict access to cardholder data, system components and privileged user IDs
● Have a documented procedure for approving any changes to the above
● Use a default deny-all setting for any privileges granted to users or roles
● Open only those privileges justified by business or system need
● Have policy and procedure documentation in place restricting cardholder data access to those who need it
Req 8: Identify and authenticate access to system components
● A unique user ID for each individual user
● Approvals and monitoring in place for privileged user IDs
● Revoke access for terminated or resigned users immediately
● Disable users inactive for 90 days
● Enable remote access for third parties only when required
● Lock out user IDs after a maximum of 6 invalid attempts
● Implement an idle session timeout of at most 15 minutes
● Enable 2FA for privileged user IDs
● Strict password controls, viz. password history, password complexity, encryption, etc.
● Application IDs are to be used only by systems, never by individual users
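The Req 8 bullets above state three concrete thresholds (lockout after 6 invalid attempts, idle timeout within 15 minutes, disabling users inactive for 90 days). The following is an added example, not code from the deck, of how those thresholds can be enforced as pure functions over an account record so they can be unit-tested independently of any directory or application. The Account dataclass, its fields and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds taken from the Req 8 bullets
MAX_INVALID_ATTEMPTS = 6
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    """Constructed account record for the example; real systems keep this in a directory."""
    user_id: str                          # unique per individual (Req 8)
    created: datetime                     # used as last activity if the user never logged in
    last_login: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False


def record_login_attempt(acct: Account, success: bool, now: datetime) -> bool:
    """Apply the lockout rule to one attempt; returns True if the account is locked.

    A locked or disabled account rejects every attempt without further evaluation,
    so an attacker cannot keep probing a locked ID.
    """
    if acct.locked or acct.disabled:
        return True
    if success:
        acct.failed_attempts = 0
        acct.last_login = now
        return False
    acct.failed_attempts += 1
    acct.locked = acct.failed_attempts >= MAX_INVALID_ATTEMPTS
    return acct.locked


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """Idle sessions are terminated once 15 minutes have passed without activity."""
    return now - last_activity >= IDLE_TIMEOUT


def accounts_to_disable(accounts: List[Account], now: datetime) -> List[str]:
    """Return user IDs whose last activity is 90 days or more in the past.

    Accounts that never logged in are measured from their creation date, so a
    provisioned-but-unused ID is also caught by the review.
    """
    stale = []
    for acct in accounts:
        if acct.disabled:
            continue
        last_activity = acct.last_login or acct.created
        if now - last_activity >= INACTIVITY_LIMIT:
            stale.append(acct.user_id)
    return sorted(stale)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    alice = Account("alice", created=now - timedelta(days=400), last_login=now - timedelta(days=1))
    for _ in range(MAX_INVALID_ATTEMPTS):
        locked = record_login_attempt(alice, False, now)
    print("alice locked:", locked)
    bob = Account("bob", created=now - timedelta(days=100))
    print("to disable:", accounts_to_disable([alice, bob], now))
```

The inactivity sweep is the piece most often missed in practice: it should run as a scheduled job over every account store in scope, including service and vendor IDs, and its output feeds the quarterly access review rather than silently disabling accounts without a record.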
Req 9: Restrict physical access to cardholder data
● Enable physical access control to the cardholder data environment
● Restrict access to publicly accessible network jacks
● Implement visitor access controls including badges, a log book, etc.
● Maintain strict control over the securing and distribution of media
● Approvals and monitoring in place for privileged user IDs
● Destroy media securely once the business retention period has passed
● Maintain a list of systems and monitor them periodically for any tampering
● Security policies and procedures in place restricting physical access to the cardholder data environment
Req 10: Track and monitor all access to network resources and cardholder data
● Automated audit trails to monitor user access, invalid attempts, and the stopping or pausing of audit logs
● Time synchronization for all systems
● Audit trails secured and non-alterable
● Review logs and security events to identify suspicious activity
● Review the security events daily
● A process in place for responding to security controls
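As an added example for the Req 10 bullets above (written for this page, not taken from the deck), a small review routine run over constructed syslog-style lines. It flags the three things the bullets ask a daily review to surface: repeated invalid attempts against one ID, a successful login that follows a run of failures from the same source, and events showing audit logging being stopped. The sample lines, host names, addresses and the message patterns are constructed for the example; a real review would match the formats of the actual log sources.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample log lines in a syslog-like shape; not from any real system.
SAMPLE_LOGS = """\
Jan 01 12:00:01 pos-db01 sshd[1201]: Failed password for appadmin from 10.0.5.7 port 51000
Jan 01 12:00:03 pos-db01 sshd[1201]: Failed password for appadmin from 10.0.5.7 port 51001
Jan 01 12:00:05 pos-db01 sshd[1201]: Failed password for appadmin from 10.0.5.7 port 51002
Jan 01 12:00:07 pos-db01 sshd[1201]: Failed password for appadmin from 10.0.5.7 port 51003
Jan 01 12:00:09 pos-db01 sshd[1201]: Accepted password for appadmin from 10.0.5.7 port 51004
Jan 01 12:05:00 pos-db01 auditd[512]: The audit daemon is exiting.
Jan 01 12:05:30 pos-db01 sudo: appadmin : TTY=pts/0 ; PWD=/home/appadmin ; USER=root ; COMMAND=/bin/systemctl stop auditd
Jan 01 12:06:00 pos-web02 sshd[2210]: Failed password for invalid user test from 203.0.113.9 port 40000
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUCCESS_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
# Audit daemon exiting, or a privileged command that stops it
AUDIT_STOP_RE = re.compile(
    r"auditd\[\d+\]: The audit daemon is exiting|COMMAND=\S*(?:systemctl stop auditd|service auditd stop)"
)

Finding = Tuple[str, str, str]  # (category, host, detail)


def host_of(line: str) -> str:
    """Host name is the fourth whitespace-separated field in the sample format."""
    parts = line.split()
    return parts[3] if len(parts) > 3 else "?"


def review_logs(lines: List[str], failed_threshold: int = 3) -> List[Finding]:
    """Return review findings in the order they can be established from the lines."""
    failed: Counter = Counter()          # (host, user, source) -> failure count so far
    findings: List[Finding] = []
    for line in lines:
        host = host_of(line)
        m = FAILED_RE.search(line)
        if m:
            failed[(host, m.group(1), m.group(2))] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m:
            prior = failed[(host, m.group(1), m.group(2))]
            if prior >= failed_threshold:
                findings.append(("success_after_failures", host,
                                 f"login for {m.group(1)} from {m.group(2)} after {prior} failures"))
            continue
        if AUDIT_STOP_RE.search(line):
            findings.append(("audit_stop", host, line.split(": ", 1)[1]))
    # Totals are only known once every line has been read
    for (host, user, src), n in sorted(failed.items()):
        if n >= failed_threshold:
            findings.append(("invalid_attempts", host, f"{n} invalid login attempts for {user} from {src}"))
    return findings


if __name__ == "__main__":
    for category, host, detail in review_logs(SAMPLE_LOGS.splitlines()):
        print(f"{category:24} {host:10} {detail}")
```

Because the audit-stop check relies on the log line reaching a central collector before the daemon goes down, the "audit trails secured and non-alterable" bullet is what makes this review trustworthy: logs that stay only on the host can be edited by the same privileged user who stopped the daemon.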
Req 11: Regularly test security systems and processes
● Implement a process for the quarterly review of wireless access points
● Maintain an inventory of wireless access points
● Have an incident response procedure for any unauthorized access points that are identified
● Run quarterly internal and external vulnerability scans and clear the high-severity results
● Run penetration tests according to industry-accepted standards
● Implement intrusion detection/prevention systems
Req 12: Maintain a policy that addresses information security for all personnel
● Publish and implement an organization-wide security policy that is reviewed annually
● Implement an annual risk assessment process
● Develop usage policies for critical systems and technologies
● Keep owner and contact information for critical systems available as part of the documentation
● Include security policy implementation in the hiring process
● Implement an incident response plan for any system breach
● Designate persons available to respond to alerts 24/7