PCI DSS Compliance Checklist: Prepare your environment for a PCI DSS assessment

Get Prepared For Your Upcoming PCI DSS Assessment

The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that store, process, and/or transmit cardholder data. Organizations can help prepare for a PCI DSS assessment by determining the scope and becoming familiar with the required security controls to achieve PCI DSS compliance. For some companies, determining which networks and systems are in scope feels like a moving target. When combined with the challenges unique to particular industries and organizational size, it comes as no surprise that properly applying and managing controls based on a checklist may still seem daunting. Partnering with the right QSA that understands your business environment and has relevant assessment experience, eliminates the guesswork so that you have a clearer picture of what is actually required and what steps are needed to get there. The Six Goals and checklist below includes implementation guidance, to support PCI DSS compliance. MegaplanIT can work with you to validate your scope and any applicable controls. Our assessors are experienced in conducting annual assessments, gap assessments, and advisory services to prepare you for annual assessments and provide guidance on business as usual processes throughout the year.

Build and Maintain a Secure Network and Systems With PCI DSS

• Install and maintain properly configurated firewalls to restrict inbound and outbound traffic to the cardholder data environment.
  • Ensure firewall rules are reviewed at least every 6 months. Maintain a record of the reviews.
• Remove vendor-supplied default settings.
  • Default passwords and settings should be changed for all system components.
• Follow documented configuration standards and hardening procedures.
• Maintain accurate and comprehensive data flow and network diagrams.
• Create an accurate inventory of in-scope systems to ensure the scope of the assessment is accurate.

Protect Stored Cardholder Data

• Encrypt stored cardholder data using industry-accepted encryption algorithms and keys.
  • Ensure the key custodians have acknowledged their key custodian responsibilities.
• Stored cardholder data should not exceed what is required in the Data Retention policy.
• Mask PAN when displayed unless there is a business need to view the full PAN.
• Encrypt the transmission of cardholder data across open, public networks.
• Wireless technologies transmitting cardholder data must be secured using strong encryption for authentication and transmission.

Vulnerability Management Program

• Protect systems against malware and update anti-virus programs regularly.
  • Ensure all in-scope systems commonly affected by malicious software have an anti-virus solution deployed.
  • The anti-virus definitions must be current and period scans must be performed.
• Develop and maintain secure systems and applications.
  • A process must be in place to identify and rank security vulnerabilities.
  • Critical security patches must be installed within one month of release.
• A software development process must be followed for internal and external software applications:
  • Development must be based on industry standards and/or best practices.
  • Common coding vulnerabilities should be addressed in the development process.
• Public-facing web applications must have application security assessments performed or have an automated technical solution that detects and prevents web-based attacks (eg. Web application firewalls).
• Change control processes must be followed and documented for all changes to system components.

Implement Strong Access Control Measures

• Restrict access to cardholder data and the cardholder data environment by business need to know.
  • Access should be authorized and approved prior to establishment.
  • Access should be regularly reviewed to ensure appropriate access is assigned.
• Identify and authenticate access to system components.
  • Users should be assigned unique user IDs.
  • Strong password configurations must be implemented.
  • Multi-factor authentication is required for all remote network access and non-console administrative access to the cardholder data environment.
  • Vendor accounts should be enabled only when needed and monitored when in use.

Restrict Physical Access to Cardholder Data

• Facility entry controls must be in place to limit physical access to systems in the cardholder data environment.
  • This can be controlled via badge readers or other access control mechanisms.
  • The access control mechanisms must keep a log of entries for at least three months.
• Procedures must be in place to distinguish between visitors and onsite personnel.
  • A visitor log must be maintained and stored for at least three months.
• Media containing cardholder data must be secured.
  • The movement of any media must be tracked.
  • Secure destruction procedures should be followed when disposing of media.
• Procedures must be established for securing devices that capture payment card data.
  • A list of devices must be maintained.
  • Personnel must be trained on how to inspect devices for tampering.

Regularly Monitor and Test Networks

• All-access to in-scope systems and cardholder data must be logged and monitored.
  • Logs must be secured from unauthorized access and modifications.
  • Logs must be reviewed daily or configured to alert on anomalies.
  • Logs must be stored for at least one year with three months immediately available for review.
• Time-synchronization technology must be in place.
  • Designated time servers should receive time from an industry-accepted external source.
  • All other systems should receive time from the designated time server(s).
• Service Providers must have processes in place to detect failures of security control systems.

Regularly Test Security Systems and Processes

• Processes must be in place to detect unauthorized wireless access points.
• Internal and external vulnerability scans must be performed at least quarterly and after any significant change in the network.
  • Internal re-scans must be performed until all high-risk vulnerabilities are remediated.
  • External scans must be performed via an Approved Scanning Vendor (ASV). Rescans must be performed until a passing scan is achieved.
• Internal, external, and application penetration testing (where applicable) must be performed at least annually or after any significant changes.
• Intrusion detection/prevention systems must be in place and should be configured to alert on suspected compromises.
• File Integrity Monitoring must be deployed and configured to alert personnel of unauthorized modifications.

Maintain an Information Security Policy

• Information Security Policies should be reviewed annually and disseminated to all internal and third-party personnel.
  • Policies should address areas such as employee acceptable use, service provider management, and employment pre-screening.
• Perform Risk Assessments at least annually and upon significant changes to the environment.
• Personnel should receive Security Awareness Training upon hire and annually.
• Maintain an Incident Response Plan and Incident Handling procedures.