2.1
Always change vendor-supplied defaults before installing a system on the network. This includes, for example, passwords and simple network management protocol (SNMP) community strings, as well as the elimination of unnecessary accounts.
2.2.1
Implement only one primary function per server.
2.2.2
Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function).
2.2.3
Configure system security parameters to prevent misuse.
2.2.4
Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
2.3
Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
3.4
Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography
- Truncation
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures
The MINIMUM account information that must be rendered unreadable is the PAN.
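The following is an added example, not text or code from the PCI DSS document itself, showing two of the approaches listed in 3.4 applied to the case the requirement calls out explicitly: PAN appearing in logs. It locates candidate card numbers in constructed log lines, confirms them with the Luhn checksum so that order IDs and timestamps are left alone, and replaces each PAN with a truncated form (first six and last four digits) plus a keyed one-way hash. The hash is keyed (HMAC-SHA256) rather than a bare SHA-256 because the space of valid 16-digit PANs behind a known issuer prefix is small enough to brute-force from an unkeyed hash; the key shown is a constructed placeholder and in practice must be generated, stored and rotated under the 3.5 and 3.6 controls below. The log lines, card numbers and key are all made up for the example.

```python
"""Added example: render PAN unreadable in log lines (PCI DSS 3.4 approaches:
truncation and a keyed one-way hash). Not part of the PCI DSS text."""
import hashlib
import hmac
import re

# Constructed log lines. The card numbers are well-known test numbers, not
# issued accounts; the third line carries a Luhn-invalid digit string that
# merely looks like a PAN and must be left untouched.
SAMPLE_LOG_LINES = [
    "2024-01-05 10:01:02 INFO  auth ok card=4111111111111111 amount=12.00",
    "2024-01-05 10:01:03 WARN  decline card=5500 0000 0000 0004 reason=avs",
    "2024-01-05 10:01:04 INFO  order id=1234567890123456 status=shipped",
    "2024-01-05 10:01:05 INFO  health check ok",
]

# Constructed placeholder key. A real deployment takes this from an HSM or
# key-management service and rotates it (3.6.4); it must never live in source.
HASH_KEY = b"example-only-not-a-real-key"

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits; replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(digits: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash: lets equal PANs be correlated without storing them,
    and cannot be brute-forced without the key."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its truncated form and a
    short keyed-hash reference; leave other digit runs unchanged."""
    def repl(match: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)          # not a card number
        return f"{truncate_pan(digits)} hmac={hash_pan(digits)[:16]}"
    return PAN_CANDIDATE.sub(repl, line)


def scrub_lines(lines):
    """Scrub a batch of log lines; this is the function to put in front of
    whatever writes the log, not behind it."""
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for out in scrub_lines(SAMPLE_LOG_LINES):
        print(out)
```

Scrubbing has to happen before the line reaches disk, the log shipper or a backup; a PAN that was written in clear and later masked has already been stored, which is exactly what 3.4 forbids.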
3.4.1
If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
3.4.1.b
Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
3.4.1.c
3.5
Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:
3.5.1
Restrict access to cryptographic keys to the fewest number of custodians necessary.
3.5.2
Store cryptographic keys securely in the fewest possible locations and forms.
3.6.1
Generation of strong cryptographic keys
3.6.2
Secure cryptographic key distribution
3.6.3
Secure cryptographic key storage
3.6.4
Periodic cryptographic key changes:
- As deemed necessary and recommended by the associated application (for example, re-keying), preferably automatically
- At least annually
3.6.5
Retirement or replacement of old or suspected compromised cryptographic keys
3.6.6
Split knowledge and establishment of dual control of cryptographic keys.
3.6.7
Prevention of unauthorized substitution of cryptographic keys
4.1
Use strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transmission over open, public networks.
6.1
Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2
Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
6.2.b
Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
7.1
Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
7.1.1
Restriction of access rights for privileged user IDs to the least privileges necessary to perform job responsibilities
7.1.2
Assignment of privileges based on individual personnel's job classification and function
7.1.4
Implementation of an automated access control system
8.1
Assign all users a unique ID before allowing them to access system components or cardholder data.
8.2
In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
- Password or passphrase
- Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
8.5
Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
8.5.1
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.5.2
Verify user identity before performing password resets.
8.5.4
Immediately revoke access for any terminated users.