| | PCI Data Security Requirement | What this requirement means to you... | How you can meet this requirement... |
|---|---|---|---|
| 1 | Install and maintain a firewall, and configure it to protect cardholder data. Firewall configuration review is mandatory at intervals of six months or less. | Establish configuration standards for firewalls and routers that deny access from untrusted sources and prevent access to cardholder data. Configure firewalls to prevent connections between public servers and cardholder data, including wireless networks. Install an application layer firewall in front of Web-facing applications. Periodic vulnerability testing is a requirement. | Install routers with built-in firewall technology. Verify the Windows firewall is enabled and configured correctly. All hardware and application firewalls, including routers, are subject to this requirement. Install firewall technology to protect any Web-based services, such as remote ordering systems. Set up a process for reviewing firewall configuration at least every six months, to verify configuration remains secure and unchanged. |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | Change vendor-supplied default user names and passwords before connecting to the network. Encrypt all non-console administrative access. | Be careful to change any user names and passwords already established as part of software and hardware you may install. Remote administration software, wireless access points, and routers are prime examples. |
| 3 | Protect stored cardholder data. | Keep data storage to a minimum, and do not store sensitive data after authorization. Never store the validation code or PIN, even if encrypted. When file deletion is required, delete the files securely to prevent the possibility of recovery. | Always upgrade to the latest version of Aloha validated against the applicable security standards. Configure Aloha per this document, to minimize data storage and to encrypt cardholder data when stored short-term. Obtain third-party technology, and establish a procedure and schedule for using it to securely delete files when file deletion is required. This requirement applies to any security-related files requiring deletion, based on data retention policies. |
| 4 | Encrypt transmission of cardholder data across open, public networks. | Use strong cryptography and security protocols to safeguard sensitive data transmission over public networks. Ensure all wireless networks are using the latest technology, complying with IEEE 802.11i wherever possible. Never send unencrypted customer data by email. | Make sure your operating system, including Internet Explorer, is up to date. Eliminate all use of WEP by the dates specified in the master specification, replacing hardware and software to support IEEE 802.11i. Constantly test your network to verify it is ‘snooper’ free. As a ‘best practice,’ we recommend immediate upgrade to the IEEE 802.11i standard. |
| | Maintain a Vulnerability Management Program | | |
| 5 | Use and regularly update antivirus and antispyware software. | Install a reputable antivirus program that is also capable of detecting and removing spyware and adware. Update it immediately upon installation, and continue to update it regularly. Daily is not too often. Configure the antivirus program to run continuously, and ensure that it is generating audit logs. You can use separate antivirus and antispyware programs, if you wish, as long as both fulfill the requirements. | Install and configure antivirus and antispyware software, per recommended parameters, for maximum security. Update the antivirus program and virus definitions every day, as a ‘best practice,’ including installations on all terminals. Terminals may require manual updates. |
| 6 | Develop and maintain secure systems and applications. | Obtain and install all operating system security patches and updates at least monthly. | Establish a schedule to obtain and install operating system updates for the server and the terminals. |
| | Implement Strong Access Control Measures | | |
| 7 | Restrict access to cardholder data by business need-to-know. | Limit access to computers and applications that may contain cardholder information only to those for whom it is necessary for their job functions. Use ‘need to know’ criteria, and exclude all others. | Use security policies that prevent unauthorized access, and provide physical access to the BOH file server only to employees who require it. |
| 8 | Assign a unique ID to each person with computer access. Store user passwords in an encrypted format. | Install the latest version of Aloha validated against the applicable data security standards, and implement unique IDs and strong passwords for anyone having access to Aloha Manager or Aloha EDC. Implement two-factor authentication wherever possible, especially for remote access. | Ensure authorized users have their own user name and an expiring, complex password. Require the user name and password, plus another authentication method, for remote access. |
| 9 | Restrict physical access to cardholder data. | Limit access to computers, printers, administrative terminals, or other devices that could hold cardholder data, especially between employees and visitors. Prevent unauthorized access to printed customer data records, such as receipts, and establish procedures, as laid out in the standards, for disposal. | Install all parts of the Aloha network except FOH terminals in areas to which only authorized personnel have access. Exclude access to these parts to non-management employees, if possible. Establish offsite storage for customer-related paper documents, and establish an acceptable destruction schedule and procedure. You must visit the storage facility at least annually, to monitor the security of the site. |
| | Regularly Monitor and Test Networks | | |
| 10 | Track and monitor all access to network resources and cardholder data. | Use extensive access and activity logging to monitor access to the system, and activities on the system, including audit trails for all critical functions. Ensure at least three months of log activity are available. | Activate this type of logging activity, which is built in to the Aloha system, in Aloha Manager. It is always active in EDC. |
| 11 | Regularly test security systems and processes. | Perform regular security tests to expose vulnerabilities in systems and processes. | Establish a schedule of physically examining and verifying that all security-related settings are set correctly in the Aloha system, and in any third-party programs that could impact security, including programs like PCAnywhere. You must undergo a PCI security scan by an Approved Scanning Vendor (ASV) on a quarterly basis. |
| | Maintain an Information Security Policy | | |
| 12 | Maintain a policy that addresses information security for employees and contractors. | Maintain a security policy that promulgates and explains these requirements, including approvals, authentication procedures, and more. This requirement includes maintaining a policy regarding remote access technologies, wireless technologies, removable electronic media, e-mail and Internet usage, laptops, or personal digital assistants (PDAs). | Create and maintain a system of explaining the security policy to all employees. In this system, discuss all requirements, authentication procedures, and more. Do not permit employee or customer memory cards, laptops, or PDAs in sensitive areas, and do not permit any e-mail or Internet access. |
| | Appendices — Additional Requirements | | |
| A | PCI DSS Applicability for Hosting Providers | Hosting providers protect the cardholder data environment. | Ask your hosting providers about the measures they take to protect cardholder data. |
| B | Compensating Controls | Requirement number three, above, may be difficult for some sites or some technologies. This Appendix permits alternate, or compensating, controls that accomplish the same level of safety by means other than those outlined in the requirement itself. | Create, configure, and request approval for any compensating, or alternate, methods you need to implement to protect cardholder data. If you can use standard configuration to accomplish this protection, do not establish alternate methods. |