Compliance Dashboard v0.6

Date post: 05-Apr-2018
  • 7/31/2019 Compliance Dashboard v0.6

    1/448

    V0.1 (Jan 2011): Requirements and testing procedures.

    V0.2 (Feb 2011): Add merchant type for each requirement.

    V0.3 (August 2011): Include Prioritized Approach milestones as defined by PCIco. Add a column "Priority" with PCIco milestones (1 to 6). Add a column "Status of implementation". Add a column "Estimated date to completion". Add sheet "Actors".

    V0.4 (October 2011): Add a sheet "What is my merchant Type?" with the full description of the merchant types. Add major observations from the 2011 Verizon PCI Compliance Report for each of the twelve requirements. Add a column "Validation instructions for QSA/ISA" from the newly released ROC-QSA Reporting Instruction Manual.

    V0.5 (November 2011): Add guidance for each requirement from "Navigating PCI DSS V2.0". Add a compensating control sheet for the definition and management of compensating controls; whenever a compensating control is present, refer to it in the "In place" column by its ID in the compensating controls sheet. Add Glossary.

    What's new?

    PCI Compliance Dashboard VERSION 0.5

    Please feel free to use this compliance dashboard spreadsheet to sustain your journey to PCI compliance, to support the discussion with your internal team, QSA and acquiring banks. Please send any comments, observations or suggestions to Didier_godart@rapid7.com

    2/448

    Compliance Dashboard home page

    More information

    PCI 30 seconds newsletter - PCI what are you talking about?
    PCI 30 seconds newsletter - Payment processing terminology and workflow
    PCI 30 seconds newsletter - Distributing roles
    PCI 30 seconds newsletter - Merchant levels
    PCI 30 seconds newsletter - What is your type?
    PCI 30 seconds newsletter - PCI DSS in a nutshell
    PCI 30 seconds newsletter - Define the scope of an assessment
    PCI 30 seconds newsletter - Certification program, striving for quality
    PCI 30 seconds newsletter - The validation toolbox
    PCI 30 seconds newsletter - Prioritized Approach
    PCI 30 seconds newsletter - Tokenization
    PCI 30 seconds newsletter - The gap analysis process
    PCI 30 seconds newsletter - Compensating controls, magic trick or mirage?
    PCI 30 seconds newsletter - The world is not perfect!
    PCI 30 seconds newsletter - Nice look!
    Thoughts on the Verizon PCI Compliance Report
    Can I use compensating controls to resolve vulnerabilities found during a scan?
    What to do if my organization can't demonstrate four passing internal or external scans?
    Verizon 2011 PCI Compliance Report

    V0.6 (December 2011):

    Add an Executive Summary tab including # of requirements, % of compliance and Severity (sum of all severities), depending on the selected merchant type.

    Add a Charts tab including Severity per requirement and % compliance per requirement.

    Add a Severity column (= PCI-defined priority for not-in-place requirements).

    Add list boxes for In place/Not in place and Compensating control present.

    All sheets are protected to avoid accidental deletion (no password).

    Instructions:

    1. Select your merchant type within the sheet "Executive summary".
    2. Select the appropriate answer for each requirement (column L: Y/N/C).
    3. Use the compensating controls sheet to describe your controls whenever used.
    4. View your compliance progress through the "Executive summary" and "Charts" sheets.
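The roll-up that the Executive summary and Charts tabs perform, written out as an added Python example (not the spreadsheet's own formulas). It assumes that an answer of C (compensating control) counts as in place and is also tallied in the compensating-controls column, that Severity is the sum of the Prioritized Approach priorities of the rows answered N, and that an answer of C must point at an ID present on the compensating controls sheet; the rows and priorities are constructed sample data.

```python
"""Executive-summary roll-up for the PCI DSS compliance dashboard.

Added example, not the spreadsheet's own formulas.  For the merchant type
selected in cell B3 it counts, per requirement, the applicable rows, how
many are in place, not in place or covered by a compensating control, the
% compliance, and the Severity (sum of the PCI-defined priorities of rows
that are not in place).  Assumption: a row answered "C" counts as in place
and is also tallied in the compensating-controls column.  Rows below are
constructed sample data, not the dashboard's real requirement list.
"""
from dataclasses import dataclass
from typing import Optional

MERCHANT_TYPES = ("A", "B", "C", "C-VT", "D")   # allowed values of cell B3
ALL = frozenset(MERCHANT_TYPES)
STATUSES = ("Y", "N", "C")                      # column L list box


@dataclass(frozen=True)
class Item:
    requirement: int             # PCI DSS requirement 1..12
    ref: str                     # sub-requirement label, e.g. "1.1.1"
    priority: int                # Prioritized Approach milestone 1..6
    merchant_types: frozenset    # merchant types the row applies to
    status: str                  # "Y" in place, "N" not in place, "C" compensating control
    cc_id: Optional[int] = None  # ID on the compensating controls sheet when status == "C"


def applicable(items, merchant_type):
    """Rows relevant to the selected merchant type."""
    if merchant_type not in MERCHANT_TYPES:
        raise ValueError(f"merchant type must be one of {MERCHANT_TYPES}")
    return [i for i in items if merchant_type in i.merchant_types]


def summarize(items, merchant_type):
    """Per-requirement counts as shown on the Executive summary tab."""
    rows = {}
    for item in applicable(items, merchant_type):
        if item.status not in STATUSES:
            raise ValueError(f"{item.ref}: status must be Y, N or C, got {item.status!r}")
        r = rows.setdefault(item.requirement, {
            "total": 0, "in_place": 0, "not_in_place": 0,
            "compensating": 0, "severity": 0})
        r["total"] += 1
        if item.status == "N":
            r["not_in_place"] += 1
            r["severity"] += item.priority   # Severity = priority of not-in-place rows
        else:
            r["in_place"] += 1               # assumption: "C" counts as in place
            if item.status == "C":
                r["compensating"] += 1
    for r in rows.values():
        r["pct_compliance"] = round(100 * r["in_place"] / r["total"])
    return rows


def overall(summary):
    """Totals across all requirements (overall % compliance and total Severity)."""
    total = sum(r["total"] for r in summary.values())
    in_place = sum(r["in_place"] for r in summary.values())
    severity = sum(r["severity"] for r in summary.values())
    pct = round(100 * in_place / total) if total else 0
    return {"total": total, "in_place": in_place,
            "pct_compliance": pct, "severity": severity}


def dangling_compensating_refs(items, cc_sheet_ids):
    """Rows answered "C" whose cc_id is not on the compensating controls sheet."""
    return [i.ref for i in items
            if i.status == "C" and i.cc_id not in cc_sheet_ids]


# Constructed sample rows (labels, priorities and scoping are illustrative).
SAMPLE_ITEMS = [
    Item(1, "1.1.1", 2, ALL, "Y"),
    Item(1, "1.1.2", 2, ALL, "Y"),
    Item(1, "1.2.1", 2, frozenset({"C", "C-VT", "D"}), "N"),
    Item(3, "3.2",   1, ALL, "N"),
    Item(3, "3.4",   3, frozenset({"C", "D"}), "C", cc_id=1),
    Item(3, "3.5.1", 3, frozenset({"D"}), "N"),
    Item(8, "8.1",   4, frozenset({"C", "D"}), "Y"),
    Item(8, "8.5.1", 4, ALL, "C", cc_id=7),   # ID 7 is not on the sheet below
]
SAMPLE_CC_SHEET_IDS = {1, 2}   # IDs filled in on the compensating controls sheet

if __name__ == "__main__":
    s = summarize(SAMPLE_ITEMS, "D")
    for req in sorted(s):
        print(req, s[req])
    print("overall", overall(s))
    print("C answers without a compensating control entry:",
          dangling_compensating_refs(SAMPLE_ITEMS, SAMPLE_CC_SHEET_IDS))
```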

    3/448

    Contributor

    Peter Hill

    Didier Godart
    Risk Product Manager
    Rapid7
    +32 498787744
    SkypeID Dgozone
    [email protected]

    About Didier   About Rapid7   Join the community!
    4/448

    Swathy Anand
    Vice President - Project Management
    Fuze Network
    [email protected]

    About Swathy   About Fuze Network
    5/448

    ORGANIZATION NAME

    Merchant Type: D

    PCI-DSS Requirement | % compliance | # of requirements | # in place | # not in place | # compensating controls | Severity
    1  | 100% | 28 | 28 |  0 | 0 |   0
    2  |   0% | 26 |  0 | 26 | 0 |  67
    3  |   5% | 37 |  2 | 35 | 0 | 135
    4  |   0% |  9 |  0 |  9 | 0 |  18
    5  |   0% |  7 |  0 |  7 | 0 |  14
    6  |   0% | 36 |  0 | 36 | 0 | 129
    7  |   0% |  9 |  0 |  9 | 0 |  36
    8  |   0% | 33 |  0 | 33 | 0 | 111
    9  |   0% | 29 |  0 | 29 | 0 | 111
    10 |   0% | 33 |  0 | 33 | 0 | 132
    11 |   0% | 25 |  0 | 25 | 0 |  64
    12 |   0% | 44 |  0 | 44 | 0 | 216

    You MUST enter in cell B3 your Merchant type (A, B, C, C-VT, D)

    6/448

    [Chart: PCI Severity per requirement (bar chart of the Severity column for requirements 1 to 12)]

    7/448

    [Chart: Compliance % per requirement (bar chart of the % compliance column for requirements 1 to 12)]

    10/448

    Actors sheet columns: Name | Firstname | Email | Tel | Function | Areas of expertise | Section 1 | Section 2 | Section 3 | Section 4 | Section 5 | Section 6 | Section 7 | Section 8 | Section 9 | Section 10 | Section 11 | Section 12

    12/448

    What is your merchant type? - Select your merchant Type

    Type  Description

    A     Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

    B     Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.

    C-VT  Merchants using only web-based virtual terminals, no electronic cardholder data storage.

    C     Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

    D     All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

    13/448

    Compensating Control Id | Constraints | Objective | Identified Risk

    # | List constraints precluding compliance with the original requirement. | Define the objective of the original control; identify the objective met by the compensating control. | Identify any additional risk posed by the lack of the original control.

    Rows with ids 1 to 12 (empty, to be filled in by the organization).

    15/448

    AAA: Acronym for authentication, authorization, and accounting. Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.

    Access Control: Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.

    Account Data: Account data consists of cardholder data plus sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

    Account Number: See Primary Account Number (PAN).

    Acquirer: Also referred to as acquiring bank or acquiring financial institution. Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.

    Adware: Type of malicious software that, when installed, forces a computer to automatically display or download advertisements.

    AES: Abbreviation for Advanced Encryption Standard. Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or FIPS 197).

    ANSI: Acronym for American National Standards Institute. Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.

    Anti-Virus: Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called malware) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.

    Application: Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.

    Audit Log: Also referred to as audit trail. Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.

    Audit Trail: See Audit Log.

    ASV: Acronym for Approved Scanning Vendor. Company approved by the PCI SSC to conduct external vulnerability scanning services.

    16/448

    Authentication: Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
        Something you know, such as a password or passphrase
        Something you have, such as a token device or smart card
        Something you are, such as a biometric

    Authentication Credentials: Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.

    Authorization: Granting of access or other rights to a user, program, or process. For a network, authorization defines what an individual or program can do after successful authentication. For the purposes of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.

    Backup: Duplicate copy of data made for archiving purposes or for protecting against damage or loss.

    Bluetooth: Wireless protocol using short-range communications technology to facilitate transmission of data over short distances.

    Cardholder: Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.

    Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

    Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.

    17/448

    Card Verification Code or Value: Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
    (1) Data element on a card's magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
        CAV   Card Authentication Value (JCB payment cards)
        CVC   Card Validation Code (MasterCard payment cards)
        CVV   Card Verification Value (Visa and Discover payment cards)
        CSC   Card Security Code (American Express)
    (2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand:
        CID   Card Identification Number (American Express and Discover payment cards)
        CAV2  Card Authentication Value 2 (JCB payment cards)
        CVC2  Card Validation Code 2 (MasterCard payment cards)
        CVV2  Card Verification Value 2 (Visa payment cards)

    CERT: Acronym for Carnegie Mellon University's Computer Emergency Response Team. The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.

    CIS: Acronym for Center for Internet Security. Non-profit enterprise with the mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.

    Column-Level Database Encryption: Technique or technology (either software or hardware) for encrypting the contents of a specific column in a database versus the full contents of the entire database. Alternatively, see Disk Encryption or File-Level Encryption.

    18/448

    Compensating Controls: Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
    (1) Meet the intent and rigor of the original PCI DSS requirement;
    (2) Provide a similar level of defense as the original PCI DSS requirement;
    (3) Be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
    (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
    See Compensating Controls Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.

    Compromise: Also referred to as data compromise, or data breach. Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.

    Console: Screen and keyboard which permit access to and control of a server, mainframe computer or other system type in a networked environment.

    Consumer: Individual purchasing goods, services, or both.

    Cryptography: Discipline of mathematics and computer science concerned with information security, particularly encryption and authentication. In applications and network security, it is a tool for access control, information confidentiality, and integrity.

    Database: Structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets.

    Database Administrator: Also referred to as DBA. Individual responsible for managing and administering databases.

    Default Accounts: Login account predefined in a system, application, or device to permit initial access when the system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.

    Default Password: Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with a default account. Default accounts and passwords are published and well known, and therefore easily guessed.

    19/448

    Degaussing: Also called disk degaussing. Process or technique that demagnetizes the disk such that all data stored on the disk is permanently destroyed.

    Disk Encryption: Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt the contents of specific files or columns.

    DMZ: Abbreviation for demilitarized zone. Physical or logical sub-network that provides an additional layer of security to an organization's internal private network. The DMZ adds an additional layer of network security between the Internet and an organization's internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network.

    DNS: Acronym for Domain Name System or domain name server. System that stores information associated with domain names in a distributed database on networks such as the Internet.

    DSS: Acronym for Data Security Standard, also referred to as PCI DSS.

    Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge.)

    Dynamic Packet Filtering: See Stateful Inspection.

    ECC: Acronym for Elliptic Curve Cryptography. Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.

    Egress Filtering: Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.

    Encryption: Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. See Strong Cryptography.

    Encryption Algorithm: A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.

    20/448

    Entity: Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.

    File Integrity Monitoring: Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.

    File-Level Encryption: Technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption or Column-Level Database Encryption.

    FIPS: Acronym for Federal Information Processing Standards. Standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.

    Firewall: Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.

    Forensics: Also referred to as computer forensics. As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.

    FTP: Acronym for File Transfer Protocol. Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology.

    GPRS: Acronym for General Packet Radio Service. Mobile data service available to users of GSM mobile phones. Recognized for efficient use of limited bandwidth. Particularly suited for sending and receiving small bursts of data, such as e-mail and web browsing.

    GSM: Acronym for Global System for Mobile Communications. Popular standard for mobile phones and networks. Ubiquity of the GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world.

    21/448

    Hashing: Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. Hashing is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a hash code or message digest). A hash function should have the following properties:
    (1) It is computationally infeasible to determine the original input given only the hash code;
    (2) It is computationally infeasible to find two inputs that give the same hash code.
    In the context of PCI DSS, hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data includes a salt value as input to the hashing function (see Salt).

    Host: Main computer hardware on which computer software is resident.

    Hosting Provider: Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of shopping cart options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.

    HTTP: Acronym for hypertext transfer protocol. Open internet protocol to transfer or convey information on the World Wide Web.

    HTTPS: Acronym for hypertext transfer protocol over secure socket layer. Secure HTTP that provides authentication and encrypted communication on the World Wide Web, designed for security-sensitive communication such as web-based logins.

    Hypervisor: Software or firmware responsible for hosting and managing virtual machines. For the purposes of PCI DSS, the hypervisor system component also includes the virtual machine monitor (VMM).

    ID: Identifier for a particular user or application.

    22/448

    IDS: Acronym for intrusion detection system. Software or hardware used to identify and alert on network or system intrusion attempts. Composed of sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses a system of rules to generate alerts in response to security events detected.

    IETF: Acronym for Internet Engineering Task Force. Large, open international community of network designers, operators, vendors, and researchers concerned with the evolution of Internet architecture and the smooth operation of the Internet. The IETF has no formal membership and is open to any interested individual.

    Index Token: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.

    Information Security: Protection of information to ensure confidentiality, integrity, and availability.

    Information System: Discrete set of structured data resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

    Ingress Filtering: Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.

    Insecure Protocol/Service/Port: A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data and authentication credentials (e.g., password/passphrase in clear-text over the Internet), or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

    IP: Acronym for internet protocol. Network-layer protocol containing address information and some control information that enables packets to be routed. IP is the primary network-layer protocol in the Internet protocol suite.

    IP Address: Also referred to as internet protocol address. Numeric code that uniquely identifies a particular computer on the Internet.

    IP Address Spoofing: Attack technique used by a malicious individual to gain unauthorized access to computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.

    IPS: Acronym for intrusion prevention system. Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion.

    IPSEC: Abbreviation for Internet Protocol Security. Standard for securing IP communications by encrypting and/or authenticating all IP packets. IPSEC provides security at the network layer.

    23/448

    ISO: Better known as International Organization for Standardization. Non-governmental organization consisting of a network of the national standards institutes of over 150 countries, with one member per country and a central secretariat in Geneva, Switzerland, that coordinates the system.

    Issuer: Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as issuing bank or issuing financial institution.

    Issuing Services: Examples of issuing services may include but are not limited to authorization and card personalization.

    Key: In cryptography, a key is a value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.

    Key Management: In cryptography, it is the set of processes and mechanisms which support key establishment and maintenance, including replacing older keys with new keys as necessary.

    LAN: Acronym for local area network. A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.

    LDAP: Acronym for Lightweight Directory Access Protocol. Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.

    Log: See Audit Log.

    LPAR: Abbreviation for logical partition. A system of subdividing, or partitioning, a computer's total resources (processors, memory and storage) into smaller units that can run with their own, distinct copy of the operating system and applications. Logical partitioning is typically used to allow the use of different operating systems and applications on a single device. The partitions may or may not be configured to communicate with each other or share some resources of the server, such as network interfaces.


    MAC: Acronym for message authentication code. In cryptography, it is a small piece of information used to authenticate a message. See Strong Cryptography.

    MAC Address: Abbreviation for media access control address. Unique identifying value assigned by manufacturers to network adapters and network interface cards.

    Magnetic-Stripe Data: Also referred to as track data. Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.

    Mainframe: Computers that are designed to handle very large volumes of data input and output and emphasize throughput computing. Mainframes are capable of running multiple operating systems, making it appear like it is operating as multiple computers. Many legacy systems have a mainframe design.

    Malicious Software / Malware: Software designed to infiltrate or damage a computer system without the owner's knowledge or consent. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.

    Masking: In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.

    Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

    Monitoring: Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.

    MPLS: Acronym for multi protocol label switching. Network or telecommunications mechanism designed for connecting a group of packet-switched networks.


    NAT: Acronym for network address translation. Known as network masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network.

    Network: Two or more computers connected together via physical or wireless means.

    Network Administrator: Personnel responsible for managing the network within an entity. Responsibilities typically include but are not limited to network security, installations, upgrades, maintenance and activity monitoring.

    Network Components: Include, but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

    Network Security Scan: Process by which an entity's systems are remotely checked for vulnerabilities through use of manual or automated tools. Security scans that include probing internal and external systems and reporting on services exposed to the network. Scans may identify vulnerabilities in operating systems, services, and devices that could be used by malicious individuals.

    Network Segmentation: Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement. See System Components.

    NIST: Acronym for National Institute of Standards and Technology. Non-regulatory federal agency within U.S. Commerce Department's Technology Administration. Their mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology to enhance economic security and improve quality of life.

    NMAP: Security-scanning software that maps networks and identifies open ports in network resources.

    Non-Consumer Users: Individuals, excluding cardholders, who access system components, including but not limited to employees, administrators, and third parties.

    NTP: Acronym for Network Time Protocol. Protocol for synchronizing the clocks of computer systems, network devices and other system components.


    Off-the-Shelf: Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.

    Operating System / OS: Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples of operating systems include Microsoft Windows, Mac OS, Linux and Unix.

    OWASP: Acronym for Open Web Application Security Project. A non-profit organization focused on improving the security of application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).

    PA-QSA: Acronym for Payment Application Qualified Security Assessor, company approved by the PCI SSC to conduct assessments on payment applications against the PA-DSS.

    PAN: Acronym for primary account number and also referred to as account number. Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

    Password / Passphrase: A string of characters that serves as an authenticator of the user.

    Pad: In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.

    Parameterized Queries: A means of structuring SQL queries to limit escaping and thus prevent injection attacks.

    PAT: Acronym for port address translation and also referred to as network address port translation. Type of NAT that also translates the port numbers.

    Patch: Update to existing software to add functionality or to correct a defect.

    Payment Application: Any application that stores, processes, or transmits cardholder data as part of authorization or settlement.

    Payment Cards: For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.


    PCI: Acronym for Payment Card Industry.

    PDA: Acronym for personal data assistant or personal digital assistant. Handheld mobile devices with capabilities such as mobile phones, e-mail, or web browser.

    PED: PIN entry device.

    Penetration Test: Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.

    Personnel: Full-time and part-time employees, temporary employees, contractors, and consultants who are resident on the entity's site or otherwise have access to the cardholder data environment.

    Personally Identifiable Information: Information that can be utilized to identify an individual including but not limited to name, address, social security number, phone number, etc.

    PIN: Acronym for personal identification number. Secret numeric password known only to the user and a system to authenticate the user to the system. The user is only granted access if the PIN the user provided matches the PIN in the system. Typical PINs are used for automated teller machines for cash advance transactions. Another type of PIN is one used in EMV chip cards where the PIN replaces the cardholder's signature.

    PIN Block: A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the PIN block and how it is processed to retrieve the PIN. The PIN block is composed of the PIN, the PIN length, and may contain a subset of the PAN.

    POI: Acronym for Point of Interaction, the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.

    Policy: Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.

    POS: Acronym for point of sale. Hardware and/or software used to process payment card transactions at merchant locations.

    Private Network: Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers.

    Procedure: Descriptive narrative for a policy. Procedure is the "how to" for a policy and describes how the policy is to be implemented.


    Protocol: Agreed-upon method of communication used within networks. Specification describing rules and procedures that computer products should follow to perform activities on a network.

    PTS: Acronym for PIN Transaction Security, PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals. Please refer to www.pcisecuritystandards.org.

    Public Network: Network established and operated by a telecommunications provider, for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks in scope of the PCI DSS include, but are not limited to, the Internet, wireless, and mobile technologies.

    PVV: Acronym for PIN verification value. Discretionary value encoded in magnetic stripe of payment card.

    QSA: Acronym for Qualified Security Assessor, company approved by the PCI SSC to conduct PCI DSS on-site assessments.

    RADIUS: Abbreviation for Remote Authentication Dial-In User Service. Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.

    RBAC: Acronym for role-based access control. Control used to restrict access by specific authorized users based on their job responsibilities.

    Remote Access: Access to computer networks from a remote location, typically originating from outside the network. An example of technology for remote access is VPN.

    Removable Electronic Media: Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and removable hard drives.

    ROC: Report on Compliance. Report containing details documenting an entity's compliance status with the PCI DSS.


    Report on Validation: Also referred to as ROV. Report containing details documenting a payment application's compliance with the PCI PA-DSS.

    Re-keying: Process of changing cryptographic keys. Periodic re-keying limits the amount of data encrypted by a single key.

    Remote Lab Environment: A lab that is not maintained by the PA-QSA.

    Reseller / Integrator: An entity that sells and/or integrates payment applications but does not develop them.

    RFC 1918: The standard identified by the Internet Engineering Task Force (IETF) that defines the usage and appropriate address ranges for private (non-internet routable) networks.

    Risk Analysis / Risk Assessment: Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

    Rootkit: Type of malicious software that, when installed without authorization, is able to conceal its presence and gain administrative control of a computer system.

    Router: Hardware or software that connects two or more networks. Functions as sorter and interpreter by looking at addresses and passing bits of information to proper destinations. Software routers are sometimes referred to as gateways.

    RSA: Algorithm for public-key encryption described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at Massachusetts Institute of Technology (MIT); letters RSA are the initials of their surnames.

    Salt: Random string that is concatenated with other data prior to being operated on by a hash function. See also Hash.

    Sampling: The process of selecting a cross-section of a group that is representative of the entire group. Sampling may be used by assessors to reduce overall testing efforts, when it is validated that an entity has standard, centralized PCI DSS security and operational processes and controls in place. Sampling is not a PCI DSS requirement.

    SANS: Acronym for SysAdmin, Audit, Networking and Security, an institute that provides computer security training and professional certification. (See www.sans.or

    Scoping: Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.


    SDLC: Acronym for system development life cycle. Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.

    Secure Coding: The process of creating and implementing applications that are resistant to tampering and/or compromise.

    Secure Wipe: Also called secure delete, a program utility used to delete specific files permanently from a computer system.

    Security Officer: Primary responsible person for an entity's security-related affairs.

    Security Policy: Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

    Security Protocols: Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to SSL/TLS, IPSEC, SSH, etc.

    SAQ: Acronym for Self-Assessment Questionnaire. Tool used by any entity to validate its own compliance with the PCI DSS.

    Sensitive Area: Any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present such as the cashier areas in a retail store.

    Sensitive Authentication Data: Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.

    Separation of Duties: Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.

    Server: Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to web, database, application, authentication, DNS, mail, proxy, and NTP.

    Service Code: Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.


    Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.

    SHA-1/SHA-2: Acronym for Secure Hash Algorithm. A family or set of related cryptographic hash functions including SHA-1 and SHA-2. See Strong Cryptography.

    Smart Card: Also referred to as chip card or IC card (integrated circuit card). A type of payment card that has integrated circuits embedded within. The circuits, also referred to as the chip, contain payment card data including but not limited to data equivalent to the magnetic-stripe data.

    SNMP: Acronym for Simple Network Management Protocol. Supports monitoring of network attached devices for any conditions that warrant administrative attention.

    Spyware: Type of malicious software that, when installed, intercepts or takes partial control of the user's computer without the user's consent.

    SQL: Acronym for Structured Query Language. Computer language used to create, modify, and retrieve data from relational database management systems.

    SQL Injection: Form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database.

    SSH: Abbreviation for Secure Shell. Protocol suite providing encryption for network services like remote login or remote file transfer.

    SSL: Acronym for Secure Sockets Layer. Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel.

    Stateful Inspection: Also called dynamic packet filtering, it is a firewall capability that provides enhanced security by keeping track of communications packets. Only incoming packets with a proper response (established connections) are allowed through the firewall.


    Strong Cryptography: Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or "one way"). Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.

    SysAdmin: Abbreviation for system administrator. Individual with elevated privileges who is responsible for managing a computer system or network.

    System Components: Any network component, server, or application included in or connected to the cardholder data environment.

    System-level object: Anything on a system component that is required for its operation, including but not limited to application executable and configuration files, system configuration files, static and shared libraries & DLLs, system executables, device drivers and device configuration files, and added third-party components.

    TACACS: Acronym for Terminal Access Controller Access Control System. Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.

    TCP: Acronym for Transmission Control Protocol. Basic communication language or protocol of the Internet.

    TDES: Acronym for Triple Data Encryption Standard and also known as 3DES or Triple DES. Block cipher formed from the DES cipher by using it three times. See Strong Cryptography.

    TELNET: Abbreviation for telephone network protocol. Typically used to provide user-oriented command line login sessions to devices on a network. User credentials are transmitted in clear text.

    Threat: Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.


    TLS: Acronym for Transport Layer Security. Designed with goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.

    Token: A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.

    Transaction Data: Data related to electronic payment card transaction.

    Trojan: Also referred to as Trojan horse. A type of malicious software that, when installed, allows a user to perform a normal function while the Trojan performs malicious functions to the computer system without the user's knowledge.

    Truncation: Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc. See Masking for protection of PAN when displayed on screens, paper receipts, etc.

    Trusted Network: Network of an organization that is within the organization's ability to control or manage.

    Two-Factor Authentication: Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as hardware or software token), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints or other forms of biometrics).

    Untrusted Network: Network that is external to the networks belonging to an organization and which is out of the organization's ability to control or manage.

    Virtualization: Virtualization refers to the logical abstraction of computing resources from physical constraints. One common abstraction is referred to as virtual machines or VMs, which takes the content of a physical machine and allows it to operate on different physical hardware and/or along with other virtual machines on the same physical hardware. In addition to VMs, virtualization can be performed on many other computing resources, including applications, desktops, networks, and storage.

    Virtual Machine Monitor (VMM): The VMM is included with the hypervisor and is software that implements virtual machine hardware abstraction. It manages the system's processor, memory, and other resources to allocate what each guest operating system requires.


    Virtual Machine: A self-contained operating environment that behaves like a separate computer. It is also known as the Guest, and runs on top of a hypervisor.

    Virtual Appliance (VA): A VA takes the concept of a pre-configured device for performing a specific set of functions and runs this device as a workload. Often, an existing network device is virtualized to run as a virtual appliance, such as a router, switch, or firewall.

    Virtual Switch or Router: A virtual switch or router is a logical entity that presents network infrastructure level data routing and switching functionality. A virtual switch is an integral part of a virtualized server platform such as a hypervisor driver, module, or plug-in.

    Virtual Terminal: A virtual terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

    VLAN: Abbreviation for virtual LAN or virtual local area network. Logical local area network that extends beyond a single traditional physical local area network.

    VPN: Acronym for virtual private network. A computer network in which some of the connections are virtual circuits within some larger network, such as the Internet, instead of direct connections by physical wires. The end points of the virtual network are said to be tunneled through the larger network when this is the case. While a common application consists of secure communications through the public Internet, a VPN may or may not have strong security features such as authentication or content encryption. A VPN may be used with a token, smart card, etc., to provide two-factor authentication.

    Vulnerability: Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

    WAN: Acronym for wide area network. Computer network covering a large area, often a regional or company wide computer system.

    Web Application: An application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network.


    Web Server: Computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages).

    WEP: Acronym for Wired Equivalent Privacy. Weak algorithm used to encrypt wireless networks. Several serious weaknesses have been identified by industry experts such that a WEP connection can be cracked with readily available software within minutes. See WPA.

    Wireless Access Point: Network that connects computers without a physical connection to wires.

    WLAN: Acronym for wireless local area network. Local area network that links two or more computers or devices without wires.

    WPA/WPA2: Acronym for WiFi Protected Access. Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.


    PCI DSS Requirement NEW - Guidance

    Major Observations from the Verizon 2011 PCI Compliance Report:

    44 percent compliance, compared to the 46 percent who were found compliant in previous report

    The most difficult part of meeting this requirement is the documentation of network device configurations, with o

    Documentation exists; however, it is frequently outdated.

    Restricting inbound access (PCI Requirement 1.2.1) continues to be an issue for many being audited, with 23 perc

    Insecure traffic, such as FTP and Telnet, is still flowing through many networks.

    Most businesses don't have anyone with the time to dig into every rule in the firewalls to understand the complet


    1.1 Establish firewall and router configuration standards that include the following:

    Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network. Without policies and procedures in place to document how staff should configure firewalls and routers, a business could easily lose its first line of defense in data-protection. The policies and procedures will help to ensure that the organization's first line of defense in the protection of its data remains strong.

    Virtual environments where data flows do not transit a physical network should be assessed to ensure appropriate network segmentation is achieved.

    1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations

    A policy and process for approving and testing all connections and changes to the firewalls and routers will help prevent security problems caused by misconfiguration of the network, router, or firewall.

    Data flows between virtual machines should be included in policy and process.

    1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks

    Network diagrams enable the organization to identify the location of all its network devices. Additionally, the network diagram can be used to map the data flow of cardholder data across the network and between individual devices in order to fully understand the scope of the cardholder data environment. Without current network and data flow diagrams, devices with cardholder data may be overlooked and may unknowingly be left out of the layered security controls implemented for PCI DSS and thus vulnerable to compromise.

    Network and data flow diagrams should include virtual system components and document intra-host data flows.


    1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

    Using a firewall on every connection coming into (and out of) the network allows the organization to monitor and control access in and out, and to minimize the chances of a malicious individual obtaining access to the internal network.

    1.1.4 Description of groups, roles, and responsibilities for logical management of network components

    This description of roles and assignment of responsibility ensures that someone is clearly responsible for the security of all components and is aware of their responsibility, and that no devices are left unmanaged.

    1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

    Compromises often happen due to unused or insecure services and ports, since these often have known vulnerabilities, and many organizations are vulnerable to these types of compromises because they do not patch security vulnerabilities for services, protocols, and ports they don't use (even though the vulnerabilities are still present). Each organization should clearly decide which services, protocols, and ports are necessary for their business, document them for their records, and ensure that all other services, protocols, and ports are disabled or removed. Also, organizations should consider blocking all traffic and only re-opening those ports once a need has been determined and documented.

    Additionally, there are many services, protocols, or ports that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. If these insecure services, protocols, or ports are necessary for business, the risk posed by use of these protocols should be clearly understood and accepted by the organization, the use of the protocol should be justified, and the security features that allow these protocols to be used securely should be documented and implemented. If these insecure services, protocols, or ports are not necessary for business, they should be disabled or removed.


    1.1.6 Requirement to review firewall and router rule sets at least every six months

    This review gives the organization an opportunity at least every six months to clean up any unneeded, outdated, or incorrect rules, and ensure that all rule sets allow only authorized services and ports that match business justifications.

    It is advisable to undertake these reviews on a more frequent basis, such as monthly, to ensure that the rule sets are current and match the needs of the business without opening security holes and running unnecessary risks.

    1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

    Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

    It is essential to install network protection, namely a system component with (at a minimum) stateful inspection firewall capability, between the internal, trusted network and any other untrusted network that is external and/or out of the entity's ability to control or manage. Failure to implement this measure correctly means that the entity will be vulnerable to unauthorized access by malicious individuals or software.

    If firewall functionality is installed but does not have rules that control or limit certain traffic, malicious individuals may still be able to exploit vulnerable protocols and ports to attack your network.

    1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.

    This requirement is intended to prevent malicious individuals from accessing the organization's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within your network out to an untrusted server).

    All firewalls should include a rule that denies all inbound and outbound traffic not specifically needed. This will prevent inadvertent holes that would allow other, unintended and potentially harmful traffic in or out.


    1.2.2 Secure and synchronize router configuration files.

    While running configuration files are usually implemented with secure settings, the start-up files (routers run these files only upon re-start) may not be implemented with the same secure settings because they only run occasionally. When a router re-starts without the same secure settings as those in the running configuration files, the result may be weaker rules that allow malicious individuals into the network.

    1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

    The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without a company's knowledge, a malicious individual could easily and invisibly enter the network. If firewalls do not restrict access from wireless networks into the payment card environment, malicious individuals that gain unauthorized access to the wireless network can easily connect to the payment card environment and compromise account information.

    Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, warehouse environments, etc.

    1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

    A firewall's intent is to manage and control all connections between public systems and internal systems (especially those that store, process or transmit cardholder data). If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.

    1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

    The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and internal services that an organization needs to have available to the public (like a web server). It is the first line of defense in isolating and separating traffic that needs to communicate with the internal network from traffic that does not.

    This functionality is intended to prevent malicious individuals from accessing the organization's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.


    1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

    Termination of IP connections at the DMZ provides opportunity for inspection and restriction of source/destination, and/or inspection/blocking of content, thus preventing unfiltered access between untrusted and trusted environments.

    1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

    Termination of IP connections both inbound and outbound provides opportunity for inspection and restriction of source/destination, and/or inspection/blocking of content, thus preventing unfiltered access between untrusted and trusted environments. This helps prevent, for example, malicious individuals from sending data they've obtained from within your network out to an external untrusted server in an untrusted network.

    1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.

    Normally a packet contains the IP address of the computer that originally sent it. This allows other computers in the network to know where it came from. In certain cases, this sending IP address will be spoofed by malicious individuals.

    For example, malicious individuals send a packet with a spoofed address, so that (unless your firewall prohibits it) the packet will be able to come into your network from the Internet, looking like it is internal, and therefore legitimate, traffic. Once the malicious individual is inside your network, they can begin to compromise your systems.

    Ingress filtering is a technique you can use on your firewall to filter packets coming into your network to, among other things, ensure packets are not spoofed to look like they are coming from your own internal network. For more information on packet filtering, consider obtaining information on a corollary technique called egress filtering.

    1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

    All traffic outbound from inside the cardholder data environment should be evaluated to ensure that outbound traffic follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).

    Where environments have no inbound connectivity allowed, outbound connections may be achieved via architectures or system components that interrupt and inspect the IP connectivity.
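Several of the points raised under 1.1.5, 1.1.6, 1.2.1, 1.3.4 and 1.3.5 (insecure services allowed without a documented justification, a rule set that does not end in an explicit deny-all, Internet-facing allow rules that a packet with a spoofed private source could match, and unrestricted egress from the CDE) can be screened automatically before the six-monthly review. The following Python is an added example written for this page, not code from the dashboard or from the PCI SSC. The rule representation, the interface names internet/dmz/cde, first-match evaluation order and the sample rule set are all assumptions for the example; a real deployment would populate the rules from the firewall's own export.

```python
"""Added example for this page (not from the dashboard or the PCI SSC):
screen a firewall rule set for the points raised in PCI DSS Requirements
1.1.5, 1.1.6, 1.2.1, 1.3.4 and 1.3.5. The rule format, the interface names
("internet", "dmz", "cde") and the sample rules are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services the standard names as examples of insecure protocols (1.1.5).
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP", 161: "SNMP"}

# RFC 1918 ranges: a packet arriving from the Internet must never carry one
# of these as its source address (1.3.4, anti-spoofing ingress filtering).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    iface: str               # "internet", "dmz" or "cde" (assumed names)
    direction: str           # "in" = arriving on iface, "out" = leaving via iface
    action: str              # "allow" or "deny"
    src: str                 # IPv4 CIDR or "any"
    dst: str                 # IPv4 CIDR or "any"
    port: Optional[int]      # destination port, None = any port
    justification: str = ""  # documented business justification (1.1.5)


def _as_ipv4(cidr: str) -> Optional[ipaddress.IPv4Network]:
    net = ipaddress.ip_network(cidr, strict=False)
    return net if isinstance(net, ipaddress.IPv4Network) else None


def _may_carry_private_source(src: str) -> bool:
    """True if a rule with this source would match a spoofed RFC 1918 packet."""
    if src == "any":
        return True
    net = _as_ipv4(src)
    return net is not None and any(net.overlaps(r) for r in RFC1918)


def review(rules: list[Rule]) -> list[str]:
    """Return one finding per violation, tagged with the PCI DSS requirement."""
    findings: list[str] = []
    spoof_denied: list[ipaddress.IPv4Network] = []   # private ranges denied so far on internet/in
    last_rule: dict[tuple[str, str], Rule] = {}      # last rule seen per (iface, direction)

    for r in rules:
        last_rule[(r.iface, r.direction)] = r

        if r.iface == "internet" and r.direction == "in":
            if r.action == "deny" and r.src != "any" and _as_ipv4(r.src) is not None:
                spoof_denied.append(_as_ipv4(r.src))
            elif r.action == "allow" and _may_carry_private_source(r.src):
                # Rules are evaluated first-match: an allow is only safe if every
                # private range was already denied by an earlier rule.
                missing = [str(n) for n in RFC1918
                           if not any(n.subnet_of(d) for d in spoof_denied)]
                if missing:
                    findings.append(f"1.3.4 {r.name}: Internet-facing allow reachable by "
                                    f"spoofed private sources; no earlier deny for {', '.join(missing)}")

        if r.action == "allow" and r.port in INSECURE_PORTS and not r.justification.strip():
            findings.append(f"1.1.5 {r.name}: {INSECURE_PORTS[r.port]} (port {r.port}) "
                            f"allowed without documented business justification")

        if (r.iface, r.direction, r.action) == ("cde", "out", "allow") and r.dst == "any" and r.port is None:
            findings.append(f"1.3.5 {r.name}: unrestricted outbound traffic from the CDE")

    # 1.2.1.b: every interface/direction must end in an explicit catch-all deny.
    for (iface, direction), last in last_rule.items():
        if not (last.action == "deny" and last.src == "any" and last.dst == "any" and last.port is None):
            findings.append(f"1.2.1 {iface}/{direction}: rule set does not end with an explicit deny-all")
    return findings


SAMPLE_RULES = [  # constructed for the example
    Rule("r1", "internet", "in", "deny", "10.0.0.0/8", "any", None),          # partial anti-spoof only
    Rule("r2", "internet", "in", "allow", "any", "203.0.113.10/32", 443, "Public web storefront"),
    Rule("r3", "internet", "in", "allow", "any", "203.0.113.11/32", 21),       # FTP, no justification
    Rule("r4", "internet", "in", "deny", "any", "any", None),
    Rule("r5", "cde", "out", "allow", "10.10.0.0/24", "any", None),            # any-to-any egress
    Rule("r6", "cde", "out", "allow", "10.10.0.0/24", "198.51.100.5/32", 443, "Acquirer API"),
]                                                                              # no deny-all for cde/out

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

The script is a screen, not a substitute for the review itself: a justification string being present says nothing about whether it is still valid, which is exactly what the six-monthly review under 1.1.6 is for.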


    1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.)

    A firewall that performs stateful packet inspection keeps "state" (or the status) for each connection through the firewall. By keeping "state," the firewall knows whether what appears to be a response to a previous connection is truly a response (since it "remembers" the previous connection) or is a malicious individual or software trying to spoof or trick the firewall into allowing the connection.
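To make the difference between a stateless "established" rule and genuine stateful inspection concrete, the following is an added example written for this page, not code from the dashboard or the PCI SSC: a toy TCP connection tracker that only admits inbound segments belonging to a flow an inside host opened, run side by side with the old-style rule that admits any inbound segment with the ACK bit set. The packet representation, the addresses, the packet sequence and the simplified state machine (no timeouts, no simultaneous open, RST handled only on established flows) are assumptions for the example.

```python
"""Added example for this page (not from the dashboard or the PCI SSC):
a toy TCP connection tracker contrasting stateful inspection (PCI DSS
1.3.6) with a stateless "ACK bit set" rule. Packets, addresses and the
simplified state machine are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool         # True if arriving from the untrusted side


def stateless_established_acl(pkt: Packet) -> bool:
    """Old-style 'established' ACL: any inbound segment with ACK set is let in."""
    return (not pkt.inbound) or ("ACK" in pkt.flags)


class StatefulFirewall:
    """Admits inbound segments only when they belong to a flow an inside host opened."""

    def __init__(self) -> None:
        # key = (inside host, inside port, outside host, outside port) -> state
        self.flows: dict[tuple[str, int, str, int], str] = {}

    def filter(self, pkt: Packet) -> bool:
        syn, ack = "SYN" in pkt.flags, "ACK" in pkt.flags
        teardown = "FIN" in pkt.flags or "RST" in pkt.flags
        # Normalise both directions onto the tuple of the outbound flow.
        key = ((pkt.dst, pkt.dport, pkt.src, pkt.sport) if pkt.inbound
               else (pkt.src, pkt.sport, pkt.dst, pkt.dport))
        state = self.flows.get(key)

        if state is None:
            if not pkt.inbound and syn and not ack:
                self.flows[key] = "SYN_SENT"      # inside host opens a connection
                return True
            return False                          # unsolicited in either direction: drop
        if state == "SYN_SENT" and pkt.inbound and syn and ack:
            self.flows[key] = "SYN_RECV"          # the reply we were waiting for
            return True
        if state == "SYN_RECV" and not pkt.inbound and ack and not syn:
            self.flows[key] = "ESTABLISHED"       # handshake completed
            return True
        if state == "ESTABLISHED":
            if teardown:
                del self.flows[key]               # forget the flow; later segments are unsolicited again
            return True
        return False                              # segment does not fit the flow's state


def flags(*names: str) -> frozenset:
    return frozenset(names)


SAMPLE_TRACE = [  # constructed packet sequence
    Packet("10.10.0.5", 50000, "198.51.100.5", 443, flags("SYN"), False),         # inside opens HTTPS
    Packet("198.51.100.5", 443, "10.10.0.5", 50000, flags("SYN", "ACK"), True),   # server replies
    Packet("10.10.0.5", 50000, "198.51.100.5", 443, flags("ACK"), False),         # handshake done
    Packet("198.51.100.5", 443, "10.10.0.5", 50000, flags("ACK"), True),          # server data
    Packet("203.0.113.7", 4444, "10.10.0.9", 22, flags("ACK"), True),             # ACK scan / spoof attempt
    Packet("203.0.113.7", 4444, "10.10.0.9", 22, flags("SYN"), True),             # unsolicited SYN
    Packet("198.51.100.5", 443, "10.10.0.5", 50000, flags("FIN", "ACK"), True),   # server closes
    Packet("198.51.100.5", 443, "10.10.0.5", 50000, flags("ACK"), True),          # after teardown
]


def compare(trace: list[Packet]) -> tuple[list[bool], list[bool]]:
    """Run the trace through both filters; returns (stateless verdicts, stateful verdicts)."""
    fw = StatefulFirewall()
    return [stateless_established_acl(p) for p in trace], [fw.filter(p) for p in trace]


if __name__ == "__main__":
    stateless, stateful = compare(SAMPLE_TRACE)
    for pkt, a, b in zip(SAMPLE_TRACE, stateless, stateful):
        print(f"{'in ' if pkt.inbound else 'out'} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{','.join(sorted(pkt.flags)):8} stateless={a!s:5} stateful={b!s:5}")
```

The fifth and eighth packets are the ones that matter for 1.3.6: an ACK-only probe to a port nobody opened, and a segment arriving after the flow was torn down, both pass the stateless rule and are dropped by the tracker.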

    1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

    Cardholder data requires the highest level of information protection. If cardholder data is located within the DMZ, access to this information is easier for an external attacker, since there are fewer layers to penetrate.

    Note: the intent of this requirement does not include storage in volatile memory.

    1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

    Note: Methods to obscure IP addressing may include, but are not limited to:
    - Network Address Translation (NAT)
    - Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
    - Removal or filtering of route advertisements for private networks that employ registered addressing,
    - Internal use of RFC1918 address space instead of registered addresses.

    Restricting the broadcast of IP addresses is essential to prevent a hacker learning the IP addresses of the internal network, and using that information to access the network.

    Effective means to meet the intent of this requirement may vary depending on the specific networking technology being used in your environment. For example, the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.

    One technique to prevent IP address information from being discovered on an IPv4 network is to implement Network Address Translation (NAT). NAT, which is typically managed by the firewall, allows an organization to have internal addresses that are visible only inside the network and external addresses that are visible externally. If a firewall does not hide or mask the IP addresses of the internal network, a malicious individual could discover internal IP addresses and attempt to access the network with a spoofed IP address.

    For IPv4 networks, the RFC1918 address space is reserved for internal addressing, and should not be routable on the Internet. As such, it is preferred for IP addressing of internal networks. However, organizations may have reasons to utilize non-RFC1918 address space on the internal network. In these circumstances, prevention of route advertisement or other techniques should be used to prevent internal address space being broadcast on the Internet or disclosed to unauthorized parties.


    1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.

    If a computer does not have a firewall or anti-virus program installed, spyware, Trojans, viruses, worms and rootkits (malware) may be downloaded and/or installed unknowingly. The computer is even more vulnerable when directly connected to the Internet and not behind the corporate firewall. Malware loaded on a computer when not behind the corporate firewall can then maliciously target information within the network when the computer is re-connected to the corporate network.

    Note: The intent of this requirement applies to remote access computers regardless of whether they are employee owned or company owned. Systems that cannot be managed by corporate policy introduce weaknesses to the perimeter and provide opportunities that malicious individuals may exploit.


    Testing Procedure


    1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

    1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

    1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.

    1.1.2.b Verify that the diagram is kept current.


    1.1.3.a Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.

    1.1.3.b Verify that the current network diagram is consistent with the firewall configuration standards.

    1.1.4 Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

    1.1.5.a Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.


    1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.

    1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.

    1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.

    1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:

    1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.


    1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.

    1.2.2 Verify that router configuration files are secure and synchronized, for example, that running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are re-booted) have the same, secure configurations.

    1.2.3 Verify that there are perimeter firewalls installed between any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

    1.3 Examine firewall and router configurations, including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment, to determine that there is no direct access between the Internet and system components in the internal cardholder network segment, as detailed below.

    1.3.1 Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.


    1.3.2 Verify that inbound Internet traffic is limited to IP addresses within the DMZ.

    1.3.3 Verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment.

    1.3.4 Verify that internal addresses cannot pass from the Internet into the DMZ.

    1.3.5 Verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.


    1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)

    1.3.7 Verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.

    1.3.8.a Verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.

    1.3.8.b Verify that any disclosure of private IP addresses and routing information to external entities is authorized.


    1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization's network, have personal firewall software installed and active.

    1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by users of mobile and/or employee-owned computers.


    Validation instruction for QSA/ISA (For In-Place Requirements)

    Columns: Priority (Prioritized Approach milestone, 1 to 6); applicable merchant types A, B, ...


    Priority: 6

    Identify the document(s) which defines the formal processes for:
    i. Testing of all network connections
    ii. Approval of all network connections
    iii. Testing of all firewall configuration changes
    iv. Approval of all firewall configuration changes
    v. Testing of all router configuration changes
    vi. Approval of all router configuration changes

    Describe how the documented processes were observed to be implemented, for:
    i. Testing of all network connections
    ii. Approval of all network connections
    iii. Testing of all firewall configuration changes
    iv. Approval of all firewall configuration changes
    v. Testing of all router configuration changes
    vi. Approval of all router configuration changes

    Priority: 6

    Identify the current network diagram(s).
    i. Is current
    ii. Includes all connections to cardholder data
    iii. Includes any wireless network connections

    Priority: 1

    Identify the document requiring that the network diagram is kept current.
    rocess is followed.

    Priority: 1


    Identify the firewall configuration standards that define requirements for:
    i. A firewall at each Internet connection
    ii. A firewall between any DMZ and the internal network zone

    Priority: 2

    Identify the c

