
SecurityMetrics Guide to PCI DSS Compliance
A Resource for Merchants and Service Providers to Become Compliant

[ EIGHTH EDITION ]

Looking for a PCI compliance solution? Learn more at: www.securitymetrics.com/pci
Foreword

No matter the advances in cyber security technology and despite government initiatives and regulations, attackers will continue to work to steal unprotected payment card data.

Some organizations have simple, easy-to-correct vulnerabilities that could lead to data breaches. In other instances, organizations with intricate IT defenses and processes are overridden by an employee opening a phishing email.

Our guide was specifically created to help merchants and service providers address the most problematic issues within the 12 PCI DSS requirements, showcasing auditors’ best practices and IT checklists.

Our guide is not intended to be a legal brief on all aspects of PCI compliance. Rather, it approaches PCI from the perspective of a security analyst, focusing on how to protect your cardholder data. Thus, we recommend using it as a resource to help with your PCI compliance efforts.

Ultimately, our goal is to help you better protect your data from inevitable future attacks.

MATT HALBLEIB
SecurityMetrics Audit Director
CISSP | CISA | QSA (P2PE) | PA-QSA (P2PE)

Guide to PCI DSS Compliance | Foreword | 3


Text copyright © 2023 SecurityMetrics

All rights reserved. No part of this publication may be reproduced in any manner whatsoever without written permission from the publisher, except in the case of quotations embodied in critical articles or reviews (or for internal educational purposes).

All inquiries should be addressed to:
SecurityMetrics
1275 West 1600 North
Orem, UT 84057

Or contact:
[email protected]

Portions of this guide were adapted from material previously published on securitymetrics.com/blog and securitymetrics.com/learn.

International Standard Book Number: 978-1-7346465-7-3

The information described in this guide is presented as a reference and is not intended to replace security assessments, tests, and services performed by qualified security professionals, nor does it replace or supersede PCI DSS Requirements. Users are encouraged to consult with their companies’ IT and cybersecurity professionals to determine their needs and to procure security services tailored to those needs.

Contents

Foreword ........ 3

INTRODUCTION ........ 6
  How to Read This Guide ........ 7
  PCI DSS Compliance Overview ........ 10
  Top 10 Failing SAQ sections ........ 12
  Understanding Your PCI DSS Responsibility ........ 14
  SAQ Overview ........ 18
  PCI DSS Version 4.0 ........ 26
  Implementing a PCI Compliant Remote Workforce Setup ........ 37
  Forensic Perspective ........ 39
  Forensic Predictions ........ 44

PCI DSS REQUIREMENTS ........ 46
  Requirement 1 ........ 47
  Requirement 2 ........ 54
  Requirement 3 ........ 59
  Requirement 4 ........ 65
  Requirement 5 ........ 69
  Requirement 6 ........ 72
  Requirement 7 ........ 77
  Requirement 8 ........ 80
  Requirement 9 ........ 87
  Requirement 10 ........ 94
  Requirement 11 ........ 98
  Requirement 12 ........ 108

HOW TO PREPARE FOR A DATA BREACH ........ 116
  How To Prepare For A Data Breach ........ 117
  What To Include In An Incident Response Plan ........ 121
  Develop Your Incident Response Plan ........ 125
  Test Your Incident Response Plan ........ 128
  Data Breach Prevention Tools ........ 130

CONCLUSION ........ 132
  PCI DSS Budget ........ 133
  Create A Security Culture ........ 135
  Contributors ........ 138
  Terms And Definitions ........ 139
  Appendix ........ 142




Introduction

SECTION CONTENTS
How to Read This Guide ........ 7
PCI DSS Compliance Overview ........ 10
Top 10 Failing SAQ sections ........ 12
Understanding Your PCI DSS Responsibility ........ 14
SAQ Overview ........ 18
PCI DSS Version 4.0 ........ 26
Implementing a PCI Compliant Remote Workforce Setup ........ 37
Forensic Perspective ........ 39
Forensic Predictions ........ 44

90.4% of SecurityMetrics customers who started their SAQ went on to complete it and achieve a passing status in 2022.


How to Read This Guide

Whether you’re a new employee with limited PCI knowledge or an experienced system administrator, the purpose of our guide is to help you secure your business and become compliant with PCI DSS requirements. We designed this document as a reference guide to address the most challenging aspects of PCI DSS compliance.

Depending on your background, job role, and your organization’s needs, some sections may be more useful than others. Rather than reading our guide cover to cover, we recommend using it as a resource for your PCI compliance efforts.

NOTE: The information described in this guide is presented as a reference and is not intended to replace security assessments, tests, and services performed by qualified security professionals. Users are encouraged to consult with their companies’ IT professionals to determine their needs to procure security services tailored to those needs.


The following chart displays an overview of the PCI Security Standards Council’s Prioritized Approach.1 The Prioritized Approach offers organizations a risk-based roadmap to address issues on a priority basis, while also supporting organizational financial and operational planning.

The Prioritized Approach is broken down into the following six milestones (based on high-level compliance and security goals1):

1 Remove sensitive authentication data and limit data retention
2 Protect systems and networks, and be prepared to respond to a system breach
3 Secure payment applications
4 Monitor and control access to your systems
5 Protect stored cardholder data
6 Complete compliance efforts, and ensure all controls are in place

(The chart maps each topic below to milestones 1 through 6; the milestone columns are not reproduced here. Page numbers refer to this guide.)

Requirement 1: Network Security Controls (page 47)
• Perimeter firewalls
• Personal firewalls
• Properly configure firewalls
• Network segmentation

Requirement 2: Apply Secure Configurations (page 54)
• Understand your environment
• Default password weaknesses
• System hardening
• System configuration management

Requirement 3: Protect Stored Account Data (page 59)
• Encrypt cardholder data
• Know where cardholder data resides

Requirement 4: Secure Data Over Open and Public Networks (page 65)
• Stop using SSL/early TLS

Requirement 5: Protect Against Malicious Software (page 69)
• Regularly update your anti-malware

Requirement 6: Secure Systems and Software Development (page 72)
• Regularly update and patch systems
• Establish software development processes
• Web application firewalls

Requirement 7: Restrict Access (page 77)
• Restrict access to cardholder data and systems

Requirement 8: Identify Users and Authenticate Access (page 80)
• Weak passwords and usernames
• Account Management
• Implement multi-factor authentication

Requirement 9: Restrict Physical Access to Cardholder Data (page 87)
• Control physical access to your workplace
• Keep track of POS terminals
• Train employees early and often
• Physical security best practices

Requirement 10: Log and Monitor Access (page 94)
• System logs and alerting
• Establishing log management
• Log management system rules

Requirement 11: Test Security of Systems and Networks (page 98)
• Test and monitor configuration
• Change and tamper detection
• Vulnerability scanning vs. penetration testing
• Vulnerability scanning basics
• Penetration testing basics

Requirement 12: Organizational Policies and Programs (page 108)
• Formally document business practices
• Establish a risk assessment process
• PCI DSS training best practices


PCI DSS Compliance Overview

PAYMENT SECURITY

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by the major card brands (e.g., Visa, MasterCard, American Express, Discover Financial Services, and JCB International). All businesses that process, store, or transmit payment card data are required to implement the security standard to prevent cardholder data theft. The investigation of numerous credit card data compromises has confirmed that the security controls and processes required in the PCI DSS are essential to protect cardholder data.

Merchants often have a difficult time attaining (or maintaining) compliance for a variety of reasons. Many smaller merchants believe it’s too technical or costly, while others simply don’t believe it’s effective and refuse to comply.

REQUIREMENTS OVERVIEW

REQUIREMENT 1: Install and Maintain Network Security Controls
• Install a hardware and software firewall
• Configure firewalls for your environment
• Have strict firewall rules for inbound and outbound traffic

REQUIREMENT 2: Apply Secure Configurations to All System Components
• Change default passwords
• Harden your systems
• Implement system configuration management

REQUIREMENT 3: Protect Stored Account Data
• Find where card data is held
• Craft your card flow diagram
• Encrypt stored card data

REQUIREMENT 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
• Know where data is transmitted and received
• Strongly encrypt all transmitted cardholder data
• Stop using SSL and early TLS

REQUIREMENT 5: Protect All Systems and Networks from Malicious Software
• Create a vulnerability management plan
• Protect systems against malware and regularly update anti-virus
• Maintain an up-to-date anti-malware program

REQUIREMENT 6: Develop and Maintain Secure Systems and Software
• Consistently update your systems
• Apply all critical/high patches to systems and software
• Establish secure software development processes

REQUIREMENT 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
• Restrict access to cardholder data
• Document who has access to the card data environment
• Establish a role-based access control system

REQUIREMENT 8: Identify Users and Authenticate Access to System Components
• Use unique ID credentials for every employee
• Disable/delete inactive accounts
• Configure multi-factor authentication

REQUIREMENT 9: Restrict Physical Access to Cardholder Data
• Control physical access at your workplace
• Keep track of POS terminals
• Train your employees often

REQUIREMENT 10: Log and Monitor All Access to System Components and Cardholder Data
• Implement logging and alerting
• Establish log management
• Create log management and monitoring system rules

REQUIREMENT 11: Test Security of Systems and Networks Regularly
• Know your environment
• Run vulnerability scans quarterly
• Conduct a penetration test

REQUIREMENT 12: Support Information Security with Organizational Policies and Programs
• Document policies and procedures for everything
• Implement a risk assessment process
• Create an incident response plan


Top 10 Failing SAQ sections

We scanned our merchant database in search of the top 10 areas where SecurityMetrics merchant customers struggle to become compliant. Starting with the least adopted requirement, these are the results:

1 SECURITY POLICY (Requirement 12.1): Establish, publish, maintain, and disseminate a security policy.

2 BREACH PLAN (Requirement 12.10.1): Create an incident response plan to be implemented in the event of system breach.

3 ANNUAL REVIEW (Requirement 12.1.1): Review the security policy at least annually and update the policy when the environment changes.

4 REQUIREMENT MANAGEMENT (Requirement 12.8.5): Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

5 INCIDENT RESPONSE (Requirement 12.5.3): Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

6 AWARENESS PROGRAM (Requirement 12.6.a): Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

7 PERSONNEL RESPONSIBILITIES (Requirement 12.4): Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

8 PERSONNEL RESPONSIBILITIES (Requirement 12.4): Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

9 WRITTEN AGREEMENTS (Requirement 12.8.2): Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data that they possess or impact the security of the cardholder data environment.

10 USAGE POLICIES (Requirement 9.9.2): Verify that the usage policies define all critical devices and personnel authorized to use the devices.

Requirement 12.1.1

In 2022, it took the average SecurityMetrics customer 21 days to reach PCI DSS compliance, with an average of 1 support call.


Understanding Your PCI DSS Responsibility

The PCI Council continues to update the PCI DSS. For example, the PCI Council introduced version 4.0 of the standard in March 2022. You may continue to validate against version 3.2.1 of the standard until March 31, 2024, but we strongly recommend you examine the changes to version 4.0 and start planning how to implement those changes in your environment while you have time to properly test, and phase in new controls, in a disciplined manner.

PCI DSS 4.0 introduced many new controls, but the basic definition of what is in scope has not changed. PCI scope deals with the people, processes, and technologies that must be tested and protected to become PCI compliant. An SAQ is simply a validation tool for merchants and service providers to self-evaluate their PCI DSS compliance.

If the people, process, or technology component stores, processes, or transmits cardholder data, is connected to systems that do, or could impact the security of the cardholder data environment, it’s considered in scope for PCI compliance. This means that PCI requirements apply and the system components must be protected.

System components most likely in scope for your environment may include:
• Networking devices
• Servers
• Switches
• Routers
• Computing devices
• Applications

Depending on the way you process, store, and transmit payment data, there are different SAQs that you must choose to fill out. For example, if you don’t have a storefront and all products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. These different SAQ types will be further explained later in this section.

PCI DSS SCOPING AND NETWORK SEGMENTATION SUPPLEMENT

In May 2017, the PCI Security Standards Council (SSC) released a supplemental guide for scoping and network segmentation.2 The purpose of this guidance was to help organizations identify the systems that need to be considered in scope for PCI DSS compliance and clarify how segmentation can reduce the number of in-scope systems.

You need to understand your business environment—especially what systems are included and how those systems interact with sensitive data. You are then required to apply PCI DSS security requirements to all system components included in, connected to, or that could impact the security of the cardholder data environment (CDE), which is “comprised of the system components, people, and processes that store, process, or transmit CHD or sensitive authentication data.”3

Without adequate network segmentation, your entire network is in scope of the PCI DSS assessment and applicable PCI requirements.

SCOPE YOUR ENVIRONMENT

When scoping your environment, start with the assumption that everything is in scope until it is verified that all necessary controls are in place and actually provide effective segmentation.

When performing your annual PCI DSS scope assessment, list and confirm all connected-to systems, which are system components that:
• Directly connect to the CDE (e.g., via internal network connectivity)
• Indirectly connect to the CDE (e.g., via connection to a jump server with CDE access)
• Impact configuration or security of the CDE (e.g., web redirection server, name resolution server)
• Provide security to the CDE (e.g., network traffic filtering, patch distribution, authentication management)
• Segment CDE systems from out-of-scope systems and networks (e.g., firewalls configured to block traffic from untrusted networks)
• Support PCI DSS requirements (e.g., time servers, audit log storage servers)

Make sure any changes to your environment are reflected in your annual scope assessment.

Segmentation prevents out-of-scope systems from communicating with systems in the CDE or from impacting the security of the CDE. An out-of-scope system is a system component that:
• Does NOT store, process, or transmit cardholder data
• Is NOT in the same network segment as systems that store, process, or transmit CHD
• CANNOT connect to any system in the CDE
• Does NOT meet any criteria describing connected-to or security-impacting systems

To be considered out of scope, controls must be in place to provide reasonable assurance that the out-of-scope system cannot be used to compromise an in-scope system component. Here are some examples of controls you can use:
• Firewall and/or IDS/IPS
• Physical access controls
• Logical access controls
• Multi-factor authentication
• Restricting administrative access
• Actively monitoring for suspicious network or system behavior

While not required, it’s best practice to implement PCI DSS controls on out-of-scope systems to prevent them from being used for malicious purposes.
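The connected-to and out-of-scope criteria above can be applied mechanically to a system inventory and a firewall's permitted flows. The following is an added example, not code from the SecurityMetrics guide: it takes a constructed inventory (system names, zones, roles and flows are all sample data) and classifies each component as CDE, connected-to, or an out-of-scope candidate. It follows the guide's conservative stance by treating any permitted path to the CDE, in either direction and through any intermediary, as connected-to, and by treating a system that shares a segment with CDE systems or provides a supporting service as in scope even when no flow is listed.

```python
"""Derive a first-cut PCI DSS scope from a system inventory and the network
flows a firewall permits.

Added example, not from the SecurityMetrics guide. It encodes the scoping rules
in the text above:
  * a component that stores, processes, or transmits CHD is in the CDE;
  * a component that can connect to the CDE, directly or indirectly (e.g. via a
    jump server), in either direction, is "connected-to" and in scope;
  * a component in the same network segment as a CDE system is in scope;
  * a component that provides security or supporting services to the CDE
    (time, logging, authentication, patching, filtering) is in scope;
  * everything else is only an out-of-scope *candidate* until segmentation
    testing confirms it cannot reach the CDE.
All system names, zones and flows below are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: name -> (network zone, handles CHD?, role)
INVENTORY = {
    "pos-register-1": ("cde-lan", True, "pos"),
    "payment-db": ("cde-lan", True, "database"),
    "report-app": ("cde-lan", False, "app"),        # no CHD, but shares the CDE segment
    "jump-host": ("mgmt", False, "bastion"),
    "admin-wks": ("mgmt", False, "workstation"),    # reaches the CDE only through jump-host
    "ntp-1": ("services", False, "time-server"),
    "syslog-1": ("services", False, "log-store"),
    "fw-edge": ("services", False, "firewall"),     # no listed flow, but protects the CDE
    "marketing-web": ("dmz", False, "web"),
    "corp-wks": ("corp", False, "workstation"),
    "hr-fileserver": ("corp", False, "fileserver"),
}

# Constructed permitted flows (source, destination) taken from the firewall policy.
FLOWS = [
    ("pos-register-1", "payment-db"),
    ("jump-host", "payment-db"),
    ("admin-wks", "jump-host"),
    ("payment-db", "ntp-1"),       # outbound from the CDE still pulls the peer into scope
    ("payment-db", "syslog-1"),
    ("corp-wks", "hr-fileserver"),
]

# Roles the guide lists as security-providing or PCI-supporting services.
SUPPORTING_ROLES = {"time-server", "log-store", "auth", "patching", "dns", "firewall"}


def classify_scope(inventory, flows, supporting_roles=SUPPORTING_ROLES):
    """Return {name: (category, reason)} with category one of
    'CDE', 'connected-to' or 'out-of-scope candidate'."""
    result = {}
    cde = {name for name, (_zone, chd, _role) in inventory.items() if chd}
    cde_zones = {inventory[name][0] for name in cde}
    for name in cde:
        result[name] = ("CDE", "stores, processes, or transmits CHD")

    # Direction does not matter for scope, so treat flows as undirected edges.
    adjacency = defaultdict(set)
    for src, dst in flows:
        adjacency[src].add(dst)
        adjacency[dst].add(src)

    # Walk outward from the CDE: anything reachable over a permitted flow is
    # connected-to, whether it talks to the CDE directly or via an intermediary.
    frontier = list(cde)
    seen = set(cde)
    while frontier:
        current = frontier.pop()
        for neighbour in adjacency[current]:
            if neighbour in seen:
                continue
            seen.add(neighbour)
            frontier.append(neighbour)
            how = "directly" if current in cde else f"indirectly via {current}"
            result[neighbour] = ("connected-to", f"{how} connected to the CDE")

    for name, (zone, _chd, role) in inventory.items():
        if name in result:
            continue
        if zone in cde_zones:
            result[name] = ("connected-to", "same network segment as CDE systems")
        elif role in supporting_roles:
            result[name] = ("connected-to", f"provides a supporting service ({role}) to the CDE")
        else:
            result[name] = ("out-of-scope candidate",
                            "no permitted path to the CDE; confirm with segmentation testing")
    return result


if __name__ == "__main__":
    for name, (category, reason) in sorted(classify_scope(INVENTORY, FLOWS).items()):
        print(f"{name:16} {category:24} {reason}")
```

Replace INVENTORY and FLOWS with an export of your asset register and firewall policy. The "out-of-scope candidate" label is deliberate: the script can only show that no permitted path exists on paper, and the guide requires segmentation to be verified in practice before a system is treated as out of scope.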


TIPS FROM AN AUDITOR

PCI DSS Scope

MATT HALBLEIB
SecurityMetrics Audit Director
CISSP | CISA | QSA (P2PE) | PA-QSA (P2PE)

Do not panic if you find data where it does not belong.

To discover your PCI scope and what must be included for your PCI compliance, you need to identify anything that processes, stores, or transmits cardholder data, and then evaluate what people and systems are communicating with your systems. In May 2017, the PCI Council released an informational supplement regarding PCI scoping.2 The document helps reinforce and clarify scoping points that have always been part of PCI scoping. The document can help you work through your annual scoping exercise and can lead you to discover card flows and in-scope systems that you may have previously ignored.

In my experience performing PCI audits, entities often overlook the ancillary or support types of systems when doing their own PCI scoping. For instance, call centers usually pay little attention to QA systems, which often store cardholder data in the form of call recordings. These systems are in scope for all PCI requirements!

Don’t forget power outage procedures where card data is sometimes taken down manually. For example, in most call centers, we’ve discovered that agents are typically unaware that card data should never be written down. But when the application they use for recording cardholder data freezes, they tend to resort to typing or writing it down in a temporary location and retrieving it later for entry. These temporary locations are rarely considered in an organization’s PCI compliance efforts but can lead to increased risk and should be included in your PCI scope.

Paper trails of hand-written information or photocopied payment card data can sometimes fill multiple rooms. Even if card data is ten years old, it is still in PCI scope.

If you access a web page for data entry, there’s a decent chance card data can be found in temporary browser cache files. In addition, it’s the website developer’s responsibility to make sure websites don’t generate cookies or temporary log files with sensitive data. However, you don’t always have full control of your website, which is why it’s important to evaluate all systems for cardholder data, even where you might not expect it to reside.

For organizations with web portals, if someone mistypes card data into an address or phone number field, it is still considered in PCI scope. There are always processes you might not realize are in scope. For example, if you are a retail store that swipes cards, do you ever take card numbers over the phone or receive emails with card information? Are any paper orders received? Organizations often have finance, treasury, or risk groups that have post-transaction processes involving cardholder data. It is important to include these processes when determining scope.

Simple questions can help you begin the scoping process. For example, ask yourself:
• How do you collect money?
• Why do you handle card data?
• How do you store, process, and transmit this data?

You might think your databases are set up to encrypt all cardholder data. However, servers you consider out of scope will often hold temporary files, log files, or backups with lots of unencrypted data. System administrator folders on file servers are also common culprits, as they often backup failing servers in a rush to prevent data loss without considering the PCI implications.

Usually, organizations can find ways to fix processes and delete this sensitive data, rather than add servers to their scope. A simple way to find unencrypted card data is by running a card discovery tool, such as SecurityMetrics PANscan®. Organizations need to have methods to detect these mistakes and prevent or delete them. Some use a data loss prevention (DLP) solution to help them with this process.

The next step in determining your PCI scope is to find everything that can communicate with the devices you have identified. This is often the hardest part about scoping because you may not understand what can communicate to your systems. Answer the following questions:
• How do you manage your systems?
• How do you log in to them?
• How do you backup your systems?
• How do you connect to get reports?
• How do you reset passwords?
• How do you administer security controls on your systems?

If you have a server that handles cardholder data, you must always consider what else communicates with that server. Do you have a database server in some other zone you consider out of scope but is reaching that web server to pull reports and save data? Anything that can initiate a connection to an in-scope server that handles cardholder data will be in scope for compliance.

In addition, if your system in the CDE initiates a communication out to a server in another zone, that server will also be in scope. There are very few exceptions to this.
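The column above recommends running a card discovery tool to find PANs that have leaked into address fields, log files and backups. The following is an added example, not code from the guide and not PANscan: it shows the two checks such a tool applies, a search for 13 to 19 digit runs (tolerating the spaces and dashes people type) followed by a Luhn check that discards order numbers, timestamps and tokens that merely look like card numbers, and it reports hits masked to first six and last four digits so the report does not itself become cardholder data. The sample text is constructed; the card numbers in it are the card brands' public test numbers.

```python
"""Card-data discovery over text that should not contain PANs (logs, backups,
free-text fields).

Added example, not from the SecurityMetrics guide and not PANscan. It shows the
two checks a discovery tool applies: a digit-pattern search for 13-19 digit
runs (allowing the spaces or dashes people type), then a Luhn check to discard
order numbers, timestamps and tokens that merely look like card numbers. Hits
are reported masked (first six and last four digits), never as full PANs, so
the report itself does not become new cardholder data to protect.
The sample text is constructed; the card numbers in it are the public
test numbers issued by the card brands, not real accounts.
"""
import re

# 13 to 19 digits, each optionally followed by a space or dash, not adjacent
# to other digits (so a longer digit run is not chopped into pieces).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a log line, a free-text note, a backup row, a debug line.
SAMPLE_TEXT = """\
2023-01-15 14:30:00 order=1234567890123456 customer=jsmith status=captured
shipping_phone=801-555-1234 notes="card 4111 1111 1111 1111 exp 12/25 read over phone"
backup_row: id=7 addr_line2=4012-8888-8888-1881
debug: token=tok_visa_20230115143000 amount=1999
mc_test=5555555555554444
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> dict:
    """Return {'findings': [(line_no, masked_pan), ...], 'rejected': n}, where
    'rejected' counts digit runs of card-number length that failed the Luhn check."""
    findings, rejected = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
            else:
                rejected += 1
    return {"findings": findings, "rejected": rejected}


if __name__ == "__main__":
    report = scan_text(SAMPLE_TEXT)
    for line_no, masked in report["findings"]:
        print(f"line {line_no}: possible PAN {masked}")
    print(f"{report['rejected']} digit run(s) rejected by the Luhn check")
```

On the sample, the order number and the timestamp inside the token are rejected by the Luhn check while the three test card numbers are reported. The Luhn check only filters out roughly nine in ten random digit runs, so a real discovery pass over large file shares will still produce false positives that need human review; the point of masking the output is that reviewing those hits does not spread full PANs into yet another file.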


SAQ Overview

SAQ A (3.2.1: 24 Questions, No Scan; 4.0: 31 Questions, Vuln. Scan)
E-commerce website (third party)
• Fully outsourced card acceptance and processing
• Merchant website provides an iframe or URL that redirects a consumer to a third-party payment processor
• Merchant can't impact the security of the payment transaction

SAQ A-EP (3.2.1: 191 Questions, Vuln. Scan; 4.0: 151 Questions, Vuln. Scan)
Ecommerce website (direct post)
• Merchant website accepts payment using direct post or transparent redirect service

SAQ B (3.2.1: 41 Questions, No Scan; 4.0: 27 Questions, No Scan)
Processes cards via:
• Analog phone, fax, or stand-alone terminal
• Cellular phone (voice) or stand-alone terminal
• Knuckle buster/imprint machine

SAQ B-IP (3.2.1: 86 Questions, Vuln. Scan; 4.0: 48 Questions, Vuln. Scan)
Processes cards via:
• Internet-based stand-alone terminal isolated from other devices on the network
• On an isolated network at one location
• Cellular phone (voice) or stand-alone terminal
• Knuckle buster/imprint machine

SAQ C (3.2.1: 160 Questions, Vuln. Scan; 4.0: 131 Questions, Vuln. Scan)
Payment application systems connected to the Internet:
• Virtual terminal (Not C-VT eligible)
• IP terminal (Not B-IP eligible)
• Mobile device (smartphone/tablet) with a card processing application or swipe device
• POS with tokenization

SAQ C-VT (3.2.1: 83 Questions, No Scan; 4.0: 54 Questions, No Scan)
Processes cards:
• One at a time via keyboard into a virtual terminal
• No swipe device
• Knuckle buster/imprint machine

SAQ P2PE (3.2.1: 33 Questions, No Scan; 4.0: 21 Questions, No Scan)
Point-to-point encryption
• Validated PCI P2PE hardware payment terminal solution only
• Merchant specifies they qualify for the P2PE questionnaire

SAQ D-Merchant (3.2.1: 329* Questions, Vuln. Scan; 4.0: 251* Questions, Vuln. Scan)
E-commerce website
• Merchant website accepts payment and does not use a direct post or transparent redirect service
Electronic storage of card data
• POS system not utilizing tokenization or P2PE
• Merchant stores card data electronically (e.g., email, e-fax, recorded calls, etc.)

SAQ D-Service Provider (3.2.1: 354** Questions, Vuln. Scan; 4.0: 267** Questions, Vuln. Scan)
Service Provider
• Handles card data on behalf of another business
• Provides managed firewalls in another entity's cardholder data environment
• Hosts a business's e-commerce environment/website or controls the flow of e-commerce data
• View or handle cardholder data via the Internet

*Additional controls in Appendix A2
**Additional controls in Appendix A1 and A2


SAQ Overview

DETERMINE YOUR SAQ TYPE

How you process credit cards and handle cardholder data determines which of the 9 Self-Assessment Questionnaire (SAQ) types your business needs to fill out. Here are the different SAQ type requirements:

SAQ A

• Your company only accepts card-not-present (ecommerce or mail/telephone-order) transactions.
• All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service provider(s).
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions.
• Your company has reviewed the PCI DSS Attestation of Compliance form(s) from its third-party providers and confirmed that the providers are PCI DSS compliant for the services they are providing.
• Any cardholder data your company retains is on paper (such as printed reports or receipts), and these documents are not received electronically.
• All elements of the ecommerce payment page(s) delivered to the customer’s browser originate from PCI DSS compliant providers or processors.

In summary, if your company has completely outsourced the collection and processing of cardholder data to PCI DSS-compliant third-party providers and your employees never have access to full credit card numbers, there is a strong likelihood that the SAQ A is the appropriate SAQ for your environment.

Most SAQ A merchants have an ecommerce environment that has been fully outsourced to a third party or that either redirects the user’s browser to a PCI DSS-compliant payment gateway at checkout or makes use of a third-party iFrame for payment collection.

SAQ A-EP

• Your company only accepts ecommerce transactions.
• All processing of cardholder data–with the exception of the payment page–is entirely outsourced to a PCI DSS validated third-party payment processor.
• Your ecommerce website does not receive cardholder data but controls how consumers–or their cardholder data–are redirected to a PCI DSS validated third-party payment processor.
• If the merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider).
• Each element of the payment page(s) delivered to a consumer’s browser originates from your website or a PCI DSS compliant service provider(s).
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on third parties to handle all of these functions.
• Your company has confirmed that all third parties handling storage, processing, and transmission of cardholder data are PCI DSS compliant.
• Any cardholder data your company retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.

Like most SAQ A merchants, SAQ A-EP merchants have an ecommerce payment environment where the collection and processing of cardholder data have been outsourced to PCI DSS-compliant service providers. Unlike the SAQ A, SAQ A-EP websites control the flow of cardholder data to the service provider (typically using JavaScript or direct post methods).

If you have an ecommerce environment and you are not using a third-party iFrame or fully redirecting users to the service provider’s website for payment collection, but your website never receives cardholder data directly, the SAQ A-EP is likely the correct choice for your compliance documentation.


SAQ Overview

SAQ B

• Your company only uses an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information.

• Standalone, dial-out terminals are not connected to any other systems within your environment.

• Standalone, dial-out terminals are not connected to the Internet.

• Your company does not transmit cardholder data over a network (either an internal network or the Internet).

• Any cardholder data your company retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.

• Your company does not store cardholder data in an electronic format.

Most SAQ B merchants receive cardholder data in person and via mail-order/telephone-order transactions and process these payments using bank-provided payment terminals that are connected to dial-up/analog phone lines. Cardholder data should never be received electronically (via email) or stored electronically. Be sure your terminals are connected to analog lines and not connected to IP networks.

SAQ B-IP

• Your business only uses standalone, PTS-approved Point of Interaction (POI) devices connected via IP to your payment processor to take your customers’ payment card data.

• Standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs).

• Standalone IP-connected POI devices are not connected to any other systems within your environment.

• The only transmission of cardholder data is from PTS-approved POI devices to the payment processor.

• The POI device doesn’t rely on any other device (e.g., computer, mobile phone, tablet) to connect to the payment processor.

• The business has only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically.

• Your company does not store cardholder data electronically.

Most SAQ B-IP merchants receive cardholder data in person and via mail-order/telephone-order transactions and process these payments using bank-provided terminals.

SAQ B-IP terminals are, however, connected to an IP network and transmit their data over the network instead of an analog connection. This allows for much faster processing times, but security controls must be in place to properly segment and protect payment data being transmitted over the network.

SAQ C

• Your business has a payment application system and an Internet connection on the same device and/or same local area network (LAN).

• The payment application system isn’t connected to any other systems within your environment.

• The POS environment isn’t connected to other locations, and any LAN is for a single location only.

• Any cardholder data your business retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.

• Your company does not store cardholder data in an electronic format.

Typical SAQ C merchants receive cardholder data in person and via mail-order/telephone-order transactions that are processed using a Point-of-Sale system that is configured to not store the full PAN (credit card number). Typical POS solutions will have multiple POS workstations/registers connected to a back-end server (the server may be hosted by a vendor/third-party). The SAQ C is designed for a simple, single-location POS deployment.

Merchants with multiple locations that are connected to the corporate office should be using the SAQ D.

SAQ C-VT

• Your company only processes payments through a virtual payment terminal accessed by an Internet-connected web browser.

• Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider.

• Your company accesses the PCI DSS-compliant virtual payment terminal solution through a computer that is isolated in a single location and is not connected to other locations or systems within your environment.

• Your company’s computer does not have software installed that causes cardholder data to be stored.

• Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data.

• Your company does not otherwise receive or transmit cardholder data electronically through any channels.

• Any cardholder data your company retains is on paper, and these documents are not received electronically.

• Your company does not store cardholder data in an electronic format.

Typically, SAQ C-VT merchants receive cardholder data in person and via mail-order/telephone-order transactions and enter the data into a PCI-compliant web-based virtual terminal using a workstation dedicated to processing payments. Workstations used to enter payment data into the third-party virtual terminal must be on an isolated network segment. Network security controls must be configured to allow only traffic required to perform this business function. All other inbound and outbound traffic to the network segment must be blocked.

SAQ P2PE

• All payment processing is through a validated PCI P2PE solution approved and listed by the PCI SSC.

• The only systems in the merchant environment that store, process, or transmit account data are the Point of Interaction (POI) devices, which are approved for use with the validated and PCI-listed P2PE solution.

• You do not otherwise receive or transmit cardholder data electronically.

• There’s no legacy storage of electronic cardholder data in the environment.

• If your business stores cardholder data, this data is only in paper reports or copies of paper receipts and isn’t received electronically.

• Your business has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

In order to reduce risk in a merchant payment environment and to minimize the efforts to maintain PCI DSS compliance, the PCI SSC has developed a standard for point-to-point encryption solutions. P2PE payment solutions will strongly encrypt cardholder data at the point of entry (POI device) and send the encrypted data to the P2PE solution provider for decryption and processing.

Typical SAQ P2PE merchants receive cardholder data in person and via mail-order/telephone-order transactions and process the payments using validated P2PE terminals (a list of validated P2PE solutions can be found on the PCI Council’s website).4

SAQ D FOR MERCHANTS

SAQ D applies to merchants who don’t meet the criteria for any other SAQ type. This SAQ type handles merchants who store card information electronically and do not use a P2PE certified POS system. Examples of SAQ D merchant types include:

• ecommerce merchants who accept cardholder data on their website.

• Merchants with electronic storage of cardholder data.

• Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type.

• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.

SAQ D FOR SERVICE PROVIDERS

A service provider is a business entity that isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organization.

Service providers can also provide services that control or could impact the security of cardholder data processed under another company’s merchant account.

Examples of service providers who qualify for SAQ D include:

• A service provider that handles card data on behalf of another business.

• A service provider that provides managed firewalls in another entity’s cardholder data environment.

• A service provider that hosts a business’s ecommerce environment/website or controls the flow of ecommerce data.

COMBINING MULTIPLE SAQS

Some merchants will have multiple payment flows that together may not fit any SAQ type besides the SAQ D. For instance, a merchant may have an outsourced ecommerce payment channel that would fit the SAQ A but may also accept card-present transactions using an analog-connected bank terminal (SAQ B).

A merchant with multiple payment channels will likely be required to complete the SAQ D as they would not be able to affirmatively answer the qualifying criteria questions when looking at their multiple payment channels together.

Some merchant banks will allow a merchant to assess each payment channel separately with the SAQ that matches each payment channel. So, in the case of an SAQ A + SAQ B combo environment, the merchant may be able to complete an SAQ A to cover their ecommerce channel and an SAQ B to cover the card-present payment channel and provide their bank with both SAQs.

If your merchant environment consists of two or more simple payment channels, it may be worth your time to have a conversation with your merchant bank to see if you would be able to assess each payment channel separately.

PCI DATA SECURITY ESSENTIALS EVALUATION TOOL FOR SMALL MERCHANTS

The PCI council released a payment security tool–the Data Security Essentials (DSE) Evaluation Tool–to simplify security evaluation and increase security awareness for eligible small merchants. The Data Security Essentials Evaluation Tool includes 15 new categories from the PCI Council–based on payment acceptance methods–which will help smaller merchants simplify their compliance process and get the most benefit from their efforts.

“Merchants are only eligible to use a Data Security Essentials evaluation if they have been notified by their acquirer [aka their merchant bank] that it is appropriate for them to do so.”5

To find out more information about DSE evaluations and your possible options, contact your merchant bank.

PCI DSS Version 4.0

PCI DSS 4.0 TRANSITION TIMELINE

The adoption of PCI DSS version 4.0 includes an overlapping sunset date for PCI DSS version 3.2.1 so that the transition between versions will be smooth.6 The adjacent diagram shows the PCI DSS 4.0 transition timeline based on information by the PCI Council. One thing to focus on is that ample time has been provided for the transition from PCI DSS 3.2.1 to PCI DSS 4.0.

In addition, many new requirements being added to the standard are future-dated to allow new processes to be developed before any new requirements will be enforced. We have included this section to give you a quick introduction to PCI DSS 4.0 and some of the larger changes.

[Diagram: IMPLEMENTATION TIMELINE, 2022 through 2025. Milestones in order: Stakeholder Preview; Official Release; ISA/QSA Training and Support Docs; v3.2.1 Retired (March 31); Future-dated new requirements become effective (March 31). Bars: Transition period from v3.2.1 to v4.0; Implementation of future-dated new requirements.]

THE GOAL OF PCI DSS 4.0

Why did the PCI Council make a major rewrite of the PCI DSS when it is considered to be a fairly mature standard?

There are four major reasons for the changes:

1. Ensure the standard continues to meet the security needs of the payments industry

2. Promote security as a continuous process

3. Enhance validation methods and procedures

4. Add flexibility and support of additional methodologies to achieve security

1. ENSURE THE STANDARD CONTINUES TO MEET THE SECURITY NEEDS OF THE PAYMENTS INDUSTRY

As time moves on, technology changes and so do the attack vectors of bad actors trying to compromise systems.

It is important to keep up with this changing technology. PCI DSS 4.0 addresses these changes, from scoping to cloud computing. The following table shows some of the areas of further guidance and definition. This is not an exhaustive list but will give you some ideas of what has changed.

The following information details the areas of PCI DSS 4.0 evolution (Evolution Area: Comments):

Scoping: Scoping guidance will be a more integral part of the standard itself by providing more detail on requirements for scoping validation. New requirements include tasks for organizations to verify their PCI DSS scope and some additional requirements for service providers.

Protection of Cardholder Data Transmissions: Included are continued enhancements to requirements for the protection of cardholder data in motion throughout the network.

Anti-Phishing and Social Engineering: The Council recognizes that phishing and social engineering are becoming bigger attack vectors. These are addressed in the PCI DSS 4.0 standard.

Risk Assessments: Requirements for performing risk assessments have been in PCI DSS for years; in version 4.0 these requirements expand and provide more detail for risk management as a whole. Additional requirements have been added to clarify the risk assessment process mentioned in section 12 of the standard.

Authentication: The Council aligned more closely with some industry best practices in authentication, such as addressing password length, periodic change guidelines, and multifactor authentication enhancements. These revisions to password requirements help to accommodate different authentication options.

Cloud Considerations: PCI DSS 4.0 now addresses cloud technology where it may apply in the standard. The Council has also reviewed Appendix A, which contains requirements for shared hosting providers, in order to update it with cloud technologies in mind.

2. PROMOTE SECURITY AS A CONTINUOUS PROCESS

From the beginning, PCI DSS requirements were created to help organizations develop security best practice habits that would be followed year-round, rather than only during an annual assessment period.

Many organizations have been able to make this transition to the mindset of security as a lifestyle, while others are still focused on passing an assessment and moving on.

For example, there were changes to include more gathering of validation information over a period of time to support and ensure that a continuous security process is in place.

3. ENHANCE VALIDATION METHODS AND PROCEDURES

The PCI Council has looked at validation methods and procedures to make sure they are meshing with the new PCI DSS 4.0 release.

The SAQ and AOC processes and contents have been evaluated, enhanced, and released in April 2022. The new customized approach methods are not supported in current SAQ validation methods.

4. ADD FLEXIBILITY AND SUPPORT OF ADDITIONAL METHODOLOGIES TO ACHIEVE SECURITY

QSAs sometimes get asked the question, “our methods are secure; can’t I meet this requirement another way?” The response had to be “We could look at defining a compensating control, but that is considered a temporary solution until you can meet the requirement the right way.”

Version 4.0 of the PCI standard will try to resolve this scenario by introducing the concept of validation of a security control using a customized approach. Companies that adequately meet requirements with existing controls can continue to use these controls as a viable way to achieve compliance.

Past validation methodologies will now be known as a Defined Approach. This is essentially what we have been doing for the past 17 years. Either approach option can be used for a PCI DSS requirement and approaches can even be mixed up within a single Report on Compliance (RoC).

CUSTOMIZED APPROACH

PCI DSS 4.0 introduces the concept that not all security approaches are the same and that there may be many ways to achieve a security objective. Version 4.0 will allow customization of requirements and testing procedures in order to accommodate this.

Many companies have security solutions in place that may meet the intent of a security objective but not meet a specific requirement. This approach could let entities show how their specific solution meets the intent of the security objective and addresses the risk, and therefore provides an alternative way to meet the requirement.

This new approach will take the place of compensating controls in the PCI DSS 4.0 standard. The PCI council has stated that “Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based.”7

While this new validation method may sound simple, it will most likely result in more assessment work initially for the entity in order to prepare documentation and risk assessment data for a QSA to evaluate. It will then require specialized testing procedures to be developed by the QSA and agreed upon by the entity.

The customized approach will not be for everyone and will be most suited for entities with mature security and risk assessment processes in place.

The custom process provides the advantage of defining a more permanent solution for compliance validation of specialized security controls. This is different from previous temporary compensating controls in earlier versions of the standard, where you had to document a justification for the control with a business or technical constraint.

Customized Approach Milestones:

The customized approach offers more validation flexibility, but it’s not ideal for everyone. The following figure illustrates where responsibilities lie when using the customized approach:

THE ENTITY

Implements control(s) that meets the intent of the PCI DSS Requirement

Provides documentation that describes the customized implementation:

• The who, what, where, when, and how of the controls

• Evidence to prove the controls meet the stated intent

• Evidence of how controls are maintained, and effectiveness is assured

THE ASSESSOR

Plans and conducts the assessment:

• Reviews information provided by the entity

• Derives testing procedures based on information provided

• Documents details of testing procedures and results of testing in the ROC

Relying on a security implementation you already have in place may save on new capital expenses, but it will require more work on your part. You will need to thoroughly document, test, and conduct risk analysis efforts to present to your QSA. The QSA then has to review your information to develop custom testing procedures–a process that will require more reporting from the entity.

Therefore, an assessment using the Customized Approach will likely require more resources than an assessment using the defined approach, but it may be a more cost effective method when all aspects are considered. Be sure to look for a QSA with the depth and years of experience necessary to validate custom controls and develop appropriate testing procedures.

The Customized Approach method shouldn’t be a way to disengage from your assessment. Rather, utilizing the Customized Approach should encourage working closely with your QSA.

CUSTOMIZED APPROACH AND RISK ASSESSMENTS

As mentioned in the previous section, the Customized Approach is now available. However, before jumping right in, larger organizations and risk assessment teams may want to look at the Defined Approach and Customized Approach so that they understand the differences between the two and can make the right decisions for their organization.

A lot of people are excited about the Customized Approach because it sounds easier to get compliant. In reality, it’s going to be more complicated than it sounds. The Customized Approach requires a lot of work and effort to define what the actual requirements are and how to measure the requirements.

One of the biggest adjustments to PCI 4.0 is the increased use of risk assessments within the Customized and Defined Approaches. Risk assessments for a Customized Approach are a big part of the new standard. Instead of being a simple and quick process, organizations will need to follow a very structured formalized risk assessment.

In the past, people weren’t certain about what risk assessments were or the associated requirements. We’d often ask questions like “have you had a meeting, or have you written a document, or have you done something that shows that you’ve thought about the risks in your system?”

Now, the expectation is that if you make a change in your environment (e.g., adding a new firewall), you need to do a risk assessment on that change.

If you don’t have a lot of experience with a formal risk assessment, or don’t have a risk department as part of your company, you may need initial help from a third party to get you going and learn how to do these things.

Formal risk assessments may not seem like a big change based on some of the other future dated requirements that have been added to the standard, but this change in PCI DSS 4.0 may result in additional effort in the transition process.

PCI DSS 4.0 SUMMARY

PCI DSS v4.0 may seem daunting, but it is actually an improved way to counteract the techniques used by threat actors. Preparing for compliance to v4.0 is straightforward if you are already working towards or maintaining compliance to PCI DSS 3.2.1.

KEY PCI DSS 4.0 REQUIREMENT UPDATES

Here’s a quick overview of some key new requirement changes in each section of PCI DSS 4.0 effective March 31, 2025:

Requirement 1

There were no significant changes.

Requirement 2

There were no significant changes.

Requirement 3

3.2.1 (March 31, 2025)

In the past, if you stored sensitive authentication data before authorization, it was recommended that you should try to encrypt or protect it, but it wasn’t required. Now, it is required.

3.3.3 (March 31, 2025)

Issuers now must encrypt the sensitive authentication data that they may be storing. This may not be a big deal for most issuers at this point, but it may be difficult for some legacy systems where encryption software is not readily available.

3.4.2 (March 31, 2025)

If you’re using remote access technology to access the cardholder data environment (CDE), then you must prevent the copy and relocation of primary account number (PAN) data. This has been mentioned before, but now it will be a requirement.

Previously, you could just have a policy addressing this process, but now it needs to be enforced by some technology. There may be settings in your remote access software that have ways of preventing access to certain functions. Depending on what resources you have and your current processes, this requirement may or may not be difficult to implement.

3.5.1.2 (March 31, 2025)

This requirement discusses the removal of disk-level encryption as an option to protect card data. Now it can only be used for removable media (e.g., a USB drive, an external SSD). You can’t use it anymore on your computer’s hard drive or any kind of non-removable media. If you’re using disk-level encryption for protection, you will need to make some changes.

3.5.5.1 (March 31, 2025)

PCI DSS 4.0 also changes the security required on hashing functionality if your system is using a hash method for protecting card data.

Organizations will need to use a keyed cryptographic hash method, which is different from most common hash algorithms in use. So you may need to change your hashing algorithm to something like HMAC, CMAC, or GMAC, with an effective cryptographic strength of at least 128-bits. A code change of this kind could take some effort so you may want to focus on this earlier rather than later.

Requirement 4

4.2.1 (March 31, 2025)

A new requirement in this section will be to carefully document, track, and inventory SSL and TLS certificates in use for the transmission of sensitive data across public networks. Increased tracking will help ensure the certificates’ continued strength and validity. So, it’s just a new process and tracking that needs to be implemented.

Requirement 5

5.3.3 (March 31, 2025)

Organizations will need to scan removable media used in the CDE. Since most antivirus solutions do this or have the capability, it may just require some configuration setting changes. Review the capabilities of the malware solution you are using to see if they have these capabilities.

5.4.1 (March 31, 2025)

One of the bigger changes is that a requirement to have automatic mechanisms in place to detect and protect personnel against email phishing attacks has been added.

If you’re doing your email in house, you may or may not have had all the controls in place for this yet. If you’ve outsourced emails, confirm with your provider and see what sort of protections they have against phishing attacks.

Requirement 6

6.4.2 (March 31, 2025)

In PCI DSS 3.2.1, a web application firewall or a process to do code reviews was required to protect web applications developed by a company. In March 2025, organizations will need to have a web application firewall in place for any web applications exposed to the Internet.

This standard has been a long time coming and shouldn’t be surprising. There are many solutions, including cloud-based solutions, that can help with this requirement.

6.4.3 (March 31, 2025)

To reduce the possibility of malicious scripts making it onto payment pages, organizations need an inventory of all the known scripts used on those pages.

This inventory must be documented and tracked to ensure that all the scripts used are authorized, and that the integrity has been validated. Review the guidance column for further information on this requirement.

Requirement 7

7.2.4, 7.2.5, 7.2.5.1 (March 31, 2025)

Not much has changed in this section. It’s the basic, role-based access control requirements, and most of the changes are just tightening account reviews and processes around reviews for systems, users, and applications.

Requirement 8

8.3.6 (March 31, 2025)

To strengthen passwords, the minimum length of passwords is moving from 7 to 12 alpha and numeric characters.

Depending on your applications, this could be a simple fix or it may require some code changes. So, start checking now to see if there are any systems in use in your CDE that would have difficulty with this future dated requirement.

8.3.10.1 (March 31, 2025)

Another change in section eight around passwords pertains to service providers. Customers of service providers will now have to change their passwords every 90 days if you’re using just a password for authentication (i.e., you are not using a multi-factor authentication).
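The keyed-hash requirement discussed under Requirement 3 above, worked through in Python as an added example (this is not code from the guide or from SecurityMetrics): a plain SHA-256 over a PAN beside an HMAC-SHA256 with a key of at least 128 bits, together with the truncated PAN and key id a record should carry instead of the PAN. The test PAN is a published test number, and the key bytes and key id are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values. 4111111111111111 is a widely published Visa *test*
# number, not a real account; the key is a fixed test key so results are repeatable.
TEST_PAN = "4111111111111111"
HMAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
KEY_ID = "pan-hmac-key-v1"  # hypothetical identifier of the key held in an HSM/KMS

MIN_KEY_BITS = 128  # the guide: effective cryptographic strength of at least 128 bits


def unkeyed_pan_hash(pan: str) -> str:
    """The approach the guide says is no longer acceptable: a plain hash over the
    PAN. Anyone can recompute it from a candidate PAN, so it depends on no secret."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN. Without the key the digest cannot be recomputed
    or matched, which is what makes it a keyed cryptographic hash."""
    if len(key) * 8 < MIN_KEY_BITS:
        raise ValueError(f"HMAC key must be at least {MIN_KEY_BITS} bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_pan_reference(pan: str, key: bytes, key_id: str) -> dict:
    """What a record should keep instead of the PAN: the truncated PAN for display
    (first six, last four), the keyed hash for matching, and which key produced it
    so the key can be rotated later."""
    return {
        "pan_truncated": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_hmac": keyed_pan_hash(pan, key),
        "key_id": key_id,
    }


def pan_matches(record: dict, candidate_pan: str, key: bytes) -> bool:
    """Check a presented PAN against a stored record. compare_digest keeps the
    comparison constant-time so a match does not leak through timing."""
    return hmac.compare_digest(record["pan_hmac"], keyed_pan_hash(candidate_pan, key))


def generate_hmac_key(bits: int = 256) -> bytes:
    """Fresh random key; 256 bits leaves headroom over the 128-bit minimum."""
    if bits < MIN_KEY_BITS:
        raise ValueError(f"key must be at least {MIN_KEY_BITS} bits")
    return secrets.token_bytes(b// 8) if False else secrets.token_bytes(bits // 8)
```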

8.4.2 (March 31, 2025)

Multi-factor authentication will be required for all access to the CDE, not just from external locations. So this would apply to internal administrative access to servers, firewalls, networking gear, etc.

8.5.1 (March 31, 2025)

PCI DSS 4.0 adds a new detail to MFA requirements that might be a bit tricky. Success of all the factors has to happen before authentication, and it can’t be known from the process which factor has failed.

Presently, most systems ask for a username and password (i.e., something you know) and only move on to the second factor if you have the correct username/password. This will no longer be allowed.

Both factors will have to be presented and entered without revealing any information about which factor might have been wrong if authentication fails.

8.6.2 (March 31, 2025)

All application and system passwords that could be used for interactive login have additional approval and tracking controls on their use, and can no longer reside in a script or a file.

Requirement 9

There were no significant changes.

Requirement 10

10.4.1.1 (March 31, 2025)

Organizations can no longer review their logs manually.

Few, if any, companies are manually reviewing logs anymore as it’s just too much data to effectively review manually. There are many log review tools out there so it shouldn’t be difficult to implement a solution. Manual review of logs is time-consuming and easy to do poorly, so this is a good change.

10.7.2 (March 31, 2025)

All organizations must now detect, alert, and promptly address failures of critical security control systems. This used to be only required for service providers, but has now been extended to everyone.

This means that if you had a firewall or IDS system that went down for some reason, you would have to detect it, generate an alert, and respond to that alert. This update will require additional procedures for merchants to implement. We recommend that you start now to look for solutions.

Requirement 11

11.3.1.2 (March 31, 2025)

Internal vulnerability scanning must now be authenticated. This means that it’s not just a scan of ports and services; now, if a service is exposed that requires a credential to access it (e.g., a web app), you need to use those credentials to gain access and test the authenticated port or service.

An important part of this new requirement will be that the credentials used by the vulnerability assessment (VA) scanner must be entered into the system and stored securely. This will have to be a feature of the VA scanning solution and should be something you check with your vendor carefully on.

11.5.1.1 (March 31, 2025)

Another requirement change was on IDS/IPS, so that systems detect and alert on any covert malware communication channels that are being used (i.e., DNS tunneling). This may represent a change to the IDS/IPS system that you are currently using.

11.6.1 (March 31, 2025)

One of the biggest things in section eleven was the addition of a requirement to implement a change and tamper detection mechanism for any payment pages. This requirement addition is a direct result of the increase in ecommerce skimming compromises seen on payment pages in recent years.

Before March 31, 2025, companies will have to deploy a solution that will detect changes to those pages (e.g., script additions, changes to known script and code).

This is a great addition to the standard and is absolutely needed for ecommerce websites.

Requirement 12

12.5.2 (Immediately Effective for 4.0 Assessments)

An annual scoping of your card data environment was mentioned in the initial discussion section of previous versions of PCI DSS, but now the Council has moved that into the requirements matrix under section 12 and made it a trackable requirement effective immediately for version 4.0.

So a documented scoping exercise will have to be done by merchants annually, or after any significant changes to the in-scope environment (e.g., people, systems, processes).

12.5.2.1 (March 31, 2025)

New for service providers will be a future dated requirement to perform this scoping exercise at least every six months and after any organizational changes to the company.

12.6.2 (March 31, 2025)

Organizations will need to enforce a more formal Security Awareness Program, where before you could get by with some basic security training.

Organizations will need to document and update their Security Awareness Program at least once every 12 months and as needed to address any new threats and vulnerabilities that may impact the security of their CDE or information provided to personnel about their role in protecting cardholder data.

12.6.3.1 (March 31, 2025)

The standard now expects a security training program to discuss specific threats and vulnerabilities in your environment, as well as acceptable use of end-user technologies.

For example, if phishing is a big deal for your environment, then you need to address phishing in your training. The training program will also need to be reviewed and updated at least annually.

12.10.7 (March 31, 2025)

Incident response procedures will need to be initiated if stored primary account numbers (PAN) are detected anywhere they are not expected. This means that you are always on the watch for new or errant processes creating repositories of stored PAN outside of expected boundaries.

Periodic review of processes dealing with card data and running a good data discovery tool will be needed to fully say you have satisfied this future dated requirement.
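The script inventory (6.4.3) and payment-page change detection (11.6.1) described above, as an added Python example that is not from the guide or from SecurityMetrics: every script element on a checkout page is hashed and compared against an authorized inventory, flagging scripts that are unauthorized, modified or missing. The page HTML, script URLs and script contents are constructed, and fetch() is a stand-in for retrieving a script from its origin.

```python
import hashlib
from html.parser import HTMLParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: content of the scripts the payment page is approved to load,
# as captured at approval time. fetch() below stands in for retrieving them live.
BASELINE_CONTENT = {
    "/static/checkout.js": b"function validateCard(n){return /^\\d{13,19}$/.test(n);}",
    "https://psp.example/js/tokenize.js": b"window.tokenize=function(f){/* PSP SDK */};",
}
INLINE_CONFIG = "window.checkoutConfig = {currency: 'USD'};"


def inline_id(text: str) -> str:
    # Inline scripts have no URL, so they are keyed by content hash; an edited
    # inline script therefore surfaces as one UNAUTHORIZED plus one MISSING.
    return "inline:" + sha256_hex(text.encode("utf-8"))[:12]


# The 6.4.3 inventory: every script, its business justification, approved hash.
AUTHORIZED_INVENTORY = {
    "/static/checkout.js": {
        "justification": "card form validation",
        "sha256": sha256_hex(BASELINE_CONTENT["/static/checkout.js"])},
    "https://psp.example/js/tokenize.js": {
        "justification": "PSP tokenization SDK",
        "sha256": sha256_hex(BASELINE_CONTENT["https://psp.example/js/tokenize.js"])},
    inline_id(INLINE_CONFIG): {
        "justification": "checkout configuration",
        "sha256": sha256_hex(INLINE_CONFIG.encode("utf-8"))},
}


class ScriptExtractor(HTMLParser):
    """Collect (src, inline_text) for every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def observe_page(html: str, fetch) -> dict:
    """{identifier: sha256} for each script the page loads right now; external
    scripts are hashed over the bytes fetch(src) returns."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    observed = {}
    for src, inline in parser.scripts:
        if src:
            observed[src] = sha256_hex(fetch(src))
        elif inline:
            observed[inline_id(inline)] = sha256_hex(inline.encode("utf-8"))
    return observed


def check_page(observed: dict, inventory: dict) -> list:
    """The 11.6.1 comparison: loaded but not approved -> UNAUTHORIZED; approved but
    content changed -> MODIFIED; approved but gone -> MISSING. Each is an alert."""
    findings = []
    for ident, digest in observed.items():
        if ident not in inventory:
            findings.append(("UNAUTHORIZED", ident))
        elif inventory[ident]["sha256"] != digest:
            findings.append(("MODIFIED", ident))
    findings.extend(("MISSING", ident) for ident in inventory if ident not in observed)
    return sorted(findings)


# Constructed pages: the approved checkout page, then the same page after an
# unreviewed edit to checkout.js and a script tag nobody approved.
CLEAN_PAGE = f"""<html><body><form id="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://psp.example/js/tokenize.js"></script>
<script>{INLINE_CONFIG}</script></body></html>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "<script>", '<script src="https://cdn.example.net/stats.js"></script>\n<script>', 1)

TAMPERED_CONTENT = dict(BASELINE_CONTENT)
TAMPERED_CONTENT["/static/checkout.js"] += b"\n// edit that bypassed change control"
TAMPERED_CONTENT["https://cdn.example.net/stats.js"] = b"/* script not in the inventory */"

baseline_fetch = BASELINE_CONTENT.__getitem__  # stand-ins for a real HTTP fetch
tampered_fetch = TAMPERED_CONTENT.__getitem__
```

Run against the live page on a schedule (the guide's point is detection, not a one-off review) and route any non-empty result to the team that owns the payment page.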

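A minimal PAN data-discovery pass of the kind 12.10.7 calls for, as an added Python example (not the guide's or SecurityMetrics' tooling): digit runs of 13 to 19 are Luhn-checked so order numbers and tracking ids drop out, hits are reported truncated (first six, last four), and any hit outside the locations where PAN is expected is what should start incident response. The log lines, file names and expected-location list are constructed; the card numbers are published test numbers.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. The Luhn filter below does the real work.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(digits: str) -> str:
    """First six and last four, which is all a finding should ever show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    pan_truncated: str


def scan_text(source: str, text: str) -> list:
    """Report every Luhn-valid 13-19 digit run in text, by source and line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, truncate(digits)))
    return findings


def scan_sources(sources: dict) -> list:
    return [f for name, text in sources.items() for f in scan_text(name, text)]


def unexpected(findings: list, expected_sources: set) -> list:
    """12.10.7: PAN found anywhere it is not expected is what starts incident
    response. Hits inside the approved storage locations are not alerts."""
    return [f for f in findings if f.source not in expected_sources]


# Constructed sample: an application log that should never contain PAN, and an
# export from the approved PAN store. Card numbers are published test numbers.
SAMPLE_SOURCES = {
    "app/payment.log": (
        "2024-03-31 09:15:02 order=7788123456 status=approved token=tok_8f3a2\n"
        "2024-03-31 09:15:09 DEBUG raw request: card=4111 1111 1111 1111 exp=12/27\n"
        "2024-03-31 09:16:44 shipment tracking 1234567890123456 created\n"
        "2024-03-31 09:17:01 callback pan=5555555555554444 result=ok\n"
    ),
    "vault/export.csv": "id,pan\n1,4111111111111111\n",
}
EXPECTED_PAN_SOURCES = {"vault/export.csv"}  # hypothetical approved PAN location
```

On the sample, the vault export is expected and produces no alert, while the debug line and the callback line in the application log are the two findings that would trigger the incident response procedure.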
TAKEAWAYS

What are the most important things to focus on right now?

First, read the PCI DSS version 4.0 standard and get familiar with the bigger changes that could impact your compliance process.

Then start formulating your plans right now to implement changes for version 4.0. There is plenty of time, so start early and you will not have problems making the transition. During this planning process don’t forget to keep working hard to keep your current efforts going to be compliant to PCI DSS version 3.2.1.

Second, start thinking about how you are conducting your risk assessments. More formal risk assessment processes are required in version 4.0 and most organizations will have to add processes and gain skills to do this correctly. Start researching formal risk assessments and refer to the industry standards out there like NIST 800-30 and OCTAVE to begin getting familiar with them. It may be a good idea to consult with a QSA as you develop these processes.

Finally, don’t wait until 2024 to begin switching over to PCI DSS 4.0. Spread your efforts across the next couple of years and you will be just fine with the new requirements.

Implementing a PCI Compliant Remote Workforce Setup

It is increasingly common for companies to allow employees to work from home. It is important to remember that if cardholder data is processed, transmitted, or stored by employees working from home, their home environment will be part of the organization’s PCI scope.

36 | Guide to PCI DSS Compliance | Introduction | 37


Implementing a PCI Compliant Remote Workforce Setup

THE SCOPE OF THE REMOTE WORK CDE
When scoping a work-from-home implementation where employees will be collecting or processing cardholder data, begin by mapping out the flow of cardholder data.

Questions to answer:

• How is data being received by the employees (e.g., over the phone, fax, Internet communications)?
• Once this data is received, how are employees processing the data?
• What devices and network segments are involved in the transmission of cardholder data?
• Is cardholder data being stored electronically or on paper?
• What type of voice communication channels are involved?
• If cardholder data is received over the phone, are calls being recorded?

Realize that any system involved in the storage, processing, or transmission of cardholder data is in-scope for your environment, as is any system that can affect the security of these devices.

RISK REDUCTION STRATEGIES
If you are unable to extend your CDE network to remote locations, implementing P2PE may be a good option to reduce both the cost of compliance and the risk to your customers’ payment data.

There are a variety of P2PE devices that can be used to input cardholder data. Some of these devices are standalone terminals, while others can be used as a USB connected keypad. Implementing a P2PE endpoint may allow you to keep the employees’ computer and network out of scope for your environment.

EXTENDING THE EXISTING CDE
Many organizations will already have an existing CDE with mature controls designed to protect customer data. When implementing a work-from-home scenario, attempt to leverage the tools and security controls that exist in the corporate environment.

Assume that the employee’s home network and computer are not a secure option for processing payments. You can maintain the security stance of your CDE by extending your CDE network via VPN connectivity and providing company-owned mobile devices that have been hardened and can be managed remotely. Also, keep in mind that split tunneling should be disabled in order to maintain proper network segmentation.

Most enterprise phone deployments have moved to Voice over IP (VoIP). VoIP offers great flexibility that can also be leveraged in a work-from-home scenario. If your CDE includes telephone-order options, send VoIP endpoints home with your employees that will extend your VoIP system over an encrypted connection (such as a VPN).

For more information on protecting voice communications, see the PCI SSC’s guidance on Protecting Telephone-based Payment Card Data.8


Forensic Perspective

INTRODUCTION
SecurityMetrics Payment Card Industry Forensic Investigators (PFIs)* thoroughly analyze the point-of-sale (POS) or ecommerce environments of organizations that suspect a payment card data compromise.

Through a forensic examination of the in-scope computer systems related to the processing of customer payment card information, data acquired from the breach site can reveal when and how the breach occurred, contributing vulnerabilities, and aspects of the IT environment out of compliance with the PCI DSS.

SecurityMetrics Forensic Investigators have witnessed the rise and fall of popular attack trends over 20 consecutive years.

Comparing recent forensic trends to previous years, SecurityMetrics’ Forensic Investigators conducted more investigations of ecommerce environments than of point-of-sale (POS) environments.

The following section will further discuss predicted forensic trends.

*SecurityMetrics PFIs are Qualified Security Assessors, but do not perform a complete QSA audit of each PCI requirement during a PCI forensic investigation. PCI DSS requirement data is analyzed to the extent observed throughout the course of an investigation.


ECOMMERCE SECURITY TRENDS
Findings From SecurityMetrics’ Ecommerce Security Service

SecurityMetrics Shopping Cart Inspect helps businesses detect if their Shopping Cart has been breached.

With the help of Shopping Cart Inspect, SecurityMetrics Forensic Analysts review businesses’ rendered webpage code on their shopping cart URL to collect evidence of a skimming attack.

92.4% of Shopping Cart Inspect reviews identified malicious, suspicious, and/or concerning issues on researched ecommerce sites.

On average, inspected websites had 2.44 issues discovered.

Those issues include the following classifications:

• Malicious: Evidence of card data being stolen. (Highest threat level)
• Suspicious: Identified issues increase the probability of a potential exploit. (Medium threat level)
• Concerning: Unlikely method of being breached, but identified issues could lead to a potential exploit. (Low threat level)

3.7% of issues were malicious.
68.3% of issues were suspicious.
28% of issues were concerning.
TOP 5 MALICIOUS ISSUES FOUND

1. Malicious Double Checkout
Double post of credit card data returning to alternate checkout page on merchant’s server.

2. Malicious Post
A script is running with a post of data to a known bad site.

3. Malicious JavaScript
JavaScript appears to be acting in a malicious manner, such as harvesting credit cards or other sensitive data.

4. Form Jacking
Authorized payment webform is being replaced by a counterfeit.

5. Directory Browsing Enabled
Directory Browsing is enabled on the web pages analyzed.

TOP 5 SUSPICIOUS ISSUES FOUND

1. JavaScript issue
Out-of-date JavaScripts can lead to vulnerabilities available for future malicious attacks.

2. Ads/Business Intelligence
Advertising/Analytics content is being pulled into the pages being reviewed in the checkout environment. This can be a source of intermittent card/data loss due to drive-by malvertising.

3. Out-of-date CMS - Suspicious
Out-of-date web components. Unpatched or un-updated software is a leading cause of sites losing sensitive data.

4. Configuration Issue
Missing required web server security headers.

5. Suspicious double checkout
Double post of credit card data returning merchant’s checkout page on the server. This practice could impact security of the site and should be reviewed for business need.

TOP 5 CONCERNING ISSUES FOUND

1. Configuration Vulnerability
A configuration item with a website or web server is not following best security practices.

2. Checkout Configuration Issue
The implementation of certain aspects of the checkout process may not follow best security practices and could leave merchants vulnerable to certain types of attacks.

3. Mixed HTTP/HTTPS
Content called via HTTP in an HTTPS environment, breaking strict SSL/TLS protocol. In severe cases, this can be exploited by bad actors to view privileged content.

4. HTTP Header Issue
Improperly configured HTTP headers can provide attackers with specific information about your web server setup, such as vulnerable software versions.

5. SPAM Watch
A domain has been flagged by the SPAM community, which could be using the email server to transmit malicious communications by bad actors.
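The version 4.0 change-and-tamper detection requirement for payment pages (noted in the 4.0 summary earlier) and the evidence a Shopping Cart Inspect review looks for in rendered page code (scripts posting elsewhere, double checkouts, counterfeit forms, mixed content) come down to the same question: what is this checkout page supposed to load, and where is its form supposed to post? The script below is an added example, not SecurityMetrics or Shopping Cart Inspect code. It records a baseline from a reviewed copy of the page and reports what has changed in a later rendering. The sample pages and the example.invalid hostnames are constructed for the example.

```python
"""Payment page change-and-tamper detection by baselining script and form targets.

Added example (not SecurityMetrics or Shopping Cart Inspect code). A reviewed
copy of the checkout page is turned into a baseline of permitted external
scripts, inline script hashes and form post targets; later renderings are
diffed against it. Sample pages and hostnames below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageElements(HTMLParser):
    """Collect external script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.form_actions = [], [], []
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._inline = []
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.inline_scripts.append("".join(self._inline).strip())
            self._inline = None


def parse(html):
    p = PageElements()
    p.feed(html)
    return p


def host_of(url, page_host):
    """Host a URL resolves to; relative URLs stay on the page's own host."""
    return urlparse(url).netloc.lower() or page_host


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def build_baseline(html, page_url):
    """Snapshot the approved page (run on a copy that has been reviewed)."""
    p, page_host = parse(html), urlparse(page_url).netloc.lower()
    return {
        "page_host": page_host,
        "script_srcs": set(p.script_srcs),
        "inline_hashes": {sha256(s) for s in p.inline_scripts},
        "form_hosts": {host_of(a, page_host) for a in p.form_actions},
    }


def check_page(html, baseline):
    """Diff a freshly rendered page against the baseline; return findings."""
    p, findings = parse(html), []
    for src in p.script_srcs:
        if src not in baseline["script_srcs"]:
            findings.append(("NEW_SCRIPT_SRC", src))        # unreviewed script
        if src.lower().startswith("http://"):
            findings.append(("MIXED_CONTENT", src))         # plain HTTP on a TLS page
    for body in p.inline_scripts:
        if sha256(body) not in baseline["inline_hashes"]:
            findings.append(("INLINE_SCRIPT_CHANGED", sha256(body)[:12]))
    for action in p.form_actions:
        if host_of(action, baseline["page_host"]) not in baseline["form_hosts"]:
            findings.append(("FORM_POSTS_ELSEWHERE", action))  # double checkout / form jacking
    return findings


# Constructed sample: the reviewed checkout page and a later, altered rendering.
APPROVED_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script>initCheckout();</script>
<form id="pay" action="/checkout/submit" method="post"></form>
</body></html>"""

ALTERED_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.invalid/stats.js"></script>
<script>initCheckout(); collectFields();</script>
<form id="pay" action="https://collect.example.invalid/submit" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    base = build_baseline(APPROVED_PAGE, "https://shop.example/checkout")
    for kind, detail in check_page(ALTERED_PAGE, base):
        print(f"{kind}: {detail}")
```

The baseline must be rebuilt whenever an authorized change ships, and the comparison has to run against the page as the browser renders it (scripts added at runtime do not appear in the static HTML), which is why the review works from rendered page code rather than the source on the server.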


Forensic Predictions

PREDICTION 1: INCREASED PHISHING SOPHISTICATION
Last year, a major company was breached about every week, let alone the numerous cases of small businesses falling for phishing. Some of these breaches even came from teenagers tricking these large organizations by utilizing sophisticated phishing attacks.

For example, one recent phishing example we’ve seen become more relevant is phishing emails sending requests through electronic signature tools. Once you click on what you believe is a form to fill out or sign, you are taken to a blank image. That blank image has malware embedded into it, enabling malicious attackers to gain control of the network.

Even if these applications make changes to stop these attack vectors, bad actors will pivot and try other methods to send out phishing emails, such as utilizing AI technology to help craft phishing emails.

Another example is of bad guys targeting call centers, where they impersonate a customer trying to set up an account and after being unsuccessful send a screenshot to a support agent, only for the screenshot to contain malware that gets uploaded to the support agent’s computer and the corporate network.

Another trend that’s increased is SMS phishing or smishing. This is where your text messages are being used against you, with attackers trying to get access to automatic two-factor authentication codes that come up in text messages. But if your phone has been compromised via one of these previous methods, attackers will be able to access the code before you do.

PREDICTION 2: MOBILE ATTACK SURFACE INCREASES
Mobile attack surfaces will continue to increase. There are a plethora of phone apps, from banking apps to retail apps to social apps, all of which are capable of web view capability. If an attacker can launch and hijack the JavaScript, they can instigate a number of attacks. For instance, if it pulls up a URL, they can conduct overlay attacks, where they mimic your bank’s login portal or create a form that goes right over the top of your website’s checkout form, allowing them to steal your customers’ sensitive information.

Much of this issue is the attack surface itself, where you have all of these apps but then don’t have a method to filter or detect spam that is either turned on or natively enabled.

You also have incoming messages being displayed regardless of the content on the mobile phones.

You need to focus on cybersecurity due diligence and your user security awareness because even with all the technical controls in place, these phones can be an easy gateway into your business security. Previously, these mobile browsers were put in a sandbox, with it being difficult for third party coding to be injected into these sandboxed apps.

But now with web view, these attackers will continue to target the web view browser.

We recommend that if you don’t need an app on your phone, get rid of it. If you do keep an app on your phone, you need to update it regularly.

PREDICTION 3: DEV ENVIRONMENT RISK
Many recent breaches have actually come from the development environment. This is because developers are looking for ways to speed up production, testing, and deployment, looking for more methods to automate code. Developers are likely dealing with increased pressure to launch new products to the market as fast as possible. Often this speed comes at a cost of security.

Cyber hygiene and a robust security posture have never been more important. The dev attack surface is only going to grow, and bad guys are starting to figure this out. Recently, we’ve seen attackers looking for backdoors that will allow them access to the dev environment.

Beyond backdoor vulnerabilities and active former DevOps accounts and credentials, third parties or contractors open up security vulnerabilities to organizations. For example, impersonation attacks that compromise dev tools and code libraries will continue to be a huge security issue, such as with clipper malware, which hijacks a user’s clipboard data.


PCI DSS Requirements

SECTION CONTENTS
Requirement 1 ......... 47
Requirement 2 ......... 54
Requirement 3 ......... 59
Requirement 4 ......... 65
Requirement 5 ......... 69
Requirement 6 ......... 72
Requirement 7 ......... 77
Requirement 8 ......... 80
Requirement 9 ......... 87
Requirement 10 ........ 94
Requirement 11 ........ 98
Requirement 12 ....... 108


Requirement 1
Install and Maintain Network Security Controls

Network firewalls are vital for your security. A firewall’s purpose is to control network traffic into and out of your environment. Simply installing a firewall on your organization’s network perimeter doesn’t make you secure; it must be configured properly.

PERIMETER FIREWALLS

A properly configured business-grade perimeter firewall acts as the first line of defense and blocks unwanted network access. While these are often physical devices, they can be offered as services in cloud environments, where they are often referred to as network security groups.

A firewall is typically installed at the perimeter of an organization’s network to protect internal networks from untrusted networks, such as the Internet, often by restricting the types of network traffic permitted into the organization’s network and the locations from where the traffic originates. Hardware firewalls can also be used inside an environment to create isolated network segments. Higher security internal network segments are created to limit access to sensitive data from less secure networks.

PCI DSS requires a firewall between any systems that store sensitive data and any systems on your network that can be accessed from the Internet (generally known as the DMZ).

PERIMETER FIREWALL PROS
• Most robust security option
• Protects an entire network
• Can segment internal parts of a network

PERIMETER FIREWALL CONS
• Rules need to be carefully documented
• Difficult to configure properly
• Needs to be maintained and reviewed regularly


PERSONAL FIREWALLS

Many personal computers come with pre-installed software firewalls. This feature must be enabled and configured for any laptop computers that commonly connect to sensitive data networks and are also used to connect to the Internet when outside the network.

Personal firewalls protect the system they are on, while perimeter firewalls protect entire networks. A personal firewall can be configured to permit more or less network traffic, depending on the network to which it is attached. For example, it might allow more types of network traffic when the machine is on the company network, but limit it when on public Wi-Fi.

PERSONAL FIREWALLS PROS
• Protects mobile workers when outside the corporate network
• Easier to maintain and control
• Inexpensive

PERSONAL FIREWALLS CONS
• Should not replace hardware firewalls for network segmentation
• Doesn’t protect an entire network
• Fewer security options

PROPERLY CONFIGURE FIREWALLS

A common mistake regarding firewalls is assuming they are a plug-and-play technology. After initial installation, additional effort is almost always necessary to restrict access and protect the CDE.

The end goal of firewall implementation is to prevent potentially harmful traffic from the Internet and other untrusted networks from accessing valuable confidential data, and to prevent data from being exfiltrated by malicious actors. In ecommerce applications, a firewall should be used to limit traffic to essential services needed for a functioning CDE. By identifying sensitive systems and isolating them through the proper use of firewalls (e.g., network segmentation), merchants can more precisely control what type of access is allowed in and out of these zones, and more easily protect payment data.

In a data breach investigation conducted by SecurityMetrics Forensic Investigators, an organization had a sophisticated security and IT system. However, amongst 300 pages of firewall rules (with about 100 rules on every page), two incorrectly written firewall rules left the entire network exposed. It was through this vulnerability that the attacker accessed their network and stole sensitive data.

FIREWALL CONFIGURATION BEST PRACTICES

1. Create Firewall Configuration Standards: Before implementing firewall settings and rules on the hardware, carefully document settings and procedures such as hardware security settings, port/service rules needed for business, and business justification for each rule. Make sure you consider both inbound and outbound traffic.

2. Trust But Verify: After implementing firewall rules/settings, test the firewall from both external and internal perspectives to confirm settings are correct using penetration test, vulnerability scans, and other automated and manual tools and techniques.

3. Limit Outbound Traffic: Often, we worry too much about blocking inbound ports/services and forget that outbound traffic from inside the network should be limited as well. This limits malicious actors’ paths for exfiltrating data.

4. Personal Firewalls: Configure personal firewalls on mobile computing platforms to limit riskier types of network traffic when on unsecured networks.

5. Management: Manage the firewall itself from within your network. Disable external management services unless they’re part of a secure managed firewall infrastructure.


NETWORK SEGMENTATION

Merchants often set up flat networks, meaning everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that’s it. There’s no internal segmentation, making it a flat network.

Flat networks make security difficult because if an attacker gets inside, they have access to everything.

Initial intrusion in many recently investigated data breaches began in areas of an organization’s network that shouldn’t have given the attacker access to the CDE. For example, since the organization’s network was configured as a flat network, it was not difficult for the attacker(s) to migrate from the point of entry (e.g., employee laptop, workstation) to the CDE or other sensitive systems.

Firewalls can be used to segment an organization’s network. When businesses create a secure payment zone, firewalled off from the rest of the day-to-day business traffic, they can better ensure their CDE only communicates with known and trusted sources. This limits the size of the CDE and potentially lowers your PCI scope.

For example, install and configure a multi-interface firewall at the edge of your network. From there, create one interface on the firewall dedicated just to the systems that store, process, and transmit cardholder data. If that interface doesn’t allow any other traffic in or out of any out-of-scope zones, this is proper network segmentation.

Segmentation is not required for you to be compliant with PCI DSS. However, if you’re looking for a way to reduce cost, effort, and time, you may want to consider segmentation.

Segmentation can be tricky, especially for those without a technical security background. Consider having a security professional double-check your segmentation work by performing regular, third-party segmentation checks.

[Figure: Segmented Network Example. The Internet connects through a firewall to four VLANs: VLAN 1 (Portal, Web Application), VLAN 2 (Database, Database Cluster), VLAN 3 (SMTP, Email Server Cluster), and VLAN 4 (Workstations, Workstation Cluster).]

TEST AND MONITOR CONFIGURATION

Rules and environments change over time, no matter the size of your organization. Firewall rules should be reviewed (and revised when necessary) over the course of a few months, whenever your environment undergoes a significant change, and at least every six months.


TIPS FROM AN AUDITOR
Requirement 1: Establish Secure Firewall Rules

“Firewalls are a first line of defense, so pay special attention to the logs and alerts firewalls generate.”

JEN STONE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA | CCSFP | CHQP

It’s best to start by having a block everything mentality, and then add exceptions as needed. PCI DSS requires you to document a valid business justification for any communication allowed to or from the CDE. Spend the time to identify the specific source and destination addresses your systems need to communicate with for a given service or protocol. Don’t just allow all access to the Internet because it’s easier. Along the same lines, if you or any third parties remotely support your environment, limit that inbound access to specific sources and protocols.

Often, the volume of log data can be overwhelming, so some merchants turn logging off or send alert messages directly to the junk bin. It’s important (and required) to review firewall logs daily to identify patterns and activity that indicate attempts to breach security. There are many good software packages available to help you deal with the volume of log data and automate alerts, or you may choose to engage the help of a service provider.

For requirement 1, remember the following:

• Start with a “block everything” mentality, only opening up what is necessary.
• Pay attention to what logs tell you.
• Review firewall configurations frequently and adjust as necessary.

NOTES

Large environments typically have firewalls in place, but they might not be business-grade. Make sure to choose firewalls that support the necessary configuration options to protect critical systems and provide segmentation between the CDE and other internal and external networks specific to your organization.

Smaller organizations sometimes struggle to understand firewalls, not having the necessary in-house expertise to configure and manage them correctly and securely. If this is the case, contract a PCI-validated third-party service provider to provide assistance, rather than simply deploying a firewall’s default configuration and hoping for the best.

It may seem obvious, but leave as few holes as possible in your firewall.

REQUIREMENT 1 IT CHECKLIST
Firewall Implementation And Review

Assigned to: ___________________________________________________
Assignment date: ______________________________________________

Things You Will Need To Have:

• Firewall(s)
• “Deny All” rule for all other inbound and outbound traffic
• Stateful inspection/dynamic packet filtering
• Documented business justification for each port or protocol allowed through the firewall

Things You Will Need To Do:

• Limit traffic into the CDE to that which is necessary
• Position firewall(s) to prohibit direct inbound and outbound traffic from the CDE
• Create secure zone(s) for any card data storage, which must be separate from DMZ
• Explicitly authorize outbound connections from the CDE
• Document all firewall policies and procedures
• Review firewall logs daily for potential breach activity

Things You May Need To Do:

• Install a firewall between wireless networks and the CDE (wireless only)
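The firewall best practices, the segmentation example and the Requirement 1 checklist above all describe properties a rule set should have (a closing deny-all, a documented justification per allow rule, no direct path from the Internet to the CDE, explicitly authorized outbound, management only from inside). The script below is an added example, not SecurityMetrics code: it reviews a rule set for those properties and evaluates a single flow the way a first-match firewall would, which doubles as a quick segmentation check. The zone model and both sample rule sets are constructed for the example.

```python
"""Firewall rule review against the Requirement 1 checklist.

Added example (not SecurityMetrics code). Rules use a simplified zone model
(internet, dmz, cde, corp, firewall) with first-match evaluation; the two
rule sets at the bottom are constructed to show a weak and a hardened set.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str                 # source zone or "any"
    dst: str                 # destination zone or "any"
    proto: str               # "tcp", "udp" or "any"
    port: str                # destination port as a string, or "any"
    action: str              # "allow" or "deny"
    justification: str = ""  # documented business reason (required for allows)


def matches(rule, src, dst, proto, port):
    fields = ((rule.src, src), (rule.dst, dst), (rule.proto, proto), (rule.port, port))
    return all(r == ANY or r == v for r, v in fields)


def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched is denied (implicit deny)."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"


def is_deny_all(rule):
    return rule.action == "deny" and (rule.src, rule.dst, rule.proto, rule.port) == (ANY,) * 4


def review(rules, cde_zone="cde", untrusted=("internet",)):
    """Return (finding, detail) pairs for rules that break the checklist."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append(("NO_EXPLICIT_DENY_ALL", "rule set must end with a deny-all rule"))
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        tag = f"rule {i}: {r.src}->{r.dst} {r.proto}/{r.port}"
        if not r.justification.strip():
            findings.append(("MISSING_JUSTIFICATION", tag))
        if r.src in untrusted and r.dst in (cde_zone, ANY):
            findings.append(("UNTRUSTED_TO_CDE", tag))        # CDE must sit behind the DMZ
        if r.dst == cde_zone and (r.src == ANY or r.port == ANY):
            findings.append(("OVERLY_BROAD_INBOUND", tag))    # limit CDE traffic to what is necessary
        if r.src == cde_zone and r.dst in (ANY, *untrusted) and r.port == ANY:
            findings.append(("UNRESTRICTED_OUTBOUND", tag))   # outbound must be explicitly authorized
        if r.src in untrusted and r.dst == "firewall":
            findings.append(("EXTERNAL_MANAGEMENT", tag))     # manage the firewall from inside
    return findings


# Constructed sample rule sets.
WEAK_RULES = [
    Rule("internet", "dmz", "tcp", "443", "allow", "Storefront"),
    Rule("internet", "cde", "tcp", "3389", "allow"),
    Rule(ANY, "cde", "tcp", ANY, "allow", "Vendor support"),
    Rule("cde", ANY, ANY, ANY, "allow", "Updates"),
    Rule("internet", "firewall", "tcp", "443", "allow", "Remote admin"),
]

HARDENED_RULES = [
    Rule("internet", "dmz", "tcp", "443", "allow", "Customers reach the web storefront"),
    Rule("dmz", "cde", "tcp", "8443", "allow", "Web tier calls the payment API"),
    Rule("cde", "internet", "tcp", "443", "allow", "Authorization requests to the payment processor"),
    Rule("corp", "firewall", "tcp", "22", "allow", "Administration from the internal jump host"),
    Rule(ANY, ANY, ANY, ANY, "deny", "Default deny for all other traffic"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, review(rules) or "no findings")
        # Segmentation check: can a corporate workstation reach a CDE host directly?
        print("  corp -> cde tcp/445:", evaluate(rules, "corp", "cde", "tcp", "445"))
```

Running the segmentation check for every out-of-scope zone against the CDE zone is the review-side counterpart of the third-party segmentation test the section recommends; a real rule base with hundreds of pages (as in the breach described above) is exactly where a mechanical check like this pays off.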


Requirement 2
Apply Secure Configurations to All System Components

DEFAULT PASSWORD WEAKNESSES

Out-of-the-box devices, such as routers or POS systems, often come with factory settings like default usernames and passwords. Defaults make device installation and support easier, but they also mean every model originates with the same username and password. Default passwords are easy to guess, and many are published online.

Businesses are often unaware that default settings are used in their environment, due to third-party installation.

In one SecurityMetrics forensic investigation, it was discovered that a third-party IT vendor purposely left POS system default passwords in place to facilitate easier future system maintenance. Default passwords might make it easier for IT vendors to support a system without learning new passwords each time, but convenience is never a valid reason to forego security, nor will it reduce liability.

When defaults aren’t changed, it provides attackers an easy gateway into a system, which is why changing vendor defaults on every system with exposure to your CDE is so vital.

Passwords must be changed every 90 days and contain at least seven characters, including numbers and letters.

Passwords that fall short of these criteria can usually be broken in a short time using readily available password-cracking tools.

SYSTEM HARDENING

Any system used in your CDE needs to be hardened before it goes into production. Every application, service, driver, feature, and setting installed on a system may introduce vulnerabilities. The goal of hardening a system is to remove unnecessary functionality and configure what is left in a secure manner.

Here are some recommended resources for system hardening:

• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards and Technology (NIST)

SYSTEM CONFIGURATION MANAGEMENT

Consistency is key when trying to maintain a secure environment. Once system hardening standards and settings have been defined and documented, it is critical that they are applied to all systems in the environment in a consistent manner. Once each system and device in the environment has been appropriately configured, you still have work to do.

Make sure someone is responsible for keeping the inventory current and based on what is actually in use. This way, applications and systems that are not approved for use in the CDE can be discovered and addressed.

Many organizations, especially larger ones, turn to one of the many system management software packages on the market to assist in gathering and maintaining this inventory. These applications can scan and report on hardware and software used in a network and also detect when new devices are brought online. These tools are often able to enforce configuration and hardening options, alerting administrators when a system isn’t compliant with your internal standard, or even re-applying standard configurations when changes are detected.


TIPS FROM AN AUDITOR
Requirement 2: System Configuration

JEN STONE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA | CCSFP | CHQP

You are required to use industry-accepted configuration and hardening standards when setting up systems that are part of your PCI scope.

Configuration and hardening requirements apply to all computer systems, network devices, and applications used to process or secure cardholder data. This may include things like web servers, database software, firewalls, point-of-sale systems, or workstations used to process credit card transactions.

Examples of system hardening practices include:

• Disabling services and features you don’t use
• Uninstalling applications you don’t need
• Limiting servers to perform a single role
• Removing or disabling default accounts
• Changing default passwords
• Configuring other security settings

Permitting anything unnecessary to remain on a system could introduce vulnerabilities and open you up to additional risk.

NOTES

Often, organizations get overwhelmed trying to understand how and where to begin implementing system configuration standards, especially in an environment that has expanded and changed over time.

The first step in securing your environment to meet PCI standards is to understand where credit card data is stored, processed, and transmitted. Begin by documenting the flow of cardholder data through your environment, making a list of each system, device, and application it touches along the way. Next, look at the systems and applications that, while not directly touching the data, can affect the security of those that do. Add this information to your documentation.

The key to effective system configuration and hardening is consistency. Once you have identified the systems and applications that need attention and documented a standard that meets your environment’s requirements, make sure processes are in place to follow this standard as time goes on. Keep your standard and process up to date as your business changes and as you discover new threats and vulnerabilities.

Automated tools can simplify the task of enforcing configuration standards, allowing administrators to quickly discover systems that are out of compliance.

REQUIREMENT 2 IT CHECKLIST
Configuration Standards

Assigned to: ___________________________________________________
Assignment date: ______________________________________________

Things You Will Need To Have:

• A secure way to access and manage systems in your environment
• An inventory of all hardware and software used in your CDE
• Documented configuration standards for all types of systems in your CDE
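The hardening practices listed above (single role per server, no unneeded services, no default accounts, changed default passwords) only hold over time if something compares each system against the documented standard, which is what the section says automated tools are for. The script below is an added example, not SecurityMetrics code or any particular configuration-management product: it audits a snapshot of a host against a written standard and applies the password rule the requirement text gives (at least seven characters, letters and numbers, changed every 90 days). The standard, the default-account names and the two host snapshots are constructed for the example.

```python
"""Checking system snapshots against a documented configuration standard.

Added example (not SecurityMetrics code). The standard, the forbidden
default-account names and the two host snapshots are constructed for the
example; the password rule follows the guide's minimum (seven characters,
letters and numbers, changed every 90 days).
"""
import re
from dataclasses import dataclass, field

# Documented hardening standard, one entry per server role (constructed).
STANDARD = {
    "web": {"services": {"nginx", "sshd", "chronyd"},
            "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
    "db":  {"services": {"postgres", "sshd", "chronyd"},
            "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
}
# Vendor-supplied account names that must be removed or disabled (constructed).
DEFAULT_ACCOUNTS = {"guest", "admin", "support", "vendor"}
PASSWORD_MIN_LENGTH = 7
PASSWORD_MAX_AGE_DAYS = 90


def password_meets_policy(password):
    """At least seven characters including both letters and numbers."""
    return (len(password) >= PASSWORD_MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


@dataclass
class Account:
    name: str
    password_age_days: int
    vendor_default: bool = False   # shipped with the device or software


@dataclass
class SystemSnapshot:
    hostname: str
    roles: list                    # functions this server performs
    services: set                  # services found running
    settings: dict                 # e.g. sshd_config values
    accounts: list = field(default_factory=list)


def audit(snapshot):
    """Return (finding, detail) pairs where the snapshot departs from STANDARD."""
    findings = []
    if len(snapshot.roles) != 1:                      # one primary function per server
        findings.append(("MULTIPLE_ROLES", ",".join(snapshot.roles)))
    allowed, required = set(), {}
    for role in snapshot.roles:
        std = STANDARD.get(role)
        if std is None:
            findings.append(("NO_STANDARD_FOR_ROLE", role))
            continue
        allowed |= std["services"]
        required.update(std["settings"])
    for svc in sorted(snapshot.services - allowed):   # anything not on the standard
        findings.append(("UNAPPROVED_SERVICE", svc))
    for key, want in required.items():
        got = snapshot.settings.get(key)
        if got != want:
            findings.append(("SETTING_MISMATCH", f"{key}={got!r}, standard requires {want!r}"))
    for acct in snapshot.accounts:
        if acct.vendor_default or acct.name in DEFAULT_ACCOUNTS:
            findings.append(("DEFAULT_ACCOUNT_PRESENT", acct.name))
        if acct.password_age_days > PASSWORD_MAX_AGE_DAYS:
            findings.append(("PASSWORD_TOO_OLD", f"{acct.name} ({acct.password_age_days} days)"))
    return findings


# Constructed snapshots: one drifted web server and one that follows the standard.
DRIFTED = SystemSnapshot(
    "web01", ["web", "db"], {"nginx", "sshd", "chronyd", "telnetd", "postgres"},
    {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    [Account("deploy", 30), Account("admin", 400, vendor_default=True), Account("guest", 10)],
)
COMPLIANT = SystemSnapshot(
    "web02", ["web"], {"nginx", "sshd", "chronyd"},
    {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    [Account("deploy", 30)],
)

if __name__ == "__main__":
    for snap in (DRIFTED, COMPLIANT):
        print(snap.hostname, audit(snap) or "compliant")
```

The snapshot would normally be gathered by the inventory tooling the section describes; the point of keeping the standard as data is that the same audit runs unchanged when a new role is added or a setting is tightened.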


Requirement 2 IT Checklist

Things You Will Need To Do:

• Assign system administrator and knowledgeable personnel the responsibility of configuring system components.
• Implement a system hardening guide covering all components of your CDE.
• Disable and uninstall any unnecessary programs, services, guest accounts, scripts, drivers, features, subsystems, file systems, and web servers. Document which services and programs are allowed.
• Change vendor-supplied default usernames and passwords. Remove or disable unnecessary default accounts before installing a system on the network (e.g., operating systems, security software, POS terminals, routers, firewalls, SNMP).
• Document security policies and operation procedures for managing vendor defaults and other security settings. Inventory all systems within scope of the payment application environment and keep inventory up to date.

Things You May Need To Do:

• Use technologies, such as VPN, for web-based management and other non-console administrative access. Ensure all traffic is encrypted according to current standards.
• If wireless Internet is enabled in your CDE, change wireless default settings including encryption keys, passwords, and SNMP community strings.
• Enable only one primary function per server (e.g., logging server, web server, DNS).


Requirement 3
Protect Stored Account Data

ENCRYPT CARDHOLDER DATA

According to requirement 3, stored card data must be encrypted using industry-accepted algorithms (e.g., AES-256). The problem is many organizations unknowingly store unencrypted primary account numbers (PAN), which typically happens because of misconfigured software.

Not only must card data be encrypted, but the encryption keys must also be protected. Not protecting the encryption key location using a solid PCI DSS encryption key management process is like storing your house key in your front door lock.

Assign the responsibility of keeping unencrypted card data off your systems to an individual or team. Have this person or team define, document, and follow a process of periodic data discovery cycles to recheck and ensure systems remain clean of unencrypted card data.

KNOW WHERE ALL CARDHOLDER DATA RESIDES

An essential part of eliminating stored card data is using a valid card data discovery tool and methodology. These tools help identify the location of an unencrypted PAN, so you can securely delete or encrypt it. They also help identify which processes or flows might need to be fixed.

Remember, payment card data can easily leak due to poor processes or misconfigured software. Start by looking where you think the data is, and then look where it shouldn’t be.

You should create and document a current cardholder flow diagram for all card data flows in your organization. A cardholder data (CHD) flow diagram is a graphical representation of how card data moves through an organization. As you define your environment, it is important to ask all organizations and departments if they receive cardholder information, and define how their answers may change CHD flows.


To accurately craft your CHD flow diagram, ask yourself:

• What device(s) am I using for transactions? A virtual terminal? POS system?
• What happens to the card data after a transaction?
• When is data encrypted? Is it even encrypted at all?
• Do I store card data before it’s sent to the processor for approval?
• How does settlement occur? Does settlement occur real time or at the end of the day?
• How is data authorized and returned by the processor?
• Is card data backed up on my system? Are backups encrypted? Is the backup server at a different data location?
• Where might card data be going or moved in processes not part of authorization and settlement?

Below is a table which describes which CHD elements can and cannot be stored, as well as when encryption is required:

CHD ELEMENT                          STORAGE ALLOWED   ENCRYPTION REQUIRED
Cardholder Data
  Primary account number (PAN)       Yes               Yes
  Cardholder name                    Yes               No
  Service code                       Yes               No
  Expiration date                    Yes               No
Sensitive Authentication Data
  Full track data                    No                Not allowed to store
  CAV2/CVC2/CVV2/CID                 No                Not allowed to store
  PIN/PIN block                      No                Not allowed to store

2023 PANSCAN® DATA ANALYSIS

+3.7 Million Primary Account Numbers found

Storage of unencrypted payment card data increases an organization’s risk and liability in the event of a data breach.

Since 2010, SecurityMetrics PANscan® has discovered over 3 billion unencrypted PANs on business networks. In 2022, users scanned over 2,400 computers and 296.75 TBs.⁹ Here are key statistics:

• 86% of PANscan® users discovered unencrypted PAN data
• 5% stored track data (i.e., data inside magnetic stripe)
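As an added example (not part of the SecurityMetrics guide), here is the core of a PAN discovery check of the kind the section describes: it finds 13- to 19-digit candidates in text, uses the Luhn check to drop most false positives, and reports only masked values so the scan output does not itself become unencrypted PAN storage. The sample text and the card numbers in it are constructed test values.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits (rules out most IDs and timestamps).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    offset: int   # character offset of the match in the scanned text
    masked: str   # PAN with everything but the last four digits replaced by '*'
    length: int   # number of digits in the PAN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the last four digits, so the scan report never holds a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[Finding]:
    """Return masked findings for every Luhn-valid 13-19 digit number in `text`."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(set(digits)) == 1:
            continue  # e.g. 0000000000000000 passes Luhn but is not a real PAN
        if luhn_valid(digits):
            findings.append(Finding(m.start(), mask_pan(digits), len(digits)))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan one text file (logs, exports, spreadsheets saved as CSV) for unencrypted PAN."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pans(fh.read())


if __name__ == "__main__":
    # Constructed sample: one valid Visa test number with spaces, one Luhn-invalid
    # lookalike, a phone number and a valid Mastercard test number with dashes.
    sample = ("order 42: card 4111 1111 1111 1111 exp 12/27; phone 801-555-1234; "
              "ref 4111111111111112; mc 5555-5555-5555-4444")
    for f in find_pans(sample):
        print(f"offset {f.offset}: {f.masked} ({f.length} digits)")
```

A real discovery run would point `scan_file` at every file store in and around the CDE and feed the findings to the person or team assigned to clean them up.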
TIPS FROM AN AUDITOR

Requirement 3: Protect Cardholder Data

BEN CHRISTENSEN, SecurityMetrics Senior Security Analyst, CISSP | CISA | QSA

Don’t keep any data you don’t need. If you only need the last four numbers of PAN, get rid of the rest! For each element of cardholder data, ask yourself if you really need it or if it is just nice to have. I have found that some companies have a lot of data they really don’t need and never ask if the business needs it. The more data you keep, the higher the risk.

IT should work closely with all business groups to decide what data the company needs, where to store it, and for how long. Data retention policies are key to ensuring that your data has the appropriate controls. Periodic assessments of data retention and data mappings should be performed. Data requirements might change over time, so check often.

It is important to know what data you actually store, process, and/or transmit. If you don’t know what you have, it is difficult to implement the correct controls around it. Data flow mapping helps you understand the data coming into and out of your organization. Create data flow diagrams for your entire organization (on all information you deem sensitive), not just for your CDE environments. You might miss something if you only focus on the CDE and CHD.

In addition, use automated tools that can help you search for and find unencrypted CHD. You will be surprised by what you find outside of your CDE. Run these tools often to ensure data is where it should be.

PCI DSS v4.0 Considerations for Requirement 3

As noted above in the PCI DSS v.4.0 summary, Requirement 3 has a lot of changes. Make sure you understand what elements of cardholder data you are storing and what that means for 4.0. There are some changes to the encryption requirements in 2025. These changes could take a lot of effort, so start now.

Also, review your algorithms and hashing functions as those may be impacted when moving to PCI DSS v.4.0.

REQUIREMENT 3 IT CHECKLIST: Securing Cardholder Data

Assigned to:___________________________________________________
Assignment date:______________________________________________

Things You Will Need To Have:

• A documented data retention policy
• A data flow diagram
• A data discovery tool



Things You Will Need To Do:

• Have employees acknowledge their training and understanding of the policy
• Eliminate storage of sensitive authentication data after card authorization
• Encrypt sensitive authentication data while it is stored before authorization (PCI DSS 4.0)
• Issuers will need to encrypt sensitive authentication data they are storing (PCI DSS 4.0)
• Prevent the copying and relocation of PAN when connecting remotely (PCI DSS 4.0)
• Mask out PAN on customer receipts
• Understand guidelines for handling and storing cardholder data
• Can no longer use disk-level encryption to protect card data (only use for removable media) (PCI DSS 4.0)
• Must use a keyed cryptographic hashing method (PCI DSS 4.0)

Things You May Need To Do:

• If PAN data is stored for business or legal reasons, details must be masked, truncated, or secured by strong cryptography.
• PAN storage should be accessible by as few employees as possible for business or legal reasons. This includes limited access to cryptographic keys, removable media, or hard copy of stored details.

Requirement 4
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

For requirement 4, you need to identify where you send cardholder data. The following are common places primary account numbers (PAN) are sent:

• Processors
• Backup servers
• Third parties that store or handle PAN
• Outsourced management of systems or infrastructure
• Corporate offices

You need to use encryption and have security policies in place when you transmit cardholder data over open, public networks.

STOP USING SSL/EARLY TLS

Based on vulnerabilities in web encryption, discontinue or remove all instances of SSL and early TLS.

Your systems may still be using SSL and early TLS, so you should contact your terminal providers, gateways, service providers, vendors, and acquiring banks to determine if the applications and devices you use have this encryption protocol.

Examples of applications that might still use SSL/early TLS include:

• POS/POI hardware terminals
• Virtual payment terminals
• Back-office servers
• Web/application servers

The PCI Council believes that SSL and early TLS will no longer protect cardholder data.

Please note that organizations using POS/POI terminals with existing implementations of SSL and early TLS must ensure that the devices in use are not susceptible to any known exploits for these insecure protocols. Check with your merchant bank or POS/POI supplier if you have questions about that.



TIPS FROM AN AUDITOR

Requirement 4: Sending Data Over Open And Public Networks

BEN CHRISTENSEN, SecurityMetrics Senior Security Analyst, CISSP | CISA | QSA

Build off of the data flow diagrams discussed in the tips in Requirement 3.³ Know exactly where CHD is coming from and being sent to, inside and outside of your organization. Make sure your CHD is encrypted when transmitted over open, public networks using strong and industry-accepted encryption technologies.

Are you using strong encryption on all CDE-impacting services? I have noticed that some companies are still using older technologies even though the latest is also supported. For example, CDE web servers using TLS 1.3 or TLS 1.2 are still accepting connections using TLS 1.1. Disable all insecure protocols and encryption.

Companies should also leverage tools that can analyze web services and report any insecure setups. You may not be aware of all your services accessible over the internet. Run these tools often to help ensure you are using acceptable protocols and encryption strengths.

PCI DSS v4.0 Considerations for Requirement 4

Some organizations may have a large number of TLS certificates. Start inventorying those now and remove those certs not needed. 2025 seems far off, but it will come quickly. Don’t wait.

REQUIREMENT 4 IT CHECKLIST: Transmitting Cardholder Data

Assigned to:___________________________________________________
Assignment date:______________________________________________

Things You Will Need To Have:

• An in-house policy to ensure you do not send unprotected PANs via end-user messaging technologies

Things You Will Need To Do:

• Check all related device configuration for proper encryption. Check with vendors to make sure supplied POS/POI devices are encrypting data appropriately
• Validate that POS/POI devices are not susceptible to any known exploits. Devices and software used to process credit cards need to be PCI DSS compliant
• Review all locations where CHD is transmitted or received. Examine system configurations. Review all devices and systems to ensure you use appropriate encryption within your CDE. You must safeguard sensitive cardholder data during transmission over open, public networks
• Use only trusted keys and certificates. Check inbound/outbound transmissions and verify that encryption keys and certificates are valid. Use secure configurations and proper encryption strengths. Do not support insecure versions or configurations. This means you will continually need to check for the latest encryption vulnerabilities and update as needed
• Review and implement documented encryption standard best practices
• Review and implement policies and procedures for sending and receiving credit card data
• Examine system configuration and adjust encryption configuration as needed
• Document, track, and inventory SSL and TLS certificates in use for the transmission of sensitive data across public networks (PCI DSS 4.0)



Things You May Need To Do:

• Make sure TLS is enabled whenever cardholder data is transmitted or received through web-based services.
• Check wireless network encryption standards
• Examine keys and certificates
• Prohibit the use of WEP, an insecure wireless encryption standard

Requirement 5
Protect All Systems and Networks from Malicious Software

REGULARLY UPDATE YOUR ANTI-MALWARE

Anti-malware software needs to be installed on all systems commonly affected by malware, regardless of their location. Make sure anti-malware or anti-virus programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems.

Depending on your relationship with your POS vendor, they may or may not maintain your anti-malware scanning. If your vendor doesn’t handle your anti-malware, it’s up to you to ensure regular scanning is conducted.

Using outside sources such as the United States Computer Emergency Readiness Team (US-CERT), SANS Institute, and vendor/anti-malware threat feeds, you can identify emerging malware and attacks on systems. Then configure systems to alert and report suspicious activity, such as new files added to known malware directories or unauthorized access attempts.

Vigilant vulnerability management is the most effective way for you to proactively reduce the window of compromise, greatly narrowing the opportunity for malicious actors to successfully attack your systems and steal valuable data. As part of your vulnerability management strategy, make sure to include updated anti-malware software.



TIPS FROM AN AUDITOR

Requirement 5: Implement And Update Your Anti-Malware

MICHAEL OHRAN, CISSP | CISA | QSA | SSF | SSL

System administrators have the responsibility of making sure their anti-malware software, including the signatures, is up to date.

After a software upgrade, verify that signatures are able to be updated. The new software may use different firewall rules or directory permissions, requiring some system configuration changes to ensure signature updates continue.

PCI DSS requires anti-malware software to be installed on all systems that are commonly affected by malware (e.g., Windows). While Linux servers are often considered systems not commonly affected by malware, it’s highly recommended that anti-malware software be installed for any Internet-facing Linux servers.

PCI DSS v4.0 Considerations for Requirement 5

In PCI DSS v.4.0, Requirement 5 is broadened by using the term anti-malware instead of anti-virus. Most solutions have already expanded past simply protecting against “viruses,” but it might be time for a more comprehensive solution.

Several new requirements were added. Though not enforced until April 2025, start implementing them sooner. Finding the appropriate solution to help against phishing attacks will be interesting, and will not necessarily be inside the CDE.

REQUIREMENT 5 IT CHECKLIST: Anti-Malware Updates

Assigned to:___________________________________________________
Assignment date:______________________________________________

Things You Will Need To Do:

• Deploy anti-malware program on commonly affected systems
• Protect all systems against malware and regularly update anti-malware software or programs
• Set anti-malware to detect and remove all known types of malicious software
• Maintain and evaluate audit logs with IT staff
• Set anti-malware program to scan automatically
• Make sure anti-malware program is updated automatically (with signatures kept current)
• Ensure anti-malware program cannot be disabled or altered by users (i.e., admin access only)
• Document and review malware procedures; review with necessary staff
• Examine system configurations and periodically evaluate malware threats to system



Requirement 6
Develop and Maintain Secure Systems and Software

REGULARLY UPDATE AND PATCH SYSTEMS

Application developers will never be perfect, which is why updates to patch security holes are frequently released. Once a threat actor knows they can get through a security hole, they pass that knowledge to other criminals who could then exploit this weakness until a patch has been deployed.

Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:

• Internet browsers
• Firewalls
• Application software
• Databases
• POS terminals
• Operating systems

Older Windows systems can make it difficult for merchants to remain secure, especially when the manufacturer no longer supports a particular operating system or version (e.g., Windows 7, Windows Server 2008 R2).

Operating system updates often contain essential security enhancements that are specifically intended to correct recently exposed vulnerabilities. When using an unsupported OS that doesn’t receive such updates and patches, the vulnerability potential increases exponentially.

Be vigilant about consistently updating software associated with your system. Requirement 6 details that organizations must “install critical patches within a month of release” to maintain compliance.³

Don’t forget about critical software installations like credit card payment applications and mobile devices. To stay up to date, ask your software vendors to put you on their patch and upgrade notification list.

Keep in mind that the more systems, computers, and apps your company has, the more vulnerabilities it may be exposed to.

Another way to stay on top of vulnerabilities is through vulnerability scanning, which is arguably the easiest way to discover software patch holes that cyber criminals would use to exploit, gain access to, and compromise an organization.

ESTABLISH SOFTWARE DEVELOPMENT PROCESSES

If you develop payment applications in-house (e.g., ecommerce websites, POS applications), you must use strict development processes and secure coding guidelines as outlined in the PCI DSS. Don’t forget to develop and test applications according to industry-accepted standards like the Open Web Application Security Project (OWASP).

WEB APPLICATION FIREWALLS

Requirement 6 requires public-facing web applications to regularly monitor, detect, and prevent web-based attacks, such as by implementing web application firewalls (WAF) in front of public-facing web applications. Even though these solutions can’t perform the many functions of an all-purpose network firewall (e.g., network segmentation), they specialize in one specific area: monitoring and blocking web-based traffic.

A WAF can protect web applications that are visible or accessible from the Internet. Your web application firewall must be up to date, generate audit logs, and either block cyber-attacks or generate a security alert if it detects attack patterns.

WEB APPLICATION FIREWALL PROS

• Immediate response to web application security flaws
• Protection for third-party modules used in web applications
• Deployed as reverse proxies

WEB APPLICATION FIREWALL CONS

• Requires more effort to set up
• May break critical business functions (if not careful)
• May require some network re-configuration



TIPS FROM AN AUDITOR

Requirement 6: System Updating And Software Development

MICHAEL OHRAN, CISSP | CISA | QSA | SSF | SSL

System administrators have the responsibility to ensure that all system components (e.g., servers, firewalls, routers, workstations) and software are updated with critical security patches within 30 days of public release. If not, these components and software are vulnerable to malware and security exploits.

Systems or software might be excluded from updates because they weren’t able to communicate with the update server (e.g., WSUS, Puppet). This broken communication could have resulted from a network or system configuration change. It’s imperative that system administrators are alerted when security updates fail.

Companies need to embrace the idea of change control for their software development and system patching/updating. There are four requirements detailed by the PCI Council of what a proper change control procedure must contain:

1. Changes must have a documented explanation of what will be impacted by the change.
2. Changes must have documented approval by authorized parties.
3. Changes to an organization’s production environment must undergo proper iterations of testing and QA before being released into production.
4. Change control procedures must always include a back-out or roll-back procedure in case the updates go awry.

Another important subsection of requirement 6 is the need to have proper change control processes and procedures. Change control processes should include at least the following:

• Development/test environments must be separate from production with proper access control in place to enforce access rights.
• Separation of duties must be implemented between personnel assigned to development/test environments and those assigned to production.
• Production data (e.g., live credit card numbers, live personally identifiable information) must never be used in test/development environments.
• All test data and accounts must be removed before a production system becomes active.
• Change control procedures related to implementing security patches and software modifications must be documented.

When developing software (e.g., web applications), it’s crucial that organizations adopt industry-accepted standards or best practices for coding, such as OWASP. This will guide them in enforcing secure coding practices in their application development process and keep software code safe from malicious vulnerabilities (e.g., cross-site scripting, SQL injection, insecure communications, CSRF).

Insecure communications, for example, have been in the spotlight since SSL and TLS 1.0 are no longer considered acceptable protocols when data is being transmitted over open, public networks. Everyone should be on TLS 1.2+ now.

PCI DSS v4.0 Considerations for Requirement 6

Requirements have been moved around and grouped together where they are related.

New requirements have been added, notably that all scripts loaded onto the payment page of the consumer’s browser must be managed. New solutions and services are being developed to assist with

Also, a web application firewall is no longer optional.
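The v4.0 point about managing the scripts loaded onto the payment page can be operationalized as an inventory check. The following is an added example, not code from the guide or from SecurityMetrics: it lists every script tag on a page, flags external sources missing from an authorized inventory, and hashes inline scripts so that changes to them are detected. The page HTML, the inventory entries and the hostnames are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed authorized inventory (hypothetical URLs): script source -> business justification.
# PCI DSS v4.0 asks that every script on the payment page be authorized and justified.
AUTHORIZED_SCRIPTS = {
    "/static/checkout.js": "our own checkout logic",
    "https://js.psp.example/v1/fields.js": "hosted payment fields from our PSP",
}


class _ScriptCollector(HTMLParser):
    """Collect <script src> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sri_hash(body: str) -> str:
    """Subresource-Integrity style digest (sha384, base64) of a script body."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_payment_page(html: str, authorized: dict, known_inline: set) -> dict:
    """Compare the scripts actually present on a payment page with the approved inventory.

    Returns every external source and inline hash seen, plus the external sources not in
    `authorized` and the inline scripts whose hash is not in `known_inline`.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    inline_hashes = [sri_hash(body) for body in collector.inline]
    return {
        "external": collector.external,
        "unauthorized": [s for s in collector.external if s not in authorized],
        "inline_hashes": inline_hashes,
        "unknown_inline": [h for h in inline_hashes if h not in known_inline],
    }


if __name__ == "__main__":
    # Constructed page: one approved inline config block plus an unapproved script and
    # an unknown inline block, the situation the inventory check is meant to catch.
    known = {sri_hash("window.cfg={env:'prod'};")}
    page = ('<html><head><script src="/static/checkout.js"></script>'
            "<script>window.cfg={env:'prod'};</script></head><body>"
            '<script src="https://unlisted-cdn.example/tag.js"></script>'
            "<script>var x=1;</script></body></html>")
    report = audit_payment_page(page, AUTHORIZED_SCRIPTS, known)
    print("unauthorized external scripts:", report["unauthorized"])
    print("unknown inline scripts:", report["unknown_inline"])
```

Run against the served payment page on a schedule, a non-empty `unauthorized` or `unknown_inline` list is the change-control event the requirement wants detected.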



REQUIREMENT 6 IT CHECKLIST: Software Updates

Assigned to:___________________________________________________
Assignment date:______________________________________________

Things You Will Need To Have:

• Vendor supported programs, operating systems, and devices
• Access to an update server (i.e., repository for systems to get updates)
• A change management process

Things You Will Need To Do:

• Have a process in place to keep up to date with the latest identified security vulnerabilities and their threat level
• Install all vendor-supplied security patches on all system components
• Ensure all security updates are installed within one month of release

Things You May Need To Do:

• Set up a manual or automatic schedule to install the latest security patches for all system components

Requirement 7
Restrict Access to System Components and Cardholder Data by Business Need to Know

RESTRICT ACCESS TO CARDHOLDER DATA AND SYSTEMS

You should have a role-based access control (RBAC) system, which grants access to cardholder data and systems on a need-to-know basis. Configuring administrator and user accounts helps prevent exposing sensitive data to those who don’t need to know this information.

PCI DSS requires a defined and up-to-date list of the roles with access to the cardholder data environment.³ On this list, you should include each role, the definition of each role, access to data resources, current privilege level, and what privilege level is necessary for each person to perform their normal business responsibilities. Users must fit into one of the roles you outline.

User access isn’t limited to your normal office staff. It applies to anyone needing access to your systems behind the desk, such as an IT group or maintenance professional. You need to define and document what kind of user permissions they have.



TIPS FROM AN AUDITOR

Requirement 7: Restrict Access

MICHAEL OHRAN, CISSP | CISA | QSA | SSF | SSL

This requirement is one of the oldest and most basic parts of the PCI DSS (and data security in general).

There’s no new trend or solution. But not all organizations accurately comply with this requirement or have even tried role-based access at all.

This is all you need to know: don’t give access to people who don’t need it. Cardholder data and card systems should only be accessible to those that need that information to do their jobs. Once you’ve implemented access privileges, make sure to document it.

PCI DSS v4.0 Considerations for Requirement 7

PCI DSS 4.0 raises the expectations of managing user accounts, system accounts, and access privileges. More frequent reviews are required. Prepare for the new requirements by thoroughly documenting all accounts and related access privileges.

REQUIREMENT 7 IT CHECKLIST: Establish Access Control

Assigned to:___________________________________________________
Assignment date:______________________________________________

Things You Will Need To Have:

• Written policy detailing access controls for systems in the CDE

Required Features:

• Document access control policies based on job classification and function
• Roles and privilege levels defined
• “Deny all” rule in place for access control systems

Things You Will Need To Do:

• Detail a written policy to include access to cardholder data based on job roles with privilege level, and approval/documentation of employee access
• Document policies in place with each employee’s role/access and train employees on their specific access level

Things You May Need To Do:

• Implement access controls on any systems where cardholder data is stored and handled
• Configure access controls to only allow authorized parties and deny all others without prior approval or access



Requirement 8
Identify Users and Authenticate Access to System Components

WEAK PASSWORDS AND USERNAMES

If a username or password doesn’t meet the recommended security standards for length, uniqueness, and complexity, you will be a soft target for an attacker that is trying to gain access to your environment and sensitive information. One approach that an attacker may take is to try a brute-force attack against a system by guessing the password of a user account. Once the attacker has gained access, they will then work to escalate their account privileges and move laterally through a variety of attack vectors.

Having a nondescript username and a strong password will make guessing your login credentials exponentially more difficult and keep your authentication method from being a soft target. Additionally, work with development to ensure the error responses have the same latency regardless of whether the username is valid or not.

PCI DSS requirement 8 specifies that passwords must be changed every 90 days (the new password cannot be the same as any of the previous four passwords used) and must be comprised of either at least seven characters of both numbers and letters or have the complexity and strength that is at least equivalent to seven characters of both numbers and letters.

Passwords that fall short of these criteria can easily be broken using a password-cracking tool, rainbow table or through social engineering. As computing power increases, what seems like a good password may in reality be easy to break.

The longer the password or passphrase and the more character formats and words from other languages included, the more exponentially difficult it will be for an attacker to crack that password.

With this security comes a risk posed by human nature. When a password is too hard to remember, it is often written down and placed in an easy-to-access location. Be sure to review and update your company password policy so that increasing the complexity doesn’t undermine security objectives. Some companies use a password wallet that the company controls in order to ensure compliance with periodic password changes, length, and complexity policies for their employees.

ACCOUNT MANAGEMENT

PCI requires the disabling of default accounts and having unique user and admin account names instead of using system defaults or common usernames (i.e., admin, an organization’s name, or a combination of the two). A company is much more secure if an attacker has to first guess the username before cracking its corresponding password.

Be sure that an account lock-out is set to at most six consecutive failed login attempts within a 30-minute period. Requiring an administrator to manually unlock accounts will discourage automated hacking methods.

The more manual steps malicious actors have to go through, the more likely it is they will move on to an easier target.

IMPLEMENT MULTI-FACTOR AUTHENTICATION

System security should not be based solely on the complexity of a username and password, and no password should be considered uncrackable. That’s why multi-factor authentication (MFA) is an effective solution to secure remote access and is a requirement under the PCI DSS.¹⁰

Configuring multi-factor authentication requires at least two of the three following factors:

• Something you know (e.g., a username and password, PIN number)
• Something you have (e.g., hardware token, smartcard)
• Something you are (e.g., a fingerprint, ocular scan, voiceprint)

Your authentication mechanisms should be out-of-band and independent of each other. There should be a physical separation between mechanisms, so that access to one factor does not grant access to another, and if one factor is compromised, it does not affect the integrity and confidentiality of any other factor.

Additionally, make sure that you “incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.”³



A few examples of effective multi-factor authentication for remote access could include:

Example 1: The remote user enters their username and password, and then must enter an authentication code that is available to them through an RSA token in their possession.

Example 2: The remote user enters a password and biometric to log in to a smartphone or laptop. The individual then provides a single authentication factor (e.g., another password, digital certificate, signed challenge response) to connect to the corporate network.

[Figure: the two remote-access flows. Example 1: remote user → password + one-time password (OTP) → portal. Example 2: remote user → password or biometric on the mobile device → signature / signed challenge response → corporate network.]

If a remote access application configuration only requires a username and password to access sensitive data or systems and devices that store, process, or transmit cardholder data, the application has been configured insecurely.



TIPS FROM AN AUDITOR

Requirement 8: Use Unique ID Credentials

MICHAEL MAUGHAN, SecurityMetrics Security Analyst, CISSP | CISA | QSA

Requirement 8 is all about having unique ID information. For example, you must have your own unique ID credentials and account on your systems and devices so that you can prove with audit log files who committed the error or malicious action. With a shared account a malicious user could simply blame the other users that use the same account.

As a system administrator, best practice is to have a regular account that is used for day-to-day work on your portable device and a different administrative account when performing administrative functions on the systems you manage.

Security professionals recognize that passwords are no longer sufficient to secure data. While passwords are still required, they simply are not secure enough. You must set strong, long passwords. If you use a passphrase, be sure to include words from various foreign languages; this will make a brute force attacker have to use multiple dictionaries rather than just one, which increases the time to crack the passphrase substantially.

Do not use generic accounts, shared group passwords, or generic passwords.

An easy way to remember complex and long passwords is by using passphrases. Passphrases are groups of words with spaces in between (e.g., “Boba Fett in 1983 ROJ was WAY better than 2022 BoBF!”). A passphrase can contain symbols and upper- and lower-case letters. It doesn’t have to make sense grammatically. Passphrases are generally easier to remember but more difficult to crack than shorter passwords.

In addition to strong passphrases, password manager software can help you use different passwords for all of your accounts. You need different passwords for different services so that if one service gets compromised the attacker is unable to access other services with those credentials.

If your email account password is compromised and you use the same password across several devices, or even use that email address to receive the reset password emails from several websites, you have a major security problem on your hands.

Something to be aware of with brute force attacks is the latency difference between an error that has a valid username and one that does not. If the response has more or less latency than a normal username error response, then the attacker will know that username is likely a valid username. Next the attacker will try to brute force the password of that newly discovered user account. So it’s good practice to make all authentication errors respond with the same latency.

Another practice to consider is having a company-managed password wallet that the company controls in order to ensure compliance with periodic password changes, length, and complexity policies for their employees.

REQUIREMENT 8 IT CHECKLIST: Establish Access Control

Assigned to:___________________________________________________
Assignment date:______________________________________________

Things You Will Need To Have:

• Multi-factor authentication for all remote access
• Account management policies and procedures
• Documented approval for changes to account access
• Database access restrictions

Required Features:

• Document access control policies based on job classification and function
• Roles and privilege levels defined
• “Deny all” rule in place for access control systems



Things You Will Need To Do:

• Monitor all remote access accounts used by vendors, business partners, or IT support personnel when the account is in use.
• Disable all remote access accounts when not in use.
• Enable accounts used for remote access only when they are needed.
• Implement a multi-factor authentication solution for all remote access sessions.
• Configure multi-factor authentication with at least two of the following methods:
  • Something you know (e.g., password and username)
  • Something you have (e.g., one-time password)
  • Something you are (e.g., fingerprint or retinal scan)

NOTES

Requirement 9
Restrict Physical Access to Cardholder Data

CONTROL PHYSICAL ACCESS TO YOUR WORKPLACE

Employees may think physical security only applies after hours. However, most data thefts (e.g., social engineering attacks) occur in the middle of the day.

Mitigate the risk of physical threats by implementing physical security policies and procedures that preserve onsite business security for your critical assets and data. For example, if you keep confidential information, products, or equipment in the workplace, secure these items in a locked area. If possible, limit outsider access to one monitored entrance, and (if applicable) require non-employees to wear visitor badges.

Don’t store sensitive information in the open. Many companies that have services requiring repeat billing or batch processing keep physical copies of credit card information in easily accessible areas for convenience. While this collection of paper copies may make life easier, it puts valuable cardholder data at risk of theft unless appropriate controls are in place.

Employee access to sensitive areas should be controlled and must be related to an individual’s job function.

To comply with this PCI DSS requirement, you must document:

• Who has access to secure environments and why they need this access
• What, when, where, and why devices are used
• A list of authorized device users
• Locations where the device is and is not allowed
• What applications can be accessed on the device
• Logging of access attempts

Access policy and procedure documentation must be kept up to date and followed, especially when individuals are terminated or their job roles and responsibilities change.

Best practice is not to allow these removable devices to leave the office, but if they do, consider attaching external GPS tracking and remote wipe technology on all laptops, tablets, external hard drives, flash drives, and mobile devices.

The majority of physical data theft takes only minutes to plan and execute.


Make sure all workstations and mobile devices have an automated timeout or logout (e.g., a password-protected screensaver pops up on a computer after a set amount of time). This reduces the window of opportunity for unauthorized users to access data from these devices and systems when nobody is looking.

KEEP TRACK OF POS TERMINALS

Organizations that use POS systems, PIN pads, and mobile devices or kiosks are required to do three new things:

1. Maintain an up-to-date list of all devices including physical location, serial numbers, make, and model.

2. Periodically inspect devices. You should ensure device surfaces haven’t been tampered with, make sure serial numbers match, and check that seals haven’t been broken. This could be a very large task depending on the size of your organization. Whether you inspect devices every day or every month is based on your tampering risk level (e.g., publicly accessible 24/7 gas station terminals vs. a behind-the-counter card swipe device). Document your findings.

3. Provide staff awareness training for staff who interact with card-present devices on a day-to-day basis (e.g., cashiers), and record the who, what, and when for future reference. Training should include how to report suspicious behavior and what to do when third parties claim they need to work on your system. For example, rather than assuming IT support staff came in last night to install a new device on the side of a terminal, employees should be trained to question if it’s supposed to be there, and then to notify management (according to documented incident response policies and procedures).

PHYSICAL SECURITY BEST PRACTICES

Most physical security risks can be prevented with little effort. Here are a few suggestions to improve your physical security:

• While working on your risk assessment, look for physical security risks.
• Lock all office doors and applicable equipment (e.g., mobile devices) when not in use day and night.
• Require passwords to access computers and mobile devices.
• Encrypt your data or don’t store data on these devices.
• Use timeout screensavers and privacy monitors on computers.
• Install and use blinds in all office windows.
• Keep logs of who enters and leaves.
• Keep track of devices that go in and out.
• Have policies in place for stolen equipment (e.g., a good incident response plan).
• Train staff against social engineering.
• Limit access to CHD through role-based access.
• Have staff report suspicious activity and devices.
• Monitor sensitive areas with video cameras and store the video logs for appropriate durations.

TRAIN EMPLOYEES EARLY AND OFTEN

While you may understand how to protect customer card information, your employees may not. And as employee turnover is so common, regular security training is crucial to secure your business.

Social engineering is a serious threat to both small and large businesses. A social engineer uses social interaction to gain access to private areas, steal information, or perform malicious behavior. Employees fall for social engineering attacks more often than you may think.

For example, if someone walked into your storefront and said they were there to work on your network and needed you to lead them to the server room, would your employees think twice to verify their identity?

Train your employees to question unusual behavior. Establish a communication and response policy in case of suspicious behavior. Train employees to stop and question anyone who does not work for the company, especially if the person tries to enter the back office or network areas.


TIPS FROM AN AUDITOR

Requirement 9: Improve Your Physical Security

MICHAEL MAUGHAN
SecurityMetrics Security Analyst
CISSP | CISA | QSA

Once you know what systems you need to protect, put controls in place that can log and restrict access to them.

Having electronic access on doors, using cameras to monitor all entries and exits to secure areas, implementing multiple levels of access based on a business need, and approving visitor/employee access are all standard controls for physical security.

Once you know what systems you need to protect, put controls in place that can log and restrict access to them (e.g., badge readers). A good risk assessment would determine an appropriate amount of money to spend on controls necessary to mitigate the identified risk. Something that companies often overlook is the access given to delivery personnel for a night drop. Do you know if that delivery person locked the doors when they left?

Today, you see more organizations hosting their systems in outsourced data centers. Data centers generally have great physical security because they pay attention to the basics. They use cameras to monitor all entries and exits, have multiple levels of access (e.g., lobby, mantrap, hallways, data floors, and cages) to segment physical areas and limit access only to individuals who have been authorized. They also use different levels of authentication requiring both badge and biometrics (e.g., fingerprint, retina) for access.

Digital IP-based cameras are becoming more common, making it easier and more cost effective to deploy and monitor camera systems. These cameras can take snapshots of people and then send those snapshots to security supervisors for verification.

It’s also necessary to protect card-swipe devices. Merchants must monitor these devices for tampering or complete replacement. Make sure attackers don’t substitute, bypass, or steal your terminal. You and your employees must know what the tamper properties are (e.g., seals, appearance, weight) and test them often. Security best practice is to mount devices with tamper-resistant stands, screws and tape. If you are using a validated P2PE solution, make sure to follow the physical security requirements located in the corresponding P2PE Instruction Manual.

Lastly, it’s important to have good security training for your management and employees. Help them understand malicious conduct and motivate them to report suspicious behavior and violations of company policy and procedures.


REQUIREMENT 9 IT CHECKLIST
Improving Physical Security

Assigned to:___________________________________________________

Assignment date:______________________________________________

Things You Will Need To Have:

• Policies and procedures that limit the access to your physical media and devices used for processing

Things You Will Need To Do:

• Restrict access to any publicly accessible network jack.
• Keep physical media secure and maintain strict control over any media being moved within the facility and outside of it.
• Keep electronic media in a secure area with limited access (e.g., a locked office clearly marked “Management Only”) and require management approval before the media is moved from its secure location.
• Use a secure courier when sending media through the mail so the location of the media can be tracked.
• Destroy media in a way that it cannot be reconstructed; if the media is separated prior to destruction, keep the media in a locked container with a clear label of “To Be Shredded” or something similar.
• Maintain a list of all devices used for processing, and train all employees to inspect devices for evidence of tampering. Training should include a process for verifying the identity of outside vendors wanting access to the machine, a process for reporting suspicious behavior around the machine, and a system to ensure employees know not to replace devices without management approval.

Things You May Need To Do:

• A set process to train employees about proper device management and a way to report any suspicious behavior around the processing device.
• A secure location to keep media, including a second secure location, if business practice is to separate media no longer needed.
• A good risk assessment of the threats and vulnerabilities related to physical security.

NOTES


Requirement 10
Log and Monitor All Access to System Components and Cardholder Data

SYSTEM LOGS AND ALERTING

System event logs are recorded pieces of information regarding the actions taken on computer systems like firewalls, office computers, or payment applications.

Log monitoring systems (e.g., Security Information and Event Management [SIEM] tools) oversee network activity, inspect system events, alert you to suspicious activity, and store user actions that occur inside your systems. Think of these systems as a lookout, providing you with data breach alerts. The raw log files are also known as audit records, audit trails, or event logs.

Most systems and software generate logs including operating systems, Internet browsers, POS systems, workstations, anti-malware, firewalls, and IDS/IPS. Some systems with logging capabilities do not automatically enable logging, so it’s important to ensure all systems create and collect logs. Some systems generate logs but don’t provide event log management solutions. Be aware of your system capabilities and install third-party log monitoring and management software as needed.

ESTABLISHING LOG MANAGEMENT

Logs should be collected and sent to a central location, whether an onsite logging server or an online service. Businesses should review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.

From a security perspective, the purpose of a log alert is to act as a red flag when something potentially malicious is happening. Reviewing logs regularly helps identify issues in your system. Given the large amount of log data generated by systems and networking devices, it’s impractical to manually review all logs each day; plus, PCI DSS v4.0 requires automated mechanisms to perform audit log reviews.

Log monitoring software takes care of this issue by using rules to automate log review and only alert on events that might be real issues. Often this is done using real-time reporting software that alerts you via email or text when suspicious actions are detected.

Often, log monitoring software comes with default alerting templates to optimize monitoring and alerting functions immediately. However, not everyone’s network and system designs are the same, and it’s critical to correctly configure what is being monitored and the alerting threshold rules during setup.

Diligent log monitoring means that you’ll have a quicker response time to security events and better security program effectiveness. Logs are only useful if they are regularly reviewed.

LOG MANAGEMENT SYSTEM RULES

Here are some event actions to consider when setting up your log management system rules:

• Password changes
• Unauthorized logins
• Login failures
• New login events
• Malware detection
• Malware attacks seen by IDS
• Denial of service attacks
• Errors on network devices
• File name changes
• File integrity changes
• System object errors
• Data exported
• Shared access events
• Disconnected events
• File auditing
• New service installation
• New user accounts
• New processes started or running processes stopped
• Modified registry values
• Scans on your firewall’s open and closed ports

Organizations should review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.

To take advantage of log management, look at your security strategy and risk assessment and make sure the following steps are taken care of:

• Decide how and when to generate logs.
• Secure your stored logs so they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees.
• Assign responsible personnel the duty to review logs daily.
• Set up a team to review suspicious alerts and determine if they are incidents or false positives.
• Spend time to create rules for alert generation (don’t just rely on a template).
• Store logs for at least one year, with three months readily available.
• Frequently check log collection to identify necessary adjustments.
• Identify assets, risks, threats, and vulnerabilities and make sure that all are monitored and settings are configured to generate alerts.
• Confirm everything is being appropriately logged by testing the alert and monitoring configurations.

Not only will log analysis and daily monitoring demonstrate your willingness to comply with PCI DSS requirements, but it will also help defend against internal and external threats.
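An added example (not code from the guide) of what a few of the rules listed above look like when written out rather than taken from a template: a windowed login-failure rule, a correlation that flags a success following a burst of failures, and alerts on new accounts and new service installation, run over constructed log lines. The line format, hosts, users and addresses are all constructed for the example.

```python
"""Rule-based alerting over a constructed event log: added example, not code
from the SecurityMetrics guide. The line format (timestamp host event
key=value ...) and every host, user and address below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """
2024-03-05T10:00:01 pos-01 auth result=failure user=admin src=203.0.113.5
2024-03-05T10:00:04 pos-01 auth result=failure user=admin src=203.0.113.5
2024-03-05T10:00:09 pos-01 auth result=failure user=admin src=203.0.113.5
2024-03-05T10:00:13 pos-01 auth result=failure user=admin src=203.0.113.5
2024-03-05T10:00:17 pos-01 auth result=failure user=admin src=203.0.113.5
2024-03-05T10:00:20 pos-01 auth result=success user=admin src=203.0.113.5
2024-03-05T10:05:00 db-01 account action=create user=svc_backup by=root
2024-03-05T10:06:00 db-01 service action=install name=remote-helper by=root
2024-03-05T11:00:00 pos-02 auth result=failure user=cashier src=10.0.0.7
2024-03-05T11:00:30 pos-02 auth result=success user=cashier src=10.0.0.7
""".strip().splitlines()

FAILURE_THRESHOLD = 5                   # this many failures from one source ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert


def parse_line(line: str) -> dict:
    """Split one log line into a record; key=value fields become string entries."""
    timestamp, host, event, *fields = line.split()
    record = {"ts": datetime.fromisoformat(timestamp), "host": host, "event": event}
    record.update(field.split("=", 1) for field in fields)
    return record


def evaluate(lines) -> list:
    """Apply the rules to the lines in order; return (rule, host, detail) alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    burst_sources = set()                 # sources that already tripped the threshold

    for rec in map(parse_line, lines):
        if rec["event"] == "auth":
            src = rec["src"]
            window = recent_failures[src]
            if rec["result"] == "failure":
                window.append(rec["ts"])
                while rec["ts"] - window[0] > FAILURE_WINDOW:  # drop stale entries
                    window.popleft()
                if len(window) == FAILURE_THRESHOLD:  # fire once per burst, not per extra failure
                    alerts.append(("login-failures", rec["host"],
                                   f"{FAILURE_THRESHOLD} failures from {src} within {FAILURE_WINDOW}"))
                    burst_sources.add(src)
            elif rec["result"] == "success" and src in burst_sources:
                # A success right after a burst of failures is the trace a password-guessing
                # attack leaves behind; escalate it rather than treating it as a normal login.
                alerts.append(("possible-unauthorized-login", rec["host"],
                               f"success for {rec['user']} from {src} after failure burst"))
                burst_sources.discard(src)
        elif rec["event"] == "account" and rec.get("action") == "create":
            alerts.append(("new-user-account", rec["host"],
                           f"{rec['user']} created by {rec['by']}"))
        elif rec["event"] == "service" and rec.get("action") == "install":
            alerts.append(("new-service", rec["host"],
                           f"{rec['name']} installed by {rec['by']}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in evaluate(SAMPLE_LOG):
        print(f"ALERT {rule:28} {host:7} {detail}")
```

The single failure from the second cashier terminal produces no alert, which is the point of a threshold and window: the rule should fire on the pattern, not on every ordinary typo.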


TIPS FROM AN AUDITOR

Requirement 10: Audit Logs and Log Monitoring

MICHAEL MAUGHAN
SecurityMetrics Security Analyst
CISSP | CISA | QSA

Regular log monitoring means a quicker response time to security events and improved security program effectiveness.

It’s critical that you configure the log monitoring solution correctly so that the appropriate directories, files, security controls, and events are being monitored. Given the large amount of log data generated by systems, it can be time intensive to manually analyze logs (and automated mechanisms to perform audit log reviews will need to be implemented for PCI DSS v4.0).

You likely need SIEM tools to sift through logs and drill down into problems. In the past, SIEM systems were mainly utilized by large corporations, but solutions for smaller companies are now available.

Organizations often struggle with good log review processes. Using SIEM tools can enable you to have real-time alerting to help you recognize a current attack and initiate your incident response plan.

It is a good idea to test your alerting capabilities as part of your incident response test to ensure alerts are being generated and critical systems and applications are being appropriately monitored.

To correlate events over multiple systems you must synchronize system times. All systems should get their system time from internal time servers, which in turn receive time from a trusted external source.

PCI DSS requires service providers to implement a process to detect and respond to failures of critical security controls in a timely manner. You need to be able to detect these failures and have defined incident responses in place. Your response plans not only need to address the response to fix the problem, but they should also identify risks created by the failure, find root causes, document lessons learned, and implement any necessary changes to prevent failures from happening again.

REQUIREMENT 10 IT CHECKLIST
Improving Physical Security

Assigned to:___________________________________________________

Assignment date:______________________________________________

Things You Will Need To Have:

• An automated audit log tracking all security-related events for all system components
• Audit logs that track:
  • Any action taken by an individual with administrative privileges
  • Failed login attempts
  • Changes to accounts, including elevation of privileges, account additions, and account deletions
  • Identification of user, what the event type was, date and time of the event, whether the event was a success or failure, where the event originated from, and the name of affected data, system component, or resource

Things You Will Need To Do:

• Have a process in place to review logs and security events at least daily, in addition to any system component reviews, as defined by your organization for risk management strategy or other policies.
• Have a process in place to respond to anomalies and exceptions.
• Keep all audit log records for at least one year and keep the last three months’ logs readily available for analysis.

NOTES


Requirement 11
Test Security of Systems and Networks Regularly

UNDERSTAND YOUR ENVIRONMENT

The types of systems that make up a business’s IT environment influence the kinds of attacks to which they’re susceptible; therefore, a security testing plan should be tailored to the environment.

Defects in web browsers, email clients, POS software, operating systems, and server interfaces can allow attackers to gain access to a system. Installing security updates and patches for systems in the cardholder or sensitive data environments can help correct defects and vulnerabilities before attackers have the opportunity to exploit them. A vulnerability scanning process helps to identify vulnerabilities, so they can be corrected.

In the case of custom in-house applications, internal code review and testing, and independent penetration testing, can expose many of the weaknesses commonly found in application code.

These types of scans and tests are the best line of defense in identifying weaknesses, so they can be corrected before deployment.

Vulnerability scans are an easy way to gain weekly, monthly, or quarterly insight into the status of your systems, while penetration tests are a more thorough way to evaluate overall security.

VULNERABILITY SCANNING VS. PENETRATION TESTING

To clarify, vulnerability scanning and penetration testing are two different methods to improve security. Some mistakenly believe vulnerability scans are the same as a professional penetration test.

Here are the two biggest differences:

• A vulnerability scan is automated, while a penetration test includes a live person that runs tests against your network.
• A vulnerability scan only identifies vulnerabilities. During a penetration test, the tester attempts to exploit discovered vulnerabilities to gain access to secure systems or sensitive data.

Vulnerability scans and penetration tests work together to identify weaknesses and encourage overall system security.

PAYMENT PAGE BASICS

What exactly qualifies as a payment page?

• A web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data. The payment page can be rendered as any one of:
  • A single document or instance,
  • A document or component displayed in an inline frame within a non-payment page,
  • Multiple documents or components each containing one or more form elements contained in multiple inline frames within a non-payment page.

For example, if an SAQ A merchant uses a third-party iframe to perform payment capture, this would qualify as a payment page (and they would need to comply with requirement 11.6.1).

However, if the merchant’s website is configured to redirect the customer’s browser to the TPSP’s payment acceptance page, they would mark this requirement as Not Applicable.

CHANGE AND TAMPER DETECTION FOR PAYMENT PAGES

One of the biggest v4.0 changes was the addition of requirement 11.6.1, which details that merchants and service providers need to implement a change and tamper detection mechanism for any payment pages. This requirement addition is a direct result of the increase in ecommerce skimming compromises seen on payment pages in recent years.

Specifically, requirement 11.6.1 details exactly how organizations need to implement change detection procedures and technologies to alert personnel to unauthorized modifications to the HTTP headers and contents of the page(s) used to house the TPSP iframe. Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages.

This requirement has been included in the SAQ A, the SAQ A-EP, the SAQ D for Merchant, and the SAQ D for Service Providers.
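An added example (not code from the guide or from PCI SSC) of the kind of weekly check requirement 11.6.1 describes: fingerprint the merchant page that houses the TPSP iframe, covering the security-relevant HTTP headers, the scripts and iframes it loads, and its inline scripts, then compare against a stored baseline and report what changed. The page, headers, hostnames and watched-header list are constructed placeholders; in production the current snapshot would come from an HTTP fetch and the baseline from storage.

```python
"""Weekly change/tamper check for the merchant page that hosts the TPSP payment
iframe (PCI DSS 11.6.1). Added example, not from the guide or PCI SSC. Pages,
headers and hostnames are constructed placeholders; in production the 'current'
snapshot comes from an HTTP fetch and the baseline from storage."""
import hashlib
from html.parser import HTMLParser

# Response headers that govern what the browser may load or execute on the page.
# Assumption: a starting set; extend it to the headers your site actually sends.
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security",
                   "x-frame-options", "referrer-policy")


class _ResourceCollector(HTMLParser):
    """Collect external script/iframe sources and SHA-256 hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.inline_hashes = set(), set(), set()
        self._in_inline_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.add(a["src"])
            else:
                self._in_inline_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.iframes.add(a["src"])

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            self.inline_hashes.add(hashlib.sha256("".join(self._buf).encode()).hexdigest())


def fingerprint(headers: dict, body: str) -> dict:
    """Reduce one response to the parts 11.6.1 cares about: watched headers,
    loaded resources, inline script hashes, plus a hash of the whole body."""
    collector = _ResourceCollector()
    collector.feed(body)
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    return {
        "headers": {h: norm.get(h) for h in WATCHED_HEADERS},
        "scripts": sorted(collector.scripts),
        "iframes": sorted(collector.iframes),
        "inline_scripts": sorted(collector.inline_hashes),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }


def compare(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means no change detected."""
    findings = []
    for h in WATCHED_HEADERS:
        if baseline["headers"][h] != current["headers"][h]:
            findings.append(f"header changed: {h}")
    for kind in ("scripts", "iframes", "inline_scripts"):
        before, after = set(baseline[kind]), set(current[kind])
        findings += [f"{kind} added: {x}" for x in sorted(after - before)]
        findings += [f"{kind} removed: {x}" for x in sorted(before - after)]
    # Any other edit (markup, copy) still deserves a look, but at lower priority.
    if not findings and baseline["body_sha256"] != current["body_sha256"]:
        findings.append("body changed (no script/iframe/header difference; review manually)")
    return findings


# --- constructed sample data ---------------------------------------------------
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "frame-src https://pay.example-tpsp.invalid",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
BASELINE_BODY = """<!doctype html>
<html><head><title>Checkout</title>
<script src="https://www.example-store.invalid/static/checkout.js"></script>
</head><body>
<h1>Checkout</h1>
<iframe src="https://pay.example-tpsp.invalid/frame?merchant=PLACEHOLDER"></iframe>
<script>window.checkoutVersion = "1";</script>
<p>&copy; 2024 Example Store</p>
</body></html>
"""
# A skimming-style modification: the CSP is loosened to permit an extra script
# host and a script from that host is injected into the page.
INJECTED_SRC = "https://static.placeholder-cdn.invalid/loader.js"
TAMPERED_HEADERS = dict(BASELINE_HEADERS)
TAMPERED_HEADERS["Content-Security-Policy"] = BASELINE_HEADERS["Content-Security-Policy"].replace(
    "script-src 'self'", "script-src 'self' https://static.placeholder-cdn.invalid")
TAMPERED_BODY = BASELINE_BODY.replace("</head>", f'<script src="{INJECTED_SRC}"></script>\n</head>')

if __name__ == "__main__":
    baseline = fingerprint(BASELINE_HEADERS, BASELINE_BODY)
    for finding in compare(baseline, fingerprint(TAMPERED_HEADERS, TAMPERED_BODY)):
        print("ALERT:", finding)
```

Store the baseline fingerprint when the page is approved, re-fingerprint on the weekly run, and route any non-empty findings list to the people responsible for the page.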


VULNERABILITY SCANNING BASICS

A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities in systems and applications.

PCI DSS requires two types of vulnerability scanning: internal and external. Think of your environment as a house. External vulnerability scanning is like checking to see if doors and windows are locked, while internal vulnerability scanning is like testing to see if bedroom and bathroom doors have locks that would prevent an intruder from moving to more sensitive areas once they have gained access to the house.

An external vulnerability scan is performed from outside of your network and identifies known weaknesses in perimeter network devices, servers, or applications. All external IPs and domains exposed in the CDE, or that can provide access to the CDE, are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly. A PCI ASV is required to go through a rigorous yearly recertification process, during which each ASV runs their scanning tool against PCI Council-provided sites planted with vulnerabilities to test which ones the tool finds and which ones it misses.

An internal vulnerability scan is performed from within your network, and it looks at other hosts on the same network to identify internal vulnerabilities. These scans are also required to be performed at least quarterly for PCI compliance. There are a variety of tools to help you comply with internal vulnerability scan requirements. For example, you can:

• Purchase an internal vulnerability scanning tool from your ASV or another provider.
• Download an open source vulnerability scanning tool.

Keep in mind that the scanning tool you use still needs to be configured by a security expert after you purchase or download it.

Vulnerability scanning is an automated method to identify potentially harmful vulnerabilities, so you can remediate them to improve system security.

Typically, vulnerability scanning tools will generate an extensive report of discovered vulnerabilities with references for further research on these vulnerabilities. Some reports even offer suggestions on how to fix discovered issues, and links to fixes and patches where available.

Remember, when it comes to vulnerability scanning, your organization is responsible for scan configuration, actual scanning, findings review, and vulnerability remediation. For PCI compliance, passing quarterly vulnerability scan reports must be provided. This means that if a vulnerability is discovered during a scan that is a high risk, or that causes the scan to fail, you must work to resolve the issue, and then re-scan the affected system to show it was fixed.

VULNERABILITY SCANNING PROS

• Quick, high-level look at potential vulnerabilities
• Very affordable compared to penetration testing
• Automatic (can be automated to run weekly, monthly, quarterly)

VULNERABILITY SCANNING CONS

• False positives
• Businesses must manually research and correct each vulnerability before testing again
• Does not confirm if a vulnerability is exploitable

PENETRATION TESTING BASICS

Penetration testing takes vulnerability detection to the next level. Penetration testers are people that analyze networks and systems, identify potential vulnerabilities, misconfigurations, or coding errors, and try to exploit them. In simple terms, penetration testers attempt to break into your company’s network by exploiting weaknesses the same way a hacker would. However, unlike a hacker, the penetration tester documents and communicates their methods and findings so that you can fix vulnerabilities before an actual hacker gets to them.

A penetration test is a thorough, live examination designed to identify and exploit weaknesses in your system.

Depending on how your business is required to validate PCI compliance, PCI DSS Requirement 11 may call for annual internal and external penetration testing.³ Even if not required for PCI compliance, performing regular penetration testing is a security best practice. Any organization can benefit by using a penetration test to measure the security of a system or application, or an entire network environment.

The time it takes to conduct a penetration test varies based on network size, system complexity, and the individual penetration test staff members assigned. A small environment can be completed in a few days, but a large environment can take multiple weeks.

Typically, penetration test reports contain a detailed description of testing methodologies, vulnerabilities discovered, attacks used, and suggestions for remediation.

In addition to annual penetration tests, perform a penetration test whenever significant infrastructure changes occur to check if these changes introduced new vulnerabilities.

PENETRATION TESTING PROS

• Rules out false positives
• Live, manual tests mean more accurate and thorough results

PENETRATION TESTING CONS

• Time (1 day to 3 weeks)
• Cost (around $15,000 to $30,000)


DIFFERENT TYPES OF PENETRATION TESTING

Network Penetration Test

The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services. PCI compliance requires these tests be performed from outside, as well as within, your environment, targeting the cardholder data environment at all access points.

Commonly identified issues include:

• Misconfigured software, firewalls, and operating systems
• Outdated, vulnerable software and operating systems
• Insecure protocols
• Weak authentication practices
• Overly permissive access controls

Segmentation Check

A type of network penetration testing, the objective of a segmentation check is to confirm that firewalls and other controls are preventing access to the cardholder data environment (CDE) and other sensitive environments as intended. Basically, segmentation checks confirm if network segmentation is set up properly. Remember that the PCI definition of a segmented CDE means no communication is allowed from non-trusted or out-of-scope networks and systems.

If you use network segmentation to isolate your CDE and reduce PCI scope, segmentation checks are an annual requirement. For service providers that use segmentation to limit PCI scope, you’re required to conduct penetration tests on segmentation controls every six months.

Commonly identified issues include:

• TCP/UDP access is allowed where it is not expected
• ICMP (ping) access is allowed where it should not be

Application Penetration Test

The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and deployment of the software.

Commonly identified issues include:

• Injection vulnerabilities (e.g., SQL injection, remote code execution)
• Cross-site scripting vulnerabilities (XSS)
• Broken authentication (i.e., the log-in panel can be bypassed)
• Broken authorization (i.e., low-level accounts can access high-level functionality)
• Improper error handling (sensitive data, or data useful to hackers, exposed in error messages)
• Vulnerable or outdated plugins, libraries, and other application dependencies

Mobile Penetration Test

The objective of a mobile application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software that supports a mobile application.

Commonly identified issues include:

• Insecure local storage
• Information disclosures
• Injection vulnerabilities (e.g., SQL injection, cross-site scripting (XSS), remote code execution)
• Broken authentication (i.e., the log-in panel can be bypassed)
• Broken authorization (i.e., low-level accounts can access high-level functionality)

Wireless Penetration Test

The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.

Commonly identified issues include:

• Insecure wireless encryption standards
• Weak encryption passphrase
• Rogue (unauthorized) and unsecured access points

Social Engineering

Social engineering assessments are used to test the effectiveness of an organization’s security awareness training. The tester will use typical business scenarios and normal, everyday interactions with personnel to find those that do not follow established security policies and procedures, or are not security minded. The goal of the tester is that of an attacker: to take advantage of the employee and trick them into doing something they shouldn’t.

Commonly identified issues include:

• Employee clicked on malicious emails
• Employee allowed unauthorized individuals into secure areas
• Employee connected a randomly discarded or discovered USB to their workstation
• Employee divulged sensitive or secret information
102 | Guide to PCI DSS Compliance | PCI DSS Requirements | 103


TIPS FROM AN AUDITOR

Requirement 11: Testing Security

Perform a penetration test at least yearly and after major network changes.

DAVID PAGE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA

If your organization is required to be PCI compliant, don't procrastinate beginning the penetration test process. Finding and engaging a good penetration testing partner can take more time than you realize.

In performing PCI assessments, it is common to see an organization's penetration testing process, from start to finish, taking as long as everything else involved in the assessment combined. If you wait until your QSA is onsite, or until your SAQ is due, to discuss penetration test scope, methodology, and objectives, you may be unable to meet your PCI compliance deadlines. Start thinking about penetration testing months before your PCI deadlines.

Remember, the required annual penetration test can begin before your PCI assessment, but you can't be validated as PCI compliant before the testing is finished.

PCI DSS v4.0 Considerations for Requirement 11

Like other areas of the PCI DSS, the version 4.0 update includes additions and clarifications that impact an organization's vulnerability discovery, testing, and treatment programs.

New internal vulnerability scanning requirements now call for "authenticated" internal scanning. This allows the scanner to simulate a user with access to systems, to better catch vulnerabilities that exist in applications and other software that require users to log in first.

Organizations are now required to define and document their own penetration testing methodology. By doing this, you will be able to clearly communicate infrastructure details, unique attributes of systems and applications, and testing goals and requirements to the penetration testing partner you engage. This allows for more effective testing and more useful results, all in an effort to better secure your environment.

REQUIREMENT 11 IT CHECKLIST

Security Testing

Assigned to: ___________________________________________________

Assignment date: ______________________________________________

NOTES

Things You Will Need To Have:

• A process for detecting and identifying authorized and unauthorized wireless devices on a quarterly basis. The method should be able to identify all of the following wireless access points:
  • WLAN cards inserted into system components
  • Portable or mobile devices attached to system components that create wireless access points (by USB or other means)
  • Wireless devices attached to a network port or device
• An inventory of authorized wireless access points with listed business justifications
• A defined process for performing quarterly internal and external vulnerability scans that addresses discovered vulnerabilities and includes re-scanning to confirm remediation
• A defined penetration testing methodology that covers testing the perimeter of the CDE and any critical systems, both internal and external
• An intrusion detection or prevention system that examines traffic at the perimeter of the CDE to detect potential malicious behavior and malware activity
• A change-detection mechanism covering systems within the CDE that detects unauthorized modifications to critical system files, configuration files, content files, and HTTP headers and contents of payment websites



NOTES

Things You Will Need To Do:

• Run quarterly internal vulnerability scans using a qualified internal resource or third party (in either case, organizational independence must exist), address discovered vulnerabilities, and then re-scan systems until high-risk vulnerabilities are resolved.
• Run quarterly external vulnerability scans (using an ASV), remediate failing items, and then re-scan until all scans have a passing status.
• Run internal and external scans after any significant change to systems or the network.
• Perform internal and external penetration testing annually and after significant changes, and be prepared to work with the tester to remediate and re-test any discovered issues.
• Configure your intrusion detection/prevention system according to the vendor's recommendations, so that it is kept up to date and will alert you if potential compromises are detected.
• Configure your change-detection mechanism to alert personnel to unauthorized modification of monitored files, and configure the tools to perform critical file comparisons at least weekly.
• Have a process in place to respond daily to alerts generated by your intrusion detection/prevention and change-detection systems.

Things You May Need To Do:

• If wireless scanning is used to identify wireless access points, scans must be run at least quarterly.
• If automated wireless monitoring is used, configure the system to generate alerts to notify personnel if unauthorized devices are detected.
• If your organization is a service provider that uses network segmentation to limit PCI scope, make sure your penetration testing procedures confirm that segmentation is operational and isolates all out-of-scope systems from systems in your CDE every six months.
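As an added example (not SecurityMetrics' tooling or any product's implementation), the following Python sketch shows the mechanics behind the change-detection control described in this checklist: a hashed baseline of configuration and content files, a fingerprint of a payment page's body and its security-relevant response headers, a comparison that reports exactly what changed, and a check that the weekly critical-file comparison is not overdue. Every path, hostname, header value and file body in it is constructed sample data.

```python
"""Change-detection (file integrity monitoring) sketch for a CDE.

Added example, not SecurityMetrics' tooling. The 7-day window follows the
checklist's "at least weekly" comparison; all sample data is constructed.
"""
import hashlib
from datetime import datetime, timedelta
from pathlib import Path

WEEKLY = timedelta(days=7)  # PCI calls for critical file comparisons at least weekly


def fingerprint_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a file body or HTTP response body."""
    return hashlib.sha256(data).hexdigest()


def baseline_from_contents(contents: dict) -> dict:
    """Baseline from an in-memory name -> bytes mapping (constructed data; production uses scan_directory())."""
    return {name: {"sha256": fingerprint_bytes(data), "size": len(data)}
            for name, data in contents.items()}


def scan_directory(root: str, suffixes=(".conf", ".cfg", ".ini", ".php", ".js", ".html")) -> dict:
    """Hash every monitored configuration and content file under root."""
    root_path = Path(root)
    entries = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            data = path.read_bytes()
            entries[str(path.relative_to(root_path))] = {
                "sha256": fingerprint_bytes(data),
                "size": len(data),
                "mode": oct(path.stat().st_mode & 0o777),  # permission changes count too
            }
    return entries


def payment_page_entry(headers: dict, body: bytes,
                       tracked=("content-security-policy", "content-type")) -> dict:
    """Baseline entry for a payment page: body hash plus security-relevant headers.

    Header names are matched case-insensitively. Untracked headers (Date,
    Set-Cookie, ...) are ignored so routine variation does not raise alerts.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return {"sha256": fingerprint_bytes(body), "size": len(body),
            "headers": {h: lowered.get(h) for h in tracked}}


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified items; 'modified' names the fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for name in sorted(set(baseline) & set(current)):
        fields = set(baseline[name]) | set(current[name])
        changed = sorted(f for f in fields if baseline[name].get(f) != current[name].get(f))
        if changed:
            modified.append({"name": name, "changed": changed})
    return {"added": added, "removed": removed, "modified": modified}


def comparison_overdue(last_run_iso: str, now_iso: str, max_age: timedelta = WEEKLY) -> bool:
    """True when the last critical-file comparison is older than the allowed window."""
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_run_iso) > max_age


def alert_lines(diff: dict) -> list:
    """Alert text for the personnel who must respond to change-detection alerts."""
    lines = [f"ADDED    {name}" for name in diff["added"]]
    lines += [f"REMOVED  {name}" for name in diff["removed"]]
    lines += [f"MODIFIED {m['name']} ({', '.join(m['changed'])})" for m in diff["modified"]]
    return lines


if __name__ == "__main__":
    # Constructed sample: a web server config and checkout script at baseline time ...
    baseline = baseline_from_contents({
        "etc/httpd.conf": b"Listen 443\nSSLProtocol -all +TLSv1.2 +TLSv1.3\n",
        "www/checkout.js": b"function pay() { /* original */ }",
    })
    baseline["https://shop.example/checkout"] = payment_page_entry(
        {"Content-Type": "text/html", "Content-Security-Policy": "script-src 'self'"},
        b"<html><script src=/checkout.js></script></html>")
    # ... and the same items at the weekly check: the script changed, the CSP header vanished.
    current = baseline_from_contents({
        "etc/httpd.conf": b"Listen 443\nSSLProtocol -all +TLSv1.2 +TLSv1.3\n",
        "www/checkout.js": b"function pay() { /* original */ } /* unexpected change */",
    })
    current["https://shop.example/checkout"] = payment_page_entry(
        {"Content-Type": "text/html"},
        b"<html><script src=/checkout.js></script></html>")
    if comparison_overdue("2024-01-01T00:00:00", "2024-01-09T00:00:00"):
        print("WARNING: weekly comparison overdue")
    for line in alert_lines(compare(baseline, current)):
        print(line)
```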



Requirement 12
Support Information Security
with Organizational Policies
and Programs

FORMALLY DOCUMENT BUSINESS PRACTICES

Not only do policies and procedures need to be followed, they also need to be documented. Policies should be written down and easily accessible to all employees.

Documentation helps protect your business from potential liability in the event of a breach. Thorough and accurately documented security policies and procedures help forensic investigators see what security measures your company has in place, and demonstrate your company's proactive and committed approach to security.

For PCI compliance, documentation of all security measures and actions should be updated regularly.

Documents you'll want to include in your security policy:

• Employee manuals
• Policies and procedures
• Technology usage policies
• Third-party vendor engagement process
• Incident response plans

If you are a service provider, your executive management is required to implement a PCI DSS Charter.³ This charter must establish responsibility for the protection of cardholder data and grant authority to create and implement a PCI DSS compliance program, including overall accountability for maintaining PCI DSS compliance. It must also define how the person responsible for PCI DSS compliance will communicate with executive management.

Third parties (e.g., partners, vendors, service providers) that have access to your CDE or cardholder data present a risk to the security of your environment. You must have a list of all third-party service providers you use, the PCI requirements these service providers impact or manage on your behalf, a process for performing due diligence prior to engaging a third party, and a way to monitor the PCI compliance of each third party you've engaged.

ESTABLISH A RISK ASSESSMENT PROCESS

PCI requires all entities to perform an annual risk assessment that identifies critical assets, threats, vulnerabilities, and risks. This exercise helps organizations identify, prioritize, and manage information security risks.

Organizations that take a proactive approach to security will use internal and external resources to identify critical assets, assess vulnerabilities and threats against those assets, and implement a risk management plan to mitigate those threats.

A risk assessment should occur at least annually and after significant changes in your environment or business processes.

The purpose of the risk assessment is to help organizations identify potential security vulnerabilities, threats, and risks to come up with an action plan.

Part of a risk assessment is to assign a ranking or score to identified risks. This will help establish priorities and provide direction on what vulnerabilities you should address first. Methodically identifying, ranking, and mitigating risks can decrease the time an attacker can access and negatively affect your systems, and over time closes the door to the attack.

Just because a system is vulnerable doesn't mean it's exploitable or even likely to be exploited. Some vulnerabilities may require so many preconditions that the risk of a successful attack is virtually zero.



PCI DSS TRAINING BEST PRACTICES

If you think your employees know how to secure cardholder data and what they're required to do to be compliant, you're probably mistaken. In fact, most breaches can be traced back to human error. Although most workers aren't malicious, they are human, and often forget security best practices or don't know exactly what is expected of them.

Unfortunately, malicious actors will take advantage of human error to gain access to sensitive data. For example, when employees leave mobile devices in plain sight and unattended, they provide potential access to passwords, multi-factor authentication tokens, and other valuable information. Malicious actors may access networks because employees set up easy-to-guess passwords. And the list goes on.

Often, people are the weakest link in your overall security scheme.

By informing employees about and holding them accountable for their responsibilities, you can better protect your business and customers.

Employees need to be given specific rules and regular training. A security awareness program that includes regular training (e.g., brief monthly training or communications) will remind them of the importance of security, especially keeping them up to date with current security policies and practices. Here are some tips to help employees protect your sensitive data:

• Communicate often: Focus each month on a different aspect of data security, such as passwords, social engineering, or email phishing.
• Give frequent reminders: Emphasize data security best practices to your employees through emails, newsletters, meetings, or webinars.
• Train employees on new policies ASAP: Newly hired employees should be trained on security and PCI policies as quickly as possible.
• Make training materials easily available: Intranet sites are a great way to provide access to training and policy information.
• Set clear expectations: Don't present training as a list of "Do Nots." Rather, help employees see that they all have a vested interest in protecting the organization and its business.
• Create incentives: Reward your employees for being proactive.
• Regularly test employees: Create an environment where employees aren't afraid to report suspicious behavior.




TIPS FROM AN AUDITOR

Requirement 12: PCI Compliance Basics

First you must perform a formal risk assessment to ensure that the control will meet the objective of the requirement and address the risk that the original control mitigated.

DAVID PAGE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA

The risk assessment is where a lot of organizations struggle with PCI compliance. Many treat it as simply another item on the to-do list. In reality, a risk assessment can be the most important part of your overall security and compliance program, since it helps you identify systems, third parties, business processes, and people that are in scope for PCI compliance. Too many companies approach PCI as simply an "IT issue" and are surprised when they realize PCI compliance touches a lot of other business processes and practices. If you aren't doing a formal risk assessment now and are intimidated by the process, start small and plan to increase the scope of the review each year.

A risk assessment is a great starting point for establishing a successful security and PCI compliance program.

Another area of difficulty, especially for small organizations, is putting together a comprehensive and relevant security awareness program. Don't be afraid of what you don't know! Even if you aren't a security expert yourself, there is a wealth of security-related information available online, and many resources that make it easy to present a polished training program to your employees. This is one area where the help of an outside security expert or partner can be valuable, since security threats are constantly evolving.

PCI DSS v4.0 Considerations for Requirement 12

The annual risk assessment requirement still calls for the identification of assets, threats, and likelihood of exploitation to occur, but it clarifies that the risk assessment is to be targeted toward each PCI requirement that allows an organization the flexibility to define their own testing frequency or controls.

For example, if you are a retail merchant, you have a requirement to periodically inspect each point-of-interaction device (PINpad) for signs of tampering. How frequently these inspections should occur can vary based on many factors. How frequently you decide to perform them must be based on a formal targeted risk assessment that documents the factors that resulted in your decision.

Another example that requires performance of a targeted risk assessment is if you implement the new Customized Approach to any PCI requirement. If you take this route, you are able to define your own security controls to meet the requirement. However, first you must perform a formal risk assessment to ensure that the control will meet the objective of the requirement and address the risk that the original control mitigated.

Another addition to this requirement section is to define an annual process to review hardware, software, and cryptographic cipher suites and protocols used in your environment to ensure that the technologies you rely on are kept current and are still supported by vendor-provided updates and security patches.

All organizations are now required to document and confirm their PCI scope annually to ensure all flows and locations of cardholder data are taken into account, and any changes to scope are understood. Service providers must perform this scoping exercise at least every six months.

Additionally, service providers now need a process to make sure that organizational changes don't have a negative impact on PCI compliance and the performance of PCI responsibilities.



REQUIREMENT 12 IT CHECKLIST

Security Testing

Assigned to: ___________________________________________________

Assignment date: ______________________________________________

NOTES

Things You Will Need To Have:

• Written security policies and procedures that address all PCI requirements
• A security awareness program that provides immediate training to new hires, and annual training to all personnel
• Documented usage policies for technologies that could impact the security of your CDE (email, Internet access, laptops, cellular phones, remote access, etc.)
• A documented process for engaging and monitoring the PCI compliance of each service provider that has an impact on your security
• A documented incident response plan

Things You Will Need To Do:

• Perform a risk assessment annually that, at a minimum, covers the processes and technologies that are involved in handling credit card data, and targets any "periodic" requirements you meet using a Customized Approach.
• Ensure that each employee completes annual security awareness training, and that you annually review your training program to make sure it is relevant.
• Screen potential employees that will have access to credit card data or the CDE by performing background checks prior to hire.
• Annually check the PCI compliance status of your third-party service providers.
• Perform annual testing of your incident response plan. Include training for each person who plays a role in responding to a potential incident.
• Perform a PCI scoping exercise to identify all flows and locations of cardholder data in your environment, and any system, processes, or people that can impact the security of your cardholder data environment.
• Perform an annual review of all hardware, software, and encryption technologies you use to make sure none of them are outdated or unsupported.

Things You May Need To Do:

• If you are assessing PCI compliance as a service provider, you are required to establish a charter that assigns responsibility and grants authority to implement your PCI compliance program, including accountability to executive management.
• Service providers must perform quarterly reviews to confirm policies and procedures related to PCI compliance are being followed.
• Service providers must also perform a PCI DSS scoping exercise every six months, make sure that organizational changes don't negatively impact PCI compliance, and support their customers' requests for information about their PCI compliance and PCI responsibility.






How To Prepare For A Data Breach

You can't afford to be unprepared for the aftermath of a data breach. It's up to you to control the situation and protect your business.

The following section will help you better understand how to successfully stop payment card information from being stolen, mitigate damage, and restore operations as quickly as possible.

SECTION CONTENTS

How To Prepare For A Data Breach .......................... 117
What To Include In An Incident Response Plan .............. 121
Develop Your Incident Response Plan ....................... 125
Test Your Incident Response Plan .......................... 128
Data Breach Prevention Tools .............................. 130

INCIDENT RESPONSE PLAN OVERVIEW

INCIDENT RESPONSE PLAN BASICS

Unfortunately, organizations will experience system attacks, with some of these attacks succeeding. If your organization is breached, you may be liable for the following fines, losses, and costs:¹¹

DATA BREACH FINES

Merchant processor compromise fine ................ $5,000 – $50,000
Card brand compromise fees ........................ $5,000 – $500,000
Forensic investigation ............................ $12,000 – $100,000
Onsite QSA assessments following the breach ....... $20,000 – $100,000
Free credit monitoring for affected individuals ... $10 – $30/card
Card re-issuance penalties ........................ $3 – $10 per card
Security updates .................................. $15,000+
Lawyer fees ....................................... $5,000+
Breach notification costs ......................... $1,000+
Technology repairs ................................ $2,000+

TOTAL POSSIBLE COST: $50,000 – $773,000+

A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world (and if you're following PCI DSS requirements), you should already have an incident response plan in place, and employees should be trained to quickly deal with a data breach.

If there is no plan, employees scramble to figure out what they're supposed to do, and that's when mistakes can occur. For example, if employees wipe a system without first creating images of the compromised systems, then you would be prevented from learning what happened and what you can do to avoid re-infection.


INCIDENT RESPONSE PHASES

An incident response plan should be set up to address a suspected data breach in a series of phases with specific needs to be addressed. The incident response phases are:

• Phase 1: Prepare
• Phase 2: Identify
• Phase 3: Contain
• Phase 4: Eradicate
• Phase 5: Recover
• Phase 6: Review

It's important to discover a data breach quickly, identify where it's coming from, and pinpoint what it has affected.

Incident Response Phase Timeline: Pre-breach: Phase 1 Prepare, Phase 2 Identify. Data breach. Post-breach: Phase 3 Contain, Phase 4 Eradicate, Phase 5 Recover, Phase 6 Review.

PHASE 1: PREPARE

Preparation often takes the most effort in your incident response planning, but it's by far the most crucial phase to protect your organization. This ongoing phase includes the following steps:

• Ensure your employees receive proper training regarding their incident response roles and responsibilities.
• Develop and conduct tabletop exercises (i.e., incident response drill scenarios) to evaluate your incident response plan.
• Ensure that all aspects of your incident response plan (e.g., training, hardware, and software resources) are approved and funded in advance.
• Consider engaging with a PFI on a retainer basis so you can quickly bring them in to assist should a breach happen.

PHASE 2: IDENTIFY

Identification (or detection) is an ongoing process where you determine whether you've actually been breached by looking for deviations from normal operations and activities.

An organization normally learns that they have been breached in one of four ways:

• The breach is discovered internally (e.g., review of intrusion detection system logs, alerting systems, system anomalies, or anti-malware scan malware alerts).
• Your bank informs you of a possible breach based on reports of customer credit card fraud.
• Law enforcement discovers the breach while investigating the sale of stolen card information.
• A customer complains to you because your organization was the last place they used their card before it began racking up fraudulent charges.

PHASE 3: CONTAIN

When an organization becomes aware of a possible breach, it's understandable to want to fix it immediately.

However, without taking the proper steps and involving the right people, you can inadvertently destroy valuable forensic data. Forensic investigators use this data to determine how and when the breach occurred, as well as help devise a plan to prevent similar future attacks.

When you discover a breach, remember:

• Don't panic.
• Don't make hasty decisions.
• Don't wipe and reinstall your systems (yet).
• Contact your forensic investigator to help you contain the breach.

Steps to consider during containment and documentation:

• Stop the leakage of sensitive data as soon as possible.
• Unplug affected systems from the network, rebuild clean new systems, and keep old systems offline. This is the best option if it's possible because it allows a forensic investigator to evaluate untouched systems. This is easier to do in virtual server environments but can be costly.
• If system replacement is not possible, the next main task will be documentation. This means you need to preserve as much information as possible for forensic analysis. If you know how to take a complete image of your system, you should do so. If you know where the virus files are, copy that directory to a backup. Resort to screenshots or phone videos of behaviors as a last resort before taking action to change the systems.
• Call in a professional forensic investigator to help learn about the breach. In some industries, this may be a required step (such as when payment data is stolen), but it's always recommended to get forensic analysts involved, so you can develop better future processes.


PHASE 4: ERADICATE

After containing the incident, you need to find and remediate the policies, procedures, or technology that led to the breach. This means all malware should be securely removed, and systems should again be hardened, patched, and updated.

Whether you do this or bring in a third party to help you, it's important to be thorough. If any security issues or traces of malware remain in your systems, you may still be losing sensitive data (with your liability increasing).

PHASE 5: RECOVER

Recovering from a data breach is the process of restoring and returning affected systems and devices back into your business environment. During this time, it's important to get your systems and business operations up and running again as quickly as possible.

Remember to ensure all systems have been hardened, patched, replaced, and tested before you consider reintroducing the previously compromised systems back into your production environment.

PHASE 6: REVIEW

After the forensic investigation, meet with all incident response team members and discuss what you've learned from the data breach, reviewing the events in preparation for future attacks.

This is where you will analyze everything about the data breach. Determine what worked well and what didn't in your response plan. Then, revise your plan.

What To Include In An Incident Response Plan

Set your incident response plan into motion immediately after learning about a suspected data breach.

Creating an incident response plan can seem overwhelming. To simplify the process, develop your incident response plan in smaller, more manageable procedures.

While every organization needs varying policies, training, and documents, there are a few itemized response lists that most organizations should include in their incident response plan, such as:

• Emergency contact/communications list
• System backup and recovery processes list
• Forensic analysis list
• Jump bag list
• Security policy review list


EMERGENCY CONTACT/COMMUNICATIONS LIST

Proper communication is critical to successfully managing a data breach, which is why you need to document a thorough emergency contact/communications list. Your list should contain information about: who to contact, how to reach these contacts, the appropriate timelines to reach out, and what should be said to external parties.

In this list, you should document everyone that needs to be contacted in the event of a data breach, such as the following individuals:

• Response team
• Executive team
• Legal team
• Forensics company
• Public relations
• Affected individuals
• Law enforcement
• Merchant processor

Identify in advance the party within your organization that is responsible for timely notifications that fulfill your state's specific requirements. This could be your inside legal counsel, newly hired breach management firm, or C-level executive.

You need to determine how and when notifications will be made. Several states have legislated mandatory time frames that dictate when an organization must make notifications to potentially affected cardholders and law enforcement. You should be aware of the laws in your state and have instructions in your incident response plan that outline how you will make mandated notifications.

Your incident response team should craft specific statements that target the various audiences, including a holding statement, press release, customer statement, and internal/employee statement. For example, you should have prepared emails and talking points ready to go after a data breach.

Your statements should address questions like:

• Which locations were and are impacted by the breach?
• How was the breach discovered?
• Is any other sensitive data at risk?
• How will it affect customers and the community?
• What services or assistance (if any) will you provide your customers?
• When will you be back up and running?
• What will you do to prevent this from occurring again?

Your public response to the data breach will be judged heavily, so review your statements thoroughly.

SYSTEM BACKUP AND RECOVERY PROCESSES LIST

Your system backup and recovery processes list will help you deal with the technical aspects of a data breach. Here are some things that should be included:

• Procedures for disconnecting from the Internet (e.g., who is responsible to decide whether or not you disconnect)
• System configuration diagrams that include information like device descriptions, IP addresses, and OS information
• Process for switching to redundant systems and preserving evidence
• Process for preserving evidence (e.g., logs, timestamps)
• Practices to test the full system backup and system recovery
• Steps to test and verify that any compromised systems are clean and fully functional

This list helps you preserve any compromised data, quickly handle a data breach, and preserve your systems through backups. By creating and implementing this list, your organization can lessen further data loss and help you return to normal operations as quickly as possible.

FORENSICS ANALYSIS LIST

A forensics analysis list is for organizations that use in-house forensic investigations resources. Your forensic team will need to know where to look for irregular behavior and how to access system security and event logs. You might need multiple lists based on your different operating systems and functionalities (e.g., server, database).

Your forensic team may need the following tools:

• Data acquisition tools
• Write-blockers
• Clean/wiped USB hard drives
• Cabling for all connections in your environment
• Other forensic analysis tools (e.g., EnCase, FTK, X-Ways)

If your organization doesn't have access to an experienced computer forensic examiner in-house, you will want to consider hiring a forensics firm, vetting them in advance with pre-completed agreements. This vetting process helps ensure you get an experienced forensic investigator when you need it.


JUMP BAG LIST

Your jump bag list is for grab-and-go responses (i.e., when you need to respond to a breach quickly). This list should include overall responses and actions employees need to take immediately after a data breach. Your list will keep your plan organized and prevent mistakes caused by panic.

Some things to include in your jump bag list are:

• Incident handler's journal to document the incident (e.g., who, what, where, when, why)
• Incident response team contact list
• USB hard drives and write-blockers
• USB multi-hub
• Flashlight, pens, notebooks
• All of your documented lists
• USB containing bootable versions of your operating system(s)
• Computer and network tool kit
• Hard duplicators with write-block capabilities
• Forensic tools and software (if you decide to use in-house forensic investigations resources)

SECURITY POLICY REVIEW LIST

Your security policy review list deals with your response to a breach and its aftermath. This list helps you analyze the breach, so you can learn what to change.

Your security policy review list should include documentation of the following things:

• When the breach was detected, by whom and what method
• Scope of the incident and affected systems
• Data that was put at risk
• How the breach was contained and eradicated
• Work performed and changes made to systems during recovery
• Areas where the response plan was effective
• Areas that need improvement (e.g., which security controls failed, improvements to security awareness programs)

You should look at where your security controls failed and how to improve them. The purpose of this list is to document the entire incident, what was done, what worked, what didn't, and what was learned.

Develop Your Incident Response Plan

Developing and implementing a thorough incident response plan will help your business handle a data breach quickly and efficiently, while also minimizing the damage from a data breach.

STEP 1: IDENTIFY AND PRIORITIZE ASSETS

Start by identifying and documenting where your organization keeps its crucial data assets. Assess what would cause your organization to suffer heavy losses if it was stolen or damaged.

After identifying critical assets, prioritize them according to the importance and highest risk (e.g., risks based on your annual risk assessment), quantifying your asset values. This will help justify your security budget and show executives what needs to be protected and why it's essential to do so.

STEP 2: IDENTIFY POTENTIAL RISKS

Determine what risks and attacks are the greatest current threats against your systems. Keep in mind that these risks will be different for every organization.

For organizations that process data online, improper coding could be their biggest risk. For a brick-and-mortar organization that offers Wi-Fi for their customers, their biggest risk may be improper network access. Some organizations may place a higher priority on ensuring physical security, while others may focus on securing their remote access applications.

Here are examples of a few possible risks:

• External or removable media: Malware executed from removable media (e.g., flash drive, CD)
• Attrition: Employs brute force methods (e.g., DDoS, password cracking)
• Web: Malware executed from a site or web-based app (e.g., drive-by download)
• Email security: Malware executed via email message or attachment (e.g., malware)
• Impersonation: Replacement of something benign with something malicious (e.g., SQL injection attacks, rogue wireless access points)
• Loss or theft: Loss of computing device or media (e.g., laptop, smartphone)

STEP 3: ESTABLISH PROCEDURES

If you don’t have established procedures to follow, a panicked employee may make detrimental security decisions that could damage your organization.

Your data breach policies and procedures should include:

• A baseline of normal activity to help identify breaches
• How to identify and contain a breach
• How to record information on the breach
• Notification and communications plan
• Defense approach
• Employee training

Over time, you may need to adjust your policies according to your organization’s needs. Some organizations might require a more robust notification and communication plan, while others might need help from outside resources. However, all organizations need to focus on employee training (e.g., your security policies and procedures).

STEP 4: SET UP A RESPONSE TEAM

Organize an incident response team that coordinates your organization’s actions after a data breach.

Your team’s goal should be to coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.

Some of the necessary team roles are:

• Team leader
• Lead investigator
• Communications leader
• C-suite representative
• IT director
• Public relations
• Documentation and timeline leader
• Human resources
• Legal representative
• Breach response experts

Make sure your response team covers all aspects of your organization and that each member understands their particular role in the plan. Each member will bring a unique perspective to the table, and they should own specific data breach response roles that are documented to manage a crisis.

STEP 5: SELL THE PLAN

Your incident response team won’t be effective without proper support and resources to follow your plan.

Security is not a bottom-up process. Management at the highest level (e.g., CEO, VP, CTO) must understand that security policies, like your incident response plan, must be implemented from the top and pushed down. This is true for enterprise organizations as well as mom-and-pop shops.

For enterprise organizations, executive members need to be on board with your incident response team. For smaller organizations, management needs to support additional resources planned for incident response.

When presenting your incident response plan, focus on how your plan will benefit your organization (e.g., financial and brand benefits). For example, if you experience a data breach and manage the incident poorly, your company’s reputation will likely receive irreparable brand damage.

The more effective you are at presenting your goals, the easier it will be to obtain necessary funding to create, practice, and execute your incident response plan.

STEP 6: TRAIN YOUR STAFF

Just having an incident response plan isn’t enough. Employees need to be properly trained on your incident response plan and know what they’re expected to do after a data breach. This means training your team on a regular basis to ensure they know how to respond.

The regular work routine makes it easy for staff to forget crucial security lessons and best practices.

Employees also need to understand their role in maintaining company security. To help them, teach employees to identify attacks such as phishing emails, spear phishing attacks, and social engineering efforts.
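Step 3 puts "a baseline of normal activity to help identify breaches" first on the list of things your procedures should include, and the Data Breach Prevention Tools section later recommends alerting on an IDS. The script below is an added example, not code from the guide or from SecurityMetrics, of what that baseline looks like in practice: it learns the normal rate of failed logins per source from a known-good period of log lines, then raises alerts on a monitored period when a source exceeds that rate and when a login then succeeds from the same source. The log lines, hostnames and addresses are constructed sample input; the syslog-like format and the 10-minute window are assumptions for the example.

```python
"""Baseline-and-alert detection over constructed authentication log lines.
Added example; not SecurityMetrics' code and not a real IDS product."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real log data), in a syslog-like shape.
TRAINING_LOG = """\
2024-03-04T08:00:05 sshd[900]: Failed password for jsmith from 10.0.0.5 port 40001
2024-03-04T08:00:40 sshd[900]: Failed password for jsmith from 10.0.0.5 port 40002
2024-03-04T08:01:02 sshd[900]: Accepted password for jsmith from 10.0.0.5 port 40003
2024-03-04T08:15:10 sshd[901]: Accepted password for mlee from 10.0.0.6 port 40010
"""

MONITORED_LOG = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for admin from 10.0.0.7 port 51011
2024-03-04T09:00:03 sshd[1201]: Failed password for admin from 10.0.0.7 port 51012
2024-03-04T09:00:05 sshd[1201]: Failed password for admin from 10.0.0.7 port 51013
2024-03-04T09:00:07 sshd[1201]: Failed password for admin from 10.0.0.7 port 51014
2024-03-04T09:00:09 sshd[1201]: Failed password for admin from 10.0.0.7 port 51015
2024-03-04T09:00:11 sshd[1201]: Failed password for admin from 10.0.0.7 port 51016
2024-03-04T09:00:13 sshd[1201]: Failed password for admin from 10.0.0.7 port 51017
2024-03-04T09:00:15 sshd[1201]: Accepted password for admin from 10.0.0.7 port 51018
2024-03-04T09:03:00 sshd[1202]: Failed password for mlee from 10.0.0.9 port 51020
2024-03-04T09:03:05 sshd[1202]: Accepted password for mlee from 10.0.0.9 port 51021
2024-03-04T09:04:00 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)


def parse(log_text):
    """Return (timestamp, outcome, user, source) tuples; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def _bucket(ts):
    """Start of the 10-minute window containing ts (window size is an assumption)."""
    return ts.replace(minute=ts.minute - ts.minute % 10, second=0, microsecond=0)


def failures_per_window(events):
    """Count failed logins per (source address, 10-minute window)."""
    counts = defaultdict(int)
    for ts, outcome, _user, src in events:
        if outcome == "Failed":
            counts[(src, _bucket(ts))] += 1
    return counts


def learn_baseline(training_events):
    """Baseline of normal activity: the most failed logins any single source
    produced in one window during a known-good period."""
    return max(failures_per_window(training_events).values(), default=0)


def detect(monitored_events, baseline, floor=5):
    """Alert on any source exceeding twice the baseline (never below `floor`),
    and on a successful login from a source already over that threshold."""
    threshold = max(2 * baseline, floor)
    counts = failures_per_window(monitored_events)
    alerts = []
    noisy = set()
    for (src, bucket), n in sorted(counts.items()):
        if n > threshold:
            noisy.add(src)
            alerts.append(f"brute-force: {src} made {n} failed logins in window {bucket.isoformat()}")
    for ts, outcome, user, src in monitored_events:
        if outcome == "Accepted" and src in noisy:
            alerts.append(f"success-after-failures: {user} accepted from {src} at {ts.isoformat()}")
    return alerts


def run_demo():
    """Learn the baseline from the known-good period, then scan the monitored period."""
    baseline = learn_baseline(parse(TRAINING_LOG))
    return detect(parse(MONITORED_LOG), baseline)
```

The training period here yields a baseline of two failures per window, so the threshold is the floor of five; the monitored period produces one brute-force alert for 10.0.0.7 and one success-after-failures alert, while the single failure from 10.0.0.9 stays below the baseline and raises nothing. In a real deployment the known-good period should be reviewed before it is trusted as the baseline, and the threshold and window would be tuned per system.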

Test Your Incident Response Plan

To help staff, regularly test their reactions through real-life simulations such as tabletop exercises. Tabletop exercises allow employees to learn and practice their incident response roles when nothing is at stake, which can help you discover gaps in your incident response plan (e.g., communication issues).

TYPES OF TABLETOP EXERCISES

DISCUSSION-BASED EXERCISE

In a discussion-based tabletop exercise, incident response team members discuss response roles in hypothetical situations. This tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while it still tests your team’s response to real-life scenarios without risk to your organization.

However, this exercise can’t fully test your incident response plan or your team’s response roles.

SIMULATION EXERCISE

In a simulation exercise, your team tests their incident responses through a live walk-through test that has been highly choreographed and planned. This exercise allows participants to experience how events actually happen, helping your team better understand their roles.

However, simulation exercises require a lot of time to plan and coordinate, while still not fully testing your team’s capabilities.

PARALLEL TESTING

In parallel testing, your incident response team actually tests their incident response roles in a test environment. Parallel testing is the most realistic simulation and provides your team with the best feedback about their roles.

Parallel testing is more expensive and requires more time planning than other exercises because you need to simulate an actual production environment, with realistic systems and networks.

CONDUCT A TABLETOP EXERCISE

Before conducting a tabletop exercise, determine your organization’s needs by asking:

• Has your incident response team received adequate training regarding their roles and responsibilities?
• When did you last conduct a tabletop exercise?
• Have there been recent organizational changes that might affect your incident response plan?
• Has there been any recent guidance or legislation that might impact your response plan?

Next, design your tabletop exercise around an incident response plan topic or section that you want tested. Identify any desired learning objectives or outcomes. From there, create and coordinate with your tabletop exercise staff (e.g., facilitator, participants, and data collector) to schedule your tabletop exercise.

When designing your tabletop exercise, prepare the following exercise information in advance:

• A facilitator guide that documents your exercise’s purpose, scope, objective, and scenario, including a list of questions to address your exercise’s objectives.
• A participant briefing that includes the exercise agenda and logistics information.
• A participant guide that includes the same information as the facilitator guide, except it either doesn’t include any of the questions or includes a shorter list of questions designed to prepare participants.
• An after-action report that documents the evaluations, observations, and lessons learned from your tabletop exercise staff.

After conducting a tabletop exercise, set up a debrief meeting to discuss response successes and weaknesses.

Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.

Data Breach Prevention Tools

This section outlines data breach prevention tools that can help improve your data breach response and increase your data security.

INSTALL AND MONITOR FILE INTEGRITY MONITORING SOFTWARE

File integrity monitoring (FIM) software is a great companion for your malware prevention controls. New malware comes out so frequently that you can’t rely on anti-virus software alone to protect your systems. It often takes many months for a signature of newly detected malware to make it into the malware signature files that allow anti-virus software to detect it.

Configure FIM software to watch critical file directories for changes. FIM software is typically configured to monitor areas of a computer’s file system where critical files are located. FIM tools will generate an alert that can be monitored when a file is changed.

Malware is software that consists of files that are copied to a target computer. Even if your anti-virus software cannot recognize the malware files’ signatures, FIM software will detect that files have been written to your computer and will alert you to check and make sure you know what those files are. If the change was known (like a system update), then you don’t need to worry. If not, chances are you have new malware that could not be detected by signature and can now be dealt with.

Here are some places where FIM should be set up to monitor:

• Operating system critical directories
• Critical installed application directories
• Web server and/or web application directories
• User areas (if an employee-facing computer)

FIM can also be set up to check if web application code or files are modified by an attacker.

INSTALL INTRUSION DETECTION AND PREVENTION SYSTEMS

One of the reasons data breaches are so prevalent is a lack of proactive, comprehensive security dedicated to monitoring system irregularities, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Using these systems can help identify a suspected attack and help you locate security holes in your network that attackers used. Without the knowledge derived from IDS logs, it can be very difficult to find system vulnerabilities and determine if cardholder data was accessed or stolen.

By setting up alerts on an IDS, you can be warned as soon as suspicious activity is identified and be able to significantly minimize compromise risk within your organization. You may even stop a breach in its tracks.

An IDS could help you detect a security breach as it’s happening in real time.

For more preventive measures, you might consider an IPS, which also monitors network activity for malicious activities, logs this information, and reports it, but it can additionally prevent and block many intrusions that are detected. An IPS can drop malicious packets, block traffic from the malicious source address, and reset connections.

INSTALL DATA LOSS PREVENTION SOFTWARE

In addition to these, you should have data loss prevention (DLP) software in place. DLP software watches outgoing data streams for sensitive or critical data formats that should not be sent through a firewall, and it blocks this data from leaving your system.

Make sure to implement it properly, so that your DLP knows where data is allowed to go; if it’s too restrictive, it might block critical transmissions to third-party organizations.
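The FIM section above describes the mechanism (hash the files in critical directories, alert on any change, then decide whether the change was a known update) without showing it. The script below is an added example, not code from the guide, from SecurityMetrics, or from any FIM product, that implements that baseline-and-compare loop with SHA-256 and shows how a known change window (here a scheduled deployment of one config file) is reported separately so that it does not look like the unexplained file drop beside it. The directory layout and file names are constructed in a temporary directory; the `approved` set is an assumption standing in for whatever change-control record your organization keeps.

```python
"""File integrity monitoring (FIM) baseline-and-compare demo.
Added example; not SecurityMetrics' code and not a real FIM product."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def detect_changes(baseline: dict, current: dict, approved=frozenset()) -> dict:
    """Compare two snapshots. Files in `approved` (a known change window, e.g. a
    system update or scheduled deployment) are reported separately rather than
    as alerts; everything else that was added, modified or deleted is an alert."""
    report = {"added": [], "modified": [], "deleted": [], "approved": []}
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    for kind, paths in (("added", added), ("modified", modified), ("deleted", deleted)):
        for p in paths:
            (report["approved"] if p in approved else report[kind]).append(p)
    return report


def run_demo() -> dict:
    """Constructed scenario: a small web root, one approved change, two unexpected ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "checkout.php").write_text("<?php // original checkout\n")
        (root / "app" / "config.php").write_text("<?php $db = 'prod';\n")
        baseline = build_baseline(root)

        # Known change window: config.php is updated by a scheduled deployment.
        (root / "app" / "config.php").write_text("<?php $db = 'prod2';\n")
        # Unexpected: checkout code is edited and a new file appears in the web root.
        (root / "app" / "checkout.php").write_text("<?php // original checkout\n// unexpected edit\n")
        (root / "app" / "x.php").write_text("<?php // unexplained new file\n")

        current = build_baseline(root)
        return detect_changes(baseline, current, approved={"app/config.php"})


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

The point of the `approved` set is the sentence in the text about known changes: a FIM alert on a patched file is noise unless the patch is on record, and an unexplained file in a web application directory is exactly the signal the guide says anti-virus can miss. A production FIM would store the baseline somewhere the monitored host cannot silently rewrite it and would run the comparison on a schedule.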

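The DLP paragraph above says the software watches outgoing streams for data formats that should not leave, and that it must know where data is allowed to go or it will block legitimate third-party transmissions. As an added example, not the guide's or SecurityMetrics' code and not a commercial DLP product, the script below inspects outbound payloads for the one format that matters most under PCI DSS, the primary account number: it finds candidate digit runs, filters them with the Luhn check so order numbers are not flagged, masks any real PAN to first six and last four, and then allows the flow only when the destination is on an allowlist of places PANs may go. The hostnames and message bodies are constructed; 4111111111111111 is a widely used test card number, not a real account.

```python
"""Outbound inspection for primary account numbers (PANs), DLP-style.
Added example; not SecurityMetrics' code and not a commercial DLP product."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; this is what separates a PAN from an order number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four only, the most PCI DSS permits on a display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text (candidates that pass Luhn)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def inspect_outbound(destination: str, payload: str, allowed_pan_destinations) -> dict:
    """Allow flows with no PAN; allow PANs only to allowlisted destinations
    (e.g. your payment gateway); block everything else and report masked PANs
    so the alert itself never carries cardholder data."""
    pans = find_pans(payload)
    if not pans:
        return {"destination": destination, "action": "allow", "pans": []}
    action = "allow" if destination in allowed_pan_destinations else "block"
    return {"destination": destination, "action": action, "pans": pans}


# Constructed sample flows (hypothetical hostnames; 4111111111111111 is a test PAN).
SAMPLE_FLOWS = [
    ("gateway.example", "auth_request pan=4111111111111111 amount=1999"),
    ("mail.example", "Refund requested for order 1234567890123456, card 4111-1111-1111-1111"),
    ("crm.example", "order 1234567890123456 shipped"),
]
ALLOWED_PAN_DESTINATIONS = {"gateway.example"}  # assumption: where PANs may legitimately go


def run_demo() -> list:
    return [inspect_outbound(dest, body, ALLOWED_PAN_DESTINATIONS) for dest, body in SAMPLE_FLOWS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The three flows cover the cases the text raises: a PAN going to the gateway is allowed because the destination is on the allowlist, the same PAN in an email is blocked, and a 16-digit order number that fails Luhn is not flagged at all. The allowlist is the "knows where data is allowed to go" part; without it this rule would block the payment gateway traffic that the business depends on.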
Conclusion

SECTION CONTENTS

PCI DSS Budget ... 133
Create A Security Culture ... 135
Contributors ... 138
Terms And Definitions ... 139
Appendix ... 142

PCI DSS Budget

The cost of PCI compliance depends on your organization’s structure. Here are a few variables that will factor into the cost of your overall compliance to the PCI DSS:

• Your business type (e.g., franchise, service provider, mom-and-pop shop): Each business type will have varying amounts of transactions, cardholder data, environment structure, risk levels, and merchant or service provider levels, meaning that each business will have different security requirements.

• Your organization’s size: Typically, the larger the organization, the more potential vulnerabilities it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments mean more cost.

• Your organization’s environment: The type of processing systems, the brand of computers, the kind of firewalls, the model of back-end servers, etc. can all affect your PCI cost.

• Your organization’s dedicated PCI staff and outside help: Even with a dedicated team, organizations usually require outside assistance or consulting to help them meet PCI requirements.



The following are estimated annual PCI budgets:[11]

SMALL ENTITY BUDGET

Self-assessment questionnaire (SAQ): $50 – $200
Vulnerability scan: $100 – $150 (PER IP ADDRESS)
Training and policy development: $70 (PER EMPLOYEE)
TOTAL POSSIBLE COST: $220+

MEDIUM/LARGE ENTITY BUDGET

Onsite audit: $40,000+
Vulnerability scan: $800+
Penetration testing: $15,000+
Training and policy development: $5,000+
TOTAL POSSIBLE COST: $60,800+

Keep in mind this budget doesn’t include implementing and managing security controls, such as firewalls, encryption, and updating systems and equipment.

Create A Security Culture

Unless someone oversees PCI on management’s side (not just IT), PCI compliance won’t happen. We often see departments inside companies (e.g., networking, IT, HR, risk) expecting other departments to take charge of PCI compliance, which means nobody is in charge of it. Other times, organizations expect a third-party QSA to be the PCI project manager, which is not feasible because the QSA’s role is to assess what is in place, not create a security and compliance program.

Security is not a bottom-up process. Management often says or implies that IT should “just get their organization secure.” However, those placed in charge of PCI compliance and security may not have the means necessary to reach their goals.

For example, IT may not have the budget to implement adequate security policies and technologies (e.g., firewalls, FIM). Some may try to look for free software to fill in security gaps, but this process can be expensive due to the time it takes to implement and manage. In some instances, we have seen IT departments wanting their PCI auditor to purposely fail their compliance evaluations so they could prove their higher security budget needs. Obviously, it would have been better to focus on security from the top level down beforehand.

C-level management should support the PCI process. If you are a C-level executive, you should be involved with budgeting, assisting, and establishing a security culture from the top down.

Additionally, organizations can sometimes focus on becoming “certified” as PCI compliant, while not actually addressing, monitoring, and regularly reviewing critical security controls and processes. Keep in mind that this attitude of just checking off SAQ questions doesn’t make an organization PCI compliant, nor will it protect them from future data breaches.

OVERCOME MANAGEMENT’S BUDGET CONCERNS

If you’re having problems communicating budgetary needs to management, conduct a risk assessment before starting the PCI process. NIST 800-30 is a good risk assessment protocol to follow. At the end of your assessment, you’ll have an idea of your compromise probability, how much a compromise would cost, and the impact a breach might have on your organization (including brand damage).

Simply put, you need to find a way to show how much money weak security will cost the organization. For example, “if someone gains access to the system through X, this is how much it will cost and how much damage it will cause.” Consider asking marketing or accounting teams for help delivering the message in more bottom-line terms.

If possible, work with a QSA to identify security controls to address what tools you may need to implement.



TIPS FROM AN AUDITOR

PCI DSS Responsibilities and Challenges

Small merchants and service providers tend to struggle with documenting and following policies and procedures.

JEN STONE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA | CCSFP | CHQP

In my experience, small merchants and service providers tend to struggle with documenting and following policies and procedures. During a PCI DSS assessment, a QSA will verify that required policies and procedures are in place and being followed.

Smaller merchants and service providers whose CDE consists of only a few machines often feel that they don’t have time to document procedures. Unfortunately, it’s not uncommon to perform a renewal assessment where the business neglected to maintain compliance due to employee turnover and lack of documentation.

At a minimum, small merchants should set up a PCI email user or active directory account and add reminders in their calendar to perform security processes throughout the year (e.g., quarterly vulnerability assessment scans, semi-annual firewall reviews). The evidence collected from these tasks can then be sent to that PCI account for storage. This is a low-cost solution that can help key personnel keep PCI DSS compliance on their minds throughout the year. It will also help document necessary evidence for their annual self-assessment (or to their assessor).

Large enterprise organizations usually document their policies and procedures sufficiently. They generally have very specific and thorough change control processes, and they typically follow documented approval processes prior to implementing changes to their CDE. Unfortunately, due to their size and the different entities involved in their CDE management, their reaction time tends to be much slower, with different stakeholders often making contradictory decisions. When vulnerability scans or penetration tests identify weaknesses that may place their CDE at risk, it’s not always apparent which group should be responsible for addressing these vulnerabilities.

To help address some of these concerns, requirement 12 details how service providers need to define a charter for the organization’s compliance program, involving executive management. While this is only required for service providers, it’s recommended that larger merchants follow this requirement as well.

Large organizations and service providers should establish an official PCI charter that describes the management and accountability of the organization’s compliance program.[3] Additionally, they should implement internal audit procedures to ensure security practices are properly in place throughout the year.[3]

PCI compliance cannot just be an annual audit event.

Often, organizations are not leveraging many of the PCI requirements in a way that actually increases security for their CDE.

For instance, PCI requires log centralization and daily reviews. PCI also requires change detection or FIM on CDE systems to detect unauthorized changes to key files and directories. To achieve compliance, organizations might set up log monitoring and FIM, but then ignore every alert coming their way. They may technically have FIM and log monitoring in place, but these systems alone are not making their environments more secure because necessary time and effort are not taken to respond to genuine alerts.

As you implement your cybersecurity program, make sure you understand why a security control is required so you can structure tools and processes around the protection each control offers.



Contributors

Matt Halbleib
Jen Stone
Michael Simpson
Gary Glover
Michael Maughan
Winn Oakey
David Page
Michael Ohran
Trevor Hansen
Mark Miner
Winnie Miller
Marj Eldard
David Ellis
Aaron Willis
Whitney Taylor
Don Robertson
Brad Nelson
Brad Caldwell
Joshua Brandeberry
Jeff Compton
Heather Page
Tyler Farr
Sidnie Anderson
Rich Bushell
Jon Clark
Sarah Kemple
Jameson Olsen
Hunter Steffen
Katherine Bullock
Emory French-Folsom
Ashley Perry
Karen Smith
Ben Caldwell
Eric Smith

We hope our PCI DSS Guide will help you close the gaps in your data security and compliance. Please reach out to us with any questions you have.

801.705.5621

Terms And Definitions

Access Control List (ACL): A list of instructions for firewalls to know what to allow in and out of systems.

Advanced Encryption Standard (AES): A government encryption standard to secure sensitive electronic information.

Approved Scanning Vendor (ASV): A company approved by the PCI SSC to conduct vulnerability scanning tests.

Captured: Data is being recorded, gathered, or stored from an unauthorized source.

Card Verification Value (CVV/CSC/CVC/CAV): Element on a payment card that protects information on the magnetic stripe. Specific acronyms depend on the card brand.

Cardholder Data Environment (CDE): Any individual, software, system, or process that processes, stores, or transmits cardholder data.

Cardholder Data (CHD): Sensitive data found on payment cards, such as an account holder name or PAN data.

Chief Information Security Officer (CISO): Similar to a CSO, but with responsibility for IT rather than entity-wide security.

Data Loss Prevention (DLP): A piece of software or strategy used to catch unencrypted data sent outside the network.

Domain Name Server (DNS): A way to translate URLs to IP addresses.

Exfiltrated: The unauthorized transfer of data from a system.

Federal Information Processing Standards (FIPS): US federal government standards for computer security that are publicly announced (e.g., encryption standards).

File Integrity Monitoring (FIM): A method to watch for changes in software, systems, and applications to detect potential malicious activity.

File Transfer Protocol (FTP): An insecure way to transfer computer files between computers using the Internet. (See SFTP)

Firewall (FW): A system designed to screen incoming and outgoing network traffic.

Hypertext Transfer Protocol (HTTP): A method of communication between servers and browsers. (See HTTPS)

Hypertext Transfer Protocol Over Secure Socket (HTTPS): A secure method of communication between servers and browsers. (See HTTP)

Incident Response Plan (IRP): Policies and procedures to effectively limit the effects of a security breach.

Information Technology (IT): Anything relating to networks, computers, and programming, including the people that work with those technologies.

Internet Protocol (IP): Defines how computers send packets of data to each other.

Intrusion Detection System (IDS): Types of systems that are used to monitor network traffic and report potential malicious activity.



Intrusion Prevention System (IPS): Types of systems that, like an IDS, monitor network traffic and report potential malicious activity, but also prevent and block many of the intrusions that are detected.

Multi-factor Authentication (MFA): Two out of three independent methods of authentication are required to verify a computer or network user. The three possible factors are:

• Something you know (such as a username and password)
• Something you have (such as an RSA token or one-time password token)
• Something you are (such as fingerprint or iris scans)

National Institute of Standards and Technology (NIST): Federal technology agency that assists in developing and applying technology, measurements, and standards (e.g., the NVD).

National Vulnerability Database (NVD): A repository of all known vulnerabilities, maintained by NIST.

Network Access Control (NAC): Restricts data that users, apps, and programs can access on a computer network.

Open Web Application Security Project (OWASP): A non-profit organization focused on software security improvement. Often heard in the context of the “OWASP Top 10,” a list of the most threatening vulnerabilities.

Payment Card Industry Data Security Standard (PCI DSS): Requirements put together by the PCI SSC, required of all businesses that process, store, or transmit payment card data to help prevent cardholder data theft.

Payment Card Industry Security Standards Council (PCI SSC): An organization established in 2006 by Visa, MasterCard, American Express, Discover Financial Services, and JCB International to regulate cardholder data security.

Point-To-Point Encryption (P2PE): Payment card data encryption from the point of interaction to a merchant solution provider.

Primary Account Number (PAN): The 12 to 19 digits that identify a payment card. Also called a bank card number or payment card number.

Qualified Security Assessor (QSA): Individuals and firms certified by the PCI SSC to perform PCI compliance assessments.

Risk: The likelihood that a threat will trigger or exploit a vulnerability and the resulting impact on an organization.

Risk Assessment (RA): An assessment of the potential vulnerabilities, threats, and possible risk to the confidentiality, integrity, and availability of payment data held by an organization.

Risk Management Plan (RMP): The strategy to implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.

Role-Based Access Control (RBAC): The act of restricting users’ access to systems based on their role within an organization.

Secure File Transfer Protocol (SFTP): A secure way to encrypt data that is in transit. (See FTP)

Secure Socket Layer (SSL): An outdated Internet security standard for encrypting the link between a website and a browser to enable transmission of sensitive information (predecessor to TLS).

Self-Assessment Questionnaire (SAQ): A collection of questions used to document an entity’s PCI DSS assessment results, based on their processing environment.

Threat: The potential for a person, event, or action to exploit a specific vulnerability.

Transport Layer Security (TLS): A more secure Internet security standard for encrypting the link between a website and a browser to enable transmission of sensitive information. (See SSL)

Two-Factor Authentication (TFA): (See MFA)

Virtual Private Network (VPN): A strategy of connecting remote computers to send and receive data securely over the Internet as if they were directly connected to the private network.

Vulnerability: A flaw or weakness in procedure, design, implementation, or security control that could result in a security breach.

Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.

Web Application Firewall (WAF): An application firewall that monitors, filters, and blocks HTTP traffic to and from a web application.

Wi-Fi Protected Access (WPA): A security protocol designed to secure wireless computer networks. (See WPA2)

Wi-Fi Protected Access II (WPA2): A more secure version of WPA. (See WPA)

Wired Equivalent Privacy (WEP): An outdated and weak security algorithm for wireless networks.

Wireless Local Area Network (WLAN): A network that links two or more devices wirelessly.



Appendix

1. PCI Security Standards Council, LLC (2022). The prioritized approach to pursue PCI DSS compliance [webpage]. Retrieved from https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/Prioritized-Approach-For-PCI-DSS-v4-0.pdf

2. PCI Security Standards Council, LLC (2016). Information supplement: Guidance for PCI DSS scoping and network segmentation [webpage]. Retrieved from https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf

3. PCI Security Standards Council, LLC (2022). Payment card industry (PCI) data security standard: Requirements and testing procedures version 4.0 [webpage]. Retrieved from https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

4. PCI Security Standards Council, LLC (2022). List of validated products and solutions [webpage]. Retrieved from https://www.pcisecuritystandards.org/assessors_and_solutions

5. PCI Security Standards Council, LLC (2018). PCI data security essentials for small merchants [webpage]. Retrieved from https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Small-Merchants.pdf

6. PCI Security Standards Council, LLC (2022). Countdown to PCI DSS v4.0 [webpage]. Retrieved from https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0

7. PCI Security Standards Council, LLC (2019). 5 questions about PCI DSS v4.0 [webpage]. Retrieved from https://blog.pcisecuritystandards.org/5-questions-about-pci-dss-v4-0

8. PCI Security Standards Council, LLC (2018). Information supplement: Protecting telephone-based payment card data [webpage]. Retrieved from https://www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf

9. SecurityMetrics (2023). PANscan trends [webpage]. Retrieved from https://www.securitymetrics.com/learn/panscan-trends

10. PCI Security Standards Council, LLC (2017). Information supplement: Multi-factor authentication [webpage]. Retrieved from https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf

11. Glover, G. (2022). How much does PCI compliance cost? [webpage]. Retrieved from https://www.securitymetrics.com/blog/how-much-does-pci-compliance-cost

Our Products and Services

1. PCI Compliance:
• PCI for Small Business
• PCI Policies
• PCI Training
• PCI DSS Audit
• SSF Audit
• P2PE Audit

2. HIPAA Compliance:
• HIPAA for Small Business
• HIPAA Policies
• HIPAA Training
• HIPAA Audit
• HITRUST

3. GDPR Compliance:
• GDPR Defense
• GDPR Assessment

4. Managed Programs:
• PCI compliance Program for PCI Level 1-4 Merchants
• HIPAA for Health Networks

5. Vulnerability Scanning:
• External Vulnerability Scan
• Internal Vulnerability Scan
• Mobile Security

6. Data Discovery:
• Card Data Discovery
• PII Data Discovery

7. Ecommerce Security:
• Shopping Cart Inspect
• Shopping Cart Monitor

8. Security Operations:
• SecurityMetrics Pulse SOS
• Managed Firewall
• Antivirus Essentials

9. Workforce Training:
• Security and Compliance Training
• Cybersecurity Training
• PCI Security Training
• HIPAA Security and Privacy Training
• Policies and Procedures Templates

10. Security Audits:
• EI3PA Compliance
• NIST 800-30 Risk Assessment
• CIS Controls
• PIN Security Assessment
• Security Consulting

11. Security Testing:
• Penetration Testing

12. Incident Response:
• Incident Response
• Table Top Exercises

Never have a false sense of security.™


ABOUT SECURITYMETRICS

We secure peace of mind for organizations that handle sensitive data. We hold our tools, training, and support to a higher, more thorough standard of performance and service.

We are a PCI certified Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), Certified Forensic Investigator (PFI), and Managed Security provider with over 20 years of data security experience. From local shops to some of the world’s largest brands, we help all businesses achieve data security through managed services and compliance mandates (PCI, HIPAA, GDPR, HITRUST). We have tested over 1 million systems for data security and compliance. We are privately held and are headquartered in Orem, Utah, where we maintain a Security Operations Center (SOC) and 24/7 multilingual technical support.

www.securitymetrics.com/pci