Requirement 1
Install and maintain a firewall configuration to protect cardholder data
Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3
Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
Requirement 4
Encrypt transmission of cardholder data across open, public networks
Requirement 5
Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6
Develop and maintain secure systems and applications
Requirement 7
Restrict access to cardholder data by business need to know
Requirement 8
Identify and authenticate access to system components
Requirement 9
Restrict physical access to cardholder data
Requirement 10
Track and monitor all access to network resources and cardholder data
Requirement 11
Regularly test security systems and processes
Requirement 12
Maintain a policy that addresses information security for all personnel
Appendix A1
Shared hosting providers must protect the cardholder data environment
Appendix A2
Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A3
Designated Entities Supplemental Validation (DESV)
Compensating Controls
1- Meet the intent and rigor of the original PCI DSS requirement
2- Sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
3- Be "above and beyond" other PCI DSS requirements (i.e., not simply in compliance with other requirements)
4- Be commensurate with the additional risk imposed by not adhering to the original requirement
Compensating Controls
To consider Compensating Controls, one of the following must exist that precludes implementing the stated control:
1- Legitimate Technical Constraint
2- Documented Business Constraint
Compensating Controls
Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the
Compensating Controls
Existing PCI DSS requirements may be combined with new controls to become a compensating control
SAQs
An SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS
SAQ A
Card-not-present (e-commerce or MO/TO) merchants, with all cardholder data functions outsourced to PCI DSS compliant service providers.
Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
Applicable only to e-commerce channels.
SAQ B
Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ B-IP
Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C
Merchants with segmented payment application systems connected to the Internet, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C-VT
Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ D
SAQ D for Merchants: All merchants not included in the descriptions for other SAQ types.
SAQ D for Service Providers: All service providers identified by a payment brand as eligible to complete a self-assessment questionnaire.
P2PE
Merchants who have implemented a validated Point-to-Point Encryption Solution that is listed on the PCI SSC website, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Prioritized Approach Goal #1
Remove sensitive authentication data and limit data retention
Intent:
Remove SAD & limit data retention
Prioritized Approach Goal #2
Protect systems and networks, and be prepared to respond to a system breach
Intent:
Controls for point of access and processes for responding
Prioritized Approach Goal #3
Secure payment card applications
Intent:
Controls for applications, application processes, and application servers.
Prioritized Approach Goal #4
Monitor and control access to your systems
Intent:
Detect the who, what, when, and how