PCI-DSS Requirements

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

How InterSOC helps with PCI compliance:

Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

** InterSOC can collect events from custom applications for greater visibility. Custom applications are often the source of vulnerabilities that can only be identified with application-level assessments. InterSOC also offers Secure Application Development training to help you secure your applications, and application assessments to verify the result.

Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

** InterSOC ties each system audit event to the individual user who performed it, with customized alerting on that linked activity.

10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system-level objects.

** System events are collected and analyzed for unauthorized activity, with custom throttled alerting.

10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.

** Full event details are collected and used for security analysis and reporting.
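The following is an added example (not InterSOC code, and not prescribed by the standard) of what 10.1, 10.2 and 10.3 look like once turned into log processing. It normalises a few constructed syslog-style lines into the six 10.3 fields, tags each event with the 10.2 categories it reconstructs (a sudo line is attributed to the invoking user rather than to root, which is the 10.1 link), and rolls the result up into the kind of summary a daily review under 10.6 would begin from. The log lines, regular expressions, event-type names and the list of "audit trail" paths and system-object commands are all assumptions made for this example.

```python
"""Normalise constructed auth-log lines into the six fields Requirement 10.3
asks for and tag each one with the 10.2 event types it satisfies.  Added
example, not InterSOC code; the sample lines and field names are my own."""
import re
from dataclasses import dataclass, field

# Constructed sample lines in a syslog-like layout (not captured from a real host).
SAMPLE_LOG = """\
2024-03-01T09:12:04Z pos-db-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T09:12:09Z pos-db-01 sshd[2211]: Accepted publickey for jdoe from 192.0.2.44 port 50122 ssh2
2024-03-01T09:13:30Z pos-db-01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/less /var/log/audit/audit.log
2024-03-01T09:14:02Z pos-db-01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd svc-report
"""

SYSLOG = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSH_OK = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumed locations of audit trails (10.2.3) and commands that create or delete
# system-level objects (10.2.7); tune these to the platform being monitored.
AUDIT_TRAIL_PATHS = ("/var/log/audit", "/var/log/auth.log", "/var/log/secure")
SYSTEM_OBJECT_CMDS = {"useradd", "userdel", "groupadd", "groupdel"}


@dataclass
class AuditEvent:
    user: str          # 10.3.1 user identification
    event_type: str    # 10.3.2 type of event
    timestamp: str     # 10.3.3 date and time
    success: bool      # 10.3.4 success or failure indication
    origin: str        # 10.3.5 origination of event
    target: str        # 10.3.6 affected data, system component or resource
    pci_10_2: list = field(default_factory=list)  # 10.2.x categories this event reconstructs


def parse_line(line: str):
    """Return an AuditEvent for a recognised line, or None for anything else."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
    if prog == "sshd":
        if (f := SSH_FAIL.match(msg)):  # invalid logical access (10.2.4) via an auth mechanism (10.2.5)
            return AuditEvent(f["user"], "auth_failure", ts, False, f["src"], host, ["10.2.4", "10.2.5"])
        if (f := SSH_OK.match(msg)):
            return AuditEvent(f["user"], "auth_success", ts, True, f["src"], host, ["10.2.5"])
    if prog == "sudo" and (s := SUDO.match(msg)):
        # A sudo COMMAND= line records an authorised invocation.  The 10.1 link is the
        # invoking account (s["user"]), not the root account the command ran as.
        cats = ["10.2.2"] if s["runas"] == "root" else []
        cmd = s["cmd"]
        if any(p in cmd for p in AUDIT_TRAIL_PATHS):
            cats.append("10.2.3")
        if (cmd.split() or [""])[0].rsplit("/", 1)[-1] in SYSTEM_OBJECT_CMDS:
            cats.append("10.2.7")
        return AuditEvent(s["user"], "privileged_command", ts, True, f"{host}:{s['tty']}", cmd, cats)
    return None


def parse_log(text: str):
    """Parse every line, dropping the ones no pattern recognises."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review_summary(events):
    """Counts per 10.2 category plus the sources of failed logins: the roll-up a
    daily log review (10.6) starts from."""
    summary = {}
    failed_from = set()
    for e in events:
        for cat in e.pci_10_2:
            summary[cat] = summary.get(cat, 0) + 1
        if not e.success:
            failed_from.add(e.origin)
    summary["failed_login_sources"] = sorted(failed_from)
    return summary


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print(review_summary(events))
```

Two things worth noticing: the failed SSH login is still a full 10.3 record even though the user does not exist (the attempted name, source address and failure flag are exactly what a brute-force investigation needs), and the sudo line that opens /var/log/audit/audit.log is flagged under both 10.2.2 and 10.2.3, so a reviewer sees audit-trail access separately from other root activity.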

     

10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications
10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter
10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

** InterSOC collects and processes log data from devices immediately, so a copy is held off the originating host and protected from alteration.
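The distinction 10.5.5 draws, alert on changes to existing log data but not on appended data, is easy to get wrong with a plain whole-file checksum, which changes on every append. The added example below (not InterSOC code; the log content and function names are constructed for illustration) keeps a baseline of the file's size, the digest of the bytes it covered, and a digest per line. A later check hashes only the prefix the baseline covered: if it matches, anything beyond it is new data and no alert is raised; if it does not, the per-line digests locate the first line that was edited or truncated away. The baseline has to live somewhere the monitored host cannot rewrite it, which is what 10.5.3's central log server is for.

```python
"""Append-only integrity check for a log file in the spirit of 10.5.5: alert when
existing log data is changed or truncated, stay quiet when lines are only added.
Added example, not InterSOC code; the log content below is constructed."""
import hashlib


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(data: bytes) -> dict:
    """Baseline to store off-host (10.5.3): size and digest of the content as it
    exists now, plus a digest per line so a later mismatch can be located."""
    lines = data.splitlines(keepends=True)
    return {"size": len(data), "digest": _digest(data),
            "line_digests": [_digest(l) for l in lines]}


def check(data: bytes, baseline: dict) -> tuple:
    """Return (status, first_bad_line).  Status is 'unchanged', 'appended' or
    'MODIFIED'; only MODIFIED should raise an alert."""
    prefix = data[: baseline["size"]]
    if _digest(prefix) == baseline["digest"]:
        # Every byte the baseline covered is intact; anything beyond it is new data.
        return ("unchanged" if len(data) == baseline["size"] else "appended", None)
    lines = data.splitlines(keepends=True)
    for i, old in enumerate(baseline["line_digests"]):
        if i >= len(lines) or _digest(lines[i]) != old:
            return ("MODIFIED", i)  # edited here, or truncated before this line
    return ("MODIFIED", None)       # defensive fallback; the loop above normally returns


# Constructed two-line log as it existed when the baseline was taken.
LOG_V1 = (b"2024-03-01T09:12:04Z pos-db-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7\n"
          b"2024-03-01T09:12:09Z pos-db-01 sshd[2211]: Accepted publickey for jdoe from 192.0.2.44\n")


def demo() -> dict:
    """Run the check against the four cases a monitor has to tell apart."""
    base = snapshot(LOG_V1)
    appended = LOG_V1 + b"2024-03-01T09:13:30Z pos-db-01 sudo: jdoe : TTY=pts/0 ; USER=root ; COMMAND=/usr/sbin/useradd svc-report\n"
    tampered = LOG_V1.replace(b"Failed password for invalid user admin", b"Accepted password for jdoe")
    truncated = LOG_V1.splitlines(keepends=True)[0]  # second line deleted
    return {"unchanged": check(LOG_V1, base), "appended": check(appended, base),
            "tampered": check(tampered, base), "truncated": check(truncated, base)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The truncation case matters in practice: an attacker who deletes the evidence of a failed login leaves a file that is shorter than the baseline, and a check that only compares the bytes present (rather than the bytes the baseline covered) would miss it. Log rotation must re-baseline the new file, otherwise the first rotation looks like a truncation.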

     

     

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

** InterSOC continuously monitors the collected data and applies its patent-pending Threat Model Analysis to identify patterns of attack, with persistent tracking of activity across all types of log data. InterSOC also provides multiple customized dashboards, real-time investigation, and incident response.

10.7 Retain audit trail history for at least one year, with a minimum of three months online availability.

** InterSOC provides real-time online access and transparent archiving.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

** InterSOC provides automated internal assessment scanning for the internal scans that 11.2 requires. The quarterly external scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council, and both internal and external scans must be repeated after a significant network change.

The complete PCI Data Security Standard is published by the PCI Security Standards Council.