Back to books home

Volume 3 - Building a PCI DSS Information Security Program

  • 3.1 Volume Introduction
  • 3.2 The High-Level PCI DSS requirements
  • 3.3 Building a PCI DSS Information Security Program
    • 3.3.1 Where you come from matters
    • 3.3.2 Information Security Programs are meant to address Risks
    • 3.3.3 Information Security Frameworks
  • 3.4 The PCI DSS Information Security Program Structure
    • 3.4.1 Recapping the PCI DSS data elements
    • 3.4.2 Data Classification
    • 3.4.3 Examples of data classification
  • 3.5 Governance
    • 3.5.1 Responsibilities for the program
    • 3.5.2 (Information Security) Policies (Requirement 12)
    • 3.5.3 Documenting usage of card information
  • 3.6 It’s all about risk
    • 3.6.1 Risk Assessment Requirement 1: Identifies critical assets, threats, and vulnerabilities
    • 3.6.2 Risk Assessment Requirement 2: Results in a formal, documented analysis of risk
    • 3.6.3 Risk Assessment: A proposed formal process based on NIST and Threat Modeling
      • 3.6.3.1 Step 1 - Establish a risk context
      • 3.6.3.2 Step 2 - Phase 2 – Assess Risk
      • 3.6.3.3 Step 3 - Phase 3 – Respond to Risk
      • 3.6.3.4 Step 4 - Phase 4 – Monitor Risk
  • 3.7 The body of the program
    • 3.7.1 Requirement 1 - Network (level) security controls (NSC, previously termed Firewall) - Isolating the Cardholder Data Environment (CDE)
      • 3.7.1.1 Protecting the CDE and the Trusted network from Untrusted sources
      • 3.7.1.2 Wireless
      • 3.7.1.3 Network Security Control (NSC) Configuration Standards
      • 3.7.1.4 Changes to the CDE
      • 3.7.1.5 Remote Access - Workstations, Desktops, Laptops
    • 3.7.2 - Requirement 2 - Hardening
    • 3.7.3 - Requirement 3 - Storage of Account Data
      • 3.7.3.1 Encryption of Stored Data
    • 3.7.4 - Requirement 4 - Transmission of Cardholder Data
      • 3.7.4.1 SSL/TLS (for transmission)
    • 3.7.5 - Requirement 5 - Protections against Malicious Software (Antivirus)
    • 3.7.6 - Requirement 6 - Secure Software Development, Vulnerability Management & Patching, Web Security, and Change Control
      • 3.7.6.1 Software Development Requirements
      • 3.7.6.2 Vulnerability Management
      • 3.7.6.3 Secure External Web Apps
      • 3.7.6.4 Change control
    • 3.7.7 - Requirement 7 - Need to know
    • 3.7.8 - Requirement 8 - Authentication
      • 3.7.8.1 User Identification and Accounts (ensuring traceability)
      • 3.7.8.2 User Authentication (confirming the identity)
      • 3.7.8.3 Application and system accounts
    • 3.7.9 - Requirement 9 - Physical security
      • 3.7.9.1 Visitors
      • 3.7.9.2 Media Management
      • 3.7.9.3 Protection of Point-of-Sale (POS) and other payment devices
    • 3.7.10 - Requirement 10 - Logging & Monitoring (audit trails)
    • 3.7.11 Requirement 11 - Testing
      • 3.7.11.1 - Testing wireless networks
      • 3.7.11.2 Vulnerability testing
      • 3.7.11.3 Penetration testing
      • 3.7.11.4 Other detective controls
      • 3.7.11.5 Changes to payment pages
  • 3.8 Other Requirements
    • 3.8.1 Targeted Risk Assessments
    • 3.8.2 Security awareness
    • 3.8.3 Managing Third-party service providers (TPSP)
    • 3.8.4 Incident Response Management
    • 3.8.5 Other Service Provider Requirements
    • 3.8.6 Multi-tenant service provider (previously shared service provider) requirements
  • 3.9 Addressing compliance gaps – prioritization
  • 3.10 When you cannot meet the “defined approach” as is
    • 3.10.1 Compensating Controls - the old way
    • 3.10.2 Customized Approach - the new way
  • 3.11 Total Cost of Ownership (TCO) and Return-on-Investment (ROI)
  • 3.12 Sections Removed: Mappings & The PCI Resources PCI DSS requirements matrix
  • End Notes - Volume 3