Oct 07, 2009 The Payment Card Industry Data Security Standard Compliance Planning Guide version 1.2 is targeted for merchants that accept payment cards, financial institutions that process payment card transactions, and service providers—third-party companies that provide payment card processing or data storage services. IT solutions for each of these groups must meet all PCI DSS requirements. Payment Card Industry (PCI) compliance is a complex and ever-evolving subject affecting millions of businesses – acquiring banks, Independent Sales Organizations (ISOs), payment processors, Web hosts, shopping carts, ecommerce and retail merchants, and others who accept electronic payments or provide services to those who do. To view the full interactive checklist, download the PDF below. Anyone responsible for implementing PCI compliance; Here's an example IT checklist page from the PDF. Set up a manual or automatic schedule to install the latest security patches for all system components. If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards. This site provides: credit card data security standards documents, PCIcompliant software and hardware, qualified security assessors, technical support, merchant guides and more.
- Pci Compliance Test
- Examples Of Export Compliance Manual
- Pci Compliance Guide
- Customs Compliance Manual Example
- Pci Compliance Checklist
- Pci Compliance Policy Template
PCI Compliance Requirement IT Checklist
This post contains part of the text from the SecurityMetrics PCI DSS Compliance IT Checklists. To view the full interactive checklist, download the PDF below.
Our updated interactive PCI Compliance IT Checklists outlines the most important aspects to achieve PCI compliance, breaking down the twelve different requirements of the PCI DSS*. Each of the twelve requirements is broken down into what you'll need to do and have in place for PCI compliance.
With our interactive PDF, you'll be able to track your progress and make assignments for the twelve PCI requirements.
Using this checklist, you'll better ensure that you're not leaving gaps in your security and compliance efforts.
Who this IT Checklist is for:
- CISO
- IT manager/professional
- Risk/compliance officer
- PCI level 4 manager
- Anyone responsible for implementing PCI compliance
Here's an example IT checklist page from the PDF:
*This checklist does not include every requirement and aspect of the PCI DSS. Please refer to the full standard if you have further questions or need to follow additional requirements.
The information described in this checklist is presented as a reference and is not intended to replace security assessments, tests, and services performed by qualified security professionals. Users are encouraged to consult with their companies’ IT professionals to determine their needs to procure security services tailored to those needs.
PCI DSS Compliance IT Checklist
PCI Requirement 1
Firewall Implementation and Review
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- Firewall(s)
- “Deny All” rule for all other inbound and outbound traffic (1.2.1.b)
- Stateful inspection/dynamic packet filtering (1.3.5)
- Documented business justification for each port or protocol allowed through the firewall (1.1.6a)
THINGS YOU WILL NEED TO DO
- Limit traffic into the CDE to that which is necessary. (1.2.1.a)
- Position firewall(s) to prohibit direct inbound and outbound traffic from the CDE. (1.3)
- Create secure zone(s) for any card data storage, which must be separate from DMZ. (1.3.6)
- Explicitly authorize outbound connections from the CDE. (1.3.4)
- Document all firewall policies and procedures. (1.2.1.a, 1.2.1.b, 1.2.3, 1.3, 1.3.3, 1.3.5, 1.3.6)
THINGS YOU MAY NEED TO DO
- Install a firewall between wireless networks and the CDE (wireless only). (1.2.3)
PCI Requirement 2
Configuration Standards
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- A secure way to access and manage systems in your environment (2.3)
- An inventory of all hardware and software used in your CDE
- Documented configuration standards for all types of systems in your CDE
THINGS YOU WILL NEED TO DO
- Assign system administrator and knowledgeable personnel the responsibility of configuring system components. (2.2.4)
- Implement a system hardening guide that covers all system components of your CDE. (2.2.a)
Disable and uninstall any unnecessary programs, services, guest accounts, scripts, drivers, features, subsystems, file systems, and web servers. Document which services and programs are allowed. (2.2.2, 2.2.3, 2.2.5) - Change vendor-supplied default usernames and passwords. Remove or disable unnecessary default accounts before installing a system on the network (e.g., operating systems, security software, POS terminals, routers, firewalls, SNMP). (2.1.a, 2.1.b, 2.1.1.b, 2.1.1.c, 2.1.1.d, 2.1.1.e)
- Document security policies and operation procedures for managing vendor defaults and other security settings. Inventory all systems within scope of the payment application environment and keep inventory up to date. (2.4, 2.5)
THINGS YOU MAY NEED TO DO
- Use technologies, such as VPN, for web-based management and other nonconsole administrative access. Ensure all traffic is encrypted according to current standards. (2.1.1.d, 2.3)
- If wireless Internet is enabled in your CDE, change wireless default settings including encryption keys, passwords, and SNMP community strings. (2.1.1)
- Enable only one primary function per server (e.g., logging server, web server, DNS). (2.2.1)
PCI Requirement 3
Securing Cardholder Data
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- A documented data retention policy
- A data flow diagram
THINGS YOU WILL NEED TO DO
- Have employees acknowledge their training and understanding of the policy. (3.1, 3.6.8, 3.7)
- Eliminate storage of sensitive authentication data after card authorization. (3.2.d, 3.2.1, 3.2.2, 3.2.3)
- Mask out PAN on customer receipts. (3.3)
- Understand guidelines for handling and storing cardholder data.
THINGS YOU MAY NEED TO DO
- If PAN data is stored for business or legal reasons, details must be masked, truncated, or secured by strong cryptography. (3.4)
- PAN storage should be accessible by as few employees as possible for business or legal reasons. This includes limited access to cryptographic keys, removable media, or hardcopy of stored details. (3.4.1, 3.5, 3.5.2, 3.5.3, 3.5.4, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7)
PCI Requirement 4
Transmitting Cardholder Data
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- An in-house policy to ensure you do not send unprotected PANs via end-user
messaging technologies (4.2.b)
THINGS YOU WILL NEED TO DO
- Check all related device configuration for proper encryption. Check with vendors to make sure supplied POS/POI devices are encrypting data appropriately. (Appendix A2)
- Validate that POS/POI devices are not susceptible to any known exploits. Devices and software used to process credit cards need to be PCI DSS compliant. (Appendix A2.1)
- Review all locations where CHD is transmitted or received. Examine system configurations. Review all devices and systems to ensure you use appropriate encryption within your CDE. You must safeguard sensitive cardholder data during transmission over open, public networks. (4.1, 4.1.1)
- Use only trusted keys and certificates. Check inbound/outbound transmissions and verify that encryption keys and certificates are valid. Use secure configurations and proper encryption strengths. Do not support insecure versions or configurations. This means you will continually need to check for the latest encryption vulnerabilities and update as needed. (4.1)
- Review and implement documented encryption standard best practices (4.1.1)
- Review and implement policies and procedures for sending and receiving credit card data. (4.2.b)
- Examine system configuration and adjust encryption configuration as needed. (4.1, 4.1.1)
THINGS YOU MAY NEED TO DO
- Make sure TLS is enabled cardholder data is transmitted or received through web-based services. (4.1.a, 4.1.e)
- Check wireless network encryption standards. (4.1.1)
- Examine keys and certificates. (4.1.b)
- If you are a service provider supporting older POS/POI terminals, review your Risk Mitigation and Migration Plan for environments that still need to use SSL and early TLS. (Appendix A2.2)
- Prohibit the use of WEP–an insecure wireless encryption standard. (4.1.1)
PCI Requirement 5
Anti-Virus Updates
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO DO
- Deploy anti-virus software on commonly affected systems (5.1, 5.2)
- Protect all systems against malware and regularly update anti-virus software or programs. (5.1, 5.2.b)
- Ensure anti-virus programs can detect, remove, and protect against all known types of malicious software. (5.1.1)
- Maintain and evaluate audit logs with IT staff. (5.2.c)
- Set anti-virus program to scan automatically. (5.2.b)
- Make sure anti-virus program is updated automatically (with definitions kept current). (5.2.a, 5.2.b)
- Ensure anti-virus program cannot be disabled or altered by users (i.e., admin access only). (5.3)
- Document and review malware procedures; review with necessary staff. (5.4)
- Examine system configurations and periodically evaluate malware threats to system. (5.1.2)
PCI Requirement 6
Software Updates
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- Vendor supported programs, operating systems, and devices (6.2)
- An update server (i.e., repository for systems to get updates)
- A change management process
THINGS YOU WILL NEED TO DO
- Have a process in place to keep up to date with the latest identified security vulnerabilities and their threat level. (6.1, 6.5.6)
- Install all vendor-supplied security patches on all system components. (6.2.a)
- Ensure all security updates are installed within one month of release. (6.2.b)
THINGS YOU MAY NEED TO DO
- Set up a manual or automatic schedule to install the latest security patches for all system components.
PCI Requirement 7
Establish Access Control
Pci Compliance Test
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- Written policy detailing access controls for systems in the CDE (7.1, 7.3)
REQUIRED FEATURES
- Documented access control policies based on job classification and function (7.1, 7.1.1, 7.1.2, 7.1.3)
- Roles and privilege levels defined (7.1, 7.1.1)
- “Deny all” rule in place for access control systems (7.2.3)
THINGS YOU WILL NEED TO DO
- Detail a written policy to include access to cardholder data based on job roles with privilege level, and approval/documentation of employee access. (7.1, 7.1.4)
- Document policies in place with each employees’ role/access and train employees on their specific access level. (7.1, 7.3)
THINGS YOU MAY NEED TO DO
- Implement access controls on any systems where cardholder data is stored and handled. (7.2.1)
- Configure access controls to only allow authorized parties and deny all others without prior approval or access. (7.2.2, 7.2.3)
PCI Requirement 8
ID Credentials
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- Multi-factor authentication for all remote access (8.3)
THINGS YOU WILL NEED TO DO
- Monitor all remote access accounts used by vendors, business partners, or IT support personnel when the account is in use. (8.1.5.b)
- Disable all remote access accounts when not in use. (8.1.5.a)
- Enable accounts used for remote access only when they are needed. (8.1.5.a)
- Implement a multi-factor authentication solution for all remote access sessions.
- Configure multi-factor authentication with at least two of the following methods (8.3):
- Something you know (e.g., password and username)
- Something you have (e.g., one-time password)
- Something you are (e.g., fingerprint or retinal scan)
PCI Requirement 9
Improving Physical Security
Assigned to:
Assignment date:
Review date(s):
Examples Of Export Compliance Manual
THINGS YOU WILL NEED TO HAVE
- Policies and procedures that limit the access to your physical media and devices used for processing
THINGS YOU WILL NEED TO DO
- Restrict access to any publicly accessible network jacks. (9.1.2)
- Keep physical media secure and maintain strict control over any media being
moved within the facility and outside of it. (9.5, 9.5.1, 9.6.a) - Keep electronic media in a secure area with limited access (e.g., a locked
office clearly marked “Management Only”) and require management approval
before the media is moved from its secure location. (9.6.1, 9.6.3, 9.7) - Use a secure courier when sending media through the mail so the location of
the media can be tracked. (9.6.2) - Destroy media in a way that it cannot be reconstructed; if the media is
separated prior to destruction, keep the media in a locked container with a
clear label of “To Be Shredded” or something similar. (9.8, 9.8.1) - Maintain a list of all devices used for processing, and train all employees to inspect devices for evidence of tampering. Training should include a process for verifying the identity of outside vendors wanting access to the machine, a process for reporting suspicious behavior around the machine, and a system to ensure employees know not to replace devices without management approval. (9.9.2, 9.9.3)
THINGS YOU MAY NEED TO HAVE
- A set process to train employees about proper device management and a way to report any suspicious behavior around the processing device.
- A secure location to keep media, including a second secure location, if business practice is to separate media no longer needed.
PCI Requirement 10
Logging and Log Management
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- An automated audit log tracking all security-related events for all system components
- Audit logs that track:
- Any action taken by an individual with root or administrative privileges (10.2.2)
- Failed log-in attempts (10.2.4)
- Changes to accounts–including elevation of privileges, account additions, and account deletions (10.2.5)
- Identification of user, what the event type was, date and time of the event, whether the event was a success or failure, where the event originated from, and the name of affected data, system component, or resource (10.3.1-10.3.6)
THINGS YOU WILL NEED TO DO
- Have a process in place to review logs and security events at least daily, in addition to any system component reviews, as defined by your organization for risk management strategy or other policies. (10.6.1.b, 10.6.2.b)
- Have a process in place to respond to anomalies and exceptions. (10.6.3.b)
- Keep all audit log records for at least one year and keep the last three months’ logs readily available for analysis. (10.7.b, 10.7.c)
PCI Requirement 11
Vulnerability Scanning and Penetration Testing
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- A process for detecting and identifying wireless access points on a quarterly basis. The method should be able to identify all of the following wireless access points:
- WLAN cards inserted into system components
- Mobile devices used to create wireless access points (by USB or other means)
- Wireless devices attached to a network port or device (11.1.a, 11.1.b, 11.1.c)
- An inventory of authorized wireless access points with listed business justifications (11.1.1)
- A change-detection mechanism installed within the CDE to detect unauthorized modifications to critical system files, configuration files, or content files (11.5.a)
THINGS YOU WILL NEED TO DO
- Run quarterly internal vulnerability scans using a qualified internal resource or external third party (in either case, organizational independence must exist), and then re-scan all scans until high-risk (as defined in requirement 6.1) vulnerabilities are resolved. (11.2.1)
- Run quarterly external vulnerability scans (through an ASV) and then re-scan until all scans obtain a passing status (i.e., no vulnerability scores over 4.0). (11.2.2)
- Run internal and external scans, using a qualified resource, after any significant change to the network, and re-scan until resolved:
- For external scans: No vulnerabilities scoring 4.0 or higher exist (11.2.2)
- For internal scans: All high-risk vulnerabilities are resolved (11.2.3)
- Configure your change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; configure the tools to perform critical file comparisons at least weekly. (11.5.b)
- Have a process in place to respond to alerts generated by your change detection mechanism. (11.5.1)
THINGS YOU MAY NEED TO DO
- If wireless scanning is used to identify wireless access points, scans must be run at least quarterly. (11.1.c)
- If automated monitoring is used, monitoring should generate alerts to notify personnel. (11.1.d)
- Create a plan of action in your business’s incident response plan for responding to the detection of unauthorized wireless access points, and take action if unauthorized wireless access points are found. (11.1.2)
- If network segmentation exists, penetration testing procedures must confirm that segmentation is operational and isolates all out-of-scope systems from systems in your CDE. (11.3.4.a)
PCI Requirement 12
Corporate Policy and Documentation
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
- Written compliance and security policies
- Charter for PCI DSS compliance program
- Service providers must perform quarterly reviews to confirm policies and procedures are being followed
THINGS YOU WILL NEED TO DO
- Ensure that each employee working in the CDE completes annual security awareness training. (12.6, 12.6.1)
THINGS YOU MAY NEED TO DO
- Create a company policy documenting all critical devices and services within the payment processing environment. Some examples include laptops, tablets, email and Internet usage, remote access, and wireless access technologies. This policy should include acceptable uses and storage of these technologies. The general purpose of this policy is to thoroughly explain each employee’s role in the CDE. Review your policy and lists annually. (12.1-12.4)
- Create and document an approval process for allowing employee access to technologies. Keep lists readily available and review them annually. (12.1-12.4)
- Create an incident response plan in the event that cardholder data is compromised (12.10.1). Your plan should include the following:
- Roles and contact strategies in the event of compromise
- Specific incident response procedures
- Business continuity and recovery procedures
- Data backup processes
- Analysis of legal requirements in reporting possible compromise
- Critical systems coverage and response plans
- Notification of merchant processor and payment card brands
- Create and update a current list of third-party service providers (e.g., your IT provider, credit card machine vendor, and credit card receipt shredder)
- The following will need to be completed annually regarding your service providers (12.8, 12.8.1):
- Establish a process for engaging with third-party providers. Best practice would be to contact them by phone rather than taking inbound calls. Work by appointment with service providers onsite. (12.8.3)
- Obtain or update a written agreement from third-party providers acknowledging their responsibility for the cardholder information they possess. Ensure they are following PCI compliance requirements themselves. (12.8.2)
- Establish a process for engaging new providers, including research prior to selecting a provider.
This topic describes how to upgrade an installed version of the Splunk App for PCI Compliance version 3.0 or later to the latest release.
Pci Compliance Guide
To review the migration steps for a 2.x version of the Splunk App for PCI Compliance, see the instructions in Upgrade Splunk App for PCI Compliance in the version 3.0.x Installation and Upgrade Manual.
Order of operations for upgrading
- Review the planning topic.
- Upgrade Splunk platform instances.
- If installing the Splunk App for PCI Compliance (for Splunk Enterprise Security), upgrade the Splunk Enterprise Security search head instance. See Planning an upgrade of Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade Manual.
- Download the Splunk App for PCI Compliance.
- Install the latest version of the Splunk App for PCI Compliance.
- Set up the Splunk App for PCI Compliance.
- Validate the upgrade.
- Review, upgrade, and deploy add-ons.
To install the Splunk App for PCI Compliance on a search head cluster, see Upgrade Splunk App for PCI Compliance on a search head cluster.
Review the planning topic
Review the planning topic and back up your system before you upgrade.
- See Plan the upgrade in this manual.
- Perform a full backup of the search head or your single instance deployment.
Download the Splunk App for PCI Compliance
Obtain the new version of the Splunk App for PCI Compliance.
- Download the version of the Splunk App for PCI Compliance that you are upgrading.
- Splunk App for PCI Compliance (for Splunk Enterprise).
- Splunk App for PCI Compliance (for Splunk Enterprise Security).
- Download the app and save the product file to your desktop.
- Log in to the PCI instance or search head as an administrator.
Customs Compliance Manual Example
Install the latest version of the Splunk App for PCI Compliance
- On the Splunk platform search page, select Apps > Manage Apps and select Install App from File.
- Select Upgrade app to start the upgrade.
- Select Choose File and browse to the Splunk App for PCI Compliance product file.
- Click Upload to begin the installation.
- Select Set up now to begin the Splunk App for PCI Compliance setup.
Run the setup procedure promptly after the upload completes. If the setup procedure is not run promptly after the upload completes, errors display in the Splunk App for PCI Compliance.
Set up the Splunk App for PCI Compliance
- Select Start.
- The Splunk App for PCI Compliance Post-Install Configuration page indicates the upgrade status as it moves through the stages of installation.
- Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page will prompt you to restart Splunk platform services.
- Select Restart Splunk to finish the installation.
Validate the upgrade
The Splunk App for PCI Compliance upgrade process is now complete. Objects disabled during the upgrade process will automatically be enabled. Validate success of the upgrade.
- On the Splunk App for PCI Compliance menu bar, Select Audit > ES Configuration Health.
- Select a version of 4.0.x to match the 3.0.x version of the Splunk App for PCI Compliance that you are upgrading from. For example, if you are upgrading from Splunk App for PCI Compliance version 3.0.2, select 4.0.2 as your previous version.
- Review potential conflicts and changes to the default settings. For more information, see ES Configuration Health in the Splunk Enterprise Security User Manual.
Upgrade Splunk App for PCI Compliance on a search head cluster
Upgrade the Splunk App for PCI Compliance (for Splunk Enterprise) on a search head cluster. Review the instructions before beginning the upgrade.
Prerequisites
Upgrade Splunk platform on all search head instances as required. For more information on upgrading the Splunk platform instances that make up a search head cluster, see Upgrade a search head cluster in the Distributed Search Manual.
Prepare a staging instance
The staging instance is used to compare the deployer's copy of the Splunk App for PCI Compliance with the latest release. If you have a clean testing or QA instance in your environment, you may use that instance for staging the upgrade if no other apps are installed.
- Prepare a single instance of Splunk Enterprise to use for staging an upgrade. This instance is for staging only, and should not connect to indexers or search peers.
- Copy the Splunk App for PCI Compliance (for Splunk Enterprise) installation from the deployer instance path
$SPLUNK_HOME/etc/shcluster/apps
to the staging instance path$SPLUNK_HOME/etc/apps
. The deployer's copy of the Splunk App for PCI Compliance represents the prior release, and includes configuration settings that are deployed to the search head cluster. It does not include the runtime knowledge object changes replicated between the search head cluster nodes.
Upgrade staging to the latest version of the Splunk App for PCI Compliance
Follow the upgrade steps.
- Review the planning topic.
- Download the Splunk App for PCI Compliance.
- Install the latest version of the Splunk App for PCI Compliance.
- Set up the Splunk App for PCI Compliance.
After the upgrade is complete, reconcile customized configurations.
- Reconcile configurations and settings in the deployed version of the Splunk App for PCI Compliance with the latest release.
- Remove deprecated apps and add-ons. The upgrade process automatically disables deprecated apps and add-ons and displays an alert in Messages on the staging instance to identify the deprecated items.
Migrate the upgraded instance to the deployer
Migrate the upgraded contents from the staging instance to the deployer and deploy the upgraded version to the search head cluster members.
- On the staging instance, copy
$SPLUNK_HOME/etc/apps
to$SPLUNK_HOME/etc/shcluster/apps
on the deployer. - On the deployer, remove any deprecated apps or add-ons in
$SPLUNK_HOME/etc/shcluster/apps
that were noted during the upgrade on staging.
Pci Compliance Checklist
Deploy the changes to the cluster members
On the deployer, deploy the Splunk App for PCI Compliance while retaining lookup file content created on the cluster members. Use the preserve-lookups true
switch. See Maintain lookup files across app upgrades in the Splunk Enterprise Distributed Search Manual.
Validate the configuration on the search cluster
After the deployer distributes the upgraded version of the Splunk App for PCI Compliance to the search head cluster members, compare the cluster-replicated knowledge objects to the latest Splunk App for PCI Compliance installation.
- On each search head cluster member, open the Splunk App for PCI Compliance and select Audit > ES Configuration Health.
- Select a version of 4.x.x to match whichever version of Splunk App for PCI Compliance 3.x.x you are upgrading from.
- Review any changes.
Migrate an existing search head to a search cluster
A Splunk App for PCI Compliance installation on a single instance or search head pool member cannot be added to a search head cluster.
Migrate Splunk App for PCI Compliance configurations to a search head cluster.
- Identify any custom configurations and modifications in the previous Splunk App for PCI Compliance installation.
- Implement a new search head cluster.
- Deploy the latest version of the Splunk App for PCI Compliance on the search head cluster.
- Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
- Shut down the old Splunk App for PCI Compliance search head.
For more information on settings migration, see Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.
Pci Compliance Policy Template
For assistance in planning a Splunk App for PCI Compliance deployment migration, contact the Splunk Professional Services team.