Tuna PCI DSS Compliance related Policies and Procedures

  • [Build and Maintain a Secure Network and Systems]
  • [Protect Cardholder Data]
    • [3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.]
    • [3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.]
      • Data Protection
        • [Data Protection Implementation and Processes]
        • [Protecting Data At Rest]
        • [Protecting Data In Transit]
        • [Encryption Key Management]
    • [3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.]
    • [4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.]
  • [Maintain a Vulnerability Management Program]
  • [Implement Strong Access Control Measures]
    • [7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.]
      • Access
        • [Standards for Access Provisioning]
        • [Access Reviews]
    • [7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.]
    • [8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.]
    • [8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.]
      • Access
        • [Standards for Access Provisioning]
    • [8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.]
      • Access
        • [Standards for Access Provisioning]
        • [Access Establishment, Modification and Termination]
    • [8.1.3 Immediately revoke access for any terminated users.]
      • Access
        • [Standards for Access Provisioning]
        • [Access Establishment, Modification and Termination]
    • [8.1.4 Remove/disable inactive user accounts within 90 days.]
      • Access
        • [Standards for Access Provisioning]
        • [Access Establishment, Modification and Termination]
    • [8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.]
    • [8.2.3 Passwords/passphrases must require a minimum length of at least seven characters and contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified previously.]
    • [8.2.4 Change user passwords/passphrases at least once every 90 days.]
    • [8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.]
    • [8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.]
    • [8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.]
      • Access
        • [Multi-factor Authentication]
    • [8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.]
      • Access
        • [Multi-factor Authentication]
    • [8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.]
      • Access
        • [Multi-factor Authentication]
    • [8.4 Document and communicate authentication policies and procedures to all users.]
    • [8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods.]
      • Access
        • [Standards for Access Provisioning]
        • [Password Management]
    • [8.6 Where other authentication mechanisms are used (e.g. physical or logical security tokens, smart cards, certificates, etc.), authentication mechanisms must be assigned to an individual account and controls must be in place to ensure only the intended account can gain access.]
      • Access
        • [Temporary Access to AWS Accounts and Resources]
        • [Access Establishment, Modification and Termination]
    • [8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.]
      • Access
        • [Production Data Access]
    • [8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.]
    • [9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.]
    • [9.2 Develop procedures to easily distinguish between onsite personnel and visitors.]
    • [9.3 Control physical access for onsite personnel to sensitive areas.]
    • [9.4 Implement procedures to identify and authorize visitors.]
    • [9.5 Physically secure all media.]
    • [9.6 Maintain strict control over the internal or external distribution of any kind of media.]
    • [9.7 Maintain strict control over the storage and accessibility of media.]
    • [9.8 Destroy media when it is no longer needed for business or legal reasons.]
    • [9.8.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.]
    • [9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.]
  • [Regularly Monitor and Test Networks]
    • [10.1 Implement audit trails to link all access to system components to each individual user.]
    • [10.2 Implement automated audit trails for all system components to reconstruct the in-scope events.]
    • [10.3 Record at least the following audit trail entries for all system components for each event: User identification; Type of event; Date and time; Success or failure indication; Origination of event; Identity or name of affected data, system component, or resource.]
    • [10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.]
    • [10.5 Secure audit trails so they cannot be altered.]
    • [10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.]
    • [10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).]
    • [10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.]
    • [11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.]
    • [11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.]
    • [11.3 Implement a methodology for penetration testing.]
    • [11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.]
    • [11.5 Deploy a change-detection mechanism (e.g. file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files.]
    • [11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.]
  • [Maintain an Information Security Policy]
    • [12.1 Establish, publish, maintain, and disseminate a security policy.]
    • [12.2 Implement a risk-assessment process.]
    • [12.3 Develop usage policies for critical technologies and define proper use of these technologies.]
    • [12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.]
    • [12.5 Assign to an individual or team the information security management responsibilities.]
    • [12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.]
    • [12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.]
    • [12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.]
    • [12.8.1 Maintain a list of service providers including a description of the service provided.]
    • [12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.]
    • [12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.]
    • [12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.]
    • [12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.]
    • [12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.]
    • [12.10.1 Create the incident response plan to be implemented in the event of system breach.]