#
Tuna PCI DSS Compliance related Policies and Procedures- [Build and Maintain a Secure Network and Systems]
- [1.1 Establish and implement firewall and router configuration standards.]
- Configuration and Change Management
- [Configuration and Management of Network Controls]
- Threat Detection and Prevention
- [Firewall Protection]
- Configuration and Change Management
- [1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.]
- Access
- [Service Accounts]
- Threat Detection and Prevention
- [Firewall Protection]
- Access
- [1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.]
- Security Architecture and Operating Model
- [Security Principles]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Access
- [Employee Workstation / Endpoints Usage]
- Data Protection
- [Protecting Data In Transit]
- Security Architecture and Operating Model
- [1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Access
- [Employee Workstation / Endpoints Usage]
- Secure Software Development and Product Security
- [Outsourced Software Development]
- HR and Personnel Security
- [1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.]
- Security Architecture and Operating Model
- [Security Principles]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Access
- [Employee Workstation / Endpoints Usage]
- Secure Software Development and Product Security
- [Outsourced Software Development]
- Configuration and Change Management
- [Configuration Management Processes]
- Security Architecture and Operating Model
- [2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.]
- Configuration and Change Management
- [Configuration and Management of Network Controls]
- [Production Systems Provisioning]
- [Server Hardening Guidelines and Processes]
- Configuration and Change Management
- [2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Example sources of accepted system standards include CIS, ISO, NIST, and SANS.]
- Risk Management and Risk Assessment Process
- [Risk Assessment and Analysis]
- Configuration and Change Management
- [Configuration Management Processes]
- [User Endpoint Security Controls and Configuration]
- [Server Hardening Guidelines and Processes]
- Risk Management and Risk Assessment Process
- [2.3 Encrypt all non-console administrative access using strong cryptography. (Do not use Telnet and HTTP for admin access)]
- Security Architecture and Operating Model
- [Security Principles]
- Data Management
- [Data Handling Process]
- Data Protection
- [Protecting Data At Rest]
- [Protecting Data In Transit]
- Security Architecture and Operating Model
- [2.4 Maintain an inventory of system components that are in scope for PCI DSS.]
- Asset Inventory Management
- [Physical Asset Inventory]
- [Digital Asset Inventory]
- Asset Inventory Management
- [2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.]
- Roles, Responsibilities and Training
- [Policy and Compliance Training]
- Configuration and Change Management
- [Configuration Management Processes]
- [Configuration and Management of Network Controls]
- [Production Systems Provisioning]
- Roles, Responsibilities and Training
- [2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data.]
- Data Protection
- [Data Protection Implementation and Processes]
- Data Protection
- [1.1 Establish and implement firewall and router configuration standards.]
- [Protect Cardholder Data]
- [3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.]
- Data Management
- [Data Handling Process]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- Data Management
- [3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.]
- Data Protection
- [Data Protection Implementation and Processes]
- [Protecting Data At Rest]
- [Protecting Data In Transit]
- [Encryption Key Management]
- Data Protection
- [3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.]
- Data Protection
- [Protecting Data In Transit]
- [Encryption Key Management]
- Data Protection
- [4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Data Protection
- [Protecting Data In Transit]
- Secure Software Development and Product Security
- [High Level Application Security Requirements]
- HR and Personnel Security
- [3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.]
- [Maintain a Vulnerability Management Program]
- [5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Configuration and Change Management
- [Server Hardening Guidelines and Processes]
- Threat Detection and Prevention
- [Malware Protection]
- HR and Personnel Security
- [5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans and generate audit logs.]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- Threat Detection and Prevention
- [Malware Protection]
- System Audits, Monitoring and Assessments
- [5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.]
- Access
- [Employee Workstation / Endpoints Usage]
- Threat Detection and Prevention
- [Malware Protection]
- Access
- [5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Threat Detection and Prevention
- [Malware Protection]
- HR and Personnel Security
- [6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.]
- Risk Management and Risk Assessment Process
- [Risk Assessment and Analysis]
- System Audits, Monitoring and Assessments
- [Tools Used for Auditing and Security Assessments]
- Vulnerability Management
- [Vulnerability Scanning and Infrastructure Security Testing]
- [Security Findings Reporting, Tracking and Remediation]
- Risk Management and Risk Assessment Process
- [6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendorsupplied security patches.]
- Secure Software Development and Product Security
- [High Level Application Security Requirements]
- Configuration and Change Management
- [Patch Management Procedures]
- [Server Hardening Guidelines and Processes]
- Secure Software Development and Product Security
- [6.3 Develop internal and external software applications (including web-based administrative access to applications) securely.]
- Security Architecture and Operating Model
- [Security Principles]
- Secure Software Development and Product Security
- [High Level Application Security Requirements]
- [Access Control of the Application (Identification, Authentication, Authorization, Accounting)]
- [Outsourced Software Development]
- Security Architecture and Operating Model
- [6.4 Follow change control processes and procedures for all changes to system components.]
- Security Architecture and Operating Model
- [Security Principles]
- Risk Management and Risk Assessment Process
- [Risk Management Process]
- Secure Software Development and Product Security
- [Software Development Process]
- Configuration and Change Management
- [Configuration Management Processes]
- [Production Deploy / Code Promotion Processes]
- Security Architecture and Operating Model
- [6.5 Address common coding vulnerabilities in software-development processes.]
- Secure Software Development and Product Security
- [High Level Application Security Requirements]
- [Static Application Security Testing (SAST)]
- Vulnerability Management
- [Security Findings Reporting, Tracking and Remediation]
- Secure Software Development and Product Security
- [6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks via application scanning tools and/or web application firewall.]
- Risk Management and Risk Assessment Process
- [Risk Management Process]
- System Audits, Monitoring and Assessments
- [Tools Used for Auditing and Security Assessments]
- Secure Software Development and Product Security
- [High Level Application Security Requirements]
- Threat Detection and Prevention
- [Firewall Protection]
- Vulnerability Management
- [Vulnerability Scanning and Infrastructure Security Testing]
- Risk Management and Risk Assessment Process
- [6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.]
- Security Architecture and Operating Model
- [Security Principles]
- Roles, Responsibilities and Training
- [Policy and Compliance Training]
- Secure Software Development and Product Security
- [High Level Application Security Requirements]
- Security Architecture and Operating Model
- [5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).]
- [Implement Strong Access Control Measures]
- [7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.]
- Access
- [Standards for Access Provisioning]
- [Access Reviews]
- Access
- [7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.]
- Access
- [Access Establishment, Modification and Termination]
- Data Management
- [Data Handling Process]
- Access
- [8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.]
- Roles, Responsibilities and Training
- [Assignment of Roles and the Security Committee]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- Access
- [Standards for Access Provisioning]
- [Multi-factor Authentication]
- [Temporary Access to AWS Accounts and Resources]
- [Access Establishment, Modification and Termination]
- Roles, Responsibilities and Training
- [8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.]
- Access
- [Standards for Access Provisioning]
- Access
- [8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.]
- Access
- [Standards for Access Provisioning]
- [Access Establishment, Modification and Termination]
- Access
- [8.1.3 Immediately revoke access for any terminated users.]
- Access
- [Standards for Access Provisioning]
- [Access Establishment, Modification and Termination]
- Access
- [8.1.4 Remove/disable inactive user accounts within 90 days.]
- Access
- [Standards for Access Provisioning]
- [Access Establishment, Modification and Termination]
- Access
- [8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.]
- System Audits, Monitoring and Assessments
- [Audit Trails - System and Application Security Events Logging Standard]
- Access
- [Standards for Access Provisioning]
- [Multi-factor Authentication]
- [Password Management]
- System Audits, Monitoring and Assessments
- [8.2.3 Passwords/passphrases must require a minimum length of at least seven characters and contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified previously.]
- Access
- [Password Management]
- Access
- [8.2.4 Change user passwords/passphrases at least once every 90 days.]
- Access
- [Password Management]
- Access
- [8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.]
- Access
- [Password Management]
- Access
- [8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.]
- Access
- [Password Management]
- Access
- [8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.]
- Access
- [Multi-factor Authentication]
- Access
- [8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.]
- Access
- [Multi-factor Authentication]
- Access
- [8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.]
- Access
- [Multi-factor Authentication]
- Access
- [8.4 Document and communicate authentication policies and procedures to all users.]
- Roles, Responsibilities and Training
- [Assignment of Roles and the Security Committee]
- [Policy and Compliance Training]
- Roles, Responsibilities and Training
- [8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods.]
- Access
- [Standards for Access Provisioning]
- [Password Management]
- Access
- [8.6 Where other authentication mechanisms are used (e.g. physical or logical security tokens, smart cards, certificates, etc.), authentication mechanisms must be assigned to an individual account and controls must be in place to ensure only the intended account gain access.]
- Access
- [Temporary Access to AWS Accounts and Resources]
- [Access Establishment, Modification and Termination]
- Access
- [8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.]
- Access
- [Production Data Access]
- Access
- [8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.]
- Roles, Responsibilities and Training
- [Policy and Compliance Training]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- Access
- [Access Establishment, Modification and Termination]
- [Access Reviews]
- Roles, Responsibilities and Training
- [9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.]
- Facility Access and Physical Security
- [Data Center Security]
- Facility Access and Physical Security
- [9.2 Develop procedures to easily distinguish between onsite personnel and visitors.]
- Facility Access and Physical Security
- [Data Center Security]
- Facility Access and Physical Security
- [9.3 Control physical access for onsite personnel to sensitive areas.]
- Facility Access and Physical Security
- [Data Center Security]
- Facility Access and Physical Security
- [9.4 Implement procedures to identify and authorize visitors.]
- [9.5 Physically secure all media.]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Facility Access and Physical Security
- [Data Center Security]
- Asset Inventory Management
- [Physical Asset Inventory]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- HR and Personnel Security
- [9.6 Maintain strict control over the internal or external distribution of any kind of media.]
- Asset Inventory Management
- [Physical Asset Inventory]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- Asset Inventory Management
- [9.7 Maintain strict control over the storage and accessibility of media.]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Asset Inventory Management
- [Physical Asset Inventory]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- HR and Personnel Security
- [9.8 Destroy media when it is no longer needed for business or legal reasons.]
- Asset Inventory Management
- [Paper Records]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- Asset Inventory Management
- [9.8.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.]
- Asset Inventory Management
- [Paper Records]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- Asset Inventory Management
- [9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.]
- Mobile Device Security and Media Management
- [Media Disposal Process]
- Mobile Device Security and Media Management
- [7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.]
- [Regularly Monitor and Test Networks]
- [10.1 Implement audit trails to link all access to system components to each individual user.]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- [Audit Trails - System and Application Security Events Logging Standard]
- System Audits, Monitoring and Assessments
- [10.2 Implement automated audit trails for all system components to reconstruct the in-scope events.]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- [Audit Trails - System and Application Security Events Logging Standard]
- System Audits, Monitoring and Assessments
- [10.3 Record at least the following audit trail entries for all system components for each event: User identification; Type of event; Date and time; Success or failure indication; Origination of event; Identity or name of affected data, system component, or resource.]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- [Audit Trails - System and Application Security Events Logging Standard]
- System Audits, Monitoring and Assessments
- [10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.]
- Configuration and Change Management
- [Server Hardening Guidelines and Processes]
- Configuration and Change Management
- [10.5 Secure audit trails so they cannot be altered.]
- System Audits, Monitoring and Assessments
- [Audit Trail Integrity - Security Controls and Log Retention]
- System Audits, Monitoring and Assessments
- [10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- [Security Event Analysis]
- System Audits, Monitoring and Assessments
- [10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).]
- System Audits, Monitoring and Assessments
- [Audit Trail Integrity - Security Controls and Log Retention]
- System Audits, Monitoring and Assessments
- [10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.]
- Roles, Responsibilities and Training
- [Policy and Compliance Training]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- Roles, Responsibilities and Training
- [11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.]
- [11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.]
- Vulnerability Management
- [Vulnerability Scanning and Infrastructure Security Testing]
- Vulnerability Management
- [11.3 Implement a methodology for penetration testing.]
- Secure Software Development and Product Security
- [Application Penetration Testing]
- Secure Software Development and Product Security
- [11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.]
- Threat Detection and Prevention
- [Network Intrusion Detection]
- Threat Detection and Prevention
- [11.5 Deploy a change-detection mechanism (e.g. file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files.]
- System Audits, Monitoring and Assessments
- [Security Event Analysis]
- [Audit Trails - System and Application Security Events Logging Standard]
- System Audits, Monitoring and Assessments
- [11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.]
- Roles, Responsibilities and Training
- [Policy and Compliance Training]
- System Audits, Monitoring and Assessments
- [Types of System Audits]
- [Audit Related Training, Education, Awareness and Responsibilities]
- Roles, Responsibilities and Training
- [10.1 Implement audit trails to link all access to system components to each individual user.]
- [Maintain an Information Security Policy]
- [12.1 Establish, publish, maintain, and disseminate a security policy.]
- Roles, Responsibilities and Training
- [Assignment of Roles and the Security Committee]
- Policy Management
- [Policy Management Process]
- Roles, Responsibilities and Training
- [12.2 Implement a risk-assessment process.]
- Risk Management and Risk Assessment Process
- [Risk Assessment and Analysis]
- [Risk Mitigation and Monitoring]
- Risk Management and Risk Assessment Process
- [12.3 Develop usage policies for critical technologies and define proper use of these technologies.]
- Roles, Responsibilities and Training
- [Assignment of Roles and the Security Committee]
- HR and Personnel Security
- [Acceptable Use of End-user Computing]
- Access
- [Remote Access / VPN]
- Roles, Responsibilities and Training
- [12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.]
- Roles, Responsibilities and Training
- [Assignment of Roles and the Security Committee]
- [Policy and Compliance Training]
- Roles, Responsibilities and Training
- [12.5 Assign to an individual or team the information security management responsibilities.]
- Roles, Responsibilities and Training
- [Assignment of Roles and the Security Committee]
- Incident Response
- [Security Incident Response Team (SIRT)]
- [Incident Management Process]
- Roles, Responsibilities and Training
- [12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.]
- Roles, Responsibilities and Training
- [Policy and Compliance Training]
- [Ongoing Security Awareness Training]
- Roles, Responsibilities and Training
- [12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.]
- HR and Personnel Security
- [Employee Screening Procedures]
- Secure Software Development and Product Security
- [Outsourced Software Development]
- HR and Personnel Security
- [12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.]
- Third Party Security and Vendor Risk Management
- [Vendor Risk Assessment]
- [Vendor Contractual Agreements]
- [Software and Systems Acquisition Process]
- Third Party Security and Vendor Risk Management
- [12.8.1 Maintain a list of service providers including a description of the service provided.]
- Third Party Security and Vendor Risk Management
- [Software and Systems Acquisition Process]
- Third Party Security and Vendor Risk Management
- [12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.]
- Third Party Security and Vendor Risk Management
- [Vendor Contractual Agreements]
- Third Party Security and Vendor Risk Management
- [12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.]
- Third Party Security and Vendor Risk Management
- [Vendor Risk Assessment]
- Third Party Security and Vendor Risk Management
- [12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.]
- Third Party Security and Vendor Risk Management
- [Vendor Contractual Agreements]
- Third Party Security and Vendor Risk Management
- [12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.]
- Third Party Security and Vendor Risk Management
- [Vendor Contractual Agreements]
- Third Party Security and Vendor Risk Management
- [12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.]
- Incident Response
- [Incident Management Process]
- [Incident Categories and Playbooks]
- Breach Investigation and Notification
- [Breach Investigation and Notification Process]
- [Points of Contact for Authorities]
- [Platform Customer Responsibilities in a Possible Breach]
- Incident Response
- [12.10.1 Create the incident response plan to be implemented in the event of system breach.]
- Incident Response
- [Incident Management Process]
- [Incident Categories and Playbooks]
- Breach Investigation and Notification
- [Breach Investigation and Notification Process]
- [Points of Contact for Authorities]
- [Platform Customer Responsibilities in a Possible Breach]
- Incident Response
- [12.1 Establish, publish, maintain, and disseminate a security policy.]