Tuna PCI DSS Compliance Related Policies and Procedures

  • [Install and Maintain Network Security Controls]

  • [Apply Secure Configurations to All System Components]

  • [Protect Stored Account Data]

    • [3.1 Processes and mechanisms for protecting stored account data are defined and understood]

    • [3.2 Storage of account data is kept to a minimum]

    • [3.3 Sensitive authentication data (SAD) is not stored after authorization]

    • [3.4 Access to displays of full PAN and ability to copy cardholder data are restricted]

    • [3.5 Primary account number (PAN) is secured wherever it is stored]

    • [3.6 Cryptographic keys used to protect stored account data are secured]

    • [3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented]

  • [Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks]

  • [Protect All Systems and Networks from Malicious Software]

    • [5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood]

    • [5.2 Malicious software (malware) is prevented, or detected and addressed]

    • [5.3 Anti-malware mechanisms and processes are active, maintained, and monitored]

    • [5.4 Anti-phishing mechanisms protect users against phishing attacks]

  • [Develop and Maintain Secure Systems and Software]

  • [Restrict Access to System Components and Cardholder Data by Business Need to Know]

    • [7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood]

      • Access
        • [Access Control Policy]
        • [Access Management]

    • [7.2 Access to system components and data is appropriately defined and assigned]

      • Access
        • [Access Management]
        • [Role Based Access]

    • [7.3 Access to system components and data is managed via an access control system(s)]

      • Access
        • [Access Controls]
        • [System Configuration]

  • [Identify Users and Authenticate Access to System Components]

    • [8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood]

      • Access
        • [Authentication Standards]
        • [Identity Management]

    • [8.2 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle]

      • Access
        • [User Management]
        • [Authentication Controls]

    • [8.3 Strong authentication for users and administrators is established and managed]

      • Access
        • [Authentication Security]
        • [Credential Management]

    • [8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE]

      • Access
        • [MFA Implementation]
        • [Authentication Controls]

    • [8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse]

      • Access
        • [MFA Management]
        • [System Configuration]

    • [8.6 Use of application and system accounts and associated authentication factors is strictly managed]

      • Access
        • [Account Management]
        • [System Access]

  • [Restrict Physical Access to Cardholder Data]

    • [9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood]

    • [9.2 Physical access controls manage entry into facilities and systems containing cardholder data]

    • [9.3 Physical access for personnel and visitors is authorized and managed]

    • [9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed]

    • [9.5 Point of interaction (POI) devices are protected from tampering and unauthorized substitution]

  • [Log and Monitor All Access to System Components and Cardholder Data]

  • [Test Security of Systems and Networks Regularly]

    • [11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood]

    • [11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed]

    • [11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed]

    • [11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected]

    • [11.5 Network intrusions and unexpected file changes are detected and responded to]

    • [11.6 Unauthorized changes on payment pages are detected and responded to]

  • [Support Information Security with Organizational Policies and Programs]