PCI DSS
Download PCI DSS Audit Questions and Checklist
Complying with the PCI DSS standard takes a lot of effort, not only from a computer security perspective but also from a documentation and audit perspective. Below is a list of PCI DSS audit questions and a checklist that your company can use to work toward compliance. The list includes questions such as:
Who has access to a specified file or other resource?
Who has had access to a given file or other resource in the past?
What resources a given individual has access to across your entire enterprise?
That password policies and other directory settings are correct and have remained so over time?
That inactive accounts were deleted within the allowed timeframe?
Download PCI DSS Self-Assessment Questionnaire
The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. This document has been developed to help organizations determine which SAQ best applies to them.
The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures, and it may be required by your acquirer or payment brand. Please consult your acquirer or payment brand for details regarding PCI DSS validation requirements.
The PCI DSS SAQ consists of the following components:
Download Free Retina WiFi Scanner for PCI DSS
The Retina WiFi Scanner application was designed to be a comprehensive wireless detection tool that incorporates Retina Network Security Scanner technology to discover all active wireless devices and connections on a company network.
Installed on a Windows laptop or desktop PC, Retina WiFi enables security and IT professionals to detect wireless access devices, scan for service and generate detailed reports on their wireless security. Retina WiFi Scanner for Windows can push data to eEye's REM Security Management Console to integrate into a company's overall vulnerability management system.
Requirements:
- Internet Explorer Version 4.01 or higher
- System RAM: 64 MB
- Storage: 20 MB
- WiFi wireless LAN capabilities
- Wireless card: Supporting NDIS 5.1 or later
Download PCI DSS Compliance Checklist
Download PCI DSS Compliance Checklist:
Who has access to a specified file or other resource?
Who has had access to a given file or other resource in the past?
What resources a given individual has access to across your entire enterprise?
That password policies and other directory settings are correct and have remained so over time?
That inactive accounts were deleted within the allowed timeframe?
That duplicate accounts do not exist?
That account removal, modification, and addition is performed according to policies and requirements?
What security settings are currently in effect in your environment?
What security settings have been in effect in your environment in the past?
That security settings are consistently applied throughout the environment?
What changes have been made to security settings over time?
What privileges have been exercised by users, particularly administrative users?
Audit logs with all access by all users to all resources?
Audit logs with all actions taken by administrators?
Audit logs with all access to auditing information?
Audit logs with all invalid access attempts?
Audit logs with all use of authentication mechanisms such as Active Directory?
Audit logs with all initialization (clearing) of audit logs?
Audit logs with all creation and deletion of system-level objects?
Proof that all systems are up-to-date with the latest service releases?
That you can detect unpatched systems and either correct the problem or alert an administrator to do so?
That the correct policies are in place to ensure secure transmission of cardholder data?
That secure transmission policies have remained in effect continuously?
Simple password rules for PCI DSS Compliance
- User-level passwords must be changed at least every 60 to 90 days.
- Accounts that have system-level privileges must have a unique password from all other accounts held by that user.
- Passwords must not be transmitted over the Internet by e-mail or any other form of communication, without being encrypted.
- Passwords should be a minimum of 6 to 8 characters in length, with a combination of upper- and lower-case alpha and numeric characters and special characters as well (e.g., !%@$).
- Passwords should never be written down or shared with anyone.