PCI DSS

Download Free PCI DSS Security Scanning Procedures

This document explains the purpose and scope of the Payment Card Industry (PCI) Security Scan for merchants and service providers who undergo PCI Security Scans to help validate compliance with the PCI Data Security Standard (DSS). Approved Scanning Vendors (ASVs) also use this document to assist merchants and service providers in determining the scope of the PCI Security Scan.

Download Page

Download Free PCI DSS Security Assessment Procedures

This document is designed for use by assessors conducting onsite reviews for merchants and service providers required to validate compliance with Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The requirements and assessment procedures presented in this document are based on the PCI DSS.

Download Page

Download the 12 Core Requirements of the PCI Data Security Standard

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Download Microsoft Free Payment Card Industry Data Security Standard Compliance Planning Guide

The Payment Card Industry Data Security Standard Compliance Planning Guide is designed to help organizations meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Specifically, this guide is targeted at merchants that accept payment cards, financial institutions that process payment card transactions, and service providers, that is, third-party companies that provide payment card processing or data storage services. IT solutions for each of these groups must meet all PCI DSS requirements.

The guide is intended to augment The Regulatory Compliance Planning Guide, which introduces a framework-based approach to creating IT controls as part of your efforts to comply with multiple regulations and standards. This guide also describes Microsoft products and technology solutions that you can use to implement a series of IT controls to help meet the PCI DSS requirements, as well as any other regulatory obligations your organization may have.

Download Page

Tools for Logging in PCI

- PCI calls for tying the actual users to all logged actions.

- All time on the in-scope systems should be synchronized.

- The CIA of all collected logs should be protected.

- Logs should be regularly reviewed; specific logs should be reviewed at least daily. Automation of such review is not only acceptable, but desirable, since manual review is guaranteed to fail (on high-volume networks).

- All in-scope logs should be retained for at least one year.

- In-scope systems include at least all systems that directly process credit card data (such as PAN and other private cardholder information), including underlying operating systems as well as data processing applications, systems that store such data, network infrastructure for networks where such data is transmitted, and systems that protect any of the above (such as firewalls, network IDS and Internet Protocol Security [IPS]). This also includes systems not specifically segregated from these processing servers and applications.

[Tony Bradley, PCI Compliance]
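The points above can be turned into an automated daily review. The following is an added example, not code from this page or from Tony Bradley's book: it writes a constructed in-scope audit log as JSON lines with a chained HMAC (the key, the line format and the 5-minute skew allowance are assumptions for the demo, not PCI DSS prescriptions), then reviews it for actions not tied to a user, clocks out of sync, and tampering.

```python
"""Added example: automated review of a constructed audit log against the
PCI logging points above (user binding, time sync, log integrity)."""
import hashlib, hmac, json
from datetime import datetime, timedelta

# Constructed demo key and JSON-lines format; both are assumptions, not a
# PCI DSS prescription. A real system keeps this key off the logged host.
LOG_KEY = b"constructed-demo-key"

def mac_for(prev_mac: str, record: dict) -> str:
    """Chain each record's MAC to the previous one (tamper-evident)."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def write_log(records):
    """Serialise records as JSON lines, each carrying its chained MAC."""
    lines, prev = [], ""
    for rec in records:
        entry = dict(rec, mac=mac_for(prev, rec))
        lines.append(json.dumps(entry, sort_keys=True))
        prev = entry["mac"]
    return lines

def review_log(lines, max_skew=timedelta(minutes=5)):
    """Daily review pass: returns a list of findings (empty means clean)."""
    findings, prev_mac, last_ts = [], "", None
    for n, line in enumerate(lines, 1):
        entry = json.loads(line)
        mac = entry.pop("mac", None)
        if mac != mac_for(prev_mac, entry):
            findings.append(f"line {n}: integrity check failed")
            break  # MACs are chained, so nothing after this line is trustworthy
        prev_mac = mac
        if not entry.get("user"):
            findings.append(f"line {n}: action not tied to a user")
        ts = datetime.fromisoformat(entry["ts"])
        if last_ts is not None and ts < last_ts - max_skew:
            findings.append(f"line {n}: timestamp out of sync")
        last_ts = ts if last_ts is None else max(last_ts, ts)
    return findings

# Constructed sample events; the second one lacks the required user binding.
SAMPLE = write_log([
    {"ts": "2024-01-01T09:00:00+00:00", "user": "alice", "action": "login"},
    {"ts": "2024-01-01T09:01:00+00:00", "user": "", "action": "view PAN"},
])
```

Because the MACs are chained, the review stops at the first integrity failure: every later line could have been rewritten by whoever altered the earlier one.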
