Payment Card Industry Data Security Standard v4.0.1
Global security standard for organisations that store, process, or transmit cardholder data. Defines 12 requirements across 6 control objectives for protecting payment card data.
| Clause | Title | SP 800-53 Controls |
|---|---|---|
| 1.1 | Processes and mechanisms for installing and maintaining network security controls are defined and understood | |
| 1.2 | Network security controls (NSCs) are configured and maintained | |
| 1.2.1 | Configuration standards for NSC rulesets are defined, implemented, and maintained | |
| 1.2.5 | All services, protocols, and ports allowed are identified, approved, and have a defined business need | |
| 1.2.8 | Configuration files for NSCs are secured from unauthorized access and kept consistent with active network configurations | |
| 1.3 | Network access to and from the cardholder data environment is restricted | |
| 1.4 | Network connections between trusted and untrusted networks are controlled | |
| 1.5 | Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated | |
| 2.1 | Processes and mechanisms for applying secure configurations to all system components are defined and understood | |
| 2.2 | System components are configured and managed securely | |
| 2.2.1 | Vendor default accounts are managed: changed, removed, or disabled | |
| 2.2.2 | Vendor default accounts are managed if used | |
| 2.2.5 | All unnecessary functionality is removed or disabled | |
| 2.2.7 | All non-console administrative access is encrypted using strong cryptography | |
| 3.1 | Processes and mechanisms for protecting stored account data are defined and understood | |
| 3.2 | Storage of account data is kept to a minimum | |
| 3.3 | Sensitive authentication data (SAD) is not stored after authorization | |
| 3.4 | Access to displays of full PAN and ability to copy cardholder data are restricted | |
| 3.5 | Primary account number (PAN) is secured wherever it is stored | |
| 3.6 | Cryptographic keys used to protect stored account data are secured | |
| 3.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | |
| 4.1 | Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and understood | |
| 4.2 | PAN is protected with strong cryptography during transmission | |
| 5.1 | Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood | |
| 5.2 | Malicious software (malware) is prevented, or detected and addressed | |
| 5.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | |
| 5.4 | Anti-phishing mechanisms protect users against phishing attacks | |
| 6.1 | Processes and mechanisms for developing and maintaining secure systems and software are defined and understood | |
| 6.2 | Bespoke and custom software are developed securely | |
| 6.2.1 | Bespoke and custom software are developed securely: training | |
| 6.2.3 | Bespoke and custom software is reviewed prior to being released into production to identify and correct potential coding vulnerabilities | |
| 6.3 | Security vulnerabilities are identified and addressed | |
| 6.3.3 | All system components are protected from known vulnerabilities by installing applicable security patches/updates | |
| 6.4 | Public-facing web applications are protected against attacks | |
| 6.5 | Changes to all system components are managed securely | |
| 7.1 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | |
| 7.2 | Access to system components and data is appropriately defined and assigned | |
| 7.3 | Access to system components and data is managed via an access control system(s) | |
| 8.1 | Processes and mechanisms for identifying users and authenticating access to system components are defined and understood | |
| 8.2 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | |
| 8.3 | Strong authentication for users and administrators is established and managed | |
| 8.3.6 | If passwords/passphrases are used as authentication factors, they meet a minimum level of complexity | |
| 8.3.9 | If passwords/passphrases are used as the only authentication factor for user access, passwords/passphrases are changed at least every 90 days | |
| 8.4 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | |
| 8.5 | Multi-factor authentication (MFA) systems are configured to prevent misuse | |
| 8.6 | Use of application and system accounts and associated authentication factors is strictly managed | |
| 9.1 | Processes and mechanisms for restricting physical access to cardholder data are defined and understood | |
| 9.2 | Physical access controls manage entry into facilities and systems containing cardholder data | |
| 9.3 | Physical access for personnel and visitors is authorized and managed | |
| 9.4 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | |
| 9.5 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | |
| 10.1 | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and understood | |
| 10.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | |
| 10.3 | Audit logs are protected from destruction and unauthorized modifications | |
| 10.4 | Audit logs are reviewed to identify anomalies or suspicious activity | |
| 10.5 | Audit log history is retained and available for analysis | |
| 10.6 | Time-synchronization mechanisms support consistent time settings across all systems | |
| 10.7 | Failures of critical security control systems are detected, reported, and responded to promptly | |
| 11.1 | Processes and mechanisms for regularly testing security of systems and networks are defined and understood | |
| 11.2 | Wireless access points are identified and monitored, and unauthorized wireless access points are addressed | |
| 11.3 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | |
| 11.4 | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected | |
| 11.5 | Network intrusions and unexpected file changes are detected and responded to | |
| 11.6 | Unauthorized changes on payment pages are detected and responded to | |
| 12.1 | A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current | |
| 12.2 | Acceptable use policies for end-user technologies are defined and implemented | |
| 12.3 | Risks to the cardholder data environment are formally identified, evaluated, and managed | |
| 12.4 | PCI DSS compliance is managed (for service providers) | |
| 12.5 | PCI DSS scope is documented and validated | |
| 12.6 | Security awareness education is an ongoing activity | |
| 12.7 | Personnel are screened to reduce risks from insider threats | |
| 12.8 | Risk to information assets associated with third party service provider (TPSP) relationships is managed | |
| 12.9 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance (for TPSPs) | |
| 12.10 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | |