PCI-DSS Requirements Vs Security Controls



September 19, 2021


Document Properties

Title        PCI-DSS Requirements vs Security Controls
Version      1
Authors      Hadir Labib
Reviewed By
Approved By

Version Control

Version  Date         Author       Description
1        19-Sep-2021  Hadir Labib  Initial Draft

Review History

ITS GDC Confidential

Goals and Requirements

Goal: Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Goal: Monitor and Test Networks
  Requirement 10: Track and monitor access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

Security Controls
Controls for Requirement 1:
1- Ensure firewalls are implemented at the DMZ, the perimeter and within the internal network.
2- Establish and enforce a security configuration standard for all network, communication and security devices (routers, switches and firewalls).
3- Establish and enforce a change management process that also addresses a roll-back plan.
4- Enable anti-spoofing controls and NAT.
5- Develop and maintain a network diagram reflecting the current architecture; review it every six months or after major changes.
6- Develop and maintain a cardholder data flow diagram.
7- Establish a process to ensure that firewall rules are reviewed every six months.
8- Perform segmentation testing every six months.
9- Utilize a synchronized network time protocol (NTP) server across infrastructure components.

Controls for Requirement 2:
1- Establish a configuration baseline for all infrastructure components.
2- Create a user access matrix for all infrastructure components.
3- Delete or disable all vendor and default accounts across infrastructure components.
4- Utilize a synchronized network time protocol (NTP) server across infrastructure components.
5- Implement one function per server.
6- Disable all insecure services, if any are present.
7- Encrypt all non-console administrative access using strong cryptography.

Controls for Requirement 3:
1- Prohibit the storage of any sensitive authentication data.
2- Keep cardholder data storage to a minimum.
3- Encrypt stored data either at the physical storage level or with table or column encryption.
4- Do not store full track data, CVV or PIN.
5- Restrict access to encryption keys.
6- Build a cryptographic key inventory.
7- Develop a key management process.

Controls for Requirement 4:
1- Establish and enforce a cardholder data security policy that addresses how CHD is protected during storage, processing and transit, whether internally or over public networks, utilizing strong encryption that follows industry best practices (e.g. NIST).
2- Establish and enforce an encryption policy that covers:
  o Acceptance of only trusted keys and/or certificates.
  o The protocol in use supporting only secure versions and configurations (insecure versions or configurations are not supported).
  o Implementation of proper encryption strength for the encryption methodology in use.
3- Establish a wireless configuration standard.
4- Establish and enforce an end-user messaging policy requiring that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.

Controls for Requirement 5:
1- Ensure anti-virus is implemented on all in-scope computing systems; this includes user endpoints, not only servers.
2- Ensure signatures are updated and scans are scheduled.

Controls for Requirement 6:
1- Establish and enforce a vulnerability and patch management process.
2- Establish an SDLC process.
3- Ensure the whole development team receives secure coding training.
4- Segment production, test and development environments.
5- Ensure that production data is not used in test environments.
6- Subject all applications to penetration testing.
7- Ensure all externally published applications are protected behind a WAF.
8- Review custom code prior to release to production or customers.

Controls for Requirement 7:
1- Develop and document a user access matrix with corresponding roles and responsibilities.
2- Document and centralize user access requests.

Controls for Requirement 8:
1- Assign users unique access IDs.
2- Enforce strong password, lockout and session timeout policies.
3- Enable MFA for all administrative and remote access.
4- Perform a user access review every 90 days, disabling the accounts of inactive, dormant and terminated users.

Controls for Requirement 9:
1- Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
2- Enable port security.
3- Develop procedures to easily distinguish between onsite personnel and visitors.
4- Document the clearance level for each job role.
5- Secure all media and backups physically and logically.
6- Develop a data retention and deletion policy.

Controls for Requirement 10:
1- Enable logging across all infrastructure components at both the operating system and the application level.
2- Configure audit trails to log:
  o User identification
  o Type of event
  o Date and time
  o Success or failure indication
  o Origination of event
  o Identity or name of affected data, system component, or resource
3- Alert when logging is stopped or disabled.
4- Gather all logs into a centralized logging system.
5- Use a centralized NTP server.
6- Ensure that logs are retained for a year (3 months online and 9 months offline).

Controls for Requirement 11:
1- Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
2- Perform the tests and scans below in a timely manner:
  o Wireless scans (quarterly).
  o Internal and external vulnerability scans (quarterly).
  o Internal and external penetration testing (annually).
  o Segmentation testing (every six months).
  o Risk assessment (annually).
3- Test the incident response plan by performing a tabletop exercise.
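As an added example, not part of the original document, the Python below applies two of the controls listed above: the audit-trail field check under Requirement 10 (user identification, type of event, date and time, success or failure indication, origination of event, affected data or resource) and the log change-detection control under Requirement 11. The JSON record layout, the key names (user, event, ts, result, origin, target), the sample records and the HMAC key are all constructed for this illustration and do not come from the document; in a real deployment the key would be held by the central log collector, not by the host producing the log, so that a host compromise cannot forge the chain.

```python
import hashlib
import hmac
import json

# Constructed sample audit records (one JSON object per line); not from the document.
SAMPLE_LOG = """
{"user": "jdoe", "event": "login", "ts": "2021-09-19T10:00:01Z", "result": "success", "origin": "10.0.0.5", "target": "pos-app-01"}
{"user": "jdoe", "event": "read_pan", "ts": "2021-09-19T10:02:17Z", "result": "success", "origin": "10.0.0.5", "target": "card_vault.pan"}
{"user": "svc_batch", "event": "export", "ts": "2021-09-19T10:05:00Z", "result": "failure", "origin": "10.0.1.9"}
""".strip()

# Demo key, constructed for this example only. In practice the log collector holds the key.
KEY = b"constructed-demo-key-not-for-production"

# The six audit-trail fields required by the Requirement 10 controls, mapped to the
# (assumed) JSON keys used in the constructed records above.
REQUIRED_FIELDS = {
    "user": "user identification",
    "event": "type of event",
    "ts": "date and time",
    "result": "success or failure indication",
    "origin": "origination of event",
    "target": "identity or name of affected data, system component or resource",
}


def check_audit_fields(log_text):
    """Return [(line_number, [missing field descriptions])] for records lacking a required field."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = json.loads(line)
        missing = [desc for key, desc in REQUIRED_FIELDS.items() if key not in record]
        if missing:
            findings.append((lineno, missing))
    return findings


def chain_hashes(log_text, key):
    """Keyed hash chain over the log: each digest covers the previous digest plus the current line,
    so altering, removing or reordering any line changes every digest from that point on."""
    prev = b"\x00" * 32
    chain = []
    for line in log_text.splitlines():
        mac = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        chain.append(mac)
        prev = mac
    return chain


def verify_chain(log_text, key, stored_chain):
    """Recompute the chain and return the 0-based index of the first line that no longer matches
    the stored chain (including a missing or appended line), or None if the log is intact."""
    expected = chain_hashes(log_text, key)
    for index, (fresh, stored) in enumerate(zip(expected, stored_chain)):
        if not hmac.compare_digest(fresh, stored):
            return index
    if len(expected) != len(stored_chain):
        return min(len(expected), len(stored_chain))
    return None


if __name__ == "__main__":
    for lineno, missing in check_audit_fields(SAMPLE_LOG):
        print(f"line {lineno}: missing {', '.join(missing)}")
    stored = chain_hashes(SAMPLE_LOG, KEY)
    print("intact:", verify_chain(SAMPLE_LOG, KEY, stored) is None)
    tampered = SAMPLE_LOG.replace('"result": "failure"', '"result": "success"')
    print("first altered line index:", verify_chain(tampered, KEY, stored))
```

Running the block reports the third constructed record as missing the affected-resource field, and verify_chain points at the first altered or truncated line once the stored chain no longer matches, which is the alert condition the Requirement 11 control asks for.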

Controls for Requirement 12:
1- Establish and enforce information security policies that may include but are not limited to the following:
  o Information Security Policy
  o Organization of Information Security
  o Human Resource Security Policy
  o Access Control Policy
  o Password Policy
  o Antivirus Policy
  o Information Asset Management Policy
  o Cryptographic Controls Policy
  o Clear Desk and Clear Screen Policy
  o Internet Security Policy
  o Email Security Policy
  o IT Operations Security Policy
  o Information Backup Security Policy
  o Log Management and Monitoring Policy
  o Mobile Computing Security Policy
  o Network Security Policy
  o Remote Access Security Policy
  o Information System Acquisition and Development Policy
  o Physical and Environmental Security Policy
  o Information Security Incident Management Policy
  o Third Party Security Policy
  o Business Continuity and Disaster Recovery Policy
  o Acceptable Use Policy
  o Data Classification Policy
  o Data Retention Policy
2- Enroll all employees in security awareness programs, including all new and existing hires.
3- Develop an annual cardholder awareness program.
4- Develop and maintain a PCI charter mentioning project stakeholders and
