PCI DSS Implementation Guide
• Unusual patterns of activity, for example, late at night
• Changes to system settings
• Suspicious network activity
Audit logging is required to detect and report on the following types of events:
• User identification
• Dates and times of key events, for example, log on/log off
• Success and failure in system access attempts
• Success and failure in data and other resource access attempts (i.e. cardholder data)
• Changes to system parameters and configurations
• Use of system utilities and applications
• Actions taken by users with administrative privileges
A time synchronization mechanism needs to be in place to ensure all systems are synchronized with an industry-accepted time source, so that when logs are reviewed the correct date and time of an event is shown regardless of which device recorded it. Finally, security policies and operational procedures for monitoring all access to network resources and cardholder data must be documented, in use, and known to all affected parties.
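The event types listed above only help if every log line actually carries the fields needed to review it (user identification, a timestamp that can be compared across devices, and a success/failure outcome). The following added example, which is not part of the implementation guide or its toolkit, shows a small log review script that parses constructed audit lines in an assumed "timestamp host event key=value ..." format, tallies them into the required event categories, and flags the gaps and patterns mentioned in this section: events with no user identification, activity late at night, and repeated access failures from one source. The log format, event names, hostnames, addresses and thresholds are all assumptions made for the example.

```python
"""Review audit log lines against the logging requirements described above.

Added example (not from the implementation guide). The log format, event names,
sample lines and the after-hours window are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed format: "<ISO-8601 timestamp> <host> <event> key=value key=value ..."
# The timestamp must carry a UTC offset so events from different devices can
# be placed on one timeline (which is what the time synchronization
# requirement exists to guarantee).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)(?P<fields>(?:\s+\S+=\S+)*)\s*$"
)

# Map the assumed event names onto the categories the guide says must be logged.
EVENT_CATEGORIES = {
    "logon": "access attempt",
    "logoff": "access attempt",
    "chd_access": "cardholder data access",
    "config_change": "configuration change",
    "utility_exec": "system utility use",
    "admin_action": "administrative action",
}

FAILURE_THRESHOLD = 3  # assumption: three failures from one source is worth a look

# Constructed sample log: two after-hours events, three failed logons from one
# address (one of them with no user field), one config change and one admin action.
SAMPLE_LOG = """\
2024-03-01T23:52:10+00:00 pos-db-01 logon user=jsmith outcome=success src=10.0.4.7
2024-03-01T23:52:12+00:00 pos-db-01 chd_access user=jsmith outcome=success table=card_tokens
2024-03-02T08:00:01+00:00 fw-edge-01 config_change user=admin outcome=success rule=allow-any
2024-03-02T08:05:40+00:00 pos-db-01 logon user=unknown outcome=failure src=203.0.113.9
2024-03-02T08:05:41+00:00 pos-db-01 logon user=unknown outcome=failure src=203.0.113.9
2024-03-02T08:05:43+00:00 pos-db-01 logon outcome=failure src=203.0.113.9
2024-03-01T14:00:00+00:00 pos-app-02 admin_action user=root outcome=success cmd=useradd
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {"ts": ts, "host": m.group("host"), "event": m.group("event"), **fields}


def is_after_hours(ts):
    """Assumption: the normal operating window is 06:00 to 22:00."""
    return ts.hour >= 22 or ts.hour < 6


def review_log(text):
    """Categorize each event and collect findings a log reviewer would want to see."""
    report = {"categories": Counter(), "findings": [], "unparsed": 0}
    failures_by_src = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            report["unparsed"] += 1
            continue
        category = EVENT_CATEGORIES.get(rec["event"], "other")
        report["categories"][category] += 1
        # Every event must identify the user that caused it.
        if "user" not in rec:
            report["findings"].append(("missing user identification", raw))
        # Access attempts must record whether they succeeded or failed.
        if "outcome" not in rec and category in ("access attempt", "cardholder data access"):
            report["findings"].append(("missing success/failure outcome", raw))
        # Unusual pattern of activity: events late at night.
        if is_after_hours(rec["ts"]):
            report["findings"].append(("after-hours activity", raw))
        if rec.get("outcome") == "failure" and "src" in rec:
            failures_by_src[rec["src"]] += 1
    for src, n in failures_by_src.items():
        if n >= FAILURE_THRESHOLD:
            report["findings"].append(("repeated access failures", f"{n} failures from {src}"))
    return report


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for category, count in sorted(result["categories"].items()):
        print(f"{category}: {count}")
    for kind, detail in result["findings"]:
        print(f"FINDING [{kind}] {detail}")
```

Run as a script it prints the per-category counts followed by the four findings the sample produces. In practice the categories and field names would be replaced by those of the organization's actual log sources, and the after-hours window and failure threshold tuned to normal business activity.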
3.11 Requirement 11: Regularly test security systems and processes
Relevant Toolkit Documents
• Technical Vulnerability Management Policy
• Network Security Policy
• CDE Asset Inventory Database
• Security Incident Response Procedure
• Risk Assessment and Mitigation Process
• Risk Mitigation Plan
• Change Management Process
• Procedure for Monitoring the Use of IT Systems
• Information Security Policy
One of the best ways to ensure the organization’s security controls are sufficient is to perform regular vulnerability testing. This requirement ensures that testing is completed frequently and against industry-known best practices. Testing is broken down into several areas below, and PCI DSS requires each test to be completed at certain times annually. Areas to be tested include:
• Internal and external vulnerability scans – to be completed at least quarterly by an approved scanning vendor (a list of these can be found on the PCI DSS website)
• External penetration scan at least annually or after any significant change that could affect the CDE
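The cadence above is easy to let slip, particularly the "after any significant change" trigger, which does not show up on a calendar. The following added example, not part of the implementation guide or its toolkit, is a small checker that takes a constructed history of scan, penetration test and CDE change dates and reports what is overdue: quarterly internal and external scans, the annual penetration test, and any significant change that has not been followed by a test. The 90-day and 365-day windows, the history layout and the sample dates are assumptions made for the example.

```python
"""Check scan and penetration test cadence against the schedule described above.

Added example (not from the implementation guide). The history layout, the
90-day and 365-day windows and the sample dates are assumptions for illustration.
"""
from datetime import date, timedelta

QUARTERLY = timedelta(days=90)   # assumption for "at least quarterly"
ANNUAL = timedelta(days=365)     # assumption for "at least annually"


def overdue_items(history, today):
    """Return a list of overdue findings.

    history is a dict with the (assumed) keys 'internal_scans', 'external_scans',
    'pentests' and 'significant_changes', each a list of datetime.date values.
    Missing keys are treated as "never done".
    """
    findings = []

    # Internal and external vulnerability scans: at least quarterly.
    for kind in ("internal_scans", "external_scans"):
        last = max(history.get(kind, []), default=None)
        if last is None or today - last > QUARTERLY:
            findings.append(f"{kind}: last {last or 'never'}, quarterly scan overdue")

    # Penetration test: at least annually.
    pentests = history.get("pentests", [])
    last_pt = max(pentests, default=None)
    if last_pt is None or today - last_pt > ANNUAL:
        findings.append(f"pentests: last {last_pt or 'never'}, annual test overdue")

    # A significant change to the CDE requires a penetration test after it,
    # regardless of how recent the last scheduled test was.
    for change in history.get("significant_changes", []):
        if not any(pt > change for pt in pentests):
            findings.append(f"pentests: no test since significant change on {change}")

    return findings


# Constructed sample: internal scans are current, the external scan is stale,
# the annual penetration test is still within a year but a CDE change in
# February has not been followed by a test.
SAMPLE_HISTORY = {
    "internal_scans": [date(2024, 1, 15), date(2024, 4, 10)],
    "external_scans": [date(2024, 1, 20)],
    "pentests": [date(2023, 9, 5)],
    "significant_changes": [date(2024, 2, 28)],
}


if __name__ == "__main__":
    for item in overdue_items(SAMPLE_HISTORY, date(2024, 5, 1)):
        print("OVERDUE:", item)
```

Against the sample history as of 1 May 2024 the checker reports two items: the external scan (last run more than 90 days earlier) and the missing penetration test after the February change. Feeding it an empty history reports every test as never done, which is the right default for a newly inventoried CDE.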
Page 16 of 21