PCI DSS | Compliance | Fluid Attacks Help

PCI DSS


Summary

PCI DSS is the global data security standard adopted by payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of several steps that mirror security best practices. The version used in this section is PCI DSS v4.0, March 2022.

Definitions

| Definition | Requirements |
|---|---|
| 1_2_2. Network security controls are configured and maintained | 266. Disable insecure functionalities |
| 1_2_5. Network security controls are configured and maintained | 255. Allow access only to the necessary ports |
| 1_2_6. Network security controls are configured and maintained | 266. Disable insecure functionalities |
| 1_3_1. Inbound traffic to the cardholder data environment is restricted | 259. Segment the organization network |
| 1_3_2. Outbound traffic to the cardholder data environment is restricted | 259. Segment the organization network |
| 1_4_2. Restrict inbound traffic from untrusted networks | 255. Allow access only to the necessary ports |
| 1_4_3. Implement anti-spoofing measures | 096. Set user's required privileges; 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes |
| 1_4_4. Network connections between trusted and untrusted networks are controlled | 096. Set user's required privileges; 176. Restrict system objects |
| 1_4_5. Do not disclose internal IP addresses and routing information | 077. Avoid disclosing technical information; 261. Avoid exposing sensitive information |
| 1_5_1. Implement security controls on any computing devices | 273. Define a fixed security suite |
| 2_2_2. System components are configured and managed securely | 034. Manage user accounts; 142. Change system default credentials; 144. Remove inactive accounts periodically |
| 2_2_4. Remove or disable all unnecessary functionality | 154. Eliminate backdoors; 266. Disable insecure functionalities |
| 2_2_5. System components are configured and managed securely | 330. Verify Subresource Integrity |
| 2_2_6. Configure secure system parameters to prevent misuse | 062. Define standard configurations |
| 2_2_7. System components are configured and managed securely | 033. Restrict administrative access; 185. Encrypt sensitive information |
| 2_3_1. Wireless environments are configured and managed securely | 251. Change access point IP; 253. Restrict network access; 254. Change SSID name |
| 2_3_2. Wireless environments are configured and managed securely | 252. Configure key encryption |
| 3_2_1. Retain account data only where necessary and delete it when no longer needed | 183. Delete sensitive data securely; 360. Remove unnecessary sensitive information |
| 3_3_1. Sensitive authentication data (SAD) is not stored after authorization | 314. Provide processing confirmation; 315. Provide processed data information |
| 3_3_2. Sensitive authentication data (SAD) is encrypted using strong cryptography | 185. Encrypt sensitive information |
| 3_3_3. Sensitive authentication data (SAD) is not stored after authorization | 185. Encrypt sensitive information; 360. Remove unnecessary sensitive information |
| 3_4_1. Data is masked when displayed | 300. Mask sensitive data |
| 3_4_2. Use secure remote-access technologies | 181. Transmit data using secure protocols; 338. Implement perfect forward secrecy |
| 3_5_1. Primary account number (PAN) is secured wherever it is stored | 127. Store hashed passwords; 150. Set minimum size for hash functions |
| 3_6_1. Protect cryptographic keys used to protect stored account data | 145. Protect system cryptographic keys |
| 3_7_1. Generation of strong cryptographic keys | 224. Use secure cryptographic mechanisms |
| 3_7_2. Secure cryptographic key distribution | 145. Protect system cryptographic keys |
| 3_7_3. Secure cryptographic key storage | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM |
| 3_7_7. Prevention of unauthorized substitution of cryptographic keys | 095. Define users with privileges; 145. Protect system cryptographic keys; 176. Restrict system objects |
| 3_7_9. Secure transmission and storage of cryptographic keys | 338. Implement perfect forward secrecy |
| 4_2_1. Strong cryptography during transmission | 181. Transmit data using secure protocols; 338. Implement perfect forward secrecy |
| 4_2_2. Strong cryptography to protect data | 224. Use secure cryptographic mechanisms |
| 5_2_1. Deploy an anti-malware solution on system components | 273. Define a fixed security suite |
| 5_3_2. Anti-malware mechanisms and processes are active and monitored | 266. Disable insecure functionalities |
| 5_3_4. Enable audit logs for the anti-malware solution | 075. Record exceptional events in logs |
| 6_2_4. Software engineering techniques to prevent or mitigate common software attacks | 029. Cookies with security attributes; 169. Use parameterized queries; 173. Discard unsafe inputs; 174. Transactions without a distinguishable pattern |
| 6_3_3. Security vulnerabilities are identified and addressed | 266. Disable insecure functionalities; 353. Schedule firmware updates |
| 6_4_1. Public-facing web applications are protected against attacks | 029. Cookies with security attributes; 175. Protect pages from clickjacking; 343. Respect the Do Not Track header |
| 6_4_3. Public-facing web applications are protected against attacks | 330. Verify Subresource Integrity |
| 6_5_4. Changes to all system components are managed securely | 095. Define users with privileges |
| 6_5_5. Changes to all system components are managed securely | 156. Source code without sensitive information; 180. Use mock data; 261. Avoid exposing sensitive information |
| 6_5_6. Changes to all system components are managed securely | 171. Remove commented-out code; 360. Remove unnecessary sensitive information |
| 7_2_2. Access to system components and data is appropriately defined and assigned | 096. Set user's required privileges |
| 7_2_3. Required privileges are approved by authorized personnel | 035. Manage privilege modifications |
| 7_2_5. Access to system components and data is defined and assigned | 176. Restrict system objects; 186. Use the principle of least privilege |
| 7_2_6. Access to system components and data is defined and assigned | 229. Request access credentials |
| 7_3_1. Access to system components and data is managed via an access control system | 229. Request access credentials |
| 7_3_2. Access to system components and data is managed via an access control system | 096. Set user's required privileges; 229. Request access credentials |
| 7_3_3. Access control system is set to deny by default | 341. Use the principle of deny by default |
| 8_2_1. Assign a unique ID before access to system components | 143. Unique access credentials |
| 8_2_3. User identification for users and administrators is strictly managed | 176. Restrict system objects |
| 8_2_4. User identification for users and administrators is strictly managed | 034. Manage user accounts; 095. Define users with privileges |
| 8_2_5. Access for terminated users is immediately revoked | 023. Terminate inactive user sessions |
| 8_2_6. Inactive user accounts are removed within 90 days of inactivity | 144. Remove inactive accounts periodically |
| 8_2_8. User identification for users and administrators is strictly managed | 141. Force re-authentication |
| 8_3_1. Strong authentication for users and administrators is established | 229. Request access credentials |
| 8_3_2. Strong authentication for users and administrators is established | 338. Implement perfect forward secrecy |
| 8_3_3. Strong authentication for users and administrators is established | 264. Request authentication |
| 8_3_5. Initial or reset password or passphrase used by an authorized user | 140. Define OTP lifespan; 347. Invalidate previous OTPs |
| 8_3_6. Passwords or passphrases with a minimum level of complexity | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 139. Set minimum OTP length |
| 8_3_7. A previously used password cannot be used to gain access to an account | 129. Validate previous passwords |
| 8_3_9. A password or passphrase cannot be used indefinitely | 130. Limit password lifespan |
| 8_3_11. An authentication factor cannot be used by anyone other than the user it is assigned to | 362. Assign MFA mechanisms to a single account |
| 8_4_1. Multi-factor authentication (MFA) is implemented to secure access | 328. Request MFA for critical systems |
| 8_4_2. Multi-factor authentication (MFA) is implemented to secure access | 328. Request MFA for critical systems |
| 8_4_3. Multi-factor authentication (MFA) is implemented to secure access | 328. Request MFA for critical systems |
| 8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse | 319. Make authentication options equally secure |
| 8_6_3. Use of application and associated authentication factors is strictly managed | 130. Limit password lifespan |
| 9_2_2. Physical access controls manage entry into systems containing data | 255. Allow access only to the necessary ports |
| 9_2_3. Physical access controls manage entry into systems containing data | 249. Locate access points; 253. Restrict network access |
| 9_4_1. Media with cardholder data is securely stored and accessed | 231. Implement a biometric verification component |
| 9_4_3. Media is secured and tracked when transported | 147. Use pre-existent mechanisms; 181. Transmit data using secure protocols |
| 9_4_7. Media is secured and tracked when transported | 183. Delete sensitive data securely |
| 10_2_1. Audit logs are enabled and active for all system components | 075. Record exceptional events in logs |
| 10_3_2. Audit logs are protected from destruction and unauthorized modifications | 080. Prevent log modification |
| 10_6_1. System clocks and time are synchronized | 363. Synchronize system clocks |
| 10_7_2. Failures of critical security control systems are detected and responded to promptly | 266. Disable insecure functionalities |
| 11_2_1. Wireless access points are identified and monitored | 249. Locate access points |
| 12_9_1. Third-party service providers support their customers | 315. Provide processed data information |
| 3_6_1_1. Protect cryptographic keys used to protect stored account data | 351. Assign unique keys to each device; 361. Replace cryptographic keys |
| 3_6_1_2. Protect cryptographic keys used to protect stored account data | 151. Separate keys for encryption and signatures |
| 10_2_1_3. Audit logs are enabled and active for all system components | 085. Allow session history queries |
| 10_2_1_4. Audit logs are enabled and active for all system components | 075. Record exceptional events in logs |