PCI DSS 3.2

  • Self Assessment Questionnaire
  • PIN Transaction Security (Encrypting PIN Pad device)
  • Validated Payment Applications

These were best practices; from February 1st 2018 they are mandated requirements.

List of Controls

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied system defaults.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect systems against malware and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to the cardholder data environment by business need.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

PCI DSS 2.0, 3.0 and 3.1

These versions provide clarification and additional guidance, and introduce evolving requirements.

  • Network diagram is essential
  • Maintain a system component inventory
  • Mitigation of malware threats
  • Use of antivirus software is mandatory
  • Coding practices for broken authentication and session management
  • Password complexity requirements
  • Authentication on remote access
  • Physical access
  • Point of Sale (POS) device security
  • User identification and authorization
  • Audit logs
  • Inventory of authorized wireless access points
  • Scheduled penetration testing
  • Cardholder Data Environment (CDE) isolation
  • Annual risk assessment
  • Compliance of service providers
  • Written acknowledgement

3.1 Change log

  • SSL is no longer considered a secure technology
  • From June 30th 2016, TLS 1.2 is mandatory
  • Disable or remove accounts that have been inactive for 90 days
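As an added example (not part of these notes), a small Python check for the two 3.1 items above: enabled protocols below the TLS 1.2 floor, and accounts idle for 90 days or more. The protocol names and account records are constructed sample values, not real data.

```python
from datetime import date, timedelta

# TLS 1.2 is the floor; anything older (all SSL versions, TLS 1.0/1.1) is flagged.
MIN_TLS = (1, 2)


def noncompliant_protocols(enabled):
    """Return the enabled protocol names that fall below the TLS 1.2 floor."""
    flagged = []
    for name in enabled:
        if name.startswith("TLSv"):
            parts = name[4:].split(".")
            major = int(parts[0])
            minor = int(parts[1]) if len(parts) > 1 else 0  # "TLSv1" means 1.0
            if (major, minor) < MIN_TLS:
                flagged.append(name)
        else:
            # SSLv2/SSLv3 or an unrecognised name: treat as non-compliant.
            flagged.append(name)
    return flagged


def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Return usernames whose last login is >= max_idle_days before as_of.

    accounts: iterable of (username, last_login_date or None for never logged in).
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    return [user for user, last_login in accounts
            if last_login is None or last_login <= cutoff]


# Constructed sample input (assumed values for illustration only).
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1.0", "TLSv1.2", "TLSv1.3"]
SAMPLE_ACCOUNTS = [
    ("alice", date(2016, 6, 1)),      # active recently
    ("bob", date(2016, 2, 15)),       # idle well over 90 days
    ("svc_backup", None),             # never logged in
]
AS_OF = date(2016, 6, 30)

if __name__ == "__main__":
    print(noncompliant_protocols(SAMPLE_PROTOCOLS))  # ['SSLv3', 'TLSv1.0']
    print(inactive_accounts(SAMPLE_ACCOUNTS, AS_OF))  # ['bob', 'svc_backup']
```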