PCI DSS Requirement checklist

Columns: PCI DSS Requirement, Correct, Justification

02.03 Encrypt all administrative access
Correct: -
Justification: All administrative and control communications to your web server and payment application must be encrypted. This is usually accomplished with HTTPS, but other mechanisms are available.

03.02 The CCVC or PIN is only kept to process the transaction.
Correct: -
Justification: The CCVC is only allowed to be kept or stored long enough to process the initial transaction. Even if encrypted, you are not allowed to save the CCVC from one transaction to the next.

03.03 The credit card number is masked when displayed (allow the first 6 or the last 4 digits of the card, not both), except when processing the transaction or otherwise conducting specific business.
Correct: -
Justification: The credit card number cannot be displayed on receipts, orders, invoices, or web pages, except when processing the transaction or for use when conducting specific business. You may keep the first six or the last four digits in a database or on paper receipts.
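The masking rule in 03.03 (first six or last four digits visible, never both), as an added Python example that is not part of this checklist: it masks a PAN for display and scans text such as a receipt or a log line for PANs that were left unmasked, using a Luhn check to cut false positives. The regex, the well-known test card number and the receipt text are constructed for the example.

```python
import re

# Loose PAN pattern: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run. Constructed for this example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: str = "last4") -> str:
    """Return the PAN with only the first 6 or the last 4 digits visible (never both)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if keep == "last4":
        return "*" * (len(digits) - 4) + digits[-4:]
    if keep == "first6":
        return digits[:6] + "*" * (len(digits) - 6)
    raise ValueError("keep must be 'last4' or 'first6'")


def find_unmasked_pans(text: str) -> list[str]:
    """Digit runs that look like PANs and pass Luhn, e.g. in a receipt or a log line."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(text: str, keep: str = "last4") -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits, keep) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


# Constructed sample receipt line; 4111 1111 1111 1111 is a well-known test number,
# while the Ref value is a 16-digit run that fails the Luhn check.
RECEIPT = "Order 1234567890  Card: 4111 1111 1111 1111  Ref: 1234 5678 9012 3456\n"
```

Running `find_unmasked_pans` over receipt templates, order e-mails and application logs is a cheap check that the masking rule is actually applied everywhere the PAN could be displayed.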
04.01 Use SSL/TLS to encrypt all Internet communications involving cardholder data
Correct: -
Justification: All communications between your web site and the user, or between your web site and the gateway processor, that involve cardholder data (e.g., the credit card number) must be encrypted.

04.02 Do not use email for credit card numbers
Correct: -
Justification: Credit card information is not allowed to be sent using email, even if the email is encrypted. Email passes through multiple servers and may remain on a server long enough to be backed up and archived. Encryption keys may also be tracked, allowing the contents of the email to be easily decrypted.

05.01 Deploy anti-virus software on all non-Unix (or non-Linux) systems with access to cardholder data
Correct: -
Justification: Viruses, trojan horses, and other malware are very prevalent on Windows-based computers. Macintosh computers starting with OS X are Unix-based, so they remain significantly less likely targets. Anti-virus software is available for all systems in a range of prices.

07.01 Limit access to cardholder information to those individuals whose job requires access
Correct: -
Justification: Access to cardholder data needs to be limited at all times to just those employees and contractors who need access to perform their job. This applies to all media, including printed receipts, electronic lists, etc.

08.05 Maintain secure and proper user authentication (including password management) for all non-consumer accounts.
Correct: -
Justification: All non-consumer accounts on the system must authenticate (verify identity) using a password or some other established verification mechanism. Passwords must be sufficiently complex and maintained in a secure manner.

09.06 Physically secure all paper and electronic media that contain cardholder data
Correct: -
Justification: All media (electronic and paper) must be locked up when not being used to process the transaction or for business purposes. A safe is sufficient for this purpose.

09.07 Maintain strict control over distribution of any media that contains cardholder data
Correct: -
Justification: Media containing cardholder data cannot be distributed without controls. The media must be shredded (paper) or erased (electronic) prior to disposal.

09.08 Management approves all media transfers out of a secure area
Correct: -
Justification: This is necessary for auditing and traceability.

09.09 Maintain strict control of storage and accessibility of media containing cardholder data
Correct: -
Justification: It is necessary to control which individuals have access to cardholder information and when. This may include logging access to the media storage area.

09.10 Destroy media that contains cardholder data when it is no longer needed
Correct: -
Justification: Properly destroyed and disposed-of media cannot compromise cardholder information.

10.01 Establish a process for unambiguously determining who accessed system components
Correct: -
Justification: This is most easily done by maintaining a system access log that tracks individual accounts and by ensuring that each individual has their own account.

12.01 Establish, publish, maintain, and disseminate a security policy
Correct: -
Justification: The policy does not need to be complex or involved. It needs to cover the basics of handling cardholder data and who is responsible.

12.08 Include these requirements in contracts with other service providers if they have access to cardholder data
Correct: -
Justification: Security and protection of cardholder information does not stop with your company. You must ensure that the information you collect is protected throughout the life of that information.