PCI DSS v3.2

This page provides an overview of the PCI DSS 3.2 compliance policy and the current PCI requirements & controls monitored in Secberus.

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a standard developed by the credit card industry to ensure the protection of credit card information in online transactions. PCI DSS applies to all entities that store, process, or transact with cardholder data.

Secberus provides unified PCI visibility across technical PCI DSS 3.2 requirements relevant to cloud infrastructure and services. This allows you to continuously assess, report, and manage your PCI posture across multi-cloud environments. Official documentation for PCI DSS is available here.

Supported PCI DSS v3.2 Controls

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

| Req. Number | Summary | Description |
|---|---|---|
| 1.2.1 | Restrict Inbound & Outbound Traffic | Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
| 1.3 | Prohibit Public Access | Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
| 1.3.4 | Do Not Allow Unauthorized Outbound Traffic | Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |

Requirement 3: Protect Stored Cardholder Data

| Req. Number | Summary | Description |
|---|---|---|
| 3.4.1 | Disk Encryption Logical Access | If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. |
| 3.5 | Key Protection | Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. |
| 3.6.4 | Expire Cryptographic Keys | Cryptographic key changes for keys that have reached the end of their crypto-period (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). |

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

| Req. Number | Summary | Description |
|---|---|---|
| 4.1 | Encrypt Data in Transit | Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: (1) Only trusted keys and certificates are accepted. (2) The protocol in use only supports secure versions or configurations. (3) The encryption strength is appropriate for the encryption methodology in use. |

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

| Req. Number | Summary | Description |
|---|---|---|
| 7.1 | Limit Access | Limit access to system components and cardholder data to only those individuals whose job requires such access. |

Requirement 8: Identify and Authenticate Access to System Components

| Req. Number | Summary | Description |
|---|---|---|
| 8.1.4 | Remove/Disable Inactive User Accounts Within 90 Days | Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. |
| 8.2.3 | Implement Strong Password Policies | Passwords/passphrases must meet the following: (1) Require a minimum length of at least seven characters. (2) Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above. |
| 8.2.4 | Change User Passwords/Passphrases at Least Once Every 90 Days | For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days. |
| 8.2.5 | Do Not Allow Repeat Passwords | Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. |
| 8.3 | Apply Multi-Factor Authentication | Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. |

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

| Req. Number | Summary | Description |
|---|---|---|
| 10.1 | Implement Audit Trails | Implement audit trails to link all access to system components to each individual user. |
| 10.2.6 | Ensure Initialization, Stopping or Pausing of the Audit Logs | Verify the following are logged: (1) Initialization of audit logs. (2) Stopping or pausing of audit logs. |
| 10.5 | Secure Audit Trails | Secure audit trails so they cannot be altered. |

❗️ If there is a specific requirement not included here that you would like to monitor, please email [email protected].