PCI DSS v3.2
This page provides an overview of the PCI DSS 3.2 compliance policy and the current PCI requirements & controls monitored in Secberus.
Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a standard developed by the credit card industry to ensure the protection of credit card information in online transactions. PCI DSS applies to all entities that store, process, or transact with cardholder data.
Secberus provides unified PCI visibility across technical PCI DSS 3.2 requirements relevant to cloud infrastructure and services. This allows you to continuously assess, report, and manage your PCI posture across multi-cloud environments. Official documentation for PCI DSS is available here.
Supported PCI DSS v3.2 Controls
Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
| Req. Number | Summary | Description |
|---|---|---|
| 1.2.1 | Restrict Inbound & Outbound Traffic | Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
| 1.3 | Prohibit Public Access | Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
| 1.3.4 | Do Not Allow Unauthorized Outbound Traffic | Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
Requirement 3: Protect Stored Cardholder Data
| Req. Number | Summary | Description |
|---|---|---|
| 3.4.1 | Disk Encryption Logical Access | If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. |
| 3.5 | Key Protection | Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse |
| 3.6.4 | Expire Cryptographic Keys | Cryptographic key changes for keys that have reached the end of their crypto-period (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). |
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
| Req. Number | Summary | Description |
|---|---|---|
| 4.1 | Encrypt Data in Transit | Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: _ Only trusted keys and certificates are accepted. _ The protocol in use only supports secure versions or configurations. * The encryption strength is appropriate for the encryption methodology in use. |
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
| Req. Number | Summary | Description |
|---|---|---|
| 7.1 | Limit access | Limit access to system components and cardholder data to only those individuals whose job requires such access. |
Requirement 8: Identify and Authenticate Access to System Components
| Req. Number | Summary | Description |
|---|---|---|
| 8.1.4 | Remove/Disable Inactive User Accounts Within 90 Days | Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. |
| 8.2.3 | Implement Strong Password Policies | Passwords/passphrases must meet the following: _ Require a minimum length of at least seven characters. _ Contain both numeric and alphabetic characters. Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. |
| 8.2.4 | Change User Passwords/Passphrases at Least Once Every 90 Days. | For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days. |
| 8.2.5 | Do Not Allow Repeat Passwords | Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. |
| 8.3 | Apply Multi-Factor Authentication | Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. |
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
| Req. Number | Summary | Description |
|---|---|---|
| 10.1 | Implement Audit Trails | Implement audit trails to link all access to system components to each individual user. |
| 10.2.6 | Ensure Initialization, Stopping or Pausing of the Audit Logs | Verify the following are logged: _ Initialization of audit logs _ Stopping or pausing of audit logs. |
| 10.5 | Secure Audit Trails | Secure audit trails so they cannot be altered. |
If there is a specific requirement not included here that you would like to monitor, please email [email protected].
Updated 6 months ago