Here are the 10 key compliance factors of PCI DSS.
- The company has previously been PCI certified by a PCI-QSA
When the company has previously been validated by a QSA, this provides a level of comfort that the proper controls are already in place, and it will really speed up the process.
- Centralized policies and procedures are in place.
When a company has all the policies and procedures in place, you can reasonably expect that they follow those documents.
- Internal network segmentation (via firewalls or router/switch based ACLs) is in place.
This will determine the scope of the assessment. Network segmentation reduces the scope of your PCI assessment. The internal network should be segmented from the DMZ environment, and in-scope components should be segmented from all other components.
- Cardholder data is NOT stored in clear text.
Cardholder data should be encrypted in transit and at rest.
- Formal key management processes are in place.
It is important to document how the encryption keys are maintained and how often they should be changed. The keys should be changed annually as a best practice.
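One way to turn the annual rotation rule into a repeatable check is to keep a key inventory with creation and last-rotation dates and report which keys are overdue. The script below is an added example, not part of the original article or of any particular PCI tooling; the key IDs, dates and the 30-day "due soon" warning window are constructed values (assumptions) chosen for illustration.

```python
from datetime import date

# Constructed key inventory (hypothetical key IDs and dates, not from the article).
# 'last_rotated' is None for keys that have never been rotated since creation.
KEY_INVENTORY = [
    {"key_id": "dek-cardholder-db", "created": "2023-01-15", "last_rotated": "2024-01-10"},
    {"key_id": "kek-hsm-master", "created": "2022-06-01", "last_rotated": None},
    {"key_id": "tls-api-gateway", "created": "2024-03-20", "last_rotated": "2024-03-20"},
    {"key_id": "dek-token-vault", "created": "2023-06-10", "last_rotated": None},
]

# Policy stated in the article: keys should be changed annually.
MAX_KEY_AGE_DAYS = 365
# Assumed warning threshold: flag keys within 30 days of the deadline.
DUE_SOON_WINDOW_DAYS = 30

# Assumed date on which the audit is run (fixed so the result is reproducible).
AUDIT_DATE = date(2024, 6, 1)


def key_age_days(entry, today):
    """Days since the key material last changed: rotation date if present, else creation date."""
    last_change = entry["last_rotated"] or entry["created"]
    return (today - date.fromisoformat(last_change)).days


def rotation_status(entry, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Classify a key as OK, DUE_SOON or OVERDUE against the rotation policy."""
    age = key_age_days(entry, today)
    if age > max_age_days:
        return "OVERDUE"
    if age > max_age_days - DUE_SOON_WINDOW_DAYS:
        return "DUE_SOON"
    return "OK"


def audit_key_rotation(inventory, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {key_id: (status, age_in_days)} for every key in the inventory."""
    return {
        entry["key_id"]: (rotation_status(entry, today, max_age_days), key_age_days(entry, today))
        for entry in inventory
    }


def overdue_keys(inventory, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Sorted list of key IDs that have exceeded the rotation period."""
    report = audit_key_rotation(inventory, today, max_age_days)
    return sorted(k for k, (status, _) in report.items() if status == "OVERDUE")


if __name__ == "__main__":
    for key_id, (status, age) in audit_key_rotation(KEY_INVENTORY, AUDIT_DATE).items():
        print(f"{key_id:20} {status:9} age={age}d")
```

Running it lists each key with its age and status; the keys reported as OVERDUE are the ones an assessor would expect to see rotated, and the DUE_SOON entries give the operations team advance notice rather than a surprise at audit time.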
- Logging is enabled for all in-scope system components.
This is self-explanatory: all activity on the in-scope components should be recorded in a log, and these logs should be retained and shipped to a centralized log management tool.
- Logs are stored in a centralized log management system.
The centralized log management system, a.k.a. SIEM, should be reviewed on a daily basis.
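The two logging items above together imply a concrete daily check: every in-scope component should have shipped logs to the central store within the review window, and anything logging that is not on the in-scope inventory should be explained. The script below is an added example, not part of the original article or of any SIEM product; the hostnames, the syslog-style sample lines and the 24-hour review window are constructed values (assumptions) used for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of in-scope system components (hypothetical hostnames).
IN_SCOPE_COMPONENTS = ["pay-db-01", "pay-app-01", "pay-app-02", "dmz-fw-01"]

# Constructed sample of what the central log store might hold:
# "<ISO timestamp> <host> <message>", one event per line.
SAMPLE_LOGS = """\
2024-06-01T02:15:07Z pay-db-01 sshd[1182]: Accepted publickey for dba from 10.20.1.15
2024-06-01T03:40:22Z pay-app-01 app: payment token request completed
2024-06-01T04:05:51Z dmz-fw-01 fw: policy 12 deny tcp 203.0.113.9 -> 10.10.0.5:3389
2024-05-29T23:59:10Z pay-app-02 app: service started
2024-06-01T06:12:00Z build-ci-01 ci: nightly job finished
"""

# Assumed time at which the daily review is run (fixed so the result is reproducible).
REVIEW_END = datetime(2024, 6, 1, 8, 0, 0)


def parse_log_line(line):
    """Split '<timestamp> <host> <message>' into (datetime, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg


def review_log_coverage(log_text, in_scope, review_end, window_hours=24):
    """Check that each in-scope component logged within the review window.

    Returns which components are covered, which have gone silent (no events in
    the window, or none at all), which log sources are not in the inventory,
    and a per-host event count for the reviewer's summary.
    """
    window_start = review_end - timedelta(hours=window_hours)
    last_seen = {}
    counts = defaultdict(int)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _ = parse_log_line(line)
        counts[host] += 1
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts

    silent = sorted(h for h in in_scope if h not in last_seen or last_seen[h] < window_start)
    covered = sorted(h for h in in_scope if h not in silent)
    unknown_sources = sorted(h for h in last_seen if h not in in_scope)
    return {
        "covered": covered,
        "silent": silent,
        "unknown_sources": unknown_sources,
        "event_counts": dict(counts),
    }


def daily_review():
    """Run the coverage check over the constructed sample with the fixed review time."""
    return review_log_coverage(SAMPLE_LOGS, IN_SCOPE_COMPONENTS, REVIEW_END)


if __name__ == "__main__":
    result = daily_review()
    print("covered:        ", result["covered"])
    print("silent:         ", result["silent"])
    print("unknown sources:", result["unknown_sources"])
    print("event counts:   ", result["event_counts"])
```

A component that appears in the "silent" list is the finding to chase first: either logging was disabled, the forwarder broke, or the host is down, and any of those defeats the purpose of the centralized log store. Sources that are not on the inventory are worth reconciling too, since they may be in-scope systems that were never added to the scoping document.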
- Quarterly perimeter (via an ASV) and internal vulnerability scans are taking place.
These scans should be done regularly and vulnerabilities should be addressed immediately.
- Annual perimeter and internal (application and network based) penetration tests are taking place.
Penetration tests should be performed annually, and any findings should be addressed.
- Developers are formally trained on secure coding practices.
All employees should be trained and refreshed annually on security awareness, and all developers should be trained on how to write secure code.