Compliance programs are heavily based on documentation, and PCI is no exception. Technical and non-technical documents are a major part of the PCI journey and certainly of the compliance audit. Documents (technical descriptions, diagrams, policies, procedures, standards, audit trails, scan reports, pen test reports, risk analysis reports, test reports, …) are the auditor's food.
Therefore, besides the technical specifics, no one should neglect or underestimate the effort and time necessary to set up and maintain their PCI library. It's a huge part of any PCI project.
If documentation is so important, why is there no official list of required documents on the PCI Standard Web site? Answer: It would be too easy! Organizations have to make their own interpretation of the requirements in order to uncover the associated list of documents.
To solve this "gap", I decided to complete this exercise once and for all and share the outcome here. A new version of the PCI Compliance Dashboard includes this list within the PCI Documentation sheet.
The PCI Library for PCI DSS V2.0
Inventory of technical and non-technical documentation together with the associated PCI requirements.
Technical Documents

| Title/Subject | Description & associated requirements | # Req |
|---|---|---|
| Global network diagram | Global network diagram (Confidential) | 1.1 |
|  | Includes development/test and production environments | 6.4 |
| Lightened network diagram | Non-confidential, for external communication with third parties. No internal IPs. | Optional |
| PCI Scope definition | Document describing the PCI scope, network diagram, components, function, flow, card data storage, processing, transmission | 1.1 Scope |
| Firewall/router rule sets | For each firewall/router in scope: |  |
|  | Includes a list of secure and unsecure services, protocols and ports together with business justification for each firewall and router. | 1.1.5 |
|  | Includes a list of restricted connections between untrusted networks and system components in the cardholder data environment | 1.2 |
|  | Includes a description of inbound and outbound traffic | 1.2.1 |
|  | Includes a rule stating that internal addresses cannot pass from the Internet into the DMZ. | 1.3.4 |
|  | Includes a requirement for stateful inspection | 1.3.6 |
|  | Includes segregation of CDE (Ensure that system components that store cardholder data are on an internal network zone, segregated from the DMZ) | 1.3.7 |
| System Configuration/hardening for all components in scope | For each system component in scope: |  |
|  | Includes a list of services, protocols and daemons enabled, with business justification. | 2.2 |
|  | Includes a list of common security parameter settings for the system components | 2.2.3 |
|  | Includes a list of unnecessary functionalities (for example, scripts, drivers, features, subsystems, file systems, etc.) removed/disabled | 2.2.4 |
|  | Includes removal of Telnet and other remote login commands | 2.3 |
|  | Includes the list of anti-virus/anti-malware software and description of associated processes | 5.1 |
|  | Includes a description of access control configuration | 7.2 |
|  | Includes a description of user authentication method | 8.2 |
|  | Includes a description of the method ensuring the integrity of critical files | 11.5 |
|  | Includes the list of files considered as critical | 11.5 |
| Encryption / Transmission | Lists the security protocols used in scope wherever cardholder data is transmitted or received over open, public networks. | 4.1 |
| Patch inventory | Inventory/history of applied patches for each component | 6.1 |
| IDS/IPS config | Lists active and static protection systems (IDS/IPS) used within the scope and their associated configuration and processes. | 11.4 |


Policies, Procedures, Standards and Processes

| Title/Subject | Description & associated requirements | Req |
|---|---|---|
| Role and responsibilities for network and security management | Description of Groups, Roles and Responsibilities for Logical Management of Network Components. Description of Groups, Roles and Responsibilities for security management including key management. | 1.1.4 |
| Firewall/router configuration and change management process | Formal process for testing and approval of all network connections and changes to firewall and router configurations | 1.1 |
|  | Includes a statement enforcing review of firewall and router rule sets at least every six months. | 1.1.6 |
|  | Includes limitation of inbound and outbound traffic to that which is necessary for the cardholder data environment | 1.2 |
|  | Includes a statement preventing any disclosure of private IP addresses and routing information to external parties and exceptions | 1.3.8 |
|  | Includes enabling and activation of audit trails. | 10.1 |
| Configuration Standards (Windows, SQL,…) | System configuration and hardening procedures for each type of system component in scope. | 2.2 |
|  | Includes policy and procedures for changing of Vendor Default Settings | 2.1 |
|  | Includes a statement enforcing one primary function per system | 2.2.1 |
|  | Includes a statement enforcing that only necessary services or protocols are enabled. Justification | 2.2.2 |
|  | Includes a list of common security parameter settings for the system components | 2.2.3 |
|  | Includes a statement enforcing removal of all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) | 2.2.4 |
|  | Includes a statement enforcing encryption of non-console admin access. | 2.3 |
|  | Includes a statement ensuring removal/deactivation of Telnet and other remote login commands for use internally | 2.3 |
|  | Includes a statement enforcing audit trails activation | 10.1 |
| Protection of Laptop/Desktop in scope | Description of technical measures, configuration and associated processes protecting laptops and desktops, such as personal firewall and anti-virus. | 1.4 |
| Data retention and disposal policy and process | Formal data retention policy identifying what data needs to be retained, and where that data resides so it can be securely destroyed or deleted as soon as it is no longer needed. | 3.1/3.2.1/3.2.2/3.2.3 |
|  | Includes types of data retained (No sensitive data) |  |
|  | Includes a statement preventing presence of card data in: all logs (for example, transaction, history, debugging, error); history files; trace files; database contents |  |
|  | Includes a statement preventing storage of CVV and PIN |  |
|  | Includes procedure for obtaining and protecting cardholder data |  |
|  | Includes procedure for accessing, modifying or transferring cardholder data |  |
|  | Includes procedures for disposing of and destroying data. |  |
|  | Includes business justification for retention of cardholder data |  |
| Data display protection | Primary Account Number (PAN) Policy and Procedures for Displaying the PAN Digits | 3.3 |
|  | Includes a statement enforcing masking of PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed) |  |
|  | Includes a list of users/roles having legitimate business reason to access data. |  |
| Key protection and management | Policy and procedures associated to the generation and protection of keys used for encryption of cardholder data (PGP, …) | 3.5/3.6 |
|  | Includes the selection process of key custodians | 3.6.8 |
| Tokenization Process | Description of the processes and mechanisms used to generate and protect the token, associated components and data | Optional |
| Anti-virus | Information about anti-virus technology in use and how it is updated/managed. | 5.1 |
| Security Patch Management | Procedures for the identification, risk ranking, testing, distribution, deployment and implementation of security patches | 6.1 |
|  | Includes a statement enforcing installation of all critical new security patches within one month. |  |
|  | Describes the processes used to identify new security vulnerabilities, and that a risk ranking is assigned to such vulnerabilities | 6.2 |
|  | Includes a list of online resources for patch management, alerts, security and support, as applicable. |  |
| Software Development processes | Description of the software development processes in use | 6.3 |
|  | Lists of industry standards and/or best practices. |  |
|  | Includes a statement enforcing that security is taken into account throughout the life cycle. |  |
|  | Includes a statement enforcing review of custom application code changes prior to release to production or customers in order to identify any potential coding vulnerability. |  |
|  | Includes a statement enforcing separation of development/test and production environments | 6.4 |
|  | Includes a statement enforcing separation of duties between development/test and production environments | 6.4.2 |
| Secure coding/Testing | Software Development Secure Coding Guidelines and Training Policy and Procedures | 6.5-6.5.9 |
|  | Includes a statement enforcing training of developers in secure coding technique | 6.5 |
|  | Includes a description of the testing process used to ensure apps are not vulnerable to coding mistakes (SQL Inj,…) | 6.6 |
| Test procedures | Policy and procedures associated to the test of applications |  |
|  | Includes a statement preventing usage of live PAN in test environment | 6.4.3 |
|  | Includes a statement enforcing removal of test data and accounts before production | 6.4.4 |
| Change control procedures for implementation of security patches and software modifications | Procedures for the implementation of security patches and software modification | 6.4.5 |
|  | Includes statements enforcing: (i) documentation of impact; (ii) documented approval by authorized parties; (iii) testing of functionality to ensure the change does not adversely impact the security of the system; (iv) testing of all custom code updates for compliance with PCI DSS Requirement 6.5 (to address the vulnerabilities identified in 6.5.1 – 6.5.9); (v) back-out procedures | 6.4.5 |
|  | Includes a statement enforcing execution of internal and external scans after any significant change. | 11.2.3 |
| Data control/Access Control | Data Control & Access Control Policies and Procedures. |  |
|  | Includes a statement restricting access rights for privileged user IDs to least privileges necessary to perform job responsibilities. | 7.1.1 |
|  | Includes a statement enforcing that assignment of privileges is based on job classification and function | 7.1.2 |
|  | Includes a statement enforcing documented approval by authorized parties (in writing or electronically) for all access, and that it must specify required privileges | 7.1.3 |
|  | Includes a statement requiring implementation of access controls via an automated access control system. | 7.1.4 |
|  | Includes a statement enforcing that access control systems are in place on all system components. | 7.2.1 |
|  | Includes a statement requiring configuration of access control systems to enforce privileges assigned to individuals based on job classification and function | 7.2.2 |
|  | Includes a statement enforcing that access control systems have a default "deny-all" setting. | 7.2.3 |
|  | Includes a statement enforcing assignment of a unique userId to users before being allowed to access system components or cardholder data | 8.1 |
|  | Describes authentication method in use | 8.2 |
|  | Includes a statement enforcing usage of two-factor authentication for all remote network access. | 8.3 |
| Proper Authentication & Password Management | Policy and procedures associated to access management and password management (request, authorization, creation/modification/deletion/revocation change control process) | 8.5 |
|  | Includes password initialization/reset process | 8.5.2 |
|  | Includes a statement enforcing removal or disabling of inactive user accounts over 90 days old | 8.5.5 |
|  | Includes management of vendor remote access (for maintenance) | 8.5.6 |
|  | Includes a statement preventing Generic/Share and exception management | 8.5.8 |
|  | Includes a statement prohibiting group and shared passwords or other authentication methods | 8.5.8 |
|  | Includes a statement enforcing change of user passwords at least every 90 days | 8.5.9 |
|  | Includes a statement enforcing a minimum password length of at least seven characters. | 8.5.10 |
|  | Includes a statement enforcing that passwords contain both numeric and alphabetic characters. | 8.5.11 |
|  | Includes a statement prohibiting submission of a new password identical to the last four passwords. | 8.5.11 |
|  | Includes a statement enforcing UserId lockout after not more than six attempts. | 8.5.12 |
|  | Includes a statement enforcing a lockout duration of 30 min minimum or until administrator enables the user ID | 8.5.13 |
|  | Includes a statement requiring user re-authentication whenever a session has been idle for more than 15 minutes | 8.5.14 |
| Job Classification | Lists the roles, privileges, access requirements, security responsibilities | 7.1, 7.2, 12.4 |
| Security classification | Lists the classification levels related to the confidentiality of the data |  |
| User access inventory | Lists who has access to what |  |
| Physical access protection | Policy and procedures associated to the protection of physical areas, visitor handling, visitor checklist | 9.1, 9.5/9.6 |
| Media Distribution, Classification and destruction | Policy and procedures for media distribution and classification | 9.7/9.8 |
|  | Includes policy and procedures for storage, maintenance and description of hardcopy and electronic media | 9.9/9.10 |
| Monitoring/logging | Policy and procedures associated to monitoring/logging |  |
|  | Includes a statement enforcing enablement and activation of audit trails for system components. | 10.1 |
|  | Includes a statement enforcing logging of access to credit card data | 10.2.1 |
|  | Includes a statement enforcing logging of actions taken by root administrators | 10.2.2 |
|  | Includes a statement enforcing logging of access to audit trails | 10.2.3 |
|  | Includes a statement enforcing logging of invalid access | 10.2.4 |
|  | Includes a statement enforcing logging of the mechanism used to identify and authenticate | 10.2.5 |
|  | Includes a statement enforcing logging of initialization of audit logs | 10.2.6 |
|  | Includes a statement enforcing logging of creation/deletion of system components | 10.2.7 |
|  | Lists the type of data to be logged: UserId, type of event, date and time, success or failure, origin of event, affected data, system component or resource. | 10.3 |
|  | Includes a statement enforcing the use of time synchronization technology | 10.4 |
|  | Describes the measures taken for the protection of audit trails | 10.5 |
|  | Describes the process associated to the review of logs (When, How) | 10.6/12.2 |
|  | Includes a statement enforcing log retention for one year | 10.7 |
| Detection of WAP | Policy and procedures associated to the detection and identification of wireless access points on a quarterly basis | 11.1 |
|  | Lists all WAP and their business reasons |  |
| ASV Scan process and scan reports | Procedures associated to quarterly ASV scans and internal scans remediation | 11.2 |
|  | Includes a list of past scans, results reports |  |
| Penetration testing | Procedures associated to the execution of pen tests |  |
|  | Includes a statement requiring execution of penetration testing at least annually and after any significant changes to the environment. | 11.3 |
|  | Includes a list of past pen tests, results reports |  |
| Intrusion detection process/configuration | Procedures associated to the use and configuration of IDS/IPS | 11.4 |
|  | Includes a statement enforcing the use of IDS at entry points and other critical points | 11.4 |
|  | Lists IDS/IPS and location |  |
| File-integrity tools used | Procedures and configuration associated to the file-integrity tools | 11.5 |
|  | Lists file-integrity tools used and the critical files they are protecting: application executables; configuration and parameter files; centrally stored, historical or archived, log and audit files |  |
| Risk Assessment Process | Risk assessment process | 12.1 |
| Annual Risk Assessment | Annual risk assessment reports | 12.1 |
| Daily Operational and security procedures | List of tasks/processes to be performed on a regular basis | 12.3 |
| Usage Policies and Procedures | Policy and procedures associated to the use of critical technology | 12.3 |
|  | Includes a statement requiring explicit approval from authorized parties to use the technologies. | 12.3.1 |
|  | Includes a statement requiring that all technology use be authenticated with user ID and password or other authentication item (for example, token) | 12.3.2 |
|  | Includes a statement requiring a list of all devices and personnel authorized to use the devices. | 12.3.3 |
|  | Includes a statement requiring labeling of devices with information that can be correlated to owner, contact information and purpose. | 12.3.4 |
|  | Includes a statement requiring acceptable uses for the technology. | 12.3.5 |
|  | Includes a statement requiring acceptable network locations for the technology. | 12.3.6 |
|  | Includes a statement requiring a list of company-approved products. | 12.3.7 |
|  | Lists company-approved products |  |
|  | Includes a statement requiring automatic disconnect of sessions for remote-access technologies after a specific period of inactivity | 12.3.8 |
|  | Includes a statement requiring activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. | 12.3.9 |
|  | Includes a statement prohibiting copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies. | 12.3.10 |
| Security Policy | Security policy for employees and contractors | 12.1 |
|  | Describes information security responsibilities for employees and contractors | 12.4 |
|  | Lists formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management. | 12.5 |
|  | Includes assignment of responsibility for creating and distributing security policies and procedures | 12.5.1 |
|  | Includes formal assignment of responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel. | 12.5.2 |
|  | Includes formal assignment of responsibility for creating and distributing security incident response and escalation procedures. | 12.5.3 |
|  | Includes assignment of responsibility for administering user account and authentication management | 12.5.4 |
|  | Includes assignment of responsibility for monitoring and controlling all access to data | 12.5.5 |
| Security Awareness program | Defines a formal security awareness program for all personnel | 12.6 |
|  | Includes multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web based training, meetings, and promotions). | 12.6.1 |
|  | Requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy. | 12.6.2 |
|  | Listing of security awareness delivery. Proof that personnel attend awareness training upon hire and at least annually. | 12.6.1 |
| HR Screening process | Description of HR screening process or associated law limiting/preventing such due diligence | 12.7 |
| Service Provider management policies and procedures | Policy and procedures associated to the management of service providers | 12.8 |
|  | Includes proper due diligence prior to engaging any service provider. | 12.8.3 |
|  | Includes a program to monitor its service providers' PCI DSS compliance status at least annually. | 12.8.4 |
|  | Written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. | 12.8.2 |
|  | List of service providers | 12.8.1 |
| Incident response Plan | Incident response plan | 12.9 |
|  | Includes: roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum: specific incident response procedures; business recovery and continuity procedures; data back-up processes; analysis of legal requirements for reporting compromises (for example, California Bill 1386 which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database); coverage and responses for all critical system components; reference or inclusion of incident response procedures from the payment brands | 12.9.1 |
|  | Includes assignment of specific personnel to be available on a 24/7 basis to respond to alerts. | 12.9.3 |
|  | Includes annual testing | 12.9.2 |
|  | Includes appropriate training to staff with security breach response responsibilities. | 12.9.4 |
|  | Includes a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. |  |
|  | Previous incident or alert reports | 12.9.1 |

Do you agree with the list?
How do you manage your PCI Library?
Did you read our previous newsletter: PCI 30 second newsletter #27 - Static versus active protection systems what impact on quarterly scans?
PS: Download the new version of the PCI Compliance Dashboard with the above list.