PCI DSS Gap Analysis Checklist Ver 1.0
PCI DSS Gap Analysis
Navigation Sheet

Sr. No.  Content
1        Document Control
2        Legend
3        Gap Analysis Sheet
-
Document Control

Prepared By:   Jay Hira
Reviewed By:
Approved By:
Owner Name:
Valid From:
Valid Until:
Version No:    1
Status:        Published
Document No:

Version History
Version | Date | Approver for Change | Author | Description
-
Kindly Note:
- In the "Compliance Level" field on the Gap Analysis Sheet, select the appropriate level of compliance from the drop-down list.
- In the "Findings / Comments" field on the Gap Analysis Sheet, summarize the identified issue and substantiate the level of compliance identified.
- Conditional formatting has been provided on the "Review Sheet" sheet under the "Compliance Level" field.

Legend (Compliance Level):
Non-Compliant
Partially Compliant
Fully Compliant
-
Gap Analysis Sheet

Columns: Req # | Control Objective | Basic Control | Extended Control | Compliance Level | Findings / Comments
The Compliance Level and Findings / Comments columns are left blank in the template and are completed during the review. The requirement numbers, control objectives and controls below are reproduced from the sheet, grouped by requirement.

Requirement 1: Install and maintain a firewall configuration
Req #: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.2.0, 1.3.1, 1.3.2, 1.3.2 (listed twice on the sheet), 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.1, 1.4.2, 1.5.0

Basic Control (1.1.1 to 1.1.9): Establish a firewall configuration standard that includes the following.
Extended Controls:
- Documented list of ports and services necessary for business
- Quarterly review of the router and firewall rule base
- Configuration standard for routers
- A formal process for approving and testing all external network connections and changes to the firewall configuration
- A current network diagram with all connections to cardholder data, including wireless networks
- Requirements for a firewall at each internet connection and between the DMZ and the internal network
- Description of groups, roles and responsibilities for logical management of the network
- Justification and documentation for any available protocols besides HTTP, SSL/TLS, SSH and VPN
- Justification and documentation for any non-secure protocols like FTP, which includes the reason for use of the protocol and the security features implemented

Basic Control (1.2.0): Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.

Basic Control (1.3.1 to 1.3.8): Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
Extended Controls:
- Not allowing internal addresses to pass from the internet into the DMZ
- Restricting inbound internet traffic to internet protocol addresses within the DMZ
- Implementing stateful inspection, also known as dynamic packet filtering
- Securing and synchronizing the router configuration
- Placing the database in an internal network zone, segregated from the DMZ
- Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment
- Denying all other inbound and outbound traffic not specifically allowed
- Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic
- Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the internet which are used to access the organization's network

Basic Control (1.4.1, 1.4.2): Prohibit direct public access between external networks and any system component that accesses cardholder data.
Extended Controls:
- Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound traffic
- Restrict outbound traffic from payment card applications within the DMZ

Basic Control (1.5.0): Implement IP masquerading to prevent internal addresses from being translated and revealed on the internet. Use techniques like PAT and NAT.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Req #: 2.1.0, 2.1.1, 2.3.1, 2.4.1

Basic Control (2.1.0, 2.1.1): Always change vendor-supplied defaults before installing a system on the network.
Extended Control (2.1.1):
- For wireless environments, change wireless vendor defaults, including but not limited to WEP keys, default SSIDs, passwords and SNMP community strings. Disable SSID broadcast. Enable WPA for encryption and authentication.

Basic Control (2.3.1): Encrypt all non-console administrative access. Use technology such as SSH, VPN or SSL/TLS for web-based management and other non-console administrative access.

Basic Control (2.4.1): Hosting providers must protect each entity's hosted environment and data. These providers must meet the specific requirements given in Requirement A.1.

Requirement A.1: Hosting providers protect the cardholder data environment
Req #: 1.a.1, 1.a.2, 1.a.3, 1.a.4

Basic Control (1.a.1 to 1.a.4): Protect each entity.
Extended Controls:
- Restrict each entity's access and privileges to its own cardholder data (1.a.1)
- Ensure that each entity only has access to its own cardholder data environment (1.a.2)
- Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10 (1.a.3)
- Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider (1.a.4)

Requirement 3: Protect cardholder data
Req #: 3.1.0

Basic Control (3.1.0): Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal and/or regulatory purposes, as documented in the data retention policy.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Req #: 4.1.0, 4.1.1, 4.2.0

Basic Control (4.1.0, 4.1.1): Use strong cryptography and security protocols such as SSL/TLS and IPSec to safeguard sensitive cardholder data during transmission over open, public networks.
Extended Control (4.1.1):
- For wireless networks transmitting cardholder data, encrypt the transmission.

Basic Control (4.2.0): Never send unencrypted PAN by e-mail.

Requirement 5: Use and regularly update anti-virus software
Req #: 5.1.0

Basic Control (5.1.0): Deploy anti-virus software on all systems commonly affected by viruses.

Requirement 6: Deploy and maintain secure systems and applications
Req #: 6.5.1, 6.5.2, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.9, 6.5.10, 6.6.1

Basic Control (6.5.1 to 6.5.10): Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
Extended Controls:
- Unvalidated input (6.5.1)
- Broken access control (6.5.2)
- Cross-site scripting (XSS) (6.5.4)
- Buffer overflows (6.5.5)
- Injection flaws (SQL injection) (6.5.6)
- Improper error handling (6.5.7)
- Denial of service (6.5.9)
- Insecure configuration management (6.5.10)

Basic Control (6.6.1): Ensure that all web-facing applications are protected.
Extended Control:
- Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.

Requirement 7: Restrict access to cardholder data by business need to know
Req #: 7.1.0

Basic Control (7.1.0): Limit access to computing resources and cardholder information only to those individuals whose job requires such access.

Requirement 8: Assign a unique ID to each person with computer access
Req #: 8.2.0, 8.3.0, 8.4.0, 8.5.1

Basic Control (8.2.0): In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: passwords, token devices, biometrics.
Basic Control (8.3.0): Implement two-factor authentication for remote access to the network by employees, administrators and third parties, using technologies such as RADIUS, SSL/TLS or IPSec.
Basic Control (8.4.0): Encrypt all passwords during transmission and storage on all system components.
Basic Control (8.5.1): Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

Requirement 9: Restrict physical access to cardholder data
Req #: 9.1.1, 9.1.2, 9.1.3, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 9.5.0, 9.6.0

Basic Control (9.1.1 to 9.1.3): Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.
Extended Controls:
- Use cameras to monitor sensitive areas (9.1.1)
- Restrict physical access to publicly accessible network jacks (9.1.2)
- Restrict physical access to wireless access points, gateways and handheld devices (9.1.3)

Basic Control (9.3.1 to 9.3.3): Security procedures for visitors.
Extended Controls:
- Visitors are authorized before entering areas where cardholder data is processed or maintained (9.3.1)
- Visitors are given a physical token that expires and that identifies them as non-employees (9.3.2)
- Visitors are asked to surrender the physical token before leaving the facility or at the date of expiration (9.3.3)

Basic Control (9.4.0): Use a visitor log to maintain a physical audit trail of visitor activity.
Basic Control (9.5.0): Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site or a commercial storage facility.
Basic Control (9.6.0): Physically secure all paper and electronic media that contain cardholder data.

Requirement 10: Track and monitor all access to network resources and cardholder data
Req #: 10.2.1, 10.5.1, 10.6.0

Basic Control (10.2.1): Implement automated audit trails for all system components to reconstruct --->
Basic Control (10.5.1): Secure audit trails so they cannot be altered.
Basic Control (10.6.0): Review logs for all system components at least daily. Log reviews must include those of systems like IDS and AAA servers.

Requirement 11: Regularly test security systems and processes
Req #: 11.1.0, 11.2.0, 11.3.0, 11.4.0, 11.5.0

Basic Control (11.1.0): Test security controls, limitations, network connections and
Basic Control (11.2.0): Run internal and external vulnerability scans at least quarterly and after any significant change in the network.
Basic Control (11.3.0): Perform penetration testing at least once a year and after any significant infrastructure change or upgrade.
Basic Control (11.4.0): Use network intrusion detection systems, host-based intrusion detection systems and intrusion prevention systems to monitor all network traffic and warn personnel.
Basic Control (11.5.0): Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files, and configure the software to perform critical file comparisons.