PC I Requirement Implementation Technology
Install and maintain a A firewall must be used to segregate traffic from public external and Stateful packet
firewall configuration to internal untrusted networks. inspection firewalls
protect cardholder data. Application/
Do not use defaults
Most security products come with default passwords and
configurations, which often don’t provide adequate protection.
Resetting to an organization’s unique needs and threats is best
Credit Card Personal Account Numbers (PANs) should be truncated Data
or masked whenever stored and necessary storage of these Encryption
numbers should be eliminated. The full content of magnetic stripe
data, PINs, and credit card validation numbers should never be
stored. PANs that are stored should be encrypted.
Vendors and Products
Check Point Software Technology Fire Wall- 1, Secure Computing Side Winder G2
Sonic WALL Pro , Cisco PIX, Fortinet Fortigate, Juniper ISG
Citrix Application Firewall, F5 Networks Big-IP, Protegrity Threat Management System
Barracuda Web Application Controllers, Breach Security Web Defend,
Imperva Secure Sphere Web Application Firewall
LCPSoft LCP, DoubleUp Software PWDDoubleCheck, Elcomsoft Proactive Password
Bastille Hardening, Microsoft Baseline Security Analyzer, PivX
Protect stored NetLib Encryptionizer, Protegrity Data Protection System, Vormetric Data Security
cardholder data Expert, Application Security, Db Encrypt, Decru DataFort, RSA Security Database
Database Guardium Security Suite, IPLocks Suite, Protegrity Enterprise Security Reporter
Monitoring Tizor Systems Mantra, Sentrigo Hedgehog
Encrypt transmission of Transmission of cardholder data over open, public networks should Transport Encryption VeriSign, Comodo, Thawte, Geo Trust, Entrust
cardholder data across be protected by transport encryption such as secure socket layer open, public networks (SSL), transport layer security ( TLS) and Internet Protocol Security Wireless Security AirMagnet Enterprise, AirDefense Enterprise, Cisco Wireless LAN Security (IPSec) VPNs. Wireless transmissions must use WiFi Protected Management
Access ( WPA) encryption with a minimum of 104-bit encryption
with 24-bit initialization value.
Any systems that can potentially be infected by viruses must Antivirus
have antivirus systems that can detect and remove malware, and
generate audit logs.
Use and regularly
Process and systems should be in place for identifying vulnerabilities
and installing patches on a regular basis. Custom-developed
applications should follow current secure coding techniques. Web-facing applications need to be reviewed for common vulnerabilities or
protected using a Web application fire wall (not required until June).
Restrict access to Access should be limited to only authorized users who must have
cardholder data by access to perform business duties.
Develop and maintain
secure systems and
CA Antivirus, McAfee Virus Scan, Symantec Norton Antivirus, Kaspersky Lab Antivi-
rus, Sophos Antivirus, Trend Micro Antivirus
Lumension Sanctuary, Bit9 Parity, Cisco IPS, IBM Proventia
Juniper IDP, McAfee IntruShield, TippingPoint/3Com IPS
Symantec Altiris SecurityExpressions, Mc Afee/Citadel Security Soft ware, Lumension
Security Management Console, Qualys Guard PCI, Shavlik Security Intelligence
Assign a unique identity Actions by every user should be trackable by assigning each one
to each person with an individual identity and by monitoring their activities. Strong
computer access authentication techniques should be employed.
Restrict physical access Develop procedures to physically limit access to data center
to cardholder data equipment containing cardholder information.
Track and monitor all Implement a method to log access to cardholder data and maintain
access to network this audit trail for at least a year, with three months of online
resources and availability. Inspect audit trail daily for problems (can use log
cardholder data harvesting, parsing and alerting tools to accomplish this).
CA SiteMinder, Evidian Web Access Manager, Entegrity AssureAccess
IBM Tivoli Federated Identity Manager, Oracle Access Manager
Entrust GetAccess, Novell Web Access Manager
BMC Software User Administration and Provisioning, CA e Trust, Hewlett-Packard
Provisioning Manager, IBM Tivoli
Guardium Security Suite, IPLocks Suite, Protegrity Enterprise Security Reporter, Tizor
Systems Mantra, Sentrigo Hedgehog
RSA Security (EMC) SecurID, VASCO Digipass, BioPassword, Entrust IdentityGuard,
Aladdin e Token, ActivIdentity ActivClient, CRYPTOCard CRYP TO-Shield, Authenex
Strong Authentication System
CA, IBM Tivoli Federated Identity Manager, MaXware SAP Net Weaver, Imprivata
OneSign, ActivIdentity ActivID, Novell Identity Manager, Sun Microsystems Identity
HID badge systems (Biometrics system are also acceptable)
Regularly test security
systems and processes
Maintain a policy that
security for employees
Database Monitoring See Above
Network ConSentry LANShield, Cisco Systems ASA 5580 Series, StillSecure SafeAccess,
Access Control Juniper Networks Unified Access Control
Log LogLogic 4, SenSage Event Data Warehouse, Q1 Labs Qradar, Arcsight Logger, Intel-aggregation tools litactics Log Acquisition Appliance, Prism Microsystems Event Tracker
Security Information Intellitactics, TriGeo Networks SIM, netForensics nFX Open Security Platform, RSA
Management envision, ArcSight ESM
Net work Penetration Core Security Technologies Core Impact, Nessus (open source) , SAINT (open source),
and Vulnerability IBM (ISS) Net work Scanner, Symantec, Mc Afee (Foundstone), Qualys, White Hat
The policy should include usage guidelines for all employee-facing Policy Creation Symantec BindView Policy Manager, Polivec Enterprise Governance Solution, NetIQ
technology, information security duties to individual I T staffers and VigilEnt Policy Center, Cisco Security Policy Builder, Enterasys NetSight Policy Manager
security awareness program component.
Risk Assesment and Citicus ONE, Risk Watch for Information Systems, Telos/Xacta IA Manager, Securac
BASELINE FEBRUARY 2008
Use an approved vendor to conduct quarterly vulnerability scans
and conduct full penetration testing at least yearly.