PCI DSS
This is a draft document.
PCI DSS requirements that ASL addresses
1.2
Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1.2.1
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
2.2.3
Configure system security parameters to prevent misuse.
2.2.4
Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
5.1
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1.1
Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
5.2
Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
6.1
Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2
Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
6.5
6.5.1
Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws, as well as other injection flaws.
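The requirement above names SQL injection and OS command injection. Added here as an illustration (this is not ASL code and not text from the standard), each flaw is shown beside its fix: a query built by string concatenation next to the same query with a bound parameter, run against an in-memory SQLite table, and a command handed to the shell next to the same command passed as an argument list. The table, its rows and the attacker inputs are constructed for the demo.

```python
"""PCI DSS 6.5.1, injection flaws: string-built query vs. bound parameter,
and shell-built command vs. argv list. Added illustration, not ASL code.
The users table, its rows and the attacker inputs are constructed here.
"""
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two cardholders and the last four digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: untrusted input is spliced into the SQL text, so a
    quote in `name` closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT name, card_last4 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the value is bound as a parameter and never parsed as SQL,
    so "x' OR '1'='1" is simply a name nobody has."""
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def echo_vulnerable(user_input: str) -> str:
    """OS command injection: shell=True hands the whole string to /bin/sh,
    so ';', '|' or '$(...)' in the input become shell syntax."""
    out = subprocess.run(f"echo {user_input}", shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout


def echo_safe(user_input: str) -> str:
    """Fix: no shell; the input travels as one argv element and reaches the
    program as data. Prefer this even when the input looks harmless."""
    out = subprocess.run(["echo", user_input],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(conn, payload))     # both rows leak
    print("parameterized:", lookup_parameterized(conn, payload))  # []
    cmd = "hello; echo INJECTED"
    print("shell=True   :", repr(echo_vulnerable(cmd)))  # 'hello\nINJECTED\n'
    print("argv list    :", repr(echo_safe(cmd)))        # 'hello; echo INJECTED\n'
```

The same rule carries over to LDAP and XPath: build the query with the library's escaping or binding mechanism rather than by concatenating user-controlled strings.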
6.5.2
Buffer overflow
6.5.5
Improper error handling
6.5.6
6.5.7
Cross-site scripting (XSS)
6.5.9
Cross-site request forgery (CSRF)
6.6
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications
7.2
Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Addressed by the ASL RBAC (role-based access control).
7.2.1
Coverage of all system components
The RBAC covers the entire system.
7.2.2
Assignment of privileges to individuals based on job classification and function
The RBAC assigns privileges by role.
7.2.3
Default "deny-all" setting
The RBAC defaults to deny-all.
8.2
In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
ASL enforces key-based (two-factor) authentication. Note that a key file on its own is a single factor (something you have); it counts as two factors only when the key is protected by a passphrase (something you know).
8.3
Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)
ASL enforces key-based (two-factor) authentication.
8.4
Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
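For the storage half of this requirement, "strong cryptography" in practice means a salted, deliberately slow password hash, not a fast digest. Added here as an illustration (not ASL code), an unsalted MD5 digest sits beside a PBKDF2-HMAC-SHA256 record that carries its own salt and iteration count and is verified in constant time. The record format `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>` is this example's own convention. The transmission half is a TLS matter and is not shown.

```python
"""PCI DSS 8.4, passwords unreadable in storage: an unsalted fast hash beside
a salted, iterated PBKDF2 record with constant-time verification.
Added illustration, not ASL code. The record format
"pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is this example's own.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it over time
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What NOT to do: unsalted MD5. Identical passwords give identical
    digests, and every digest is precomputable (rainbow tables)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Random per-user salt plus a slow, iterated hash. Salt and iteration
    count are stored in the record so it stays verifiable after a policy
    change raises the default."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in
    constant time so the comparison does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print("match   :", verify_password("correct horse battery", record))  # True
    print("mismatch:", verify_password("wrong", record))                  # False
    print("same md5 twice:", weak_hash("same") == weak_hash("same"))      # True
```

Two salted records for the same password differ, so a leaked table cannot be attacked with one precomputed dictionary; the MD5 column shows why the unsalted form fails that test.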
8.5
Password and authentication-management policies. (ASL can enforce these.)
10.1
Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2
Implement automated audit trails for all system components to reconstruct events.
10.5
Secure audit trails so they cannot be altered.
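One way to make alteration of an audit trail detectable, added here as an illustration (not ASL's mechanism): chain the records, giving each an HMAC over the previous record's tag, its sequence number and its own text. Editing, deleting or reordering any record then breaks every tag from that point on, and without the key nobody can recompute them. The key and the syslog-style lines are constructed for the demo.

```python
"""PCI DSS 10.5, audit trails that cannot be altered undetected: each record
carries an HMAC over (previous tag, sequence number, record text), so editing,
deleting or reordering any record breaks every tag after it.
Added illustration, not ASL code. The key and the log lines are constructed.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32   # stands in as the "previous tag" of the first record


def _tag(key: bytes, prev_tag: bytes, seq: int, record: str) -> bytes:
    msg = prev_tag + seq.to_bytes(8, "big") + record.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def append_record(key: bytes, chain: list, record: str) -> dict:
    """Append one record, binding it to the tag of the record before it."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "tag": _tag(key, prev, seq, record).hex()}
    chain.append(entry)
    return entry


def verify_chain(key: bytes, chain: list) -> int:
    """Return -1 if every tag checks out, else the index of the first entry
    whose sequence number or tag does not match what the chain predicts."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(expected.hex(), entry["tag"]):
            return i
        prev = bytes.fromhex(entry["tag"])
    return -1


def build_sample_chain(key: bytes) -> list:
    """Constructed log lines in syslog style; not taken from a real system."""
    chain = []
    for line in [
        "sshd[2104]: Accepted publickey for admin from 10.0.0.5 port 51022",
        "sudo: admin : COMMAND=/usr/bin/cat /etc/shadow",
        "sshd[2104]: Disconnected from 10.0.0.5",
    ]:
        append_record(key, chain, line)
    return chain


if __name__ == "__main__":
    key = b"constructed-demo-key"          # in practice: kept off the logging host
    chain = build_sample_chain(key)
    print("intact   :", verify_chain(key, chain))             # -1
    tampered = [dict(e) for e in chain]
    tampered[1]["record"] = "sudo: admin : COMMAND=/usr/bin/ls"
    print("edited   :", verify_chain(key, tampered))          # 1
    deleted = [dict(e) for e in chain]
    del deleted[1]
    print("deleted  :", verify_chain(key, deleted))           # 1
```

The chain does not by itself detect truncation of the newest records, and it is only as strong as the secrecy of the key: the key, or at least the latest tag, has to live somewhere the host being audited cannot write, which is what shipping logs to a separate, centralized log server provides.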
10.6
ASL analyzes logs in real time.
10.7
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
ASL retains logs for five years by default.
11.2
ASL automatically scans the systems hourly.
11.4
Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.
ASL includes multiple IDS components, and they are kept up to date automatically.
11.5
Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
File-integrity monitoring in ASL is real time, and the RBAC blocks unauthorized modifications as they are attempted rather than reporting them after the fact.