!!! Overview
[{$pagename}] ([PCI DSS]) is a proprietary information security standard for organizations that handle branded [Payment Cards] from the [Payment Card Industry] members.

[{$pagename}] is mandated by the card brands and administered by the [Payment Card Industry Security Standards Council]. 

[{$pagename}] was created to increase controls around [Cardholder Data] to reduce [credit card fraud|Payment Card Fraud]. 

Validation of compliance is performed periodically, either by an external [Qualified Security Assessor] ([QSA]) that creates a [Report on Compliance] ([ROC]) for organizations handling large volumes of transactions, or by [Self-Assessment Questionnaire] ([SAQ]) for companies handling smaller volumes.

!! [{$pagename}] Requirements
[{$pagename}] specifies twelve requirements for [compliance], organized into six logically related groups called "control objectives".

Each version of [{$pagename}] has divided these twelve requirements into a number of sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard.

!! Control objectives and [PCI DSS] requirements
! Build and Maintain a Secure Network and Systems
* 1. Install and maintain a firewall configuration to protect cardholder data
* 2. Do __NOT__ use vendor-supplied defaults for system passwords and other security parameters

! Protect [Cardholder Data]
* 3. Protect stored [Cardholder Data]
* 4. [Encrypt] transmission of [Cardholder Data] across open, [public networks|Internet]

! Maintain a Vulnerability Management Program
* 5. Protect all systems against [malware] and regularly update antivirus software or programs
* 6. Develop and maintain secure systems and applications

! Implement Strong [Access Control] Measures
* 7. Restrict access to [Cardholder Data] by business [need to know]
* 8. [Identify and Authenticate access to system components]
* 9. Restrict physical access to [Cardholder Data]

! Regularly Monitor and Test [Networks]
* 10. Track and [monitor|Monitoring] all [access] to network [resources] and [Cardholder Data]
* 11. Regularly test security systems and processes

! Maintain an [Information security] [Policy]
* 12. Maintain a [policy] that addresses [information security] for all personnel

!! Many Versions
* [PCI Data Security Standard v3.1] - Jan [2015|Year 2015]
* [PCI Data Security Standard v3.2] - Apr [2016|Year 2016]
* [PCI Data Security Standard v3.2.1] - Apr [2018|Year 2018]

!! "Secure Version of [TLS]"
The phrase "Secure Version of [TLS]" appears in several of the PCI SSC documents and has been clarified to mean "as defined by [NIST.SP.800-52]".

!! [Multi-Factor Authentication][2]
[{$pagename}] requirement 8.3 requires the use of [Multi-Factor Authentication] for all remote network access that originates from outside the network to a [Cardholder Data Environment] ([CDE]).

Beginning with PCI-DSS version 3.2, the use of [Multi-Factor Authentication] is also required for all __administrative access__ to the [Card Data Environment|Cardholder Data Environment] ([CDE]), even if the user is within a trusted network.

Some clarification on [{$pagename}] and [Multi-Factor Authentication]:

Troy Leach, [Payment Card Industry Data Security Standard]'s Chief Technology Officer, clarifies this further by stating:[3]
{{{
[A] significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity 
and grant access to sensitive information, even if they are within a trusted network…
The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. 
This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.
}}}
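The requirement 8.3 rules described in this section, written out as an access-decision helper. This is an added example, not PCI SSC or PCI DSS text; the request fields, the role names and the version tuple are assumptions made for the illustration, and the version check models the 3.2 change (administrative access to the CDE needs MFA even from a trusted network).

```python
"""Access-decision helper modelling the PCI DSS requirement 8.3 MFA rules
(added example; the request shape and version tuple are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    administrative: bool        # can change systems or credentials in the CDE
    remote: bool                # originates outside the organisation's network
    target_in_cde: bool         # destination is part of the Cardholder Data Environment
    mfa_verified: bool          # a second factor has already been checked
    pci_dss_version: tuple = (3, 2)   # assessed version, e.g. (3, 1) or (3, 2)


def mfa_required(req: AccessRequest) -> bool:
    """Return True when requirement 8.3 demands MFA for this request."""
    if not req.target_in_cde:
        return False            # 8.3 is scoped to access into the CDE
    if req.remote:
        return True             # remote access from outside the network: all versions
    if req.administrative and req.pci_dss_version >= (3, 2):
        return True             # from 3.2: admin access needs MFA even on a trusted network
    return False


def decide(req: AccessRequest) -> str:
    """'allow', or 'deny:mfa-required' when a password alone is not sufficient."""
    if mfa_required(req) and not req.mfa_verified:
        return "deny:mfa-required"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests showing the effect of the 3.2 change.
    samples = [
        AccessRequest("dba-internal", True, False, True, False, (3, 1)),
        AccessRequest("dba-internal", True, False, True, False, (3, 2)),
        AccessRequest("vpn-user", False, True, True, False),
        AccessRequest("clerk-internal", False, False, True, False),
    ]
    for s in samples:
        print(f"{s.user:15} v{s.pci_dss_version[0]}.{s.pci_dss_version[1]} -> {decide(s)}")
```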

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Payment_Card_Industry_Data_Security_Standard|Wikipedia:Payment_Card_Industry_Data_Security_Standard/|target='_blank'] - based on information obtained 2016-07-15
* [#2] - [Multi-factor_authentication|Wikipedia:Multi-factor_authentication|target='_blank'] - based on information obtained 2017-03-19
* [#3] - [For PCI Multi-Factor Authentication is Now Required for Everyone…and You Better Hurry|http://blog.centrify.com/pci-multi-factor-authentication-mfa/|target='_blank'] - based on information obtained 2017-03-19