(Payment Card Industry Data Security Standard)

Build and maintain a secure "network"

Requirement 1. Install and maintain a firewall configuration to protect data

Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

Requirement 3. Protect stored cardholder data

Requirement 4. Encrypt cardholder data and other sensitive information when it is transmitted across public networks

Adopt and maintain a structured system of detection and management of IT vulnerabilities

Requirement 5. Use and update anti-virus software regularly

Requirement 6. Develop and maintain secure systems and applications

Implement control procedures for data access

Requirement 7. Restrict access to cardholder data to personnel authorized to handle it

Requirement 8. Assign a unique and personal ID to each individual who has access to the system

Requirement 9. Ensure that physical access to cardholder data is limited to authorized persons

Monitor and regularly test the networks

Requirement 10. Track and monitor all access to network resources and cardholder data

Requirement 11. Regularly test security systems and processes

Maintain a security information policy

Requirement 12. Maintain a policy that addresses information security

Please note that the "Payment Card Industry (PCI) Data Security Requirement" applies to all members, merchants and service providers who store, process or transmit cardholder data. In addition, these security requirements apply to all system components, defined as all network components, servers or applications that contain or are connected to cardholder data. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy and NTP. Applications include both those purchased externally and those developed internally, including web applications for both internal and external (Internet-facing) use.

Build and maintain a secure "network"

Requirement 1: Install and maintain a firewall to protect data

Firewalls are devices that control traffic entering a corporate network from the outside, and traffic moving from the internal network into its more sensitive areas. All systems, whether they serve e-commerce, desktop access to data or staff e-mail, must be protected from unauthorized access from the Internet. Seemingly insignificant paths to and from the Internet can open unprotected routes into key systems. Firewalls are a fundamental security mechanism for any computer network.

1.1 Build a standard firewall configuration that includes:

1.1.1 A formal process to approve and test all connections to networks outside the system and changes to the firewall structure

1.1.2 An updated diagram of the network with all credit card holder data connections, including all wireless connections

1.1.3 Requirements for a firewall check on each Internet connection and between each DMZ and the intranet

1.1.4 Description of groups, roles and responsibilities for the logical management of network components

1.1.5 Formal lists of services and ports necessary for the business

1.1.6 Justification and documentation for each protocol allowed other than HTTP, SSL, SSH and VPN

1.1.7 Justification and documentation for each risky protocol permitted (FTP, etc.), including the reasons for using the protocol and the security features implemented

1.1.8 Periodic revision of the firewall / router rule set

1.1.9 Configuring standards for routers

1.2 Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for:

1.2.1 Web protocols - HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443)

1.2.2 System administration protocols - Secure Shell (SSH) or Virtual Private network (VPN)

1.2.3 Other protocols required by the business (for example, ISO 8583)

1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This configuration should include:

1.3.1 Restricting inbound Internet traffic to IP addresses within the DMZ (ingress filters)

1.3.2 Restricting inbound and outbound Internet traffic to ports 80 and 443

1.3.3 Not allowing internal addresses to pass from the Internet into the DMZ (egress filters)

1.3.4 Allowing only "established" (authorized) connections into the network. Stateful inspection or dynamic packet filtering techniques are recommended

1.3.5 Placing the database in an internal network zone, segregated from the DMZ

1.3.6 Restricting outgoing traffic exclusively to what is required for card payment

1.3.7 Securing and synchronizing the router's configuration files (for example, the running configuration and the start-up configuration used at reboot must have the same secure settings)

1.3.8 Rejection of all remaining inbound and outbound traffic not specifically permitted

1.3.9 Installing perimeter firewalls between all wireless networks and the payment environment and their configuration to reject or control (if such traffic is necessary for business purposes) all connections from the wireless environment

1.3.10 Installing personal firewall software on all laptops and/or employee-owned computers with a direct Internet connection (for example, laptops used by employees) that are used to access the corporate network

1.4 Prohibit direct public access between external networks and any system component that stores cardholder information (for example, databases).

1.4.1 Implement a DMZ to filter and monitor traffic in order to prohibit direct connections for incoming and outgoing Internet traffic

1.4.2 Restrict outbound traffic from card payment applications to IP addresses within the DMZ

1.5 Implement IP masquerading so that internal addresses are not exposed on the Internet. Use technologies that implement RFC 1918 address space, such as Port Address Translation (PAT) or Network Address Translation (NAT).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Hackers (internal or external to a company) often use vendor default passwords and other vendor default settings to compromise systems. These defaults are well known in hacker communities and are easily determined from public information.

2.1 Always change vendor defaults before installing a system on the network (for example, passwords, SNMP community strings, and elimination of unnecessary accounts).

2.1.1 For wireless environments, change the vendor defaults, including WEP keys, default SSIDs, passwords and SNMP community strings, and disable SSID broadcasts. Enable Wi-Fi Protected Access (WPA) technology for encryption and authentication where WPA is available

2.2 Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and follow industry best practices.

2.2.1 Implement only one primary function per server (for example, web server, database server and DNS should run on separate servers)

2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function)

2.2.3 Configure system security parameters to prevent misuse

2.2.4 Eliminate all unnecessary functions, such as scripts, drivers, features, subsystems, system files (for example, unnecessary web servers)

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN or SSL/TLS for web-based management and all other forms of non-console administrative access.

Protect cardholder data

Requirement 3: Protect the stored data

Encryption is the ultimate protection mechanism because, even if someone breaks through all the other defenses and gains access to encrypted data, they cannot read it without the proper decryption key. The basic principles of this protection mechanism are set out below.

3.1 Keep stored cardholder information to a minimum. Develop a data retention and disposal policy. Limit the amount of data stored and the retention period to what is required for business, legal and/or regulatory purposes, as documented in the data retention policy.

3.2 Do not store sensitive authentication data after authorization (not even if encrypted).

3.2.1 Do not store the full contents of any track from the magnetic stripe (on the back of the card or in the chip)

3.2.2 Do not store the card validation code (the three- or four-digit value printed on the front or back of the payment card, CVV2 or CVC2)

3.2.3 Do not store the PIN verification value (PVV)


3.3 Mask the account number when it is displayed (at most the first six and last four digits of the card number may be shown). Note that this does not apply to employees who have a legitimate need to see the full credit card number.

3.4 Render sensitive cardholder data unreadable wherever it is stored (including data on portable media, on backup media, in logs, and data received from or stored by wireless networks), using any of the following approaches:

• One-way hashes, such as SHA-1

• Truncation

• Index tokens and pads, with the pads stored securely

• Strong cryptography, such as Triple-DES 128-bit or AES 256-bit, with associated key management processes and procedures

At least the credit card number must be rendered unreadable.
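The display masking rule of 3.3 and two of the storage approaches in 3.4 (truncation and one-way hashing) can be shown in a few functions. The following Python is an added example, not code from the standard or any card brand; the sample PAN is a well-known test number and the HMAC key is a constructed placeholder. It goes slightly beyond the page in one respect: it uses a keyed hash rather than bare SHA-1, because the set of valid card numbers is small enough that an unkeyed digest of a PAN can be reversed by enumerating candidates, so the key (which must be managed as in 3.5 and 3.6) is what keeps the hash one-way in practice.

```python
import hashlib
import hmac
import re

# Constructed sample values for this example (the PAN is a public test number, not a real card).
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"example-hmac-key-managed-per-3.5-and-3.6"  # placeholder, not a real key


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used only so that redaction does not mask arbitrary numbers that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Display form (3.3): at most the first six and last four digits remain visible."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    keep_first, keep_last = min(keep_first, 6), min(keep_last, 4)   # hard upper bounds from 3.3
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


def truncate_pan(pan: str) -> str:
    """Storage form by truncation (3.4): keep only the last four digits; the rest is discarded."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Storage form by one-way hash (3.4), keyed with HMAC-SHA256 (assumption: HMAC instead of bare SHA-1).
    Without the key an attacker who steals the table could rebuild every PAN by hashing candidates."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid, PAN-sized digit run in free text, e.g. before a line is written to a log (3.4)."""
    def _sub(m):
        run = m.group(0)
        return mask_pan(run) if luhn_ok(run) else run
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))                 # 411111******1111
    print(truncate_pan(SAMPLE_PAN))             # 1111
    print(hash_pan(SAMPLE_PAN, SAMPLE_KEY))     # 64 hex characters
    print(redact_pans("auth ok for card 4111111111111111 ref 1234567890123456"))
```

`redact_pans` is the piece most teams forget: 3.4 explicitly covers logs, and application log lines are where full PANs most often leak. The Luhn filter keeps order numbers and timestamps from being masked by mistake; a number that happens to pass Luhn is masked anyway, which is the safe failure direction.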

3.5 Protect encryption keys against both disclosure and misuse.

3.5.1 Restrict access to keys to the fewest number of custodians necessary

3.5.2 Store keys securely in the fewest possible locations and forms

3.6 Document and implement all key management processes and procedures, including:

3.6.1 Generation of strong keys (eg 3D)

3.6.2 Distribution of keys securely

3.6.3 Keeping keys securely

3.6.4 Periodic modification of the keys

3.6.5 Destruction of old keys

3.6.6 Split knowledge and dual control of keys (so that two or three people, each knowing only their own part, are needed to reconstruct the whole key)

3.6.7 Prevention of unauthorized replacement of keys

3.6.8 Replacement of known or suspected compromised keys

3.6.9 Revocation of old or invalid keys (mainly for RSA keys)

3.6.10 Signing of a form by the key custodians acknowledging that they accept their responsibilities

Requirement 4: Encrypt cardholder data and sensitive information transmitted across public networks

Sensitive information must be encrypted during transmission over the Internet, as it is easy for an attacker to intercept data during transit.

4.1 Use strong cryptography (at least 128-bit), such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP) or Internet Protocol Security (IPSec), to safeguard sensitive cardholder data during transmission over public networks.

4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions using Wi-Fi Protected Access (WPA) technology where WPA is available, or a 128-bit VPN or SSL. Never rely solely on WEP to protect confidential data and access to a wireless LAN. Use one of the above technologies together with 128-bit WEP, and rotate the shared WEP keys quarterly and whenever there is a change of personnel.

4.2 Never send cardholder information via unencrypted e-mail.

Maintain a vulnerability management program

Requirement 5: Use and update anti-virus software regularly

Many viruses enter the network through employees' e-mail. Anti-virus software must be used on all e-mail systems in order to protect the network from software that could damage it.

5.1 Deploy anti-virus mechanisms on all systems commonly affected by viruses (particularly personal computers and servers).

5.2 Ensure that all anti-virus mechanisms are current, actively running and capable of generating audit logs.

Requirement 6: Develop and maintain secure systems and applications

Security vulnerabilities in systems can be exploited by malicious actors. Many of these vulnerabilities are fixed by vendor-supplied security patches (in some cases these updates are delivered automatically). All systems should have the most recently released software patches to protect them against misuse by employees, external hackers and viruses. For internally developed applications, many vulnerabilities can be avoided by standardizing the system development process and by using secure coding techniques.

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed.

6.1.1 Install patches within one month of their release by the vendor

6.2 Establish a process to identify newly discovered vulnerabilities (for example, subscribe to alerting services freely available on the Internet). Update the configuration standards to address new vulnerability issues.

Data Security Standards foreseen by International Circuits 5

6.3 Develop software applications based on industry best practices and include information security throughout the software development life cycle. Include the following:

6.3.1 Testing of all changes to programs, patches, systems and software before deployment to production

6.3.2 Separation of development and test environments from production environments

6.3.3 Differentiation of data access rights in development and production environments

6.3.4 Prohibition of use of production data in the development environment (real numbers of credit cards must not be used to test or develop the system)

6.3.5 Removal of test data before production systems become active

6.3.6 Removal of custom application accounts, usernames and passwords before applications go live or are released to customers

6.3.7 Review of custom code before release to production or to customers, in order to identify any potential vulnerability

6.4 Follow change control procedures for all system and software configuration changes. The procedures should include:

6.4.1 Documentation of the impact

6.4.2 Management sign-off by appropriate parties

6.4.3 Testing to verify operational functionality

6.4.4 Back-out procedures

6.5 Develop all web applications based on secure coding guidelines, such as the Open Web Application Security Project guidelines. Review custom application code to identify vulnerabilities introduced during development.

Refer to the OWASP "Ten Most Critical Web Application Security Vulnerabilities". Prevent the most common vulnerabilities in software development processes, including:

6.5.1 Failure to validate the input

6.5.2 Broken access control (for example, misuse of an authorized user's privileges)

6.5.3 Broken authentication / session management (misuse of credentials and session cookies)

6.5.4 Cross site scripting (XSS)

6.5.5 Buffer overflows

6.5.6 Injection flaws (for example, SQL injection)

6.5.7 Inadequate error handling

6.5.8 Failure to protect the database

6.5.9 Denial of service

6.5.10 Insecure configuration management
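Items 6.5.1 and 6.5.6 are the two most common defects a code review under 6.3.7 finds, and they are easiest to understand side by side. The following Python is an added example written for this page, not code from the standard; it builds a constructed in-memory SQLite table (storing only truncated PANs, as 3.4 allows), shows the flawed string-concatenated query next to the parameterized one, and puts an allow-list validator in front of the safe query.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example; only the last four PAN digits are stored."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cardholders (customer TEXT PRIMARY KEY, pan_last4 TEXT NOT NULL)")
    con.executemany("INSERT INTO cardholders VALUES (?, ?)", [("alice", "1111"), ("bob", "2222")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, customer: str) -> list:
    """6.5.6 injection flaw: the caller's string is spliced into the statement and parsed as SQL.
    A value containing a quote and an OR clause changes the WHERE condition instead of matching a name."""
    sql = f"SELECT customer, pan_last4 FROM cardholders WHERE customer = '{customer}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, customer: str) -> list:
    """Hardened form: a bound parameter is handed to the engine as data and is never parsed as SQL."""
    return con.execute(
        "SELECT customer, pan_last4 FROM cardholders WHERE customer = ?", (customer,)
    ).fetchall()


# Allow-list for the field (assumption: customer names are short alphanumeric identifiers).
CUSTOMER_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validated_lookup(con: sqlite3.Connection, customer: str) -> list:
    """6.5.1 input validation in front of the safe query: anything outside the allow-list is rejected
    before it reaches the database, which also keeps garbage out of the audit trail (10.3.5)."""
    if not CUSTOMER_NAME.fullmatch(customer):
        raise ValueError("invalid customer name")
    return lookup_safe(con, customer)


if __name__ == "__main__":
    con = make_demo_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(con, crafted))   # returns every row
    print("safe:      ", lookup_safe(con, crafted))         # returns no row
    print("validated: ", validated_lookup(con, "bob"))
```

Parameterization, not escaping or validation alone, is the control that removes the flaw: the allow-list is defence in depth and would not be enough on its own for fields that legitimately contain quotes.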

Implement strong access control measures

Requirement 7: Restrict access to cardholder data on a need-to-know (least privilege) basis

This ensures that critical data can be accessed only in an authorized manner.

7.1 Limit access to cardholder information to those individuals whose job requires such access.

7.2 Establish mechanisms that restrict access to data on a need-to-know basis, so that each operator can see only the data they are authorized to work with according to their duties. Anyone whose job does not require the data in question must not be able to access it.

Requirement 8: Assign a unique ID to each person with computer access

This ensures that operations on sensitive data are carried out by known and authorized users, which can be tracked.

8.1 Identify all users with a unique username before allowing them to access system components or cardholder data.

8.2 Employ at least one of the following methods, in addition to unique identification, to authenticate all users:

• Password

• Token devices (for example, SecurID, certificates or public keys)

• Biometric methods


8.3 Implement two-factor authentication for remote access to the network by employees, administrators and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates.

8.4 Encrypt all passwords during transmission and authentication on all system components.

8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

8.5.1 Control the addition, deletion and modification of user IDs, credentials and other identifier objects

8.5.2 Verify the user's identity before resetting passwords

8.5.3 Set a specific first-use password for each user and require it to be changed immediately after the first use

8.5.4 Immediately revoke access for users who have left the organization

8.5.5 Remove inactive user accounts at least every 90 days

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed

8.5.7 Distribute password procedures to all users who have access to cardholder information

8.5.8 Do not use group, shared or generic accounts and passwords

8.5.9 Change user passwords at least every 90 days

8.5.10 Require a minimum password length of at least 7 characters

8.5.11 Use passwords containing both alphabetic and numeric characters

8.5.12 Do not allow a user to submit a new password that is the same as any of the last four passwords used

8.5.13 Limit repeated access attempts by locking out the user ID after no more than six attempts

8.5.14 Set the lockout duration to 30 minutes or until an administrator re-enables the user ID

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal

8.5.16 Authenticate all access to any database containing cardholder information. This includes access by applications, administrative tools and any other access point.
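The password and lockout rules in 8.5.3 and 8.5.9 through 8.5.15 are concrete enough to be enforced in code, and the subtle parts (what counts as "the last four", when the lockout clears, when a first-use password must be replaced) are where implementations tend to drift. The following Python is an added example, not code from the standard; the PBKDF2 round count, the `Account` layout and the string outcomes returned by `login` are assumptions made for this illustration. Time is passed in explicitly so the behaviour around the 30-minute and 90-day boundaries can be exercised deterministically.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values taken from 8.5.9 to 8.5.15.
MAX_AGE = timedelta(days=90)          # 8.5.9
MIN_LENGTH = 7                        # 8.5.10
HISTORY = 4                           # 8.5.12: current password plus the three before it
MAX_FAILURES = 6                      # 8.5.13
LOCKOUT = timedelta(minutes=30)       # 8.5.14
IDLE_TIMEOUT = timedelta(minutes=15)  # 8.5.15
PBKDF2_ROUNDS = 50_000                # assumption for the example; tune upward in production


def meets_policy(password: str) -> bool:
    """8.5.10 and 8.5.11: at least seven characters, containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so that stored verifiers are not directly reversible (see also 8.4)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str                                     # 8.1: one ID per person, never shared (8.5.8)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    recent: list = field(default_factory=list)       # recent[0] is the current verifier
    changed_at: Optional[datetime] = None
    must_change: bool = False                        # 8.5.3: first-use password is single-use
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def set_password(acct: Account, password: str, now: datetime, first_use: bool = False) -> bool:
    """Set or change the password. Returns False if it violates 8.5.10/8.5.11 or repeats
    one of the last four verifiers (8.5.12)."""
    if not meets_policy(password):
        return False
    digest = _derive(password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.recent):
        return False
    acct.recent = [digest] + acct.recent[:HISTORY - 1]
    acct.changed_at = now
    acct.must_change = first_use
    return True


def login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'denied', 'change_required' or 'ok'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                              # 8.5.14: still inside the lockout window
    if not acct.recent or not hmac.compare_digest(_derive(password, acct.salt), acct.recent[0]):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:            # 8.5.13: sixth failure locks the ID
            acct.locked_until = now + LOCKOUT
            acct.failures = 0
            return "locked"
        return "denied"
    acct.failures = 0
    acct.locked_until = None
    acct.last_activity = now
    if acct.must_change or now - acct.changed_at > MAX_AGE:   # 8.5.3 / 8.5.9
        return "change_required"
    return "ok"


def session_active(acct: Account, now: datetime) -> bool:
    """8.5.15: a session idle for more than 15 minutes must re-authenticate."""
    return acct.last_activity is not None and now - acct.last_activity <= IDLE_TIMEOUT
```

Note that the lockout counter is reset when the lock is applied, so that one correct login after the 30 minutes does not leave the account one failure away from locking again; whether that is desired is a local policy choice, as is the administrator-unlock path (8.5.14), which here is simply clearing `locked_until`.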

Requirement 9: Restrict physical access to cardholder data

Any physical access to systems that hold cardholder data provides the opportunity to access that data or to remove systems or physical copies, and should be appropriately restricted.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.

9.1.1 Use cameras to monitor sensitive areas. Review the recorded data and correlate it with other entries

9.1.2 Restrict physical access to publicly accessible network jacks

9.1.3 Restrict physical access to wireless access points, gateways and handheld devices

9.1.4 Immediately revoke physical access for users who have left the organization

9.2 Develop procedures that help all staff to distinguish between employees and visitors, especially in areas where data on cardholders are accessible.

Employees are defined as full-time, part-time and temporary staff, and consultants who are permanently on site. Visitors are defined as vendors, guests of employees, service personnel or anyone who needs to enter the facility for a short duration, usually not more than one day.

9.3 Make sure all visitors are:

9.3.1 Authorized before entering areas where cardholder data is processed or stored

9.3.2 Given a physical token (such as a badge or access device) that expires and identifies them as non-employees

9.3.3 Asked to surrender the physical token before leaving the facility or on its expiry date

9.4 Use a log to track visitor activity. Keep this log for a minimum of three months, unless otherwise specified by law.

9.5 Store backup media in a secure off-site location, separate from the production site, for example using hosting services provided by companies specializing in alternate-site management.

9.6 Physically secure all paper and electronic media (computers, electronic media, hardware, telecommunications lines, paper receipts, paper reports and faxes) that contain cardholder information.


9.7 Maintain strict control over the internal or external distribution of any kind of media containing cardholder information.

9.7.1 Label the media so that it can be identified as confidential

9.7.2 Send the media by secured courier or a delivery mechanism that can be accurately tracked

9.8 Ensure that management approves all media moved out of a secured area (especially when media is handed to individuals).

9.9 Maintain strict control over the storage and accessibility of media containing cardholder information:

9.9.1 Properly inventory all media and make sure it is stored securely

9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons:

9.10.1 Shred or incinerate hard-copy materials

9.10.2 Degauss, shred or otherwise destroy electronic media so that cardholder data cannot be reconstructed

Monitor and regularly test the networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

10.1 Establish a process for linking all access to system components (especially access with administrative privileges such as root) to an individual user.

10.2 Implement automated audit trails so that, for every system component, the following events can be reconstructed:

10.2.1 All individual user access to cardholder data

10.2.2 All actions performed by users with administrator or root privileges

10.2.3 Access to all audit trails

10.2.4 Invalid access attempts

10.2.5 Use of identification and authentication mechanisms

10.2.6 Deletion or resetting of audit parameters and log files

10.2.7 Creation and deletion of system-level objects

10.3 For every event, on every system component, record at least the following:

10.3.1 User identification

10.3.2 Type of operation or event

10.3.3 Date and time

10.3.4 Outcome of the operation (executed, interrupted, not started, failed, etc.)

10.3.5 Origin of the operation (what caused the event, for example the name of the program that requested access, the abend code, etc.)

10.3.6 Identity of the system component affected by the event (data, application, user, environment, etc.)

10.4 Synchronize all critical system clocks and times.

10.5 Secure audit trails and log files so that they cannot be altered.

10.5.1 Restrict access to audit trails to those whose jobs require it

10.5.2 Protect audit trail files from unauthorized modification

10.5.3 Promptly back up audit trail files to a centralized log server or to media that is difficult to alter

10.5.4 Copy logs for wireless networks onto a log server on the internal LAN

10.5.5 Use file integrity monitoring or change detection software (for example, Tripwire) on logs and audit files, so that any change to these files raises an alert.
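The record fields listed under 10.3 and the tamper-evidence asked for in 10.5.2 and 10.5.5 fit together naturally: each record carries the six required fields, and each record also carries a keyed MAC over its own content plus the previous record's MAC, so an edit, deletion or reordering anywhere in the file breaks the chain at that point. The following Python is an added example, not code from the standard or from any product such as Tripwire; the log key and the JSON-lines layout are assumptions for the illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Assumption for the example: a secret held only by the log server, so that someone who can
# edit the log file cannot simply recompute the chain (10.5.2, 10.5.5).
LOG_KEY = b"example-log-integrity-key"   # placeholder, not a real key
GENESIS = "0" * 64


def _mac(rec: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    body = {k: v for k, v in rec.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def audit_record(user_id: str, event_type: str, outcome: str, origin: str, target: str,
                 when: Optional[datetime] = None, prev_mac: str = GENESIS) -> dict:
    """One event carrying the six fields of 10.3.1 to 10.3.6, chained to the previous record."""
    rec = {
        "user": user_id,                                            # 10.3.1
        "event": event_type,                                        # 10.3.2
        "time": (when or datetime.now(timezone.utc)).isoformat(),   # 10.3.3 (relies on 10.4 clock sync)
        "outcome": outcome,                                         # 10.3.4
        "origin": origin,                                           # 10.3.5
        "target": target,                                           # 10.3.6
        "prev": prev_mac,
    }
    rec["mac"] = _mac(rec)
    return rec


class AuditLog:
    """Append-only JSON-lines log; each line's MAC covers the line before it."""

    def __init__(self):
        self.lines: list = []
        self._last = GENESIS

    def append(self, **fields) -> dict:
        rec = audit_record(prev_mac=self._last, **fields)
        self._last = rec["mac"]
        self.lines.append(json.dumps(rec, sort_keys=True))
        return rec

    def head(self) -> str:
        """Latest MAC: store this off-host (10.5.3) so truncation of the tail is also detectable."""
        return self._last


def verify(lines) -> Optional[int]:
    """Return the index of the first altered, deleted or reordered record, or None if the chain is intact."""
    expected_prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        if rec.get("prev") != expected_prev or not hmac.compare_digest(_mac(rec), rec.get("mac", "")):
            return i
        expected_prev = rec["mac"]
    return None


if __name__ == "__main__":
    log = AuditLog()
    log.append(user_id="alice", event_type="read_cardholder_record", outcome="success",
               origin="billing-app", target="db:cardholders")
    log.append(user_id="root", event_type="edit_firewall_rules", outcome="success",
               origin="ssh:console", target="fw1")
    print("intact:", verify(log.lines) is None, "head:", log.head())
```

The chain alone cannot tell that the newest records were simply cut off, since a shortened file is still a valid prefix; that is why the latest MAC (or the whole log) must also be copied promptly to a separate server, as 10.5.3 requires.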


10.6 Review logs for all system components at least daily. Log reviews should include servers that perform security functions, such as intrusion detection systems (IDS) and authentication (AAA) servers (for example, RADIUS).

10.7 Retain the audit trail history for a period consistent with its effective use and with legal requirements. Audit history usually covers a period of at least one year, with a minimum of three months available online.

Requirement 11: Regularly test security systems and processes

New vulnerabilities are continually discovered by hackers and researchers and introduced by new software. Systems, processes and custom software should be tested frequently to ensure that security is maintained over time and after any change.

11.1 Test security controls, limitations, network connections and restrictions periodically to make sure they can adequately identify or stop any unauthorized access attempts. Where wireless technology is deployed, use a wireless analyzer periodically to identify all wireless devices in use.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (for example, installation of new system components, changes in network topology, firewall rule modifications, product upgrades). Note that external vulnerability scans must be performed by a scanning vendor approved by the payment card industry.

11.3 Perform penetration testing of network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification (for example, operating system upgrade, addition of a sub-network, addition of a web server).

11.4 Use network intrusion detection systems, host-based intrusion detection systems and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.

11.5 Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files, and perform critical file comparisons at least daily (or more frequently if the process can be automated).

Critical files are not necessarily those containing cardholder data. For the purposes of file integrity monitoring, critical files are those that do not change regularly but whose modification could indicate a system compromise or the risk of one. File integrity monitoring products usually come preconfigured with the critical files for the relevant operating system. Other critical files, such as those of custom applications, must be evaluated and defined by the merchant or service provider.
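The daily comparison that 11.5 asks for is, at its core, a baseline of content hashes and permission bits taken once and compared against a fresh walk of the same tree. The following Python is an added example, not code from the standard or from any file integrity monitoring product; the directory layout and file contents in `demo()` are constructed in a temporary directory purely to exercise the four kinds of change (content edit, permission change, new file, deleted file).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (by relative path) to its content hash and permission bits.
    Symlinks are skipped so that a redirected link is reported as a removed file, not a changed one."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """The three lists a daily run (11.5) should alert on: added, removed and modified files."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then edit one file, chmod one, add one and delete one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("welcome\n")
        base = build_baseline(root)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # content change
        os.chmod(root / "etc" / "passwd", 0o600)                              # permission change
        (root / "etc" / "rc.local").write_text("# new file\n")                # addition
        (root / "etc" / "motd").unlink()                                      # deletion
        return compare(base, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from 10.5.3 and 10.5.5 rather than from the code: the baseline itself must be kept where the monitored host cannot rewrite it (otherwise an intruder updates the baseline along with the file), and a "modified" result on a file that is expected to change, such as a log, is noise, which is why the page distinguishes critical files from the rest.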

Maintain a security information policy

Requirement 12: Adopt a policy that disseminates security information

A strong security policy sets the security tone for the whole company and lets employees know what is expected of them. All employees should be aware of the sensitivity of the data and of their responsibility for protecting it.

12.1 Establish, publish, maintain and disseminate a security policy.

12.1.1 Disseminate all the rules contained in this document

12.1.2 Include an annual process that identifies threats and vulnerabilities and results in a formal risk assessment

12.1.3 Review the policy at least once a year and update it when the environment changes

12.2 Develop daily operational security procedures based on the rules contained in this document (for example, user account maintenance procedures, log review procedures).

12.3 Develop usage policies for critical employee-facing technologies, such as modems and wireless, to define proper use for all employees. Ensure these usage policies require:


12.3.1 Explicit management approval

12.3.2 Authentication for the use of technology

12.3.3 A list of all devices and personnel with access

12.3.4 Labeling of devices with the owner's name and contact information

12.3.5 Uses permitted by type of technology (eg use of the laptop)

12.3.6 Location restrictions on the use of mobile technology, and rules for networking and accessibility (for example, use of a laptop connected to wireless off site)

12.3.7 A list of company-approved products

12.3.8 Automatic disconnection of modems after a certain period of inactivity

12.3.9 Activation of modems for vendors only when they are needed, with immediate deactivation after use

12.3.10 When accessing cardholder data remotely via modem, disabling storage of cardholder data onto local hard drives, floppy disks or other external media. Also disabling cut-and-paste and print functions during remote access.

12.4 Ensure that security procedures and policies clearly define responsibilities for the security of information for all staff.

12.5 Assign to a person or group the following responsibilities regarding the management of information security:

12.5.1 Define, formalize and disseminate security procedures and policies

12.5.2 Monitor and analyze security alerts and information, and distribute them to the appropriate personnel

12.5.3 Establish, document and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations

12.5.4 Administer user accounts, including additions, deletions and changes

12.5.5 Monitor and control all data accesses

12.6 Make all employees aware of the importance of cardholder information security.

12.6.1 Educate employees (for example, through posters, letters, memos, meetings and promotions)

12.6.2 Require employees to acknowledge in writing that they have read and understood the company's security policies and procedures

12.7 Screen employees who have access to cardholder data to minimize the risk of insider abuse. For employees who have access to card data only for the duration of a transaction, such as store clerks, this is a recommendation only.

12.8 Contractually require all third parties with access to cardholder data to adhere to the "Payment Card Industry Security Requirements". At a minimum, the agreement should address:

12.8.1 Acknowledgement that the third party is responsible for the security of the cardholder data in its possession

12.8.2 Acknowledgement that the cardholder data is owned by the payment card brands, the Acquirer and the cardholder, and that such data may be used only to complete a transaction, support a loyalty program, assist fraud control services, or for other uses specifically required by law

12.8.3 Business continuity in the event of a major disruption, disaster or failure

12.8.4 Audit provisions that ensure that a representative of the Payment Card Industry, or a third party approved by it, is given full cooperation and access to conduct a thorough security review after a security intrusion. The review will validate compliance with the "Payment Card Industry Data Security Standard" for protecting cardholder data

12.8.5 Termination conditions that ensure the third party will continue to treat cardholder data as confidential

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

12.9.1 Create an incident response plan to be used in the event of a system compromise. Ensure that the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing acquirers and credit card associations)

12.9.2 Test the plan at least annually

12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts

12.9.4 Ensure adequate training for employees with responsibility for responding to security breaches

12.9.5 Include alerts from intrusion detection, intrusion prevention and file integrity monitoring systems

12.9.6 Have a process to modify and evolve the incident response plan according to lessons learned and industry developments