PCI Compliance Requirements
Definitive Points of the Requirements of PCI Required by Crown Information Management
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration – usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.
PHYSICALLY SECURE THE PAYMENT SYSTEM
Businesses must physically secure or restrict access to printouts of cardholder data, to media where it is stored, and devices used for accessing or storing cardholder data. It’s important to understand that PCI is about protecting both electronic data and paper receipts as well.
9.4 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration.
Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, company, and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
9.5 Physically secure all media; store media back-ups in a secure location, preferably off site.
9.6 Maintain strict control over the internal or external distribution of any kind of media.
9.7 Maintain strict control over the storage and accessibility of media.
9.8 Destroy media when it is no longer needed for business or legal reasons.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. This includes periodic inspections of POS device surfaces to detect tampering, and training personnel to be aware of suspicious activity. (Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.)
9.10 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Requirement 12: Maintain a policy that addresses information security for all personnel
12.1 Establish, publish, maintain, and disseminate a security policy; review the security policy at least annually and update when the environment changes.
12.2 Implement a risk assessment process that is performed at least annually and upon significant changes to the environment that identifies critical assets, threats, and vulnerabilities, and results in a formal assessment.
12.3 Develop usage policies for critical technologies to define their proper use by all personnel. These include remote access, wireless, removable electronic media, laptops, tablets, handheld devices, email and Internet.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.5 Assign to an individual or team information security responsibilities defined by 12.5 subsections.

“With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. The range of supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.”
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Example screening includes previous employment history, criminal record, credit history, and reference checks.
12.8 Maintain and implement policies and procedures to manage service providers with which cardholder data is shared, or that could affect the security of cardholder data.
12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data that they possess or otherwise store, process, or transmit on behalf of the customer, or to the extent they could impact the security of the customer’s cardholder data environment. (Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.)
12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.