PCI DSS Gap Analysis Checklist Ver 1.0


PCI DSS Gap Analysis

Contents
  1. Document Control
  2. Legend
  3. Gap Analysis Sheet

Document Control
  • Prepared By: Jay Hira
  • Reviewed By:
  • Approved By:
  • Owner Name:
  • Valid From:
  • Valid Until:
  • Version No: 1
  • Status: Published
  • Document No:

Version History (columns: Version, Date, Approver for Change, Author, Description; no entries recorded)

Legend

Kindly Note:
  • In the "Compliance Level" field on the Gap Analysis Sheet, select the appropriate level of compliance from the drop-down list.
  • In the "Findings / Comments" field on the Gap Analysis Sheet, summarize the identified issue and substantiate the level of compliance identified.
  • Conditional formatting has been provided on the "Review Sheet" sheet under the "Compliance Level" field.

Compliance levels:
  • Non-Compliant
  • Partially Compliant
  • Fully Compliant

Gap Analysis Sheet

Columns: Req # | Control Objective | Basic Control | Extended Control | Compliance Level | Findings / Comments. The Compliance Level and Findings / Comments columns are blank in the template and are completed by the assessor.

Requirement 1 :- Install and maintain a firewall configuration

  • 1.1.1 - 1.1.9
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Controls:
      - A formal process for approving and testing all external network connections and changes to the firewall configuration.
      - A current network diagram with all connections to cardholder data, including wireless networks.
      - Requirements for a firewall at each internet connection and between any DMZ and the internal network.
      - Description of groups, roles and responsibilities for logical management of the network.
      - Documented list of ports and services necessary for business.
      - Justification and documentation for any available protocols besides HTTP, SSL/TLS, SSH and VPN.
      - Justification and documentation for any non-secure protocols such as FTP, including the reason for use of the protocol and the security features implemented.
      - Quarterly review of the router and firewall rule base.
      - Configuration standard for routers.

  • 1.2.0
    Basic Control: Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.

  • 1.3.1, 1.3.2, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Controls:
      - Restricting inbound internet traffic to IP addresses within the DMZ.
      - Not allowing internal addresses to pass from the internet into the DMZ.
      - Implementing stateful inspection, also known as dynamic packet filtering.
      - Placing the database in an internal network zone, segregated from the DMZ.
      - Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment.
      - Securing and synchronizing the router configuration.
      - Denying all other inbound and outbound traffic not specifically allowed.
      - Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or to control any such traffic.
      - Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the internet that are used to access the organization's network.

  • 1.4.1, 1.4.2
    Basic Control: Prohibit direct public access between external networks and any system component that accesses cardholder data.
    Extended Controls:
      - Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound traffic.
      - Restrict outbound traffic from payment card applications within the DMZ.

  • 1.5.0
    Basic Control: Implement IP masquerading to prevent internal addresses from being translated and revealed on the internet, using techniques such as PAT and NAT.

Requirement 2 :- Do not use vendor-supplied defaults for system passwords and other security parameters

  • 2.1.0, 2.1.1
    Basic Control: Always change vendor-supplied defaults before installing a system on the network.
    Extended Control: For wireless environments, change wireless vendor defaults, including but not limited to WEP keys, default SSIDs, passwords and SNMP community strings. Disable SSID broadcast. Enable WPA for encryption and authentication.

  • 2.3.1
    Basic Control: Encrypt all non-console administrative access. Use technologies such as SSH, VPN or SSL/TLS for web-based management and other non-console administrative access.

  • 2.4.1
    Basic Control: Hosting providers must protect each entity's hosted environment and data. These providers must meet the specific requirements given in Requirement A 1.

Requirement A 1 :- Hosting providers protect the cardholder data environment

  • 1.a.1 - 1.a.4
    Basic Control: Protect each entity.
    Extended Controls:
      - Restrict each entity's access and privileges to its own cardholder data.
      - Ensure that each entity only has access to its own cardholder data environment.
      - Ensure logging and audit trails are enabled, unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.
      - Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

Requirement 3 :- Protect cardholder data

  • 3.1.0
    Basic Control: Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal and/or regulatory purposes, as documented in the data retention policy.

Requirement 4 :- Encrypt transmission of cardholder data across open, public networks

  • 4.1.0, 4.1.1
    Basic Control: Use strong cryptography and security protocols such as SSL/TLS and IPSec to safeguard sensitive cardholder data during transmission over open, public networks.
    Extended Control: For wireless networks transmitting cardholder data, encrypt the transmission.

  • 4.2.0
    Basic Control: Never send unencrypted PAN by e-mail.

Requirement 5 :- Use and regularly update anti-virus software

  • 5.1.0
    Basic Control: Deploy anti-virus software on all systems commonly affected by viruses.

Requirement 6 :- Deploy and maintain secure systems and applications

  • 6.5.1, 6.5.2, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.9, 6.5.10
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Controls (vulnerability classes to be covered):
      - Unvalidated input
      - Broken access control
      - Cross-site scripting (XSS)
      - Buffer overflows
      - Injection flaws (SQL injection)
      - Improper error handling
      - Denial of service
      - Insecure configuration management

  • 6.6.1
    Basic Control: Ensure that all web-facing applications are protected.
    Extended Control: Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.

Requirement 7 :- Restrict access to cardholder data by business need to know

  • 7.1.0
    Basic Control: Limit access to computing resources and cardholder information only to those individuals whose job requires such access.

Requirement 8 :- Assign a unique ID to each person with computer access

  • 8.2.0
    Basic Control: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: passwords, token devices, biometrics.

  • 8.3.0
    Basic Control: Implement two-factor authentication for remote access to the network by employees, administrators and third parties, using technologies such as RADIUS, SSL/TLS or IPSec.

  • 8.4.0
    Basic Control: Encrypt all passwords during transmission and storage on all system components.

  • 8.5.1
    Basic Control: Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

Requirement 9 :- Restrict physical access to cardholder data

  • 9.1.1, 9.1.2, 9.1.3
    Basic Control: Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.
    Extended Controls:
      - Use cameras to monitor sensitive areas.
      - Restrict physical access to publicly accessible network jacks.
      - Restrict physical access to wireless access points, gateways and handheld devices.

  • 9.3.1, 9.3.2, 9.3.3
    Basic Control: Security procedures for visitors.
    Extended Controls:
      - Visitors are authorized before entering areas where cardholder data is processed or maintained.
      - Visitors are given a physical token that expires and that identifies them as non-employees.
      - Visitors are asked to surrender the physical token before leaving the facility or at the date of expiration.

  • 9.4.0
    Basic Control: Use a visitor log to maintain a physical audit trail of visitor activity.

  • 9.5.0
    Basic Control: Store media back-ups in a secure location, preferably an off-site facility such as an alternate or backup site, or a commercial storage facility.

  • 9.6.0
    Basic Control: Physically secure all paper and electronic media that contain cardholder data.

Requirement 10 :- Track and monitor all access to network resources and cardholder data

  • 10.2.1
    Basic Control: Implement automated audit trails for all system components to reconstruct --->

  • 10.5.1
    Basic Control: Secure audit trails so they cannot be altered.

  • 10.6.0
    Basic Control: Review logs for all system components at least daily. Log reviews must include those of systems such as IDS and AAA servers.

Requirement 11 :- Regularly test security systems and processes

  • 11.1.0
    Basic Control: Test security controls, limitations, network connections and

  • 11.2.0
    Basic Control: Run internal and external vulnerability scans at least quarterly and after any significant change in the network.

  • 11.3.0
    Basic Control: Perform penetration testing at least once a year and after any significant infrastructure change or upgrade.

  • 11.4.0
    Basic Control: Use network intrusion detection systems, host-based intrusion detection systems and intrusion prevention systems to monitor all network traffic and alert personnel.

  • 11.5.0
    Basic Control: Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files, and configure the software to perform critical file comparisons.