1. Identify all components in the cardholder data environment (CDE)
2. Evaluate all third-party service providers for PCI compliance
3. Create data-flow maps to understand how cardholder data moves throughout the network
4. Deploy system for tracking and monitoring all access to network resources and cardholder data
5. Securely dispose or anonymise stored cardholder data that is no longer needed for business or legal reasons
6. Protection of cardholder data with strong cryptography and security protocols
7. Regular testing of security systems and processes
8. Establish a formal, documented IT security policy
9. Ensure all default system passwords and other default security parameters are changed
10. Approval: IT Specialist on Fully Configured Firewall and Router Configuration
11. Conduct Employee PCI Training
12. Maintain an Inventory of Physical Devices and Systems
13. Perform Regularly Scheduled PCI Compliance Audits
14. Approval: Management on PCI Compliance Audit Reports
15. Create Incident Response Plan
16. Identify and Rank Threats and Vulnerabilities
17. Test and Improve Security Systems Regularly
18. Keep Software and Systems Up-To-Date
19. Demonstrate Enforcement of Policies and Procedures
Identify all components in the cardholder data environment (CDE)
This task involves identifying every system component that makes up the cardholder data environment (CDE). Under PCI DSS the CDE is the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data; systems that connect to the CDE or can affect its security (authentication servers, jump hosts, logging and monitoring, patch and backup infrastructure) are in scope as well, and network segmentation reduces scope only if it is verified to isolate the CDE. The desired result is a comprehensive, dated list of all CDE components, including servers, databases, applications, virtual machines and containers, network devices and network segments. Think about how the components interact with each other, and confirm the list against the data-flow maps rather than relying on what system owners report. Are there any challenges in identifying all the components (shadow systems, third-party-hosted components, backups and test copies of production data)? How will you overcome them?
Evaluate all third-party service providers for PCI compliance
This task involves evaluating every third-party service provider that stores, processes or transmits cardholder data on your behalf, or that can affect the security of the CDE, to confirm it is PCI DSS compliant. PCI DSS requires a maintained list of such providers, a written agreement in which each provider acknowledges responsibility for the cardholder data it handles, due diligence before engaging a provider, and monitoring of each provider's compliance status at least annually. The desired result is a list of service providers with evidence of compliance and a responsibility matrix stating which requirements each provider covers and which remain yours. Consider the different types of providers, such as payment gateways, hosting and cloud providers, and payment processors. What criteria will you use to evaluate their compliance (for example a current Attestation of Compliance whose scope actually covers the services you consume)? Are there any challenges in evaluating them? How will you address those challenges?
Create data-flow maps to understand how cardholder data moves throughout the network
This task requires creating data-flow maps that show how cardholder data enters, moves through and leaves your environment, covering every channel (web, point of sale, phone, mail, file transfers, backups) and every point where it is stored, processed or transmitted. PCI DSS requires these diagrams to be maintained and kept accurate, and they are the basis for scoping: any component that appears on a flow carrying account data is in scope unless segmentation verifiably removes it. By understanding the flow of data, you can identify where data is stored unnecessarily, where sensitive authentication data might be retained after authorization, and where encryption is missing. The desired result is a set of clear, comprehensive, dated data-flow maps reconciled with the CDE inventory. Consider the different ways cardholder data can be transmitted and stored. Are there any challenges in creating these maps? How will you address those challenges?
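The reconciliation between the data-flow map and the CDE inventory described in the two tasks above, as an added example that is not part of this checklist: it takes constructed sample flows and a hypothetical inventory, flags any component that carries a PAN or sensitive authentication data without being declared in scope, and flags any destination that stores sensitive authentication data after authorization. The hostnames, scope labels and data-element names are assumptions made for the illustration.

```python
"""Reconcile a data-flow map against the CDE inventory (added example).

All hostnames, scope labels and flows below are constructed sample data,
not taken from any real environment.
"""
from dataclasses import dataclass

# Cardholder data is the PAN plus, when stored with it, name, expiry and
# service code. Sensitive authentication data (SAD) may never be stored
# after authorization under PCI DSS, even when encrypted.
SAD = frozenset({"TRACK", "CVV2", "PIN_BLOCK"})

# Parties outside our control are not inventoried (assumption).
EXTERNAL = frozenset({"customer", "acquirer"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: frozenset        # data elements carried on this hop
    stored_at_dst: bool    # True if dst persists the data


# Hypothetical inventory: component -> declared scope
INVENTORY = {
    "web-checkout": "CDE",
    "payment-svc": "CDE",
    "pay-db": "CDE",
    "analytics-db": "out-of-scope",
    "support-crm": "out-of-scope",
}

# Constructed sample flows; the two commented ones are the planted problems.
FLOWS = [
    Flow("customer", "web-checkout", frozenset({"PAN", "EXPIRY", "CVV2"}), False),
    Flow("web-checkout", "payment-svc", frozenset({"PAN", "EXPIRY", "CVV2"}), False),
    Flow("payment-svc", "acquirer", frozenset({"PAN", "EXPIRY", "CVV2"}), False),
    Flow("payment-svc", "pay-db", frozenset({"PAN", "EXPIRY"}), True),
    Flow("payment-svc", "pay-db", frozenset({"CVV2"}), True),       # SAD stored post-auth
    Flow("payment-svc", "analytics-db", frozenset({"PAN"}), True),  # PAN leaks out of scope
    Flow("payment-svc", "support-crm", frozenset({"NAME"}), True),  # name alone is not CHD
]


def touches_account_data(data):
    """A hop is in scope if it carries the PAN or any SAD element."""
    return "PAN" in data or bool(data & SAD)


def audit_flows(flows, inventory):
    """Return (severity, message) findings for SAD storage and scope gaps."""
    findings = []
    for f in flows:
        if not touches_account_data(f.data):
            continue
        if f.stored_at_dst and f.data & SAD:
            findings.append(("CRITICAL",
                             f"{f.dst} stores SAD {sorted(f.data & SAD)} received from {f.src}"))
        for host in (f.src, f.dst):
            if host in EXTERNAL:
                continue
            scope = inventory.get(host)
            if scope is None:
                findings.append(("HIGH", f"{host} handles account data but is not inventoried"))
            elif scope != "CDE":
                findings.append(("HIGH",
                                 f"{host} is declared {scope} but handles {sorted(f.data)}"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_flows(FLOWS, INVENTORY):
        print(f"[{severity}] {msg}")
```

Run against the sample data it reports two findings: the CVV2 persisted in pay-db and the PAN copied into analytics-db, which is declared out of scope. The NAME-only flow to support-crm is correctly ignored, since cardholder name without the PAN is not cardholder data under PCI DSS.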
Deploy system for tracking and monitoring all access to network resources and cardholder data
This task involves deploying a system for tracking and monitoring all access to network resources and cardholder data. PCI DSS Requirement 10 requires audit logs that capture at least every individual user's access to cardholder data, all actions by administrative accounts, access to the audit logs themselves, invalid access attempts, changes to authentication mechanisms, and creation or deletion of system-level objects. Logs need synchronized time, protection from tampering, retention of at least 12 months with a minimum of three months immediately available, and daily review (manual or automated) with follow-up on exceptions. By implementing such a system, you can detect and respond to potential security breaches and demonstrate compliance. The desired result is a functioning logging and monitoring system with documented review procedures. What tools or resources will you need to deploy this system? How will you ensure it is effective?
1. Logs
2. SIEM
3. Firewall
4. IDS/IPS
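Three of the Requirement 10 events above turned into detection rules over a constructed audit log, as an added example that is not part of this checklist: access to the cardholder database by an account not on the approved list, privilege escalation on a CDE host, and repeated failed logins from one source within a short window. The log format, host and user names, threshold and window are assumptions; a real deployment would express the same rules in the SIEM's own query language.

```python
"""Detection rules over constructed CDE audit-log lines (added example).

The log format, host names, user names and thresholds are assumptions made
for this illustration; map them onto whatever your SIEM actually ingests.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

CDE_HOSTS = {"pay-db", "payment-svc"}             # assumed in-scope systems
APPROVED_CHD_READERS = {"app_pay", "dba_oncall"}  # accounts allowed to query CHD
FAIL_THRESHOLD = 3                                # failed logins ...
FAIL_WINDOW = timedelta(minutes=5)                # ... within this window

# Constructed sample log; one line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z host=pay-db user=app_pay action=QUERY result=SUCCESS src=10.0.1.5
2024-05-02T10:01:10Z host=pay-db user=rpt_user action=QUERY result=SUCCESS src=10.0.5.9
2024-05-02T10:02:00Z host=payment-svc user=jdoe action=PRIV_ESC result=SUCCESS src=10.0.1.20
2024-05-02T10:03:00Z host=pay-db user=admin action=LOGIN result=FAILURE src=203.0.113.7
2024-05-02T10:03:05Z host=pay-db user=admin action=LOGIN result=FAILURE src=203.0.113.7
2024-05-02T10:03:09Z host=pay-db user=admin action=LOGIN result=FAILURE src=203.0.113.7
2024-05-02T10:04:00Z host=analytics-db user=bob action=QUERY result=SUCCESS src=10.0.5.9
this line is not in the expected format
2024-05-02T10:20:00Z host=pay-db user=admin action=LOGIN result=FAILURE src=203.0.113.7
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Apply three PCI-motivated rules; returns a list of (rule, detail) alerts."""
    alerts = []
    failures = defaultdict(list)   # (src, host) -> recent failed-login timestamps
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["host"] not in CDE_HOSTS:
            continue   # out-of-scope hosts are still logged, just not subject to these rules
        # Rule 1: every individual access to cardholder data must be by an approved account
        if ev["action"] == "QUERY" and ev["user"] not in APPROVED_CHD_READERS:
            alerts.append(("UNAPPROVED_CHD_ACCESS",
                           f"{ev['user']} queried {ev['host']} from {ev['src']}"))
        # Rule 2: all administrative actions are logged and surfaced for review
        if ev["action"] == "PRIV_ESC":
            alerts.append(("ADMIN_ACTION", f"{ev['user']} escalated privileges on {ev['host']}"))
        # Rule 3: repeated invalid access attempts from one source within the window;
        # fires once, when the count reaches the threshold
        if ev["action"] == "LOGIN" and ev["result"] == "FAILURE":
            key = (ev["src"], ev["host"])
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE",
                               f"{len(recent)} failed logins to {ev['host']} from {ev['src']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {detail}")
```

The sample produces three alerts. The failed login at 10:20 does not produce a fourth because the earlier failures have aged out of the five-minute window; the malformed line is dropped rather than crashing the run, which is the behaviour you want from a rule that has to survive real log noise.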
Securely dispose or anonymise stored cardholder data that is no longer needed for business or legal reasons
This task involves securely disposing of, or anonymizing, stored cardholder data that is no longer needed for business or legal reasons. PCI DSS requires a data retention and disposal policy with defined retention periods, a process run at least quarterly to find and delete data that exceeds them, and a prohibition on storing sensitive authentication data (full track data, card verification code, PIN or PIN block) after authorization, even encrypted. Where the PAN must be kept, it has to be rendered unreadable wherever it is stored: truncation (keeping at most the BIN and the last four digits), index tokens, a keyed one-way hash, or strong cryptography with proper key management. Disposal of media means physical destruction (cross-cut shredding, incineration or pulping) for paper and secure wiping or destruction for electronic media. The desired result is a documented process for secure disposal or anonymization, with evidence that it is run. How will you ensure that data is disposed of or anonymized securely? Are there any legal or regulatory requirements to consider?
Protection of cardholder data with strong cryptography and security protocols
This task involves implementing strong cryptography and security protocols to protect cardholder data at rest and in transit. PCI DSS defines strong cryptography by key strength and accepted algorithms, for example AES with 128-bit keys or more, three-key TDES, RSA with 2048-bit keys or more, and ECC with 224-bit keys or more; single DES, RC4, SSL (all versions) and early TLS (1.0) are not acceptable, so transmissions over open, public networks must use TLS 1.2 or later with strong cipher suites. Encryption is only as good as its key management: keys must be stored separately from the data they protect, restricted to the fewest custodians necessary, generated and managed under split knowledge and dual control, and replaced at the end of their cryptoperiod or when compromised. The desired result is cardholder data that is unreadable wherever stored and protected in transit. What encryption methods and security protocols will you implement? How will you ensure their effectiveness?
Algorithms:
1. AES
2. RSA
3. DES (not strong cryptography under PCI DSS; do not select)
4. 3DES (acceptable only with three independent keys; plan migration to AES)
Protocols:
1. TLS (1.2 or later)
2. SSL (all versions prohibited by PCI DSS; do not select)
3. IPSec
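The data-protection techniques named in the two tasks above, as an added example that is not part of this checklist: finding PANs in free text with a Luhn check, masking them for display, producing a keyed one-way hash usable as an index token, and building a TLS client context that refuses SSL and TLS 1.0/1.1. The regular expression, the sample text and the placeholder key are assumptions; the key in particular stands in for one held in a KMS or HSM.

```python
"""Find, mask and tokenize PANs; pin TLS to 1.2+ (added example).

The regex, the HMAC key and the sample text are assumptions for this
illustration. The key is a placeholder: in production it lives in a KMS or
HSM, separate from the data, under split knowledge and dual control.
"""
import hashlib
import hmac
import re
import ssl

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

DEMO_KEY = b"placeholder-key-do-not-use"   # assumption; never hard-code a real key


def luhn_ok(digits):
    """Luhn check-digit validation; every PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _pan_digits(match_text):
    """Strip separators; return the digit string if it is a plausible, Luhn-valid PAN."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text):
    """Return digit strings in text that look like PANs and pass the Luhn check."""
    return [d for d in (_pan_digits(m.group()) for m in CANDIDATE_RE.finditer(text)) if d]


def mask_pan(digits):
    """Display form allowed by PCI DSS: at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form (logs, tickets, exports)."""
    def repl(m):
        digits = _pan_digits(m.group())
        return mask_pan(digits) if digits else m.group()
    return CANDIDATE_RE.sub(repl, text)


def index_token(digits, key):
    """Keyed one-way hash of the PAN, usable as a lookup or index token.

    PCI DSS v4 requires hashes of PAN to be keyed: an unkeyed SHA-256 of a
    16-digit PAN is brute-forceable from the BIN and the Luhn structure.
    """
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def pci_tls_context():
    """Client context that refuses SSL and early TLS; only TLS 1.2 and 1.3 remain."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample text: one separated PAN, one digit run that fails Luhn, one more PAN
SAMPLE_TEXT = ("card 4111-1111-1111-1111 declined, ref 4111111111111112, "
               "retry with 5500000000000004 exp 12/26")

if __name__ == "__main__":
    print(find_pans(SAMPLE_TEXT))
    print(redact(SAMPLE_TEXT))
    print(index_token("4111111111111111", DEMO_KEY))
```

Luhn filtering is what keeps a scanner like this from drowning in order numbers and phone numbers, but it is a plausibility check, not proof: a digit run that passes Luhn still needs a human or a BIN table before it is treated as a confirmed PAN. The index token is deterministic by design, which is what makes it usable for lookups; that same property is why the key must be protected as carefully as an encryption key.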
Regular testing of security systems and processes
This task involves regularly testing the security systems and processes in place to ensure they are effective in protecting cardholder data. PCI DSS Requirement 11 sets the minimum cadence: internal and external vulnerability scans at least quarterly and after significant changes (external scans by an Approved Scanning Vendor, with rescans until a passing result), internal and external penetration testing at least annually and after significant changes, and, where segmentation is used to reduce scope, testing that it actually isolates the CDE at least annually (every six months for service providers). Intrusion detection and file-integrity monitoring must also be running and generating alerts that someone reviews. The desired result is a documented testing schedule and process, with findings tracked to remediation and retest. How frequently will you perform security testing? What methods or tools will you use?
1. Quarterly
2. Biannually
3. Annually
Establish a formal, documented IT security policy
This task involves establishing a formal, documented IT security policy that outlines the guidelines and procedures for protecting cardholder data. PCI DSS Requirement 12 expects the policy to be published and disseminated to all relevant personnel, reviewed at least annually and updated when the environment changes, to assign information security responsibilities to named roles, and to be supported by acceptable-use rules for end-user technologies and a documented risk assessment process. By having a clear policy in place, you can ensure all employees and stakeholders understand their responsibilities and comply with PCI standards. The desired result is a comprehensive, approved IT security policy with a record of who has acknowledged it. How will you communicate the policy to all relevant parties? How will you enforce compliance with the policy?
Ensure all default system passwords and other default security parameters are changed
This task involves ensuring that all vendor-supplied defaults are changed before a system is connected to the network: default passwords, default and unnecessary accounts (disable or remove them), SNMP community strings, wireless defaults (SSID, encryption keys, management passwords) and default configurations that leave unneeded services and protocols enabled. PCI DSS Requirement 2 also requires documented configuration standards for every system type, so that hardening is repeatable rather than ad hoc. By changing default settings, you can prevent unauthorized access using publicly known credentials and maintain PCI compliance. The desired result is a documented process for identifying and changing defaults, applied to every new device and verified on existing ones. How will you ensure all defaults are identified and changed, including on network devices, point-of-sale terminals and embedded management interfaces?
1. Default passwords
2. Default usernames
3. Default IP addresses
Approval: IT Specialist on Fully Configured Firewall and Router Configuration
Submitted for approval: Deploy system for tracking and monitoring all access to network resources and cardholder data
Conduct Employee PCI Training
This task involves conducting PCI training for all employees who handle cardholder data or have access to the CDE. PCI DSS requires a formal security awareness program delivered upon hire and at least annually, with personnel acknowledging at least annually that they have read and understood the security policy; staff at point-of-sale locations also need training on recognizing device tampering and substitution and on verifying the identity of anyone claiming to service a device. By providing training, you can educate employees on their roles and responsibilities in maintaining PCI compliance. The desired result is all relevant employees trained, with attendance and acknowledgement records kept as evidence. What topics will the training cover? How will you track and document employee training?
1. Data security
2. PCI standards
3. Incident response
4. Handling customer data
Maintain an Inventory of Physical Devices and Systems
This task involves maintaining an inventory of all physical devices and systems that are part of the cardholder data environment or connected to it. PCI DSS requires a list of system components in scope and, separately, a maintained list of point-of-interaction devices (make, model, location, serial number) that are periodically inspected for tampering or substitution. By keeping an updated inventory, you can ensure all devices and systems are accounted for, hardened, patched, logged and correctly scoped. The desired result is a documented inventory of physical devices and systems, reconciled against the network and data-flow diagrams. How will you track changes in the inventory? How frequently will you update it?
Perform Regularly Scheduled PCI Compliance Audits
This task involves performing regularly scheduled PCI compliance audits to assess the implementation and effectiveness of security controls. Formal validation happens at least annually, either as a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (RoC) produced by a Qualified Security Assessor depending on merchant level and acquirer requirements, with an Attestation of Compliance sent to the acquirer or payment brand; between assessments, internal audits should confirm that recurring controls such as quarterly scans, daily log reviews and six-monthly firewall rule reviews actually ran. By conducting audits, you can identify areas of non-compliance and take corrective actions before the formal assessment. The desired result is audit reports indicating compliance status, with dated evidence and any corrective actions taken. How frequently will you perform audits? What criteria will you use to assess compliance?
Approval: Management on PCI Compliance Audit Reports
Submitted for approval: Perform Regularly Scheduled PCI Compliance Audits
Create Incident Response Plan
This task involves creating an incident response plan for a security breach or incident involving cardholder data. PCI DSS requires the plan to define roles, responsibilities and communication strategies, including notification of the payment brands and the acquirer; specific procedures for containment, evidence preservation and eradication; business recovery and continuity; legal and regulatory reporting obligations; coverage of all critical system components; and handling of alerts from intrusion-detection, file-integrity and monitoring systems. Personnel must be available to respond around the clock and trained in their duties, and the plan must be tested at least annually and updated with lessons learned. By having a well-defined plan, you can respond effectively to incidents and minimize their impact. The desired result is a documented, tested incident response plan. What steps and procedures will you include in the plan? How will you ensure all relevant parties are aware of the plan?
Identify and Rank Threats and Vulnerabilities
This task involves identifying and ranking threats and vulnerabilities that could pose risks to cardholder data security. PCI DSS requires a process to identify new vulnerabilities using reputable outside sources (vendor advisories, CVE/NVD, threat intelligence feeds) and to assign each a risk ranking, for example high, medium or low, based on industry practice such as CVSS scores combined with the criticality and exposure of the affected component. The ranking drives patching deadlines and testing priorities. The desired result is a list of identified threats and vulnerabilities ranked by severity, each with an owner. What methods or tools will you use to identify and rank threats and vulnerabilities? How will you prioritize mitigation efforts?
1. Low
2. Medium
3. High
Test and Improve Security Systems Regularly
This task involves regularly testing and improving the security systems in place so that they remain effective against new threats and vulnerabilities. Beyond the scheduled scans and penetration tests, this means reviewing intrusion-detection and file-integrity alerts, verifying that changes do not degrade segmentation or logging, retesting after every significant change, and feeding findings from incidents and audits back into the configuration standards. The desired result is a documented testing and improvement process with a remediation log showing each finding, its owner and its retest result. How frequently will you perform security testing? How will you prioritize improvement efforts?
1. Monthly
2. Quarterly
3. Annually
Keep Software and Systems Up-To-Date
This task involves keeping software and systems current with security patches. PCI DSS requires applicable critical or high-security patches to be installed within one month of release and all other applicable patches within a period set by your risk ranking; this covers operating systems, databases, web and application servers, payment applications, network and security devices, and anti-malware engines and signatures. Software that no longer receives vendor patches is a vulnerability in itself and needs a migration plan or compensating controls. The desired result is a documented patch management process driven by the system inventory, so that you know what is installed where. How frequently will you check for updates? How will you ensure updates are applied in time?
1. Operating system
2. Antivirus software
3. Payment applications
Demonstrate Enforcement of Policies and Procedures
This task involves demonstrating the enforcement of policies and procedures related to PCI compliance. Assessors look for evidence rather than intent: access reviews showing accounts removed when no longer needed, change tickets with approvals, records of the quarterly data-retention sweeps, training and acknowledgement records, device inspection logs, and documented handling of exceptions and violations. By ensuring consistent enforcement, you can maintain a culture of compliance and minimize the risk of non-compliance. The desired result is documented evidence of policy enforcement. How will you communicate and monitor policy enforcement? What measures will you take in case of non-compliance?