About PCI-DSS Compliance

Understanding the PCI-DSS

PCI-DSS stands for “Payment Card Industry Data Security Standard.” It was developed in the early 2000s and is updated roughly triannually; the most recent update, PCI-DSS 3.2.1, was released in May 2018. The purpose of the PCI-DSS is to increase controls around cardholder data and reduce credit card fraud.

PCI-DSS includes six broad objectives, each with its associated requirements:

Objective: Build and Maintain a Secure Network
    PCI-DSS 1: Install and maintain a firewall configuration to protect cardholder data
    PCI-DSS 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Objective: Protect Cardholder Data
    PCI-DSS 3: Protect stored cardholder data
    PCI-DSS 4: Encrypt transmission of cardholder data across open, public networks

Objective: Maintain a Vulnerability Management Program
    PCI-DSS 5: Protect all systems against malware and regularly update anti-virus software or programs
    PCI-DSS 6: Develop and maintain secure systems and applications

Objective: Implement Strong Access Control Measures
    PCI-DSS 7: Restrict access to cardholder data by business need to know
    PCI-DSS 8: Identify and authenticate access to system components
    PCI-DSS 9: Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks
    PCI-DSS 10: Track and monitor all access to network resources and cardholder data
    PCI-DSS 11: Regularly test security systems and processes

Objective: Maintain an Information Security Policy
    PCI-DSS 12: Maintain a policy that addresses information security for all personnel

The full PCI-DSS requirements documentation is available from the PCI Security Standards Council. PCI DSS v3.2.1 was released in May 2018.

WhiteHat Sentinel and the PCI-DSS

WhiteHat Sentinel and WhiteHat Sentinel Source help you address PCI-DSS Requirement 6: Develop and maintain secure systems and applications. Specifically, vulnerabilities identified in production (Sentinel) or in source code (Sentinel Source) can be monitored and remediated to demonstrate compliance with PCI-DSS requirements 6.5.1 through 6.5.10. The PCI 3.2 Compliance Report addresses each of those requirements individually, showing which categories and which specific vulnerability classes are failing compliance testing and how to remediate those vulnerabilities.

Service Level Requirements

WhiteHat offers a variety of service levels, from Baseline Edition (BE) through Standard Edition (SE) to Premium Edition (PE). Premium Edition is the service level that provides full business logic analysis and business logic re-testing.

To perform a full PCI compliance analysis, the asset must undergo business logic assessment; therefore, if you need the PCI report to establish compliance, Sentinel PE is the appropriate service level for that asset.