About PCI-DSS Compliance
Understanding the PCI-DSS
PCI-DSS stands for “Payment Card Industry Data Security Standard.” It was first published in the early 2000s and has been revised roughly every three years; the most recent update, PCI-DSS 3.2.1, was released in May 2018. The purpose of the PCI-DSS is to strengthen the controls around cardholder data and reduce payment card fraud.
PCI-DSS includes six broad objectives, with requirement sections associated to each of them:
Objective | Requirement(s)
---|---
Build and Maintain a Secure Network | PCI-DSS 1: Install and maintain a firewall configuration to protect cardholder data
 | PCI-DSS 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data | PCI-DSS 3: Protect stored cardholder data
 | PCI-DSS 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program | PCI-DSS 5: Protect all systems against malware and regularly update anti-virus software or programs
 | PCI-DSS 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures | PCI-DSS 7: Restrict access to cardholder data by business need to know
 | PCI-DSS 8: Identify and authenticate access to system components
 | PCI-DSS 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks | PCI-DSS 10: Track and monitor all access to network resources and cardholder data
 | PCI-DSS 11: Regularly test security systems and processes
Maintain an Information Security Policy | PCI-DSS 12: Maintain a policy that addresses information security for all personnel
The full PCI-DSS requirements documentation (currently v3.2.1, released May 2018) is available from the PCI Security Standards Council here.
WhiteHat Sentinel and the PCI-DSS
WhiteHat Sentinel and WhiteHat Sentinel Source help you address PCI-DSS Requirement 6: Develop and maintain secure systems and applications. Specifically, vulnerabilities identified in production (Sentinel) or in source code (Sentinel Source) can be tracked and remediated to demonstrate compliance with PCI-DSS requirements 6.5.1 through 6.5.10, the common coding vulnerabilities that Requirement 6.5 requires you to address. The PCI 3.2 Compliance Report maps findings to each of those requirements individually, shows which categories and which specific vulnerability classes are failing compliance testing, and explains how to remediate those vulnerabilities.
Service Level Requirements
WhiteHat offers a variety of service levels, from Baseline (BE) through Standard (SE) to Premium (PE). Premium Edition is the service level that provides full business logic analysis and business logic re-testing.
A full PCI compliance analysis requires a business logic assessment of the asset. Therefore, if you need the PCI report to establish compliance, Sentinel PE is the appropriate service level for that asset.