| PCI Requirement No. | Current PCI DSS Standard (as of October 2013) | Proposed PCI DSS Update for 3.0 on top of existing standards | Purpose |
|---|---|---|---|
| 1 | Install and maintain a firewall configuration to protect cardholder data. | Have a current diagram that shows cardholder data flows. | To clarify that documented cardholder data flows are an important component of network diagrams. |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | Maintain an inventory of system components in scope for PCI DSS. | To support effective scoping practices. |
| 3 | Protect stored cardholder data. | No change from the existing version. | |
| 4 | Encrypt transmission of cardholder data across open, public networks. | No change from the existing version. | |
| 5 | Use and regularly update antivirus software. | Evaluate evolving malware threats for systems not commonly affected by malware. | To promote ongoing awareness and due diligence to protect systems from malware. |
| 6 | Develop and maintain secure systems and applications. | Update list of common vulnerabilities in alignment with OWASP, NIST, and SANS for inclusion in secure coding practices. | To keep current with emerging threats. |
| 7 | Restrict access to cardholder data by business need-to-know. | No change from the existing version. | |
| 8 | Assign a unique ID to each person with computer access. | Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates. | To address feedback about requirements for securing authentication methods, other than passwords, that need to be included. |
| 9 | Restrict physical access to cardholder data. | Protect POS terminals and devices from tampering or substitution. | To address the need for physical security of payment terminals. |
| 10 | Track and monitor all access to network resources and cardholder data. | No change from the existing version. | |
| 11 | Regularly test security systems and processes. | Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective. | To address requests for more details about penetration tests, and for more stringent scoping verification. |
| 12 | Maintain a policy that addresses information security. | Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity. Service providers need to accept responsibility for maintaining applicable PCI DSS requirements. | To address feedback from the 3rd-Party Security Assurance SIG. |