unrealone1 (United Kingdom) asked:

PCI compliance

Hi Experts,

We mainly offer workstation and server support in the UK. The client here has broadband with another supplier, and we supplied the router only. However, we have now been asked to complete a comprehensive questionnaire for PCI compliance (credit card payments). We are wondering how to respond because it’s fairly involved. Any advice please?

Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?

Is there a process to ensure the diagram is kept current?

Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?

Is the current network diagram consistent with the firewall configuration standards?

Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each?

Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?

Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?

Is all other inbound and outbound traffic specifically denied (for example by using an explicit "deny all" or an implicit deny after allow statement)?

Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?

Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
(For example, block traffic originating from the internet with an internal address.)

Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?

Are only established connections permitted into the network?

Are only trusted keys and/or certificates accepted?

Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?

Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?

For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received?
For example, for browser-based implementations:
   "HTTPS" appears as the browser Universal Record Locator (URL) protocol, and
   Cardholder data is only requested if "HTTPS" appears as part of the URL.

Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?

Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?

Is there a process to identify security vulnerabilities, including the following:
   Using reputable outside sources for vulnerability information?
   Assigning a risk ranking to vulnerabilities that includes identification of all "high" risk and "critical" vulnerabilities?

Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

Are critical security patches installed within one month of release?

Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?

Does penetration testing to verify segmentation controls meet the following?
   Performed at least annually and after any changes to segmentation controls/methods
   Covers all segmentation controls/methods in use
   Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
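Several of the firewall and router items above (explicit "deny all", anti-spoofing of internal source addresses from the Internet, only established connections inbound, explicitly authorised outbound traffic, a justified list of services and ports, and wireless kept apart from the cardholder data environment) can be checked mechanically against a router's rule list before answering. The following is an added example, not part of the original post and not any router vendor's configuration syntax: the Rule model, the check names and both sample rulesets are constructed here for illustration. The checks are written so that each one corresponds to one questionnaire item, which makes the audit output usable as evidence when the answer is "yes".

```python
"""Audit a firewall rule list against several PCI DSS Requirement 1 questionnaire items
(default deny, anti-spoofing, established-only inbound, explicit outbound, business
justification, wireless isolation). The rule format and both sample rulesets are
constructed for this example; they are not any router vendor's syntax."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# RFC 1918 address space: packets arriving from the Internet with these sources are forged.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" (toward the cardholder data environment), "out" (from it) or "any"
    iface: str               # ingress interface: "wan", "lan" (CDE), "wlan" (wireless) or "any"
    src: str = "any"         # source CIDR or "any"
    proto: str = "any"       # "tcp", "udp" or "any"
    port: str = "any"        # destination port or "any"
    state: str = "any"       # "established" (reply traffic only) or "any"
    justification: str = ""  # documented business reason, required for every allow


def _src_net(rule: Rule):
    return None if rule.src == "any" else ipaddress.ip_network(rule.src, strict=False)


def check_default_deny(rules: List[Rule]) -> bool:
    """Last rule must be an explicit deny-all (questionnaire: 'all other traffic specifically denied')."""
    last = rules[-1]
    return last.action == "deny" and all(
        getattr(last, f) == "any" for f in ("direction", "iface", "src", "proto", "port"))


def check_antispoof(rules: List[Rule]) -> bool:
    """Every RFC 1918 range must be denied on the WAN before any inbound allow could match it."""
    uncovered = list(RFC1918)
    for r in rules:
        if r.direction != "in" or r.iface != "wan":
            continue
        net = _src_net(r)
        if r.action == "deny":
            uncovered = [p for p in uncovered if not (net is None or p.subnet_of(net))]
        elif any(net is None or p.overlaps(net) for p in uncovered):
            return False  # a forged internal source would be accepted by this allow
    return not uncovered


def check_established_only(rules: List[Rule]) -> bool:
    """Inbound allows on the WAN may only admit reply traffic for sessions the CDE initiated."""
    return all(r.state == "established"
               for r in rules if r.action == "allow" and r.direction == "in" and r.iface == "wan")


def check_outbound_explicit(rules: List[Rule]) -> bool:
    """Outbound allows from the CDE must name protocol and port rather than 'any'."""
    return all(r.proto != "any" and r.port != "any"
               for r in rules if r.action == "allow" and r.direction == "out" and r.iface == "lan")


def check_justification(rules: List[Rule]) -> bool:
    """Every allow rule carries a documented business justification."""
    return all(r.justification.strip() for r in rules if r.action == "allow")


def check_wireless_isolation(rules: List[Rule]) -> bool:
    """No traffic is allowed from the wireless segment into the CDE."""
    return not any(r.action == "allow" and r.iface == "wlan" for r in rules)


CHECKS: Dict[str, Callable[[List[Rule]], bool]] = {
    "default_deny": check_default_deny,
    "anti_spoofing": check_antispoof,
    "established_only_inbound": check_established_only,
    "explicit_outbound": check_outbound_explicit,
    "business_justification": check_justification,
    "wireless_isolated": check_wireless_isolation,
}


def audit(rules: List[Rule]) -> Dict[str, bool]:
    return {name: fn(rules) for name, fn in CHECKS.items()}


def failed_checks(rules: List[Rule]) -> List[str]:
    return [name for name, ok in audit(rules).items() if not ok]


# Constructed "router left on factory rules" ruleset: permissive, no final deny.
WEAK_RULES = [
    Rule("allow", "in", "wan"),
    Rule("allow", "out", "lan"),
    Rule("allow", "in", "wlan"),
]

# Constructed hardened ruleset that answers the questionnaire items affirmatively.
HARDENED_RULES = [
    Rule("deny", "in", "wan", src="10.0.0.0/8", justification="anti-spoofing"),
    Rule("deny", "in", "wan", src="172.16.0.0/12", justification="anti-spoofing"),
    Rule("deny", "in", "wan", src="192.168.0.0/16", justification="anti-spoofing"),
    Rule("allow", "in", "wan", state="established", justification="replies to CDE-initiated sessions"),
    Rule("allow", "out", "lan", proto="tcp", port="443", justification="payment gateway over TLS"),
    Rule("allow", "out", "lan", proto="udp", port="53", justification="DNS for the CDE hosts"),
    Rule("deny", "in", "wlan", justification="wireless segment isolated from CDE"),
    Rule("deny", "any", "any"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, failed_checks(rules) or "all checks pass")
```

Rule order matters for the anti-spoofing check: the denies for internal source ranges have to sit above the "established" allow, otherwise a packet from the Internet with a forged internal address can be accepted as reply traffic, which is exactly what the questionnaire item is asking you to rule out. The output of `failed_checks` for the live ruleset, exported from the router and translated into this model, gives a per-item answer together with the offending rules.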

Last comment: 8/22/2022 (Mon)