Next week will be a busy week for us. We have two big customers going for first-time certification and re-certification respectively for PCI-DSS. The first-time cert will be done against PCI v3.0, while the second customer will be doing PCI v2.0. It should be a very interesting and busy time.
Anyway, I have been going through all the aspects of PCI-DSS certification with each of them. Here's just a quick refresher on some parameters that systems need to be configured with:
| Activity | Parameter |
|---|---|
| Session timeouts (inactivity) | 15 minutes |
| Lockout user | 6 attempts |
| Lockout duration | 30 minutes |
| Password history prohibition | 4 previous passwords |
| Minimum password length | 7 alphanumeric characters |
| Vendor/guest access to secure area | 1 day |
| Review of logs | 1 day |
| FIM: changes in critical files/system and application executable files | Weekly |
| Install vendor patches upon release | Within one month |
| Address critical vulnerabilities | Within one month |
| Remove inactive user accounts | 90 days |
| Change password | 90 days |
| Logs availability | 3 months online, 12 months offline |
| Address non-critical vulnerabilities | Within 3 months |
| CCTV video storage of secure room access | Minimum 3 months accessible |
| Wireless access scan | Quarterly |
| Network vulnerability/ASV scan | Quarterly |
| Firewall review and router rule sets | Half-yearly |
| Test terminated users to ensure deactivation | Half-yearly |
| Penetration testing for application and network | Annual |
| Review security for offsite backup storage | Annual |
| Inventory media (req 9.9.1) | Annual |
| Risk assessment | Annual |
| Training awareness | Annual |
| Acknowledgement of personnel of policy and procedures | Annual |
| Monitor service provider compliance | Annual |
| Test incident response plan | Annual |
| Review, document and validate compensating controls | Annual |
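As an added example that is not from the original post, here is a Python check that reads the Linux settings behind five of the rows above (TMOUT from the shell profile, deny/unlock_time from pam_faillock's faillock.conf, PASS_MIN_LEN/PASS_MAX_DAYS from /etc/login.defs) and flags any that miss the PCI parameter. The file contents are constructed samples, and mapping those files to the table rows is my assumption about a typical Linux host.

```python
# Check Linux login settings against the PCI-DSS parameters in the table above.
import re
# Constructed sample file contents (not from any real host).
SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS\t180\nPASS_MIN_LEN\t7\n"
SAMPLE_FAILLOCK_CONF = "deny = 10\nunlock_time = 1800\n"
SAMPLE_PROFILE = "readonly TMOUT=1800\nexport TMOUT\n"

# Baseline rows from the table: (label, key, source, kind, limit).
# kind "max": observed must be <= limit; kind "min": observed must be >= limit.
# Note PASS_MIN_LEN only covers length, not the alphanumeric composition rule.
BASELINE = [
    ("Session timeout (seconds)", "TMOUT", "profile", "max", 15 * 60),
    ("Lockout after attempts", "deny", "faillock", "max", 6),
    ("Lockout duration (seconds)", "unlock_time", "faillock", "min", 30 * 60),
    ("Minimum password length", "PASS_MIN_LEN", "logindefs", "min", 7),
    ("Password change (days)", "PASS_MAX_DAYS", "logindefs", "max", 90),
]

def parse_kv(text):
    """Parse 'KEY value', 'key = value' and 'KEY=value' lines into {key: int}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(?:readonly\s+|export\s+)?([A-Za-z_]+)\s*[=\s]\s*(\d+)$", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def check(sources):
    """Return (label, observed, limit) for every baseline row that is not met."""
    findings = []
    for label, key, src, kind, limit in BASELINE:
        observed = sources.get(src, {}).get(key)
        if observed is None:
            findings.append((label, None, limit))  # unset counts as a finding
        elif (kind == "max" and observed > limit) or (kind == "min" and observed < limit):
            findings.append((label, observed, limit))
    return findings

def audit_sample():
    return check({"profile": parse_kv(SAMPLE_PROFILE),
                  "faillock": parse_kv(SAMPLE_FAILLOCK_CONF),
                  "logindefs": parse_kv(SAMPLE_LOGIN_DEFS)})

if __name__ == "__main__":
    for label, observed, limit in audit_sample():
        print(f"FAIL {label}: observed {observed}, PCI limit {limit}")
```

On the sample, the 30-minute session timeout, the 10-attempt lockout and the 180-day password age are reported as failing; the lockout duration and minimum length pass.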