21 Cards in this Set

7.1
Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2
Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
7.3
Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
8.1
Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or cardholder data.
8.2
Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric. Use strong authentication methods and render all passwords unreadable during transmission and storage using strong cryptography.
8.3
Implement two-factor authentication for all remote network access that originates from outside the network, by employees, administrators, and third parties including vendor access for support or maintenance. Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication. Using one factor twice (e.g. using two separate passwords) is not considered two-factor authentication.
8.4
Develop, implement, and communicate authentication procedures and policies to all users.
8.5
Do not use group, shared, or generic IDs, or other authentication methods. Service providers with access to customer environments must use a unique authentication credential (such as a password/passphrase) for each customer environment. (Note: This requirement for service providers is a best practice until June 30, 2015, after which it becomes a requirement.)
8.6
Use of other authentication mechanisms such as physical security tokens, smart cards, and certificates must be assigned to an individual account.
8.7
All access to any database containing cardholder data must be restricted: all user access must be through programmatic methods; only database administrators can have direct or query access; and application IDs for database applications can only be used by the applications (and not by users or non-application processes).
8.8
Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
9.1
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2
Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3
Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.
9.4
Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration. Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, company, and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
9.5
Physically secure all media; store media back-ups in a secure location, preferably off site.
9.6
Maintain strict control over the internal or external distribution of any kind of media.
9.7
Maintain strict control over the storage and accessibility of media.
9.8
Destroy media when it is no longer needed for business or legal reasons.
9.9
Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. This includes periodic inspections of POS device surfaces to detect tampering, and training personnel to be aware of suspicious activity. (Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.)
9.10
Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.