
SmartTab PCI breakdown

iPads

1.2.5: All services, protocols, and ports are identified, approved and have defined business needs

1.2.6: Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

1.2.8: Configuration files for NSCs (network security controls) are secured from unauthorized access and kept consistent with active network configurations

1.3.1: Inbound traffic to the CDE is restricted as follows: to only traffic that is necessary; all other traffic is specifically denied

1.3.2: Outbound traffic from the CDE is restricted as follows: to only traffic that is necessary; all other traffic is specifically denied

1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted to: Communications with system components that are authorized to provide publicly accessible services, protocols and ports. Stateful responses to communications initiated by system components in a trusted network. All other traffic is denied.

1.4.4: System components that store cardholder data are not directly accessible from untrusted networks

2.3.1: For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: default wireless encryption keys, passwords on wireless access devices, SNMP defaults, and any other security-related wireless vendor defaults

4.2.1.2: Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission

10.6.1: System clocks and time are synchronized using time-synchronization technology

10.6.3: Time synchronization settings and data are protected

12.3.4: Hardware and software technologies in use are reviewed at least once every 12 months
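Requirements 1.2.5 and 1.2.6 assume a maintained inventory of approved listening services and a way to reconcile it against what a station actually exposes. The script below is an added example, not part of this article or of SmartTab's own tooling: it parses `ss -tulnp` style output (the sample lines and the approved inventory are constructed for illustration), reports anything listening that is not in the approved list, and flags services that PCI DSS guidance treats as insecure. Matching insecure services by well-known port is a heuristic chosen for this example; confirm by process and configuration before recording a finding.

```python
"""Reconcile observed listeners against an approved service inventory (1.2.5)
and flag insecure protocols that need compensating controls (1.2.6).

Added example; all data below is constructed, not taken from a real station."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Approved inventory: (protocol, port) -> documented business need.
# Constructed for this example; keep the real list under change control.
APPROVED = {
    ("tcp", 22): "remote administration of the station over SSH",
    ("tcp", 443): "HTTPS API between the iPad client and the backend",
    ("tcp", 5432): "PostgreSQL backend data store, bound to loopback only",
}

# Services that PCI DSS 1.2.6 guidance cites as insecure, keyed by usual port.
# Port-based matching is an assumption of this example, not a PCI DSS rule.
INSECURE_BY_PORT = {
    21: "FTP: cleartext credentials; replace with SFTP or FTPS",
    23: "Telnet: cleartext session; replace with SSH",
    110: "POP3: cleartext credentials unless TLS is enforced",
    161: "SNMP: v1/v2c community strings are cleartext; require SNMPv3",
}

# Constructed sample of `ss -tulnp` output, including the header line.
SAMPLE_SS = """
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=955,fd=6))
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1120,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*         users:(("postgres",pid=700,fd=5))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=640,fd=7))
""".strip().splitlines()


@dataclass
class Finding:
    proto: str
    port: int
    bind: str
    process: str
    approved: bool
    insecure_note: Optional[str]


# One ss line: proto, state, recv-q, send-q, local addr:port, peer, optional process.
_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(lines: Iterable[str]):
    """Yield (proto, bind address, port, process) for each listener line."""
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # header or a line in an unexpected format
        yield m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"


def audit_listeners(lines: Iterable[str], approved=APPROVED) -> list:
    """Classify every listener as approved or not and attach any insecure note."""
    return [
        Finding(proto, port, addr, proc, (proto, port) in approved,
                INSECURE_BY_PORT.get(port))
        for proto, addr, port, proc in parse_ss(lines)
    ]


def exceptions(findings: list) -> list:
    """Listeners needing action: not in the inventory, or inventoried but insecure."""
    return [f for f in findings if not f.approved or f.insecure_note]


if __name__ == "__main__":
    for f in exceptions(audit_listeners(SAMPLE_SS)):
        status = "approved" if f.approved else "NOT APPROVED"
        print(f"{f.proto}/{f.port} {f.process} on {f.bind}: {status}"
              + (f"; {f.insecure_note}" if f.insecure_note else ""))
```

Run it against real output with `ss -tulnp | python3 check_listeners.py` after swapping the constructed sample for `sys.stdin`; every exception it prints either needs an entry in the approved inventory with a business justification or a plan to remove the service.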

 

Internal IP addresses are visible to all employees and customers on the stations
1.4.5: The disclosure of internal IP addresses and routing information is limited to only authorized parties

 

Agreements are not signed before anyone is given access to system components
2.2.6: System security parameters are configured to prevent misuse

 

Backend data storage

3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes

3.3.1: SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process

3.3.1.1: The full contents of any track are not retained upon completion of the authorization process

3.3.2: SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography

10.2.1: Audit logs are enabled and active for all system components and cardholder data

10.2.1.1: Audit logs capture all individual user access to cardholder data

10.2.1.2: Audit logs capture all actions taken by any individual with administrator access, including any interactive use of applications or system accounts

10.2.1.3: Audit logs capture all access to audit logs

10.2.1.7: Audit logs capture all creation and deletion of system-level objects

10.2.2: Audit logs record the following details for each auditable event

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
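The logging requirements above are only useful if the events the backend actually emits carry the details 10.2.2 lists and cover the event classes in 10.2.1.1 through 10.2.1.7. The script below is an added example, not part of this article or of SmartTab's backend: it validates a batch of JSON audit events (constructed here; the field names are this example's own schema, chosen to mirror the 10.2.2 details of user, event type, date and time, success or failure, origination, and affected data or component), reports which 10.2.1.x event classes the batch evidences, and checks the 10.5.1 retention windows from the oldest archived and oldest online timestamps. The mapping from event names to requirement clauses is an assumption for this example.

```python
"""Validate exported audit events against the detail PCI DSS 10.2.2 requires,
report 10.2.1.x event-class coverage, and check 10.5.1 retention windows.

Added example; the log lines and schema below are constructed."""
import json
from datetime import datetime, timedelta, timezone

# This example's schema for the 10.2.2 details: who, what, when, outcome,
# where from, and what was affected. Real sources will use their own names.
REQUIRED = ("user", "event", "time", "result", "source", "target")

# Which 10.2.1.x clause each event class evidences. Assumption of this
# example; a real deployment keys this to its own log sources.
EVENT_CLASS = {
    "chd_read": "10.2.1.1",        # individual access to cardholder data
    "sudo": "10.2.1.2",            # action by an administrator
    "audit_log_read": "10.2.1.3",  # access to the audit logs themselves
    "schema_drop": "10.2.1.7",     # deletion of a system-level object
}

# Constructed sample: two complete events, one missing its target, one with
# no user, and one line that is not JSON at all.
SAMPLE_LOG = """
{"user":"jdoe","event":"chd_read","time":"2024-05-01T12:00:03Z","result":"success","source":"10.1.2.3","target":"orders.pan"}
{"user":"admin","event":"sudo","time":"2024-05-01T12:05:00Z","result":"success","source":"10.1.2.9","target":"/bin/bash"}
{"user":"root","event":"audit_log_read","time":"2024-05-01T12:06:00Z","result":"success","source":"10.1.2.9"}
{"event":"schema_drop","time":"2024-05-01T12:07:00Z","result":"failure","source":"10.1.2.9","target":"table:tmp"}
not json at all
"""


def parse_events(text: str):
    """Return (valid events, [(line number, problem)]) for a newline-delimited JSON log."""
    good, problems = [], []
    for n, line in enumerate(text.strip().splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED if f not in ev]
        if missing:
            problems.append((n, "missing " + ", ".join(missing)))
            continue
        try:
            # Accept the trailing "Z" form on Python versions before 3.11.
            ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        except ValueError:
            problems.append((n, "unparseable time"))
            continue
        if ev["time"].tzinfo is None:
            # Without a zone, events from different hosts cannot be ordered (10.6.1).
            problems.append((n, "time has no timezone"))
            continue
        good.append(ev)
    return good, problems


def clause_coverage(events) -> dict:
    """For each 10.2.1.x clause in EVENT_CLASS, whether the batch contains evidence of it."""
    seen = {EVENT_CLASS[e["event"]] for e in events if e["event"] in EVENT_CLASS}
    return {clause: clause in seen for clause in sorted(set(EVENT_CLASS.values()))}


def retention_status(oldest_archived: datetime, oldest_online: datetime,
                     now: datetime) -> dict:
    """10.5.1: twelve months retained in total, the latest three months immediately available."""
    return {
        "twelve_months_retained": oldest_archived <= now - timedelta(days=365),
        "three_months_online": oldest_online <= now - timedelta(days=90),
    }


if __name__ == "__main__":
    events, problems = parse_events(SAMPLE_LOG)
    for n, why in problems:
        print(f"line {n}: {why}")
    for clause, ok in clause_coverage(events).items():
        print(f"{clause}: {'evidenced' if ok else 'no events seen'}")
    now = datetime.now(timezone.utc)
    print(retention_status(now - timedelta(days=400), now - timedelta(days=60), now))
```

Run it over a day's export from each log source; a clause reported as "no events seen" for a source that should produce it (for example no 10.2.1.3 events from the log server itself) is a logging gap to fix before the next review, not something to explain at assessment time.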

 

Station additional software

5.2.1: An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations

5.2.2: The deployed anti-malware solution(s): Detects all known types of malware, Removes, blocks, or contains all known types of malware

5.2.3: Any system components that are not at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware; identification and evaluation of evolving malware threats for those system components; confirmation whether such system components continue to not require anti-malware protection

 

Forced OS updates on all hardware

6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates

 

Backend administrator login

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the session

8.3.6: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: a minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of eight characters), and contain both numeric and alphabetic characters

8.4.2: MFA is implemented for all access into the CDE

8.4.3: MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE

 

SmartTab directed

11.4.1: A penetration testing methodology is defined, documented, and implemented by the entity

11.5.2: A change-detection mechanism is deployed

12.2.1: Acceptable use policies for end-user technologies are documented and implemented

12.3.4: Hardware and software technologies in use are reviewed at least once every 12 months

 
