PCI 30 Seconds newsletter #28 - The PCI Library - What docs are required for compliance?

Blog Post created by dgodart on Apr 2, 2013



Compliance programs are heavily based on documentation, and PCI DSS is no exception. Technical and non-technical documents are a major part of the PCI journey and certainly of the compliance audit. Documents (technical descriptions, diagrams, policies, procedures, standards, audit trails, scan reports, penetration test reports, risk analysis reports, test reports, ...) are the auditor's staple diet.


Therefore, beyond the technical specifics, no one should neglect or underestimate the effort and time needed to set up and maintain a PCI library. It is a huge part of any PCI project.


If documentation is so important, why is there no official list of required documents on the PCI Standards web site? Answer: it would be too easy! Organizations have to interpret the requirements themselves in order to uncover the associated list of documents.


To close this gap, I decided to complete this exercise once and for all and share the outcome here. A new version of the PCI Compliance Dashboard includes this list in its PCI Documentation sheet.


The PCI Library for PCI DSS V2.0

Inventory of technical and non-technical documentation, with the associated PCI DSS v2.0 requirement numbers.


Technical Documents


Title/Subject | Description & associated requirements | Req
Global network diagram | Global network diagram (confidential) | 1.1
 | Includes development/test and production environments | 6.4
Lightened network diagram | Non-confidential version for external communication with third parties; no internal IP addresses | Optional
PCI scope definition | Document describing the PCI scope: network diagram, components, functions, data flows, and where cardholder data is stored, processed and transmitted | 1.1 + Scope
Firewall/router rule sets | For each firewall/router in scope: |
 | Includes a list of secure and insecure services, protocols and ports, with a business justification for each (and the security features implemented for the insecure ones) | 1.1.5
 | Includes a list of the restricted connections between untrusted networks and system components in the cardholder data environment | 1.2
 | Includes a description of inbound and outbound traffic, restricted to what is necessary | 1.2.1
 | Includes a rule stating that internal addresses cannot pass from the Internet into the DMZ (anti-spoofing) | 1.3.4
 | Includes a requirement for stateful inspection | 1.3.6
 | Includes segregation of the CDE (system components that store cardholder data are on an internal network zone, segregated from the DMZ) | 1.3.7
System configuration/hardening for all components in scope | For each system component in scope: |
 | Includes a list of the enabled services, protocols and daemons, with business justification | 2.2
 | Includes a list of the common security parameter settings for the system component | 2.2.3
 | Includes a list of the unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems) removed or disabled | 2.2.4
 | Includes removal of Telnet and other clear-text remote login commands | 2.3
 | Includes the list of anti-virus/anti-malware software and a description of the associated processes | 5.1
 | Includes a description of the access control configuration | 7.2
 | Includes a description of the user authentication method | 8.2
 | Includes a description of the method ensuring the integrity of critical files | 11.5
 | Includes the list of files considered critical | 11.5
Encryption / transmission | Lists the security protocols used in scope wherever cardholder data is transmitted or received over open, public networks | 4.1
Patch inventory | Inventory/history of the patches applied to each component | 6.1
IDS/IPS configuration | Lists the active and static protection systems (IDS/IPS) used within the scope, with their configuration and associated processes | 11.4
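The firewall/router rule-set document above is only useful if someone actually checks the live rule set against it. As an added example that is not part of the original post, the script below runs the checks that document is supposed to support (business justification per allowed service, insecure services only with documented security features, no direct Internet-to-CDE path, internal address ranges dropped at the Internet edge, stateful inspection, explicit deny-all) over a rule set exported into a simple structure. The zone names (internet, dmz, internal, cde), the rule schema and the sample rules are assumptions made for the illustration, not a vendor format.

```python
"""Audit a documented firewall rule set against the statements the rule-set
document is expected to contain (PCI DSS v2.0 1.1.5, 1.2.1, 1.3.3, 1.3.4, 1.3.6).
Added example, not from the original post: the zone names, rule schema and the
sample rules are all constructed for illustration."""
import ipaddress

# Services PCI DSS 1.1.5 treats as insecure unless their security features are documented.
INSECURE_SERVICES = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp v1/v2",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _tag(index, rule):
    return "rule %d %s->%s %s/%s" % (index, rule["src"], rule["dst"], rule["proto"], rule["port"])


def audit(ruleset):
    """Return a list of findings; an empty list means the rule set matches the documented policy."""
    findings = []
    if not ruleset.get("stateful"):
        findings.append("stateful inspection not enabled [1.3.6]")

    antispoof_nets = []  # source ranges explicitly dropped when they arrive from the Internet
    for index, rule in enumerate(ruleset["rules"], 1):
        tag = _tag(index, rule)
        src_net = ipaddress.ip_network(rule["src_net"]) if rule.get("src_net") else None

        if rule["action"] == "deny":
            if rule["src"] == "internet" and src_net is not None:
                antispoof_nets.append(src_net)
            continue

        # Everything below applies to allow rules only.
        if not rule.get("justification"):
            findings.append(tag + ": allowed without business justification [1.1.5]")
        service = INSECURE_SERVICES.get((rule["proto"], rule["port"]))
        if service and not rule.get("security_features"):
            findings.append(tag + ": insecure service %s allowed without documented security features [1.1.5]" % service)
        if {rule["src"], rule["dst"]} == {"internet", "cde"}:
            findings.append(tag + ": direct connection between the Internet and the CDE [1.3.3]")
        if rule["src"] == "internet" and src_net is not None and any(src_net.subnet_of(b) for b in RFC1918):
            findings.append(tag + ": internal address range accepted from the Internet [1.3.4]")

    for block in RFC1918:
        if not any(block.subnet_of(net) for net in antispoof_nets):
            findings.append("no rule dropping %s arriving from the Internet [1.3.4]" % block)

    last = ruleset["rules"][-1]
    if not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append("rule set does not end with an explicit deny-all [1.2.1]")
    return findings


def sample_ruleset():
    """Constructed rule set with several deliberate policy violations."""
    return {
        "stateful": True,
        "rules": [
            {"src": "internet", "src_net": "10.0.0.0/8", "dst": "any", "proto": "any", "port": "any", "action": "deny"},
            {"src": "internet", "src_net": "172.16.0.0/12", "dst": "any", "proto": "any", "port": "any", "action": "deny"},
            {"src": "internet", "dst": "dmz", "proto": "tcp", "port": 443, "action": "allow", "justification": "customer checkout (HTTPS)"},
            {"src": "internet", "dst": "dmz", "proto": "tcp", "port": 80, "action": "allow", "justification": "redirect to HTTPS"},
            {"src": "dmz", "dst": "cde", "proto": "tcp", "port": 5432, "action": "allow", "justification": "web tier to payment database"},
            {"src": "internet", "dst": "cde", "proto": "tcp", "port": 22, "action": "allow", "justification": "vendor support"},
            {"src": "internal", "dst": "cde", "proto": "tcp", "port": 23, "action": "allow"},
            {"src": "any", "dst": "any", "proto": "any", "port": "any", "action": "deny"},
        ],
    }


if __name__ == "__main__":
    for finding in audit(sample_ruleset()):
        print(finding)
```

Run against the sample, the audit flags the HTTP redirect (insecure service without documented security features), the vendor SSH rule straight from the Internet into the CDE, the undocumented Telnet rule (twice: no justification, insecure service) and the missing 192.168.0.0/16 anti-spoofing drop; the output is the gap list for the six-monthly rule-set review (1.1.6).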


Policies, Procedures, Standards and processes



Title/Subject | Description & associated requirements | Req
Roles and responsibilities for network and security management | Description of the groups, roles and responsibilities for logical management of network components |
 | Description of the groups, roles and responsibilities for security management, including key management |
Firewall/router configuration and change management process | Formal process for testing and approval of all network connections and changes to firewall and router configurations | 1.1.1
 | Includes a statement enforcing review of firewall and router rule sets at least every six months | 1.1.6
 | Includes limitation of inbound and outbound traffic to that which is necessary for the cardholder data environment | 1.2
 | Includes a statement preventing disclosure of private IP addresses and routing information to external parties, and how exceptions are authorized | 1.3.8
 | Includes enabling and activation of audit trails | 10.1
Configuration standards (Windows, SQL, ...) | System configuration and hardening procedures for each type of system component in scope | 2.2
 | Includes policy and procedures for changing vendor default settings before a system goes on the network | 2.1
 | Includes a statement enforcing one primary function per server | 2.2.1
 | Includes a statement enforcing that only necessary services, protocols and daemons are enabled, with justification | 2.2.2
 | Includes a list of the common security parameter settings for the system components | 2.2.3
 | Includes a statement enforcing removal of all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems) | 2.2.4
 | Includes a statement enforcing encryption of all non-console administrative access | 2.3
 | Includes a statement ensuring removal/deactivation of Telnet and other clear-text remote login commands for internal use | 2.3
 | Includes a statement enforcing activation of audit trails | 10.1
Protection of laptops/desktops in scope | Description of the technical measures, configuration and associated processes protecting laptops and desktops, such as personal firewall and anti-virus | 1.4
Data retention and disposal policy and process | Formal data retention policy identifying what data needs to be retained and where that data resides, so it can be securely destroyed or deleted as soon as it is no longer needed | 3.1 / 3.2.1 / 3.2.2 / 3.2.3
 | Includes the types of data retained (no sensitive authentication data) |
 | Includes a statement preventing the presence of card data in all logs (for example, transaction, history, debugging, error), history files, trace files and database contents |
 | Includes a statement prohibiting storage of sensitive authentication data after authorization (full track data, card verification code such as CVV2, PIN/PIN block) | 3.2.1 / 3.2.2 / 3.2.3
 | Includes procedures for obtaining and protecting cardholder data |
 | Includes procedures for accessing, modifying or transferring cardholder data |
 | Includes procedures for disposing of and destroying data |
 | Includes the business justification for retention of cardholder data |
Data display protection | Primary Account Number (PAN) policy and procedures for displaying PAN digits | 3.3
 | Includes a statement enforcing masking of the PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed) |
 | Includes a list of the users/roles with a legitimate business need to see the full PAN |
Key protection and management | Policy and procedures for the generation and protection of the keys used to encrypt cardholder data (PGP, ...) | 3.5 / 3.6
 | Includes the selection process for key custodians and their formal acknowledgement of their responsibilities | 3.6.8
Tokenization process | Description of the processes and mechanisms used to generate and protect tokens, and of the associated components and data | Optional
Anti-virus | Information about the anti-virus technology in use and how it is updated and managed | 5.1
Security patch management | Procedures for the identification, risk ranking, testing, distribution, deployment and implementation of security patches | 6.1
 | Includes a statement enforcing installation of all critical new security patches within one month of release |
 | Describes the process used to identify newly discovered security vulnerabilities and to assign a risk ranking to each | 6.2
 | Includes a list of the online resources used for patch management, alerts, security and support, as applicable |
Software development processes | Description of the software development processes in use | 6.3
 | Lists the industry standards and/or best practices followed |
 | Includes a statement enforcing that security is taken into account throughout the life cycle |
 | Includes a statement enforcing review of custom application code changes prior to release to production or customers, to identify any potential coding vulnerability | 6.3.2
 | Includes a statement enforcing separation of development/test and production environments | 6.4.1
 | Includes a statement enforcing separation of duties between development/test and production environments | 6.4.2
Secure coding / testing | Software development secure coding guidelines, training policy and procedures | 6.5 - 6.5.9
 | Includes a statement enforcing training of developers in secure coding techniques | 6.5
 | Includes a description of the process ensuring that public-facing web applications are not vulnerable to common coding flaws (SQL injection, ...): vulnerability assessment at least annually and after any change, or a web-application firewall in front of them | 6.6
Test procedures | Policy and procedures for application testing |
 | Includes a statement preventing the use of live PANs in test environments | 6.4.3
 | Includes a statement enforcing removal of test data and accounts before going to production | 6.4.4
Change control procedures for security patches and software modifications | Procedures for the implementation of security patches and software modifications | 6.4.5
 | Includes statements enforcing: (i) documentation of impact; (ii) documented approval by authorized parties; (iii) functionality testing to ensure the change does not adversely impact the security of the system; (iv) testing of all custom code updates for compliance with Requirement 6.5 (the vulnerabilities identified in 6.5.1 - 6.5.9); (v) back-out procedures | 6.4.5.1 - 6.4.5.4
 | Includes a statement enforcing execution of internal and external scans after any significant change | 11.2.3
Data control / access control | Data control and access control policies and procedures |
 | Includes a statement restricting access rights for privileged user IDs to the least privileges necessary to perform job responsibilities | 7.1.1
 | Includes a statement enforcing that privileges are assigned based on job classification and function | 7.1.2
 | Includes a statement enforcing documented approval by authorized parties (in writing or electronically) for all access, specifying the required privileges | 7.1.3
 | Includes a statement requiring implementation of access controls via an automated access control system | 7.1.4
 | Includes a statement enforcing that access control systems are in place on all system components | 7.2.1
 | Includes a statement requiring configuration of access control systems to enforce the privileges assigned to individuals based on job classification and function | 7.2.2
 | Includes a statement enforcing that access control systems have a default "deny-all" setting | 7.2.3
 | Includes a statement enforcing assignment of a unique user ID to each user before they are allowed to access system components or cardholder data | 8.1
 | Describes the authentication method in use | 8.2
 | Includes a statement enforcing the use of two-factor authentication for all remote network access | 8.3
Proper authentication and password management | Policy and procedures for access and password management (request, authorization, creation, modification, deletion and revocation; change control process) | 8.5
 | Includes the password initialization/reset process, with verification of the user's identity before a reset | 8.5.2
 | Includes a statement enforcing removal or disabling of user accounts inactive for more than 90 days | 8.5.5
 | Includes management of vendor remote access accounts (for maintenance): enabled only when needed and monitored while in use | 8.5.6
 | Includes a statement prohibiting generic, group and shared user IDs, passwords or other authentication methods, and how exceptions are managed | 8.5.8
 | Includes a statement enforcing change of user passwords at least every 90 days | 8.5.9
 | Includes a statement enforcing a minimum password length of at least seven characters | 8.5.10
 | Includes a statement enforcing that passwords contain both numeric and alphabetic characters | 8.5.11
 | Includes a statement prohibiting a new password identical to any of the last four passwords used | 8.5.12
 | Includes a statement enforcing user ID lockout after not more than six failed attempts | 8.5.13
 | Includes a statement enforcing a lockout duration of at least 30 minutes or until an administrator enables the user ID | 8.5.14
 | Includes a statement requiring user re-authentication whenever a session has been idle for more than 15 minutes | 8.5.15
Job classification | Lists the roles, privileges, access requirements and security responsibilities | 7.1, 7.2, 12.4
Security classification | Lists the classification levels related to the confidentiality of the data |
User access inventory | Lists who has access to what |
Physical access protection | Policy and procedures for the protection of physical areas, visitor handling and the visitor checklist | 9.1
Media distribution, classification and destruction | Policy and procedures for media distribution and classification | 9.7 / 9.8
 | Includes policy and procedures for the storage, maintenance, inventory and destruction of hardcopy and electronic media | 9.9 / 9.10
Monitoring/logging | Policy and procedures for monitoring and logging |
 | Includes a statement enforcing that audit trails are enabled and active on all system components | 10.1
 | Includes a statement enforcing logging of all individual access to cardholder data | 10.2.1
 | Includes a statement enforcing logging of all actions taken by any individual with root or administrative privileges | 10.2.2
 | Includes a statement enforcing logging of access to all audit trails | 10.2.3
 | Includes a statement enforcing logging of invalid logical access attempts | 10.2.4
 | Includes a statement enforcing logging of the use of identification and authentication mechanisms | 10.2.5
 | Includes a statement enforcing logging of the initialization of the audit logs | 10.2.6
 | Includes a statement enforcing logging of the creation and deletion of system-level objects | 10.2.7
 | Lists the data to be recorded for each event: user ID, type of event, date and time, success or failure, origin of the event, and identity or name of the affected data, system component or resource | 10.3
 | Includes a statement enforcing the use of time synchronization technology | 10.4
 | Describes the measures taken to protect audit trails from alteration | 10.5
 | Describes the process for reviewing logs (when, how), at least daily | 10.6 / 12.2
 | Includes a statement enforcing log retention for at least one year, with a minimum of three months immediately available for analysis | 10.7
Detection of wireless access points | Policy and procedures for the quarterly detection and identification of wireless access points | 11.1
 | Lists all authorized WAPs and their business justification |
ASV scan process and scan reports | Procedures for the quarterly external ASV scans and internal vulnerability scans, including remediation and re-scanning | 11.2
 | Includes the list of past scans, results and reports |
Penetration testing | Procedures for the execution of network-layer and application-layer penetration tests | 11.3
 | Includes a statement requiring execution of penetration testing at least annually and after any significant change to the environment | 11.3
 | Includes the list of past penetration tests, results and reports |
Intrusion detection process/configuration | Procedures for the use and configuration of IDS/IPS | 11.4
 | Includes a statement enforcing the use of IDS/IPS at the perimeter of the cardholder data environment and at critical points inside it, with signatures kept up to date | 11.4
 | Lists the IDS/IPS sensors and their locations |
File-integrity tools | Procedures and configuration for the file-integrity monitoring tools | 11.5
 | Lists the file-integrity tools used and the critical files they protect: system executables; application executables; configuration and parameter files; centrally stored, historical or archived log and audit files |
 | Includes a statement enforcing comparison of critical files at least weekly | 11.5
Risk assessment process | Risk assessment process | 12.1.2
Annual risk assessment | Annual risk assessment reports | 12.1.2
Daily operational security procedures | List of the tasks/processes to be performed on a regular basis | 12.2
Usage policies and procedures | Policy and procedures for the use of critical technologies | 12.3
 | Includes a statement requiring explicit approval from authorized parties to use the technologies | 12.3.1
 | Includes a statement requiring that all technology use be authenticated with a user ID and password or other authentication item (for example, a token) | 12.3.2
 | Includes a statement requiring a list of all devices and personnel authorized to use the devices | 12.3.3
 | Includes a statement requiring labeling of devices with information that can be correlated to owner, contact information and purpose | 12.3.4
 | Includes a statement defining the acceptable uses of the technology | 12.3.5
 | Includes a statement defining the acceptable network locations for the technology | 12.3.6
 | Includes a statement requiring a list of company-approved products, and that list | 12.3.7
 | Includes a statement requiring automatic disconnect of remote-access sessions after a specific period of inactivity | 12.3.8
 | Includes a statement requiring that remote-access technologies used by vendors and business partners are activated only when needed by them, with immediate deactivation after use | 12.3.9
 | Includes a statement prohibiting copying, moving or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies | 12.3.10
Security policy | Security policy for employees and contractors | 12.1
 | Describes the information security responsibilities of employees and contractors | 12.4
 | Records the formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management | 12.5
 | Includes assignment of responsibility for creating and distributing security policies and procedures | 12.5.1
 | Includes assignment of responsibility for monitoring and analyzing security alerts and distributing information to the appropriate information security and business unit management personnel | 12.5.2
 | Includes assignment of responsibility for creating and distributing security incident response and escalation procedures | 12.5.3
 | Includes assignment of responsibility for administering user accounts and authentication management | 12.5.4
 | Includes assignment of responsibility for monitoring and controlling all access to data | 12.5.5
Security awareness program | Defines a formal security awareness program for all personnel | 12.6
 | Includes multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings and promotions) | 12.6.1
 | Requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understood the information security policy | 12.6.2
 | Record of awareness training delivered: proof that personnel attend upon hire and at least annually | 12.6.1
HR screening process | Description of the HR screening process, or of the local law limiting or preventing such due diligence | 12.7
Service provider management policies and procedures | Policy and procedures for the management of service providers | 12.8
 | Includes the list of service providers | 12.8.1
 | Includes a written agreement with each, including an acknowledgement that the service provider is responsible for the security of the cardholder data it possesses | 12.8.2
 | Includes proper due diligence prior to engaging any service provider | 12.8.3
 | Includes a program to monitor the service providers' PCI DSS compliance status at least annually | 12.8.4
Incident response plan | Incident response plan | 12.9
 | Roles, responsibilities and communication/contact strategies in the event of a compromise, including notification of the payment brands, covering at a minimum: specific incident response procedures; business recovery and continuity procedures; data back-up processes; analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in its database); coverage and responses for all critical system components; reference or inclusion of incident response procedures from the payment brands | 12.9.1
 | Includes annual testing of the plan | 12.9.2
 | Includes assignment of specific personnel to be available on a 24/7 basis to respond to alerts | 12.9.3
 | Includes appropriate training for staff with security breach response responsibilities | 12.9.4
 | Includes a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments | 12.9.6
 | Previous incident or alert reports | 12.9.1
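The file-integrity row above asks for the list of critical files and the tool that protects them. As an added example that is not part of the original post (nor of any vendor's FIM product), here is the baseline-and-compare loop such a tool performs over the four file classes listed: hash and permissions are recorded once, stored where the monitored host cannot rewrite them, and compared at least weekly. The file names, contents and the tampering scenario are constructed for the illustration.

```python
"""Minimal file-integrity baseline/compare loop for the critical-file classes PCI
DSS 11.5 asks you to list (executables, configuration files, archived logs).
Added example, not from the original post or any vendor FIM product; the file
names and contents below are constructed for illustration."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the metadata an attacker might change without touching content."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    info = os.stat(path)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(info.st_mode), "size": info.st_size}


def build_baseline(root, critical_files):
    """Fingerprint every file in the critical-file list that currently exists under root."""
    baseline = {}
    for relative in critical_files:
        full = os.path.join(root, relative)
        if os.path.isfile(full):
            baseline[relative] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Classify each difference; the second element is what goes into the alert or ticket."""
    findings = []
    for relative in sorted(set(baseline) | set(current)):
        old, new = baseline.get(relative), current.get(relative)
        if old is None:
            findings.append((relative, "added"))
        elif new is None:
            findings.append((relative, "removed"))
        elif old["sha256"] != new["sha256"]:
            findings.append((relative, "content changed"))
        elif old["mode"] != new["mode"]:
            findings.append((relative, "permissions changed %o -> %o" % (old["mode"], new["mode"])))
    return findings


def demo():
    """Constructed scenario: baseline, then tamper with a binary, delete a config, add an archive."""
    critical = ["bin/payment-svc", "etc/payment.conf", "etc/sshd_config", "var/log/archive/audit.1"]
    initial = {
        "bin/payment-svc": b"\x7fELF original build",
        "etc/payment.conf": b"db_host=10.10.1.5\nlog_pan=false\n",
        "etc/sshd_config": b"PermitRootLogin no\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for relative, content in initial.items():
            full = os.path.join(root, relative)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(content)
        baseline = build_baseline(root, critical)
        # In practice the baseline is stored off-host or signed, so it cannot be rewritten
        # by whoever rewrites the files; JSON round-trip stands in for that here.
        stored = json.dumps(baseline)

        # Simulated tampering between two weekly comparisons.
        with open(os.path.join(root, "bin/payment-svc"), "wb") as handle:
            handle.write(b"\x7fELF backdoored build")
        os.remove(os.path.join(root, "etc/sshd_config"))
        os.makedirs(os.path.join(root, "var/log/archive"), exist_ok=True)
        with open(os.path.join(root, "var/log/archive/audit.1"), "wb") as handle:
            handle.write(b"archived audit log\n")

        return compare(json.loads(stored), build_baseline(root, critical))


if __name__ == "__main__":
    for path, why in demo():
        print("%-28s %s" % (path, why))
```

The unchanged payment.conf produces no finding, which is the point of a documented critical-file list: the tool compares exactly the files the 11.5 document names, and each difference maps to the alert that 12.9 expects someone to be on call to handle.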




Do you agree with the list?

How do you manage your PCI Library?


Did you read our previous newsletter: PCI 30 Seconds newsletter #27 - Static versus active protection systems: what impact on quarterly scans?


PS: Download the new version of the PCI Compliance Dashboard with the above list.