PCI-DSS v3.2.1 Standard Flashcards
Requirement 1
Install and maintain a firewall configuration to protect cardholder data.
Requirement 1.1
Inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as follows.
Requirement 1.1.1
A formal process for approving and testing all network connections and changes to the firewall and router configurations.
Requirement 1.1.1.a
Examine documented procedures to verify there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
Requirement 1.1.1.b
For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested.
Requirement 1.1.1.c
Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.
Requirement 1.1.2
Current diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Requirement 1.1.2.a
Examine the diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to the cardholder data environment, including any wireless networks.
Requirement 1.1.2.b
Interview responsible personnel to verify that the diagram is kept current.
Requirement 1.1.3
Current diagram that shows all cardholder data flows across systems and networks.
Requirement 1.1.3.a
Examine data flow diagrams and interview personnel to verify the diagram shows all cardholder data flows across systems and networks and is kept current and updated as needed upon changes to the environment.
Requirement 1.1.4
Requirements for a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network.
Requirement 1.1.4.a
Examine the firewall configuration standards and verify that they include requirements for a firewall at each internet connection and between any DMZ and the internal network zone.
Requirement 1.1.4.b
Verify that the current network diagram is consistent with the firewall configuration standards.
Requirement 1.1.4.c
Observe network configurations to verify that a firewall is in place at each internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams.
Requirement 1.1.5
Description of groups, roles, and responsibilities for management of network components.
Requirement 1.1.5.a
Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.
Requirement 1.1.5.b
Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented.
Requirement 1.1.6
Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure (examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2).
Requirement 1.1.6.a
Verify that firewall and router configuration standards include a documented list of all services, protocols, and ports, including business justification for each - for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
Requirement 1.1.6.b
Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.
Requirement 1.1.6.c
Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port.
Requirement 1.1.7
Requirement to review firewall and router rule sets at least every six months.
Requirement 1.1.7.a
Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
Requirement 1.1.7.b
Examine documentation relating to rule set reviews and interview responsible personnel to verify that rule sets are reviewed at least every six months.
Requirement 1.2
Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. // Note: an untrusted network is any network that is external to the networks belonging to the entity under review and/or which is out of the entity's ability to control or manage. // Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment.
Requirement 1.2.1
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
Requirement 1.2.1.a
Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.
Requirement 1.2.1.b
Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.
Requirement 1.2.1.c
Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
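The two testing procedures above (1.1.6: every allowed service has a business justification, and insecure services also have documented security features; 1.2.1: only necessary traffic is allowed and everything else is explicitly denied) can be checked mechanically once a rule set has been exported. The following is an added example, not part of the PCI DSS text or any vendor tool: it assumes a simplified one-line rule format (action, direction, protocol, port, source, destination) and a justification register keyed by direction, protocol and port, both constructed for the example. A real audit would map the firewall's own export into the same tuples.

```python
"""Added example (not from the PCI DSS text): audit a firewall rule list against
Requirement 1.1.6 (every allowed service justified, insecure ones with documented
security features) and 1.2.1 (only necessary traffic allowed, everything else
explicitly denied). The one-line rule format and the justification register
are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known ports of the insecure services Requirement 1.1.6 names as examples.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP",
                  161: "SNMP v1/v2", 162: "SNMP v1/v2"}


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" or "out", relative to the CDE
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    src: str
    dst: str


def parse_rules(text: str) -> List[Rule]:
    """Parse 'action direction proto port src dst' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, port, src, dst = line.split()
        rules.append(Rule(action, direction, proto,
                          None if port == "any" else int(port), src, dst))
    return rules


def is_deny_all(r: Rule) -> bool:
    return (r.action == "deny" and r.proto == "any" and r.port is None
            and r.src == "any" and r.dst == "any")


def audit(rules: List[Rule],
          justifications: Dict[Tuple[str, str, Optional[int]], dict]) -> List[str]:
    """Return findings; an empty list means both requirements are satisfied."""
    findings = []
    # 1.2.1.c: each direction must end in an explicit deny-all. Rules are
    # evaluated top-down, so only the final rule can act as the catch-all.
    for direction in ("in", "out"):
        dir_rules = [r for r in rules if r.direction == direction]
        if not dir_rules or not is_deny_all(dir_rules[-1]):
            findings.append(f"1.2.1.c: no terminal deny-all for {direction}bound traffic")
    for r in rules:
        if r.action != "allow":
            continue
        label = f"{r.proto}/{'any' if r.port is None else r.port} {r.direction}"
        # 1.2.1.b: an allow on every port cannot be "only what is necessary".
        if r.port is None:
            findings.append(f"1.2.1.b: allow {label} is broader than necessary")
            continue
        entry = justifications.get((r.direction, r.proto, r.port))
        # 1.1.6.a: every allowed service needs a documented business justification.
        if entry is None:
            findings.append(f"1.1.6.a: allow {label} has no documented justification")
            continue
        # 1.1.6.b: insecure services also need documented security features.
        if r.port in INSECURE_PORTS and not entry.get("security_features"):
            findings.append(f"1.1.6.b: {INSECURE_PORTS[r.port]} ({label}) allowed "
                            "without documented security features")
    return findings


# Constructed sample rule set and justification register (not real data).
SAMPLE_RULES = """
allow in  tcp 443 any            10.10.1.10    # public payment page
allow in  tcp 21  203.0.113.7    10.10.1.20    # legacy acquirer upload
allow in  tcp 22  10.20.0.0/24   10.10.1.0/24  # admin jump host
allow out tcp 443 10.10.1.0/24   any           # payment processor
allow out udp 123 10.10.1.0/24   any           # NTP, never documented
deny  in  any any any            any
"""
SAMPLE_JUSTIFICATIONS = {
    ("in", "tcp", 443): {"reason": "Public HTTPS payment page"},
    ("in", "tcp", 21): {"reason": "Legacy batch upload from acquirer"},
    ("in", "tcp", 22): {"reason": "Administrative access",
                        "security_features": "key-only auth, source-restricted"},
    ("out", "tcp", 443): {"reason": "Outbound to payment processor"},
}


def run_sample() -> List[str]:
    return audit(parse_rules(SAMPLE_RULES), SAMPLE_JUSTIFICATIONS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against the constructed sample the audit raises three findings: the outbound direction has no terminal deny-all (1.2.1.c), FTP is allowed without documented security features (1.1.6.b), and the NTP allow has no justification at all (1.1.6.a). Note that the deny-all check only accepts an explicit final rule; on platforms whose default action is deny, an assessor would instead confirm that default in the device configuration, as 1.2.1.c permits.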
Requirement 1.2.2
Secure and synchronise router configuration files.
Requirement 1.2.2.a
Examine router configuration files to verify they are secured from unauthorised access.
Requirement 1.2.2.b
Examine router configurations to verify they are synchronized - for example, the running (or active) configuration matches the start-up configuration (used when machines are booted).
Requirement 1.2.3
Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorised traffic between the wireless environment and the cardholder data environment.
Requirement 1.2.3.a
Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment.
Requirement 1.2.3.b
Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorised traffic between the wireless environment and the cardholder data environment.
Requirement 1.3
Prohibit direct public access between the internet and any system component in the cardholder data environment. // Examine firewall and router configurations - including but not limited to the choke router at the internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment - and perform the following to determine that there is no direct access between the internet and system components in the internal cardholder network segment.
Requirement 1.3.1
Implement a DMZ to limit inbound traffic to only system components that provide authorised publicly accessible services, protocols, and ports. // Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorised publicly accessible services, protocols, and ports.