
PCI DSS Gap Analysis

Sr. No.  Content
1        Document Control
2        Legend
3        Gap Analysis Sheet

Document Control

Prepared By:
Reviewed By:
Approved By:
Owner Name:
Valid From:
Valid Until:
Version No:
Status:
Document No:

Published Version
Date
Jay Hira

Version History
Approver for Change
History
Author
Description

Kindly Note:
In the "Compliance Level" field on the Gap Analysis Sheet, select the appropriate level of compliance from the drop-down list.
In the "Findings / Comments" field on the Gap Analysis Sheet, summarize the identified issue and substantiate the level of compliance identified.

Conditional formatting has been provided on the "Review Sheet" sheet under the "Compliance Level" field:
Non-Compliant
Partially Compliant
Fully Compliant

Gap Analysis Sheet

Columns: Req # | Control Objective | Basic Control | Extended Control | Compliance Level | Findings / Comments
(The Compliance Level and Findings / Comments columns are blank in this template and are to be filled in during the review.)

Control Objective: Requirement 1 - Install and maintain a firewall configuration

1.1.1
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: A formal process for approving and testing all external network connections and changes to the firewall configuration.
1.1.2
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: A current network diagram with all connections to cardholder data, including wireless networks.
1.1.3
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Requirements for a firewall at each internet connection and between the DMZ and the internal network.
1.1.4
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Description of groups, roles and responsibilities for logical management of the network.
1.1.5
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Documented list of ports and services necessary for business.
1.1.6
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Justification and documentation for any available protocols besides HTTP, SSL/TLS, SSH and VPN.
1.1.7
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Justification and documentation for any non-secure protocols like FTP, which includes the reason for use of the protocol and the security features implemented.
1.1.8
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Quarterly review of the router and firewall rule base.
1.1.9
    Basic Control: Establish a firewall configuration standard that includes the following.
    Extended Control: Configuration standard for routers.
1.2.0
    Basic Control: Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
    Extended Control: Restricting inbound internet traffic to internet protocol addresses within the DMZ.
1.3.1
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Not allowing internal addresses to pass from the internet into the DMZ.
1.3.2
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Implementing stateful inspection, also known as dynamic packet filtering.
1.3.2
    Basic Control: Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
    Extended Control: Placing the database in an internal network zone, segregated from the DMZ.
1.3.3
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Restricting inbound and outbound traffic to that which is necessary for the cardholder environment.
1.3.4
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Securing and synchronizing the router configuration.
1.3.5
    Basic Control: Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
    Extended Control: Denying all other inbound and outbound traffic not specifically allowed.
1.3.6
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or to control any such traffic.
1.3.7
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the internet which are used to access the organization's network.
1.3.8
    Basic Control: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data.
    Extended Control: Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound traffic.
1.4.1
    Basic Control: Prohibit direct public access between external networks and any system component that accesses cardholder data.
    Extended Control: Restrict outbound traffic from payment card applications within the DMZ.
1.4.2
    Basic Control: Prohibit direct public access between external networks and any system component that accesses cardholder data.
    Extended Control:
1.5.0
    Basic Control: Implement IP masquerading to prevent internal addresses from being translated and revealed on the internet. Use techniques like PAT and NAT.
    Extended Control:

Control Objective: Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters

2.1.0
    Basic Control: Always change vendor-supplied defaults before installing a system on the network.
    Extended Control:
2.1.1
    Basic Control: Always change vendor-supplied defaults before installing a system on the network.
    Extended Control: For wireless environments, change wireless vendor defaults, including but not limited to WEP keys, default SSIDs, passwords and SNMP community strings. Disable SSID broadcast. Enable WPA for encryption and authentication.
2.3.1
    Basic Control: Encrypt all non-console administrative access. Use technology such as SSH, VPN or SSL/TLS for web-based management and other non-console administrative access.
    Extended Control:
2.4.1
    Basic Control: Hosting providers must protect each entity's hosted environment and data. These providers must meet the specific requirements provided in Requirement A.1.
    Extended Control:

Control Objective: Requirement A.1 - Hosting providers protect the cardholder data environment

1.a.1
    Basic Control: Protect each entity.
    Extended Control: Ensure that each entity only has access to its own cardholder data environment.
1.a.2
    Basic Control: Protect each entity.
    Extended Control: Restrict each entity's access and privileges to its own cardholder data.
1.a.3
    Basic Control: Protect each entity.
    Extended Control: Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.
1.a.4
    Basic Control: Protect each entity.
    Extended Control: Enable processes to provide for timely forensic investigation in the event of a compromise of any hosted merchant or service provider.

Control Objective: Requirement 3 - Protect cardholder data

3.1.0
    Basic Control: Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal and/or regulatory purposes, as documented in the data retention policy.
    Extended Control:

Control Objective: Requirement 4 - Encrypt transmission of cardholder data across open, public networks

4.1.0
    Basic Control: Use strong cryptography and security protocols such as SSL/TLS and IPsec to safeguard sensitive cardholder data during transmission over open, public networks.
    Extended Control:
4.1.1
    Basic Control: Use strong cryptography and security protocols such as SSL/TLS and IPsec to safeguard sensitive cardholder data during transmission over open, public networks.
    Extended Control: For wireless networks transmitting cardholder data, encrypt the transmission.
4.2.0
    Basic Control: Never send unencrypted PAN by e-mail.
    Extended Control:

Control Objective: Requirement 5 - Use and regularly update anti-virus software

5.1.0
    Basic Control: Deploy anti-virus software on all systems commonly affected by viruses.
    Extended Control:

Control Objective: Requirement 6 - Deploy and maintain secure systems and applications

6.5.1
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Unvalidated input.
6.5.2
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Broken access control.
6.5.4
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Cross-site scripting (XSS).
6.5.5
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Buffer overflows.
6.5.6
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Injection flaws (SQL injection).
6.5.7
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Improper error handling.
6.5.9
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Denial of service.
6.5.10
    Basic Control: Develop all web applications based on secure coding guidelines such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in the software development process.
    Extended Control: Insecure configuration management.
6.6.1
    Basic Control: Ensure that all web-facing applications are protected.
    Extended Control: Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.

Control Objective: Requirement 7 - Restrict access to cardholder data by business need to know

7.1.0
    Basic Control: Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
    Extended Control:

Control Objective: Requirement 8 - Assign a unique ID to each person with computer access

8.2.0
    Basic Control: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: passwords, token devices, biometrics.
    Extended Control:
8.3.0
    Basic Control: Implement two-factor authentication for remote access to the network by employees, administrators and third parties, using technologies like RADIUS, SSL/TLS or IPsec.
    Extended Control:
8.4.0
    Basic Control: Encrypt all passwords during transmission and storage on all system components.
    Extended Control:
8.5.1
    Basic Control: Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
    Extended Control:

Control Objective: Requirement 9 - Restrict physical access to cardholder data

9.1.1
    Basic Control: Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.
    Extended Control: Use cameras to monitor sensitive areas.
9.1.2
    Basic Control: Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.
    Extended Control: Restrict physical access to publicly accessible network jacks.
9.1.3
    Basic Control: Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.
    Extended Control: Restrict physical access to wireless access points, gateways and handheld devices.
9.3.1
    Basic Control: Security procedures for visitors.
    Extended Control: Visitors are authorized before entering areas where cardholder data is processed or maintained.
9.3.2
    Basic Control: Security procedures for visitors.
    Extended Control: Visitors are given a physical token that expires and that identifies them as non-employees.
9.3.3
    Basic Control: Security procedures for visitors.
    Extended Control: Visitors are asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4.0
    Basic Control: Use a visitor log to maintain a physical audit trail of visitor activity.
    Extended Control:
9.5.0
    Basic Control: Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility.
    Extended Control:
9.6.0
    Basic Control: Physically secure all paper and electronic media that contain cardholder data.
    Extended Control:

Control Objective: Requirement 10 - Track and monitor all access to network resources and cardholder data

10.2.1
    Basic Control: Implement automated audit trails for all system components to reconstruct --->
    Extended Control:
10.5.1
    Basic Control: Secure audit trails so they cannot be altered.
    Extended Control:
10.6.0
    Basic Control: Review logs for all system components at least daily. Log reviews must include those of components like IDS and AAA servers.
    Extended Control:

Control Objective: Requirement 11 - Regularly test security systems and processes

11.1.0
    Basic Control: Test security controls, limitations, network connections and
    Extended Control:
11.2.0
    Basic Control: Run internal and external vulnerability scans at least quarterly and after any significant change in the network.
    Extended Control:
11.3.0
    Basic Control: Perform penetration testing at least once a year and after any significant infrastructure change or upgrade.
    Extended Control:
11.4.0
    Basic Control: Use network intrusion detection systems, host-based intrusion detection systems and intrusion prevention systems to monitor all network traffic and alert personnel.
    Extended Control:
11.5.0
    Basic Control: Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files, and configure the software to perform critical file comparisons.
    Extended Control:

Compliance Level

Findings / Comments
