PCI Design Plan
a. Create timeline for scans to occur
i. Schedule scans according to the PCI DSS
Req 1.1.8 Quarterly Review of Firewall and Router Rule Sets
a. Feb 4 All systems including PCI
b. May 12 PCI systems
c. Aug 4 All systems including PCI
d. Nov 3 PCI systems
Req 11.2 Quarterly Internal and External Vulnerability Scans
a. 1st of the month except in May and December
Req 11.3A Annual Penetration Testing
a. June 16
Req 12.1.2 Annual process to identify Vulnerabilities, resulting in a
Formal Risk Assessment
a. June 18
Req 12.1.3 Annual Review of Security Policy
a. October 20
Req 12.6.1 Annual Education of Employees about Security
a. November 17
Req 12.9.2 Annual Testing of Incident Response Plan
a. September 16
b. Schedule scans appropriately for each department
i. Confirm that planned scan times will not conflict with each department’s
ii. Resolve conflicts by making scheduling changes when necessary
c. Schedule scan times with regard to change management and freeze windows
i. Ensure that scans will not interfere with UTS freeze windows
ii. For any scan that may impact UTS systems operations, schedule scans
within a change management window
d. Include scans in daily operations (EPMS)
i. Scans will become a new duty for each department participating in PCI
compliance and must be assigned to a task owner’s EPMS.
ii. When a scan is completed, the results of the scan will be interpreted by
the task owner
iii. Recommendations will be made by the task owner to the appropriate
department on what changes, if any, should be made to comply with PCI
e. Create a PCI DSS procedural template for UTS
i. Create a list of PCI Impacted Systems
This list will reside with other non-published procedural
ii. Create a template for Managing Department Operations. This document
is intended to address those requirements of PCI that can apply to all
systems and should map back to ISO 27002.
Local Security Procedures
Human Resources Procedures
Physical and Environmental Security
Communications and Operations Management
Systems Acquisition, Development and Maintenance
Business Continuity Management
iii. Create a PCI DSS procedural template for Managing PCI Impacted
This document is intended to address the systems included in the
list of PCI Impacted Systems. Due to resources and other
constraints, these procedures cannot be applied to all systems.
f. Apply template to appropriate SAQs to create procedures
g. Include process to update procedures as necessary
1. Host Intrusion Prevention System (HIPs)(6.5A, 6.5B, 6.5C, 6.6, 11.4A, 11.4B)
a. HIPs requirements based on SAQs
Scan web applications based on secure coding guidelines such as the
Open Web Application Security Project guidelines.
Scan custom application code to identify coding vulnerabilities.
Prevent the common coding vulnerabilities covered in software development
processes. Coding vulnerabilities include unvalidated input, broken access
control (for example, malicious use of user IDs), cross-site scripting (XSS)
attacks, buffer overflows, injection flaws (for example, structured query
language (SQL) injection), improper error handling, insecure storage, denial
of service, and insecure configuration
Scan web-facing applications against known attacks
Provide network intrusion detection systems, host-based intrusion
detection systems, and intrusion prevention systems to monitor all
network traffic and alert personnel to suspected compromises.
Provide intrusion detection and keep prevention engines up to date.
b. Procure HIPs solution
c. Configure HIPs based on SAQs
2. File Integrity Checking System (FICs)(10.5A, 10.5.5, 11.5A, 11.5B)
a. FICs requirements based on SAQs
Secure audit trails that cannot be altered.
Log data cannot be changed without generating alerts (although new
data being added should not cause an alert).
Alert personnel to unauthorized modification of critical system or content
Perform critical file comparisons at least weekly.
Critical files are not necessarily only those containing cardholder data.
Critical files are usually those that do not regularly change, but the
modification of which could indicate a system compromise or risk of
Other critical files, such as those for custom applications, must be
evaluated and defined by the entity (that is the merchant or service
b. Procure FICs solution
c. Configure FICs based on SAQs
Test web-based console (Tripwire)
Ensure that file comparisons occur at least weekly
Software must be configured to check log files
Software should be installed on log aggregation server and PCI Impacted
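The FIC requirements above (alert on any change to existing log data, tolerate appended data, compare critical files at least weekly) are modelled in the following added example. It is not code from this plan or from any FIC product it mentions; the baseline format, the append-only treatment of log files and the constructed sample files are assumptions made for illustration.

```python
# Added example, not part of the PCI design plan or any FIC product it names:
# a minimal file-integrity check modelled on the FIC requirements above.
# Assumptions (mine): monitored files are given as paths, the baseline is a
# dict kept in memory, and log files are append-only, so growth that preserves
# the previously hashed bytes is not an alert while any rewrite of them is.
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(paths, log_paths=()):
    """Record a digest and size for every monitored file.

    Files in log_paths are flagged append-only; for them the digest covers
    the bytes present at baseline time, so later appends can be tolerated.
    """
    base = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        base[path] = {
            "sha256": sha256_hex(data),
            "size": len(data),
            "append_only": path in set(log_paths),
        }
    return base


def compare(base):
    """Compare the current files to the baseline.

    Returns a list of (path, finding) pairs; an empty list means no alert.
    """
    findings = []
    for path, rec in base.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if rec["append_only"]:
            # Only the bytes that existed at baseline must be unchanged; new
            # data appended after them is not an alert. A file shorter than
            # the baseline, or whose original prefix now hashes differently,
            # has been truncated or edited.
            prefix = data[: rec["size"]]
            if len(data) < rec["size"] or sha256_hex(prefix) != rec["sha256"]:
                findings.append((path, "log tampered"))
        elif sha256_hex(data) != rec["sha256"]:
            findings.append((path, "modified"))
    return findings


def demo():
    """Constructed scenario: one config file and one log file in a temp dir.

    Returns the findings after a benign log append (expected: none) and
    after a config edit plus a log rewrite (expected: both alerts).
    """
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "httpd.conf")   # constructed sample file
    log = os.path.join(workdir, "auth.log")     # constructed sample file
    with open(cfg, "w") as fh:
        fh.write("Listen 443\n")
    with open(log, "w") as fh:
        fh.write("login ok user=alice\n")
    base = take_baseline([cfg, log], log_paths=[log])

    # Normal operation: the log grows. No alert expected.
    with open(log, "a") as fh:
        fh.write("login ok user=bob\n")
    benign = compare(base)

    # Tampering: config changed, and the log rewritten so alice's entry is gone.
    with open(cfg, "a") as fh:
        fh.write("Listen 8080\n")
    with open(log, "w") as fh:
        fh.write("login ok user=bob\n")
    tampered = compare(base)
    return benign, sorted(kind for _, kind in tampered)


if __name__ == "__main__":
    print(demo())
```

In practice `compare` would be run from a scheduler at least weekly, as the plan requires, and its findings forwarded to the log aggregation tool. Legitimate log rotation shortens or replaces the file and therefore raises the same alert as tampering, so rotation has to be followed by a fresh baseline; commercial FIC products track this automatically.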
3. Vulnerability Scanner(11.3.1, 11.3.2, 11.3A)
a. Define scanner requirements based on SAQs
Penetration tests include network-layer penetration tests
Penetration tests include application-layer penetration tests
b. Procure scanner solution
c. Configure scanner based on SAQs
Penetration testing performed at least once a year and after any
significant infrastructure or application upgrade or modification (such
as an operating system upgrade, a subnetwork added to the
environment, or a web server added to the environment)
4. Log Aggregation Tool (LAT)(8.5.1, 8.5.4, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11,
8.5.12, 8.5.13, 8.5.15, 8.5.16, 10.1, 10.2.1, 10.2.2, 10.6, 10.7)
a. LAT requirements based on SAQs
Proper user authentication and password management controls for:
Addition, deletion, and modification of user IDs, credentials, and
other identifier objects.
Access from any terminated users to be immediately revoked.
Accounts used by vendors for remote maintenance to be enabled
only during the time period needed.
Group, shared, or generic accounts and passwords are not
Passwords to be changed at least every 90 days, with a minimum
password length of at least seven characters containing both
numeric and alphabetic characters
An individual to submit a new password that is different from any
of the last four passwords he or she has used.
Repeated access attempts to be limited by locking out the user ID
after no more than six attempts
A session idle for more than 15 minutes requires the user to re-enter the
password to reactivate the terminal
All access to any database containing cardholder data to be
authenticated. (This includes access by applications,
administrators, and all other users.)
Link all access to system components (especially access done with
administrative privileges such as root) to each individual user.
Automated audit trails are implemented for all system components to
reconstruct all individual user accesses to cardholder data
Automated audit trails are implemented for all system components to
reconstruct all actions taken by any individual with root or administrative
Logs for all system components, including those servers that perform
security functions like intrusion detection system (IDS) and
authentication, authorization, and accounting protocol (AAA) servers (for
Audit trail history retained for at least one year
b. Procure LAT solution
c. Configure LAT based on SAQs
Password procedures and policies must be communicated to all users who
have access to cardholder data
Logs for all system components must be reviewed at least daily.
Audit trail history must be retained for at least one year, with a minimum
of three months online availability.
Enforce policies on Linux systems and on Windows systems not joined to
Specific policy for PCI systems joined to AD.
Configure an Event Management System.
Require unique user ID
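The password and account-lockout controls listed under the LAT requirements (passwords changed at least every 90 days, at least seven characters with both letters and digits, no reuse of the last four, lockout after six failed attempts, re-authentication after 15 idle minutes) are implemented in the following added example. It is not code from this plan or from any log aggregation product; the class, method names, PBKDF2 storage and the constructed account are assumptions made for illustration.

```python
# Added example, not part of the PCI design plan or any LAT product: an
# account-policy model implementing the password and lockout controls listed
# above (90-day age, 7+ chars with letters and digits, no reuse of the last
# four, lockout after six failures, 15-minute idle timeout). Class and method
# names are my assumptions; the plan does not specify an implementation.
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7
HISTORY_DEPTH = 4          # current password plus the three before it
MAX_ATTEMPTS = 6
MAX_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=15)
PBKDF2_ROUNDS = 20_000     # kept low so the demo runs quickly


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violation(password: str):
    """Return a reason if the password fails the composition rules, else None."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        return "needs letters and digits"
    return None


class Account:
    def __init__(self, user_id: str, password: str, now: datetime):
        self.user_id = user_id
        self.history = []          # (salt, hash) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        self.last_change = now
        self.last_activity = now
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, derive(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last four
        self.last_change = now

    def _in_history(self, password):
        return any(hmac.compare_digest(derive(password, s), h) for s, h in self.history)

    def set_password(self, password, now):
        """Return (ok, reason); the new password must differ from the last four."""
        reason = policy_violation(password)
        if reason:
            return False, reason
        if self._in_history(password):
            return False, "reused"
        self._store(password, now)
        return True, "changed"

    def password_expired(self, now):
        return now - self.last_change > MAX_AGE

    def login(self, password, now):
        """Verify against the current hash; lock after MAX_ATTEMPTS failures."""
        if self.locked:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(derive(password, salt), digest):
            self.failed_attempts = 0
            self.last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False

    def unlock(self):
        self.locked = False
        self.failed_attempts = 0

    def session_needs_reauth(self, now):
        return now - self.last_activity > IDLE_TIMEOUT


def demo():
    """Constructed walk-through of every rule; returns a dict of outcomes."""
    t0 = datetime(2010, 1, 4, 9, 0)   # constructed timestamp
    acct = Account("alice", "winter2009", t0)
    r = {}
    r["short"] = acct.set_password("abc1", t0)[1]
    r["alpha_only"] = acct.set_password("abcdefgh", t0)[1]
    r["reuse_current"] = acct.set_password("winter2009", t0)[1]
    for pw in ("spring2010", "summer2010", "autumn2010", "winter2010"):
        acct.set_password(pw, t0)
    r["fifth_back_ok"] = acct.set_password("winter2009", t0)[1]   # older than last four
    r["recent_reuse"] = acct.set_password("summer2010", t0)[1]
    for _ in range(MAX_ATTEMPTS):
        acct.login("wrong-pass1", t0)
    r["locked"] = acct.locked
    r["login_while_locked"] = acct.login("winter2009", t0)
    acct.unlock()
    r["login_after_unlock"] = acct.login("winter2009", t0)
    r["idle_10min"] = acct.session_needs_reauth(t0 + timedelta(minutes=10))
    r["idle_16min"] = acct.session_needs_reauth(t0 + timedelta(minutes=16))
    r["age_91days"] = acct.password_expired(t0 + timedelta(days=91))
    return r


if __name__ == "__main__":
    print(demo())
```

The history window keeps the current password plus the three before it, so a password five changes back is accepted again, which is exactly the boundary the "last four" rule sets; the lockout and idle checks are kept as separate state so the same model works whether enforcement lives in a directory service or on standalone Linux and Windows hosts that the plan says must be covered outside AD.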
5. Security Camera(9.1.1A, 9.1.1B)
a. Camera requirements based on SAQs
Cameras must monitor sensitive areas.
Data from video cameras is audited and correlated with other entries.
b. Procure camera solution
c. Set up cameras based on SAQs
Video date/time stamping system should sync with log aggregation tool.
Video files should be available to managers upon request.
6. DCO Administrative Tool(12.1.1, 12.1.2, 12.1.3)
a. Administrative Console requirements based on SAQs
A central administrative tool is necessary to manage policy on systems that
are not within a domain environment or cannot be moved into AD because of
legacy software requirements or configuration, and to ensure PCI compliance
standards are met. Candidate tools need to be brought in and tested to find
out what works best for our needs.
Define manual process to complete tasks
Individually set policy standards on 200 servers that are not within
AD, with no method of ensuring that policy settings related to
compliance standards have not been altered, intentionally or
To manually review the PCI systems individually would take
several days, whereas the review of the Server Farm would take
months to complete.
PCI DSS indicates this to be an annual review process, unless
environmental changes dictate it to occur more often.
Define automated process to complete tasks
Procure an administrative console that would facilitate compliance
with the related PCI requirements by automating policy standards
management. Settings in scope would include drive shares, NTFS file
permissions, local policy, audit settings, local user accounts, local
user account permissions, etc.
Define the ROI for administrative tool purchase
Man-hours for one complete review cycle may cost more than the tool
purchase
Learning curve for software purchase is very low, quick return on
b. Procure administrative tool solution
c. Configure administrative tool based on SAQs