PCI DSS Compliance Questionnaire
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of compliance requirements that protect confidential cardholder data. Here is a list of examples of the kinds of questions included on the PCI DSS compliance questionnaire, to help you better understand the actions required to maintain PCI compliance.
PCI DSS Self Assessment
The PCI DSS Compliance Questionnaire consists of 12 security requirements, each targeting a specific area of security. According to the official PCI DSS website, "The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures."
A business must be able to answer "yes" or "not applicable" to every question on the questionnaire to be considered PCI DSS compliant. Some of the requirements covered in the PCI DSS questionnaire include:
1. Install and maintain a firewall configuration
- Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?
- Is the current network diagram consistent with the firewall configuration standards?
- Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
- Is direct public access prohibited between the internet and any system component in the cardholder data environment?
- Are system components that store cardholder data placed in an internal network zone, segregated from the DMZ and other untrusted networks?
- Are security policies and operational procedures for managing firewalls documented, known to all affected parties and currently in use?
2. Do not use vendor-supplied defaults for system passwords
- Are unnecessary default accounts removed before installing a system on the network?
- Are encryption keys changed from default during installation?
- Are encryption keys changed any time a person with knowledge of the keys changes positions or leaves the company?
- Are system configuration standards applied when new systems are configured?
3. Protect stored cardholder data
- Are there defined processes in place for securely deleting cardholder data?
- Does all stored data meet data-retention policy requirements?
- Is the PAN masked when displayed?
- Are cryptographic keys stored in the fewest possible locations?
4. Encrypt transmission of cardholder data across public networks
- Are only trusted keys or certificates accepted?
- Do implemented security protocols only use secure configurations?
- Are PANs rendered unreadable when they are sent via end-user messaging technologies?
5. Protect all systems against malware and regularly update anti-virus programs
- Do current anti-virus programs effectively detect, remove and protect against viruses, worms, spyware, Trojans, rootkits and adware?
- Is anti-virus software regularly updated?
- Does the organization keep audit logs and retain those logs in accordance with PCI DSS requirements?
- Are all anti-virus mechanisms actively running?
6. Develop and maintain secure systems and applications
- Are vendor-supplied security patches in place to protect against known vulnerabilities?
- Is information security included throughout the software-development cycle?
- Are processes based on industry standards and best practices?
7. Restrict access to cardholder data by business need-to-know
- Is access to cardholder data limited to those whose jobs require such access?
- Are access needs for each role clearly defined?
- Do access control systems have a default deny-all setting?
8. Identify and authenticate access to system components
- Are all users assigned a unique ID?
- Is access for terminated users immediately removed?
- Once a user account is locked out, is the lockout duration set to a minimum of 30 minutes?
9. Restrict physical access to cardholder data
- Is physical access to the cardholder data environment protected by facility entry controls?
- Are video cameras protected from tampering?
- Are hardcopy materials shredded so that data cannot be reconstructed?
10. Track and monitor all access to network resources and cardholder data
- Are audit trails enabled?
- Are critical system clocks and times synchronized through time synchronization technology?
- Are audit trails secured to limit risk of alterations?
11. Regularly test security systems and processes
- Do processes detect and identify both authorized and unauthorized wireless access points?
- Are internal vulnerability scans performed on a quarterly basis?
- Are vulnerabilities found during penetration testing corrected?
12. Maintain a policy that addresses information security for all personnel
- Is a security policy maintained and disseminated to all relevant personnel?
- Is a risk assessment implemented on an annual basis?
- Do security policy and procedures clearly define information security responsibilities for all personnel?
- Are personnel educated upon hire and at least annually?
This is just an overview of the official PCI DSS Compliance Questionnaire. You can read through the PCI DSS Compliance Questionnaire in its entirety by visiting the PCI DSS website.
SolarWinds MSP Ensures PCI DSS Compliance
Remote management solutions from SolarWinds MSP (formerly LOGICnow) help ensure PCI DSS compliance by streamlining the security process across all departments of an organization. With SolarWinds MSP, all transmissions are encrypted, users can enable IP whitelisting and two-factor authentication, all application activity is logged, and no system can be accessed without a unique user ID and password. To learn more about the PCI compliance questionnaire, visit the PCI Security Standards Council website.
To try SolarWinds MSP for yourself, start a free, no-obligation 30-day trial.