Next week will be a busy week for us. We have two big customers going for first-time certification and re-certification respectively under PCI DSS. The first-time certification will be assessed against PCI DSS v3.0, while the second customer will be assessed against PCI DSS v2.0. It should be a very interesting and busy time.

Anyway, I have been going through all aspects of PCI DSS certification with each of them. Here is a quick refresher on some of the parameters and frequencies that systems and processes need to be configured with (values are the same in v2.0 and v3.0 unless noted):

Activity                                                    Parameter
----------------------------------------------------------  ------------------------------------------------------------
Session timeout (inactivity)                                15 minutes
User lockout                                                After 6 failed login attempts
Lockout duration                                            30 minutes, or until an administrator re-enables the account
Password history                                            Last 4 passwords cannot be reused
Minimum password length                                     7 characters, with both letters and numbers
Vendor/guest access to secure areas                         1 day
Review of logs                                              Daily
FIM: critical system, config and application files          Weekly
Install critical vendor security patches                    Within 1 month of release
Address critical vulnerabilities                            Within 1 month
Remove or disable inactive user accounts                    After 90 days of inactivity
Change passwords                                            At least every 90 days
Log retention                                               12 months, with the most recent 3 months immediately available (online)
Address non-critical vulnerabilities                        Within 3 months
CCTV footage of secure-room access                          Retained at least 3 months
Wireless access point scan                                  Quarterly
Internal vulnerability scan and external ASV scan           Quarterly
Firewall and router rule-set review                         Every 6 months
Verify terminated users' accounts are deactivated           Every 6 months
Penetration testing (application and network)               Annually, and after any significant change
Review security of offsite backup storage                   Annually
Media inventory (req 9.9.1 in v2.0, 9.7.1 in v3.0)          Annually
Risk assessment                                             Annually
Security awareness training                                 Annually
Personnel acknowledgement of policies and procedures        Annually
Monitor service providers' PCI DSS compliance status        Annually
Test incident response plan                                 Annually
Review, document and validate compensating controls         Annually
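Most of the rows above are process frequencies that an assessor checks from records, but the Requirement 8 rows (password age, inactive accounts, idle timeout, lockout, password length and history) map straight onto settings you can read off a host. As an added example, not part of the original post, here is a small Python check that parses those settings from Linux config text and reports which ones miss the thresholds in the table. It assumes a host using shadow-utils (/etc/login.defs and the useradd -D defaults), a TMOUT set in a profile script, and pam_faillock, pam_pwquality and pam_pwhistory in the PAM stack; the config snippets are constructed samples, one weak and one corrected, not taken from any customer system.

```python
"""Check Linux account and session settings against the PCI DSS Requirement 8
values in the table above. Example code written for this post; the thresholds
come from the table, the config snippets below are constructed samples."""
import re

# name -> (comparison, limit, requirement text, does 0/negative switch the control off?)
REQUIREMENTS = {
    "PASS_MAX_DAYS": ("<=", 90, "passwords changed at least every 90 days", True),
    "INACTIVE": ("<=", 90, "accounts disabled after 90 days of inactivity", True),
    "TMOUT": ("<=", 900, "idle session timeout of 15 minutes (900 s)", True),
    "minlen": (">=", 7, "minimum password length of 7", True),
    "deny": ("<=", 6, "lockout after at most 6 failed attempts", True),
    # unlock_time=0 means "locked until an administrator unlocks it", which also
    # satisfies the 30-minute minimum, so 0 is NOT treated as disabled here.
    "unlock_time": (">=", 1800, "lockout lasts at least 30 minutes (1800 s)", False),
    "remember": (">=", 4, "last 4 passwords cannot be reused", True),
}

# "KEY value" (login.defs) or "KEY=value" (useradd -D output, profile scripts).
_KV = re.compile(r"^\s*(?:export\s+|readonly\s+)?(\w+)(?:\s*=\s*|\s+)(-?\d+)\s*$")
_PAM_OPT = re.compile(r"\b(\w+)=(\d+)\b")


def parse_key_values(text):
    """Return {NAME: int} for every active 'NAME value' / 'NAME=value' line."""
    values = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:  # commented-out lines never match, since \w excludes '#'
            values[m.group(1)] = int(m.group(2))
    return values


def parse_pam_options(text, module):
    """Return key=int options from every active PAM line that loads `module`.
    Later lines win; the pam_faillock preauth and authfail lines should agree."""
    opts = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or module not in line:
            continue
        opts.update({k: int(v) for k, v in _PAM_OPT.findall(line)})
    return opts


def satisfied(op, actual, limit, zero_disables):
    """True if `actual` meets the threshold; a missing value never does."""
    if actual is None:
        return False
    if actual <= 0:  # INACTIVE=-1, TMOUT=0, deny=0 all mean "control off"
        return not zero_disables
    return actual <= limit if op == "<=" else actual >= limit


def audit_host(login_defs, useradd_defaults, profile, pam_conf):
    """Merge the four sources and return (name, actual, requirement) per gap."""
    values = {}
    for text in (login_defs, useradd_defaults, profile):
        values.update(parse_key_values(text))
    for module in ("pam_faillock.so", "pam_pwquality.so", "pam_pwhistory.so"):
        values.update(parse_pam_options(pam_conf, module))
    return [(name, values.get(name), desc)
            for name, (op, limit, desc, zero_disables) in REQUIREMENTS.items()
            if not satisfied(op, values.get(name), limit, zero_disables)]


# Constructed sample configs: a typical out-of-the-box host ...
WEAK_LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n"
WEAK_USERADD = "GROUP=100\nHOME=/home\nINACTIVE=-1\nSHELL=/bin/bash\n"
WEAK_PROFILE = "export TMOUT=1800\n"
WEAK_PAM = """\
auth        required      pam_faillock.so preauth silent deny=10 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=10 unlock_time=600
password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=7
password    required      pam_pwhistory.so use_authtok remember=4
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""
# ... and the same files brought in line with the table.
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n"
HARDENED_USERADD = "GROUP=100\nHOME=/home\nINACTIVE=90\nSHELL=/bin/bash\n"
HARDENED_PROFILE = "readonly TMOUT=900\nexport TMOUT\n"
HARDENED_PAM = WEAK_PAM.replace("deny=10 unlock_time=600", "deny=6 unlock_time=1800")

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_LOGIN_DEFS, WEAK_USERADD, WEAK_PROFILE, WEAK_PAM)),
                       ("hardened", (HARDENED_LOGIN_DEFS, HARDENED_USERADD,
                                     HARDENED_PROFILE, HARDENED_PAM))):
        findings = audit_host(*cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for name, actual, desc in findings:
            print(f"  {name}={actual!r}: {desc}")
```

To run it against a real host, read /etc/login.defs, the output of useradd -D, the profile script that sets TMOUT and the PAM stack file (system-auth or common-auth/common-password, depending on the distribution) into the four arguments in place of the sample strings. Two caveats: pam_pwquality may take minlen from /etc/security/pwquality.conf rather than the PAM line, so check both; and TMOUT only covers interactive shells, so application consoles, RDP/VNC and web admin interfaces need their own 15-minute idle timeout configured and evidenced separately.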