Next week will be a busy week for us. We have two big customers going for PCI-DSS certification: one for first-time certification and one for re-certification. The first-time certification will be done against PCI DSS v3.0, while the re-certification will be done against v2.0. It should be a very interesting and busy time.
Anyway, I have been going through all the aspects of PCI-DSS certification with each of them. Here’s just a quick refresher on some parameters that systems need to be configured with:
| Activity | Parameter |
|---|---|
| Session Timeouts (inactivity) | 15 minutes |
| Lockout User | 6 Attempts |
| Lockout Duration | 30 Minutes |
| Password History Prohibition | 4 Previous Passwords |
| Minimum Password Length | 7 characters, containing both alphabetic and numeric characters |
| Vendor/Guest access to Secure Area | 1 Day |
| Review of logs | 1 Day |
| FIM – Changes in critical files/system and application executable file | Weekly |
| Install vendor security patches upon release | Within 1 month of release (critical patches) |
| Address critical vulnerabilities | Within 1 month |
| Remove inactive user accounts | 90 Days |
| Change password | 90 Days |
| Logs availability | 12 months retained, with at least 3 months immediately available (online) |
| Address non critical vulnerabilities | Within 3 months |
| CCTV video storage of secure room access | Minimum 3 months accessible |
| Wireless Access Scan | Quarterly |
| Network Vulnerability/ASV Scan | Quarterly |
| Firewall review and router rule sets | Half Yearly |
| Test terminated users to ensure deactivation | Half Yearly |
| Penetration testing for application and network | Annual |
| Review security for offsite backup storage | Annual |
| Inventory media (req 9.9.1) | Annual |
| Risk Assessment | Annual |
| Training Awareness | Annual |
| Acknowledgement of personnel of policy and procedures | Annual |
| Monitor Service Provider Compliance | Annual |
| Test Incident Response Plan | Annual |
| Review, Document and Validate Compensating Controls | Annual |
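Most of the table is process cadence (scans, reviews, training) that no script can verify, but the Requirement 8 rows are host settings you can check mechanically before the QSA arrives. As an added example, not code from the original post, here is a Python audit that compares a Linux host's shadow/PAM settings against those rows. The file paths are the usual ones for pam_faillock, pam_pwquality and shadow-utils, the config excerpts are constructed for illustration, and the values assumed when a directive is absent (PASS_MAX_DAYS 99999, PASS_MIN_LEN 5, faillock deny 3 and unlock_time 600, no TMOUT) are the documented defaults, noted in comments.

```python
import re
from dataclasses import dataclass

# Thresholds from the table, with the PCI DSS v3.0 requirement they come from
MAX_PASSWORD_AGE_DAYS = 90   # 8.2.4
MIN_PASSWORD_LENGTH = 7      # 8.2.3
PASSWORD_HISTORY = 4         # 8.2.5
MAX_FAILED_ATTEMPTS = 6      # 8.1.6
MIN_LOCKOUT_SECONDS = 1800   # 8.1.7: 30 minutes, or until an administrator unlocks
MAX_IDLE_SECONDS = 900       # 8.1.8: 15 minutes


@dataclass
class Finding:
    control: str
    observed: str
    required: str
    compliant: bool


def parse_directives(text):
    """Parse 'KEY value' and 'key = value' files (login.defs, faillock.conf,
    pwquality.conf, shell profile). Comments are stripped, keys lower-cased."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?:export\s+)?([A-Za-z_]\w*)\s*=?\s*(\S.*)$", line)
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out


def pam_option(text, module, option, default):
    """Integer value of option=N on the pam.d line that loads `module`."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if module in line:
            m = re.search(rf"\b{re.escape(option)}=(\d+)", line)
            return int(m.group(1)) if m else default
    return default


def to_int(d, key, default):
    try:
        return int(d[key])
    except (KeyError, ValueError):
        return default


def audit(files):
    """files maps path -> content. One Finding per Requirement 8 parameter."""
    login = parse_directives(files.get("/etc/login.defs", ""))
    faillock = parse_directives(files.get("/etc/security/faillock.conf", ""))
    pwq = parse_directives(files.get("/etc/security/pwquality.conf", ""))
    profile = parse_directives(files.get("/etc/profile.d/tmout.sh", ""))
    pam = files.get("/etc/pam.d/system-auth", "")
    f = []

    age = to_int(login, "pass_max_days", 99999)  # shadow default: never expire
    f.append(Finding("8.2.4 password age", f"{age} days",
                     f"<= {MAX_PASSWORD_AGE_DAYS}", age <= MAX_PASSWORD_AGE_DAYS))

    # pwquality minlen wins if set, otherwise shadow's PASS_MIN_LEN (default 5)
    length = to_int(pwq, "minlen", to_int(login, "pass_min_len", 5))
    f.append(Finding("8.2.3 minimum length", str(length),
                     f">= {MIN_PASSWORD_LENGTH}", length >= MIN_PASSWORD_LENGTH))

    # In pwquality a negative credit is a required count of that class, so
    # dcredit=-1 together with lcredit=-1 or ucredit=-1 forces digits and letters
    dg, lo, up = (to_int(pwq, k, 0) for k in ("dcredit", "lcredit", "ucredit"))
    f.append(Finding("8.2.3 alphanumeric", f"dcredit={dg} lcredit={lo} ucredit={up}",
                     "digit and letter required", dg <= -1 and (lo <= -1 or up <= -1)))

    remember = pam_option(pam, "pam_pwhistory.so", "remember", 0)
    f.append(Finding("8.2.5 password history", str(remember),
                     f">= {PASSWORD_HISTORY}", remember >= PASSWORD_HISTORY))

    deny = to_int(faillock, "deny", 3)  # pam_faillock default
    f.append(Finding("8.1.6 lockout attempts", str(deny),
                     f"1..{MAX_FAILED_ATTEMPTS}", 1 <= deny <= MAX_FAILED_ATTEMPTS))

    # unlock_time of 0 or 'never' means an administrator must clear the lock,
    # which 8.1.7 accepts as an alternative to the 30-minute minimum
    raw = faillock.get("unlock_time", "600")  # pam_faillock default
    unlock = 0 if raw == "never" else int(raw)
    f.append(Finding("8.1.7 lockout duration", raw, f">= {MIN_LOCKOUT_SECONDS}s or never",
                     unlock == 0 or unlock >= MIN_LOCKOUT_SECONDS))

    tmout = to_int(profile, "tmout", 0)  # unset TMOUT: shells never time out
    f.append(Finding("8.1.8 idle timeout", f"{tmout}s",
                     f"1..{MAX_IDLE_SECONDS}", 1 <= tmout <= MAX_IDLE_SECONDS))
    return f


def non_compliant(files):
    return [x.control for x in audit(files) if not x.compliant]


# Constructed sample: a stock install whose values have not been touched
WEAK_HOST = {
    "/etc/login.defs": "PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n",
    "/etc/security/faillock.conf": "deny = 10\nunlock_time = 600\n",
    "/etc/security/pwquality.conf": "minlen = 8\ndcredit = -1\nlcredit = -1\n",
    "/etc/pam.d/system-auth": "password required pam_pwhistory.so remember=4 use_authtok\n",
    "/etc/profile.d/tmout.sh": "",
}

# The same host remediated to the table's values
HARDENED_HOST = {**WEAK_HOST,
    "/etc/login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_LEN 7\n",
    "/etc/security/faillock.conf": "deny = 6\nunlock_time = 1800\n",
    "/etc/profile.d/tmout.sh": "export TMOUT=900\nreadonly TMOUT\n",
}

for x in audit(WEAK_HOST):
    print("PASS" if x.compliant else "FAIL", x.control, x.observed, "(required", x.required + ")")
```

On the constructed weak host the audit flags password age, lockout attempts, lockout duration and the missing idle timeout; the hardened copy passes every row. The checks read files only, so the same function works over configs pulled from a fleet by your configuration-management tool; the process rows in the table (log review, ASV scans, IR plan tests) still need evidence from tickets and reports, not from a script.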