| Control objectives | PCI DSS security requirements | PA-DSS security requirements |
|---|---|---|
| CO1: build and maintain a secure network | R1: install and maintain a firewall configuration to protect cardholder data | RA1: do not retain full track data, card verification code, or value |
| | R2: do not use vendor-supplied defaults for system passwords and other security parameters | RA2: protect stored cardholder data |
| CO2: protect cardholder data | R3: protect stored cardholder data | RA3: provide secure authentication features |
| | R4: encrypt transmission of cardholder data across open, public networks | RA4: log payment application activity |
| CO3: maintain a vulnerability management program | R5: protect all systems against malware and regularly update antivirus software or programs | RA5: develop secure payment applications |
| | R6: develop and maintain secure systems and applications | RA6: protect wireless transmissions |
| CO4: implement strong access control measures | R7: restrict access to cardholder data by business need to know | RA7: test payment applications to address vulnerabilities and maintain payment application updates |
| | R8: identify and authenticate access to system components | RA8: facilitate secure network implementation |
| | R9: restrict physical access to cardholder data | RA9: cardholder data must never be stored on a server connected to the Internet |
| CO5: regularly monitor and test networks | R10: track and monitor all access to network resources and cardholder data | RA10: facilitate secure remote access to payment application |
| | R11: regularly test security systems and processes | RA11: encrypt sensitive traffic over public networks |
| CO6: maintain an information security policy | R12: maintain a policy that addresses information security for all personnel | RA12: encrypt all non-console administrative access |
| | | RA13: maintain a PA-DSS implementation guide for customers, resellers, and integrators |
| | | RA14: assign PA-DSS responsibilities for personnel and maintain training programs for personnel, customers, resellers, and integrators |

Blank cells in the first column continue the control objective of the row above (each CO groups the PCI DSS requirements listed beneath it); the PA-DSS column is an independent list and does not map one-to-one onto the PCI DSS rows.