Escolar Documentos
Profissional Documentos
Cultura Documentos
Sr. No.
1
2
3
Content
Document Control
Legend
Gap Analysis Sheet
Prepared By:
Reviewed By:
Approved By:
Owner Name:
Valid From:
Valid Until:
Version No:
Status:
Document No:
Published
Version
Date
Jay Hira
Version History
Approver for Change
History
Author
Description
Kindly Note:
In the "Compliance Level" field on the Gap Analysis Sheet, select the appropriate level of c
In the "Findings / Comments" field on the Gap Analysis Sheet, summarize the identified iss
A conditional formatting has been provided on the "Review Sheet" sheet under "Complian
Non-Compliant
Partially Compliant
Fully Compliant
ntified
Req #
Control Objective
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.2.0
1.3.1
1.3.2
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.4.1
1.4.2
1.5.0
2.1.0
Requirement 2 :- Do not
use Vendor Supplied
Defaults for system
passwords and other
security Parameters
2.1.1
Requirement 2 :- Do not
use Vendor Supplied
Defaults for system
passwords and other
security Parameters
2.3.1
Requirement 2 :- Do not
use Vendor Supplied
Defaults for system
passwords and other
security Parameters
2.4.1
Requirement 2 :- Do not
use Vendor Supplied
Defaults for system
passwords and other
security Parameters
1.a.1
Requirement A 1 :- Hosting
Providers Protect
Cardholder data
environment
1.a.2
Requirement A 1 :- Hosting
Providers Protect
Cardholder data
environment
1.a.3
Requirement A 1 :- Hosting
Providers Protect
Cardholder data
environment
1.a.4
Requirement A 1 :- Hosting
Providers Protect
Cardholder data
environment
3.1.0
Requirement 3 :- Protect
card holder
4.1.0
4.1.1
4.2.0
5.1.0
6.5.1
6.5.2
6.5.4
6.5.5
6.5.6
6.5.7
6.5.9
6.5.10
6.6.1
7.1.0
Requirement 7 :- Restrict
access to cardholder data
by business need to know.
8.2.0
8.3.0
8.4.0
8.5.1
9.1.1
9.1.2
9.1.3
9.3.1
9.3.2
9.3.3
9.4.0
9.5.0
9.6.0
10.2.1
10.5.1
10.6.0
11.1.0
11.2.0
11.3.0
11.4.0
11.5.0
Basic Control
Establish firewall configuration standard that include the following
Review logs for all system components at least daily. Log reviews
must include of those like IDS/AAA Server.
Extended Control
A Formal Process for approving and testing all external network
connections and changes to the firewall configuration
Not allowing internal address to pass from the internet into the DMZ.
Compliance Level
Ensure That each entity only has access to own cardholder data
environment
Restrict each entity's access and privileges to own card holder data.
Ensure logging and audit trails are enabled and unique to each
entity's cardholder data environment and consistent with PCI DSS
requirement 10
Enable process to provide for timely forensic investigation in the
event of a compromise to any hosted merchant or service provider.
Unvalidated input
XSS
Buffer overflows
Denial of service
They have all the custom application code reviewed for common
vulnerabilities by an organization that specializes in application
security.
Given a physical token that expires and that identifies the visitor as
non- employees.
Findings / Comments