WithPCI.com

A3.2.6 Mechanisms are implemented for detecting and preventing cleartext PAN from leaving the CDE

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.2.6 Mechanisms are implemented for detecting and preventing cleartext PAN from leaving the CDE via an unauthorized channel, method, or process, including mechanisms that are:

  • Actively running.
  • Configured to detect and prevent cleartext PAN leaving the CDE via an unauthorized channel, method, or process.
  • Generating audit logs and alerts upon detection of cleartext PAN leaving the CDE via an unauthorized channel, method, or process.

PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are in accordance with all elements specified in this requirement.

A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.

Purpose

The use of mechanisms to detect and prevent unauthorized PAN from leaving the CDE allows an organization to detect and prevent situations that may lead to data loss.

Good Practice

Coverage of the mechanisms should include, but not be limited to, e-mails, downloads to removable media, and output to printers.

Examples

Mechanisms to detect and prevent unauthorized loss of cleartext PAN may include the use of appropriate tools such as data loss prevention (DLP) solutions as well as manual processes and procedures.
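To make the three bullets of this requirement concrete (actively running, configured to detect and prevent, and generating audit logs and alerts), here is an added illustration of the core check a DLP mechanism performs on data leaving the CDE. It is not code from PCI SSC or WithPCI; function names, the sample payloads and the masked-log format are assumptions, and a production DLP product would wrap this logic in egress hooks for e-mail, removable media and print queues.

```python
import re
from datetime import datetime, timezone

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: separates real PANs from order numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, as plain digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six / last four, so the audit log itself never stores cleartext PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_egress(channel: str, payload: str, audit_log: list[str]) -> bool:
    """Inspect a payload about to leave the CDE over an unauthorized channel.

    Returns True when the transfer must be blocked; in that case an alert
    line is appended to audit_log (a constructed in-memory stand-in for the
    real logging/alerting pipeline).
    """
    pans = find_cleartext_pans(payload)
    if not pans:
        return False                      # nothing to prevent, nothing to log
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    masked = ",".join(mask_pan(p) for p in pans)
    audit_log.append(
        f"{ts} ALERT channel={channel} action=BLOCK "
        f"pan_count={len(pans)} pans={masked}"
    )
    return True
```

The Luhn step matters for the "configured to detect" bullet: a digit-pattern match alone floods analysts with false alerts on invoice and order numbers, which undermines the investigation step tested in A3.2.6.b.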

Sub-Requirements

Purpose

Designated Entities must document and retain evidence of segmentation testing.

Compliance Strategies

  • Testing logs
  • Documentation retention

Typical Policies

  • Segmentation Testing Documentation Policy

Common Pitfalls

  • No documentation
  • Missing test records

Type

Documentation/Process Control

Difficulty

Low

Key Risks

  • Inability to demonstrate compliance

Recommendations

  • Centralize documentation
