This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council
Req 4 - Encrypt encryption across public networks
Use strong cryptology, such as:
- Secure Sockets Layer (SSL) [link],
- IP Security (IPSEC) [link],
- Secure Shell (SSH) [link]
Never send unprotected Personal Account Numbers (PAN) by end user technologies such as email, chat, instant messaging (IM), etc.
Req 5 - Use and regularly update anti-virus
Use on all systems
Make sure antivirus is current and running.
Generate audit logs
Retain logs for 12 months, ensure that 3 months are readily viewable.
Req 6 - Develop and maintain secure systems and applications
Install vendor-supplied security patches within one month of release.
You must have the most recently released patches
Identify and assign a risk ranking to newly discovered vulnerabilities
Address critical issues within one month
Address less critical issues within three months
Develop software based on industry standard best practices
Follow change control [link]
Address threats and vulnerabilities on an ongoing basis.