| # | PCI requirement | Vendor responsibility in SaaS | Vendor responsibility in PaaS | Vendor responsibility in IaaS |
|---|---|---|---|---|
| 1 | Install and maintain a firewall configuration to protect cardholder data | Yes | Yes | Yes |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters | Yes | Yes | No |
| 3 | Protect stored cardholder data | Yes | Yes | No |
| 4 | Encrypt transmission of cardholder data across open, public networks | Yes | Yes | No |
| 5 | Use and regularly update anti-virus software | Yes | Yes | No |
| 6 | Develop and maintain secure systems and applications | Yes | No | No |
| 7 | Restrict access to cardholder data by business need-to-know | Yes | Yes | Yes |
| 8 | Assign a unique ID to each person with computer access | Yes | Yes | No |
| 9 | Restrict physical access to cardholder data | Yes | Yes | No |
| 10 | Track and monitor all access to network resources and cardholder data | Yes | Yes | Yes |
| 11 | Regularly test security systems and processes | Yes | Yes | Yes |
| 12 | Maintain a policy that addresses information security | Yes | No | No |