pci_dss_v1-2 (Статьи, стандарты, спецификации)
Описание файла
Файл "pci_dss_v1-2" внутри архива находится в следующих папках: Статьи, стандарты, спецификации, PCI DSS. PDF-файл из архива "Статьи, стандарты, спецификации", который расположен в категории "". Всё это находится в предмете "информационное обеспечение разработок" из 11 семестр (3 семестр магистратуры), которые можно найти в файловом архиве МГТУ им. Н.Э.Баумана. Не смотря на прямую связь этого архива с МГТУ им. Н.Э.Баумана, его также можно найти и в других разделах. Архив можно найти в разделе "остальное", в предмете "информационное обеспечение разработок и исследований" в общих файлах.
Просмотр PDF-файла онлайн
Текст из PDF
Payment Card Industry (PCI)Data Security StandardRequirements and Security Assessment ProceduresVersion 1.2October 2008Table of ContentsIntroduction and PCI Data Security Standard Overview ....................................................................................................................3PCI DSS Applicability Information .......................................................................................................................................................4Scope of Assessment for Compliance with PCI DSS Requirements ................................................................................................5Network Segmentation..............................................................................................................................................................................................
5Wireless .................................................................................................................................................................................................................... 6Third Parties/Outsourcing ......................................................................................................................................................................................... 6Sampling of Business Facilities and System Components.......................................................................................................................................
6Compensating Controls ............................................................................................................................................................................................ 7Instructions and Content for Report on Compliance .........................................................................................................................8Report Content and Format ...................................................................................................................................................................................... 8Revalidation of Open Items.....................................................................................................................................................................................
11PCI DSS Compliance – Completion Steps ............................................................................................................................................................. 11Detailed PCI DSS Requirements and Security Assessment Procedures .......................................................................................12Build and Maintain a Secure Network .......................................................................................................................................................................
13Requirement 1: Install and maintain a firewall configuration to protect cardholder data........................................................................................ 13Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ....................................................... 17Protect Cardholder Data............................................................................................................................................................................................
20Requirement 3: Protect stored cardholder data...................................................................................................................................................... 20Requirement 4: Encrypt transmission of cardholder data across open, public networks....................................................................................... 26Maintain a Vulnerability Management Program ........................................................................................................................................................ 28Requirement 5: Use and regularly update anti-virus software or programs ........................................................................................................... 28Requirement 6: Develop and maintain secure systems and applications ..............................................................................................................
29Implement Strong Access Control Measures ............................................................................................................................................................ 35Requirement 7: Restrict access to cardholder data by business need to know ..................................................................................................... 35Requirement 8: Assign a unique ID to each person with computer access. .......................................................................................................... 37Requirement 9: Restrict physical access to cardholder data..................................................................................................................................
42Regularly Monitor and Test Networks ....................................................................................................................................................................... 46Requirement 10: Track and monitor all access to network resources and cardholder data. ................................................................................. 46Requirement 11: Regularly test security systems and processes..........................................................................................................................
49Maintain an Information Security Policy .................................................................................................................................................................... 52Requirement 12: Maintain a policy that addresses information security for employees and contractors............................................................... 52Appendix A:Appendix B:Appendix C:Additional PCI DSS Requirements for Shared Hosting Providers .........................................................................59Compensating Controls .............................................................................................................................................61Compensating Controls Worksheet..........................................................................................................................62PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 1Appendix D: Attestation of Compliance – Merchants ...................................................................................................................64Appendix E: Attestation of Compliance – Service Providers .......................................................................................................68Appendix F: PCI DSS Reviews — Scoping and Selecting Samples.............................................................................................72PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 2Introduction and PCI Data Security Standard OverviewThe Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitatethe broad adoption of consistent data security measures globally.
This document, PCI Data Security Standard Requirements and SecurityAssessment Procedures, uses as its foundation the 12 PCI DSS requirements, and combines them with corresponding testing procedures into asecurity assessment tool. It is designed for use by assessors conducting onsite reviews for merchants and service providers who must validatecompliance with the PCI DSS. Below is a high-level overview of the 12 PCI DSS requirements. The next several pages provide background aboutpreparing for, conducting, and reporting a PCI DSS assessment, whereas the detailed PCI DSS requirements begin on page 13.PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 3PCI DSS Applicability InformationThe following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element ispermitted or prohibited; and whether each data element must be protected.
This table is not exhaustive, but is presented to illustrate the differenttypes of requirements that apply to each data element.StoragePermittedProtectionRequiredPCI DSS Req. 3.4Primary Account Number(PAN)YesYesYesCardholder Name 1YesYes 1NoService Code 1YesYes 1NoYesYes1NoFull Magnetic Stripe Data 3NoN/AN/ACAV2/CVC2/CVV2/CIDNoN/AN/APIN/PIN BlockNoN/AN/AData ElementCardholder DataExpiration DateSensitiveAuthenticationData 21231These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection ofthe cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or datasecurity) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected duringthe course of business.
PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.Sensitive authentication data must not be stored after authorization (even if encrypted).Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.PCI DSS Requirements and Security Assessment Procedures, v1.2Copyright 2008 PCI Security Standards Council LLCOctober 2008Page 4Scope of Assessment for Compliance with PCI DSS RequirementsThe PCI DSS security requirements apply to all system components.
“System components” are defined as any network component, server, orapplication that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network thatpossesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers,wireless access points, network appliances, and other security appliances.