pci_dss_v1-2 (1027411), страница 13
Текст из файла (страница 13)
Note that compensating controls should also be documented inthe Report on Compliance in the corresponding PCI DSS requirement section.Note: Only companies that have undertaken a risk analysis and have legitimate technological ordocumented business constraints can consider the use of compensating controls to achieve compliance.Requirement Number and Definition:Information Required1. ConstraintsList constraints precluding compliancewith the original requirement.2. ObjectiveDefine the objective of the originalcontrol; identify the objective met by thecompensating control.3.
Identified RiskIdentify any additional risk posed by thelack of the original control.4. Definition ofCompensatingControlsDefine the compensating controls andexplain how they address the objectivesof the original control and the increasedrisk, if any.5. Validation ofCompensatingControlsDefine how the compensating controlswere validated and tested.6. MaintenanceDefine process and controls in place tomaintain compensating controls.PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix C: Compensating Controls WorksheetExplanationOctober 2008Page 62Compensating Controls Worksheet – Completed ExampleUse this worksheet to define compensating controls for any requirement where “YES” was checked andcompensating controls were mentioned in the “Special” column.Requirement Number: 8.1—Are all users identified with a unique user name before allowing them toaccess system components or cardholder data?Information RequiredExplanation1.
ConstraintsList constraints precludingcompliance with the originalrequirement.Company XYZ employs stand-alone UnixServers without LDAP. As such, they eachrequire a “root” login. It is not possible forCompany XYZ to manage the “root” login noris it feasible to log all “root” activity by eachuser.2. ObjectiveDefine the objective of theoriginal control; identify theobjective met by thecompensating control.The objective of requiring unique logins istwofold. First, it is not considered acceptablefrom a security perspective to share logincredentials. Secondly, having shared loginsmakes it impossible to state definitively that aperson is responsible for a particular action.3.
Identified RiskIdentify any additional riskposed by the lack of theoriginal control.Additional risk is introduced to the accesscontrol system by not ensuring all users havea unique ID and are able to be tracked.4. Definition ofCompensatingControlsDefine the compensatingcontrols and explain howthey address the objectivesof the original control andthe increased risk, if any.Company XYZ is going to require all users tolog into the servers from their desktops usingthe SU command.
SU allows a user to accessthe “root” account and perform actions underthe “root” account but is able to be logged inthe SU-log directory. In this way, each user’sactions can be tracked through the SUaccount.5. Validation ofCompensatingControlsDefine how thecompensating controls werevalidated and tested.Company XYZ demonstrates to assessor thatthe SU command being executed and thatthose individuals utilizing the command arelogged to identify that the individual isperforming actions under root privileges6. MaintenanceDefine process and controlsin place to maintaincompensating controls.Company XYZ documents processes andprocedures to ensure SU configurations arenot changed, altered, or removed to allowindividual users to execute root commandswithout being individually tracked or loggedPCI DSS Requirements and Security Assessment Procedures, v1.2Appendix C: Compensating Controls WorksheetOctober 2008Page 63Appendix D: Attestation of Compliance – MerchantsPayment Card Industry (PCI)Data Security StandardAttestation of Compliance forOnsite Assessments – MerchantsVersion 1.2October 2008Instructions for SubmissionThis document must be completed by a Qualified Security Assessor (QSA) or merchant (if merchant internal auditperforms validation) as a declaration of the merchant’s compliance status with the Payment Card Industry DataSecurity Standard (PCI DSS).
Complete all applicable sections and submit to the acquirer or requesting paymentbrand.Part 1. Qualified Security Assessor Company InformationCompany Name:Lead QSA Contact Name:Title:Telephone:E-mail:Business Address:City:State/Province:Country:ZIP:URL:Part 2. Merchant Organization InformationCompany Name:DBA(s):Contact Name:Title:Telephone:E-mail:Business Address:City:State/Province:Country:ZIP:URL:Part 2a. Type of Merchant Business (check all that apply)RetailerTelecommunicationGrocery and SupermarketsPetroleumE-CommerceMail/Telephone-OrderTravel & EntertainmentOthers (please specify):List facilities and locations included in PCI DSS review:Part 2b.
RelationshipsDoes your company have a relationship with one or more third-party agents (for example, gateways, webYesNohosting companies, airline booking agents, loyalty program agents, etc)?Does your company have a relationship with more than one acquirer?YesNoPart 2c. Transaction ProcessingPayment Application in use:Payment Application Version:PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix D: Attestation of Compliance for Onsite Assessment – MerchantsOctober 2008Page 65Part 3.
PCI DSS ValidationBased on the results noted in the Report on Compliance (“ROC”) dated (date of ROC), (QSA Name/MerchantName) asserts the following compliance status for the entity identified in Part 2 of this document as of (date)(check one):Compliant: All requirements in the ROC are marked “in place4,” and a passing scan has beencompleted by the PCI SSC Approved Scanning Vendor (ASV Name) thereby (Merchant CompanyName) has demonstrated full compliance with the PCI DSS (insert version number).Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overallNON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved ScanningVendor, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.Target Date for Compliance:An entity submitting this form with a status of Non-Compliant may be required to complete the ActionPlan in Part 4 of this document.
Check with your acquirer or the payment brand(s) before completingPart 4, since not all payment brands require this section.Part 3a. Confirmation of Compliant StatusQSA/Merchant confirms:The ROC was completed according to the PCI DSS Requirements and Security AssessmentProcedures, Version (insert version number), and was completed according to the instructions therein.All information within the above-referenced ROC and in this attestation fairly represents the results ofthe assessment in all material respects.The merchant has confirmed with the payment application vendor that their payment application doesnot store sensitive authentication data after authorization.The merchant has read the PCI DSS and recognizes that they must maintain full PCI DSS complianceat all times.No evidence of magnetic stripe (i.e., track) data5, CAV2, CVC2, CID, or CVV2 data6, or PIN data7storage after transaction authorization was found on ANY systems reviewed during this assessment.Part 3b.
QSA and Merchant AcknowledgmentsSignature of Lead QSA ÇLead QSA Name:Date:Title:Signature of Merchant Executive Officer ÇMerchant Executive Officer Name:45Date:Title:“In place” results should include compensating controls reviewed by the QSA/merchant Internal Audit. If compensating controlsare determined to sufficiently mitigate the risk associated with the requirement, the QSA should mark the requirement as “inplace”.Data encoded in the magnetic stripe used for authorization during a card-present transaction.
Entities may not retain fullmagnetic stripe data after transaction authorization. The only elements of track data that may be retained are account number,expiration date, and name.6The three- or four-digit value printed on the signature panel or face of a payment card used to verify card-not-presenttransactions.7Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block presentwithin the transaction message.PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix D: Attestation of Compliance for Onsite Assessment – MerchantsOctober 2008Page 66Part 4.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
