Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

Network Segmentation

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce:

- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.

An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices.

Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment.

If network segmentation is in place and will be used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment.
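As an added example (not part of the PCI DSS document or any PCI SSC tooling), the following Python script shows one way an assessor or network engineer can check whether a first-match firewall ACL actually isolates the cardholder data environment from out-of-scope subnets, which is the verification the paragraph above asks for. The ACL line format, the subnets and the probe ports are constructed assumptions. The point it illustrates is that reading rules in isolation is not enough: a narrow permit can be shadowed by an earlier deny, and a single broad permit from a non-CDE subnet makes the segmentation inadequate.

```python
"""Check whether a first-match ACL isolates the cardholder data environment
(CDE) from out-of-scope subnets.  Added example: the rule syntax, subnets
and ports are constructed assumptions, not taken from PCI DSS."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one line of the hypothetical ACL format:
    '<permit|deny> <src-cidr> <dst-cidr> <port|any>'."""
    action, src, dst, port = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                None if port == "any" else int(port))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an ACL with no match denies by default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


def segmentation_findings(rules, cde_nets, other_nets, probe_ports):
    """Return (src_net, dst_net, port) triples where a host outside the CDE
    can reach a CDE host.  One representative host per subnet is probed, so
    an empty result is evidence for the assessor to confirm, not proof."""
    findings: List[Tuple[str, str, int]] = []
    for src_net in other_nets:
        src = str(next(src_net.hosts()))
        for dst_net in cde_nets:
            dst = str(next(dst_net.hosts()))
            for port in probe_ports:
                if evaluate(rules, src, dst, port) == "permit":
                    findings.append((str(src_net), str(dst_net), port))
    return findings


# Constructed sample environment: corporate users, guest wireless and the CDE.
CDE_NETS = [ipaddress.ip_network("10.20.0.0/24")]
OTHER_NETS = [ipaddress.ip_network("10.10.0.0/24"),     # corporate users
              ipaddress.ip_network("192.168.50.0/24")]  # guest wireless LAN

# Constructed ACL.  Line 3 looks like a narrow permit but is shadowed by the
# deny on line 2; line 1 leaves the guest LAN with full access to the CDE.
ACL_TEXT = """\
permit 192.168.50.0/24 10.20.0.0/24 any
deny   10.10.0.0/24    10.20.0.0/24 any
permit 10.10.0.0/24    10.20.0.0/24 443
permit 10.20.0.0/24    10.20.0.0/24 any
"""
RULES = [parse_rule(line) for line in ACL_TEXT.splitlines() if line.strip()]


def run_example():
    """Probe a few well-known service ports from each out-of-scope subnet."""
    return segmentation_findings(RULES, CDE_NETS, OTHER_NETS, (22, 443, 3306))


if __name__ == "__main__":
    for src_net, dst_net, port in run_example():
        print(f"FINDING: {src_net} can reach CDE {dst_net} on port {port}")
```

Run as a script it reports three findings, all from the guest wireless LAN; the corporate subnet produces none because the deny on line 2 is matched before the permit on line 3. A real assessment would replace the constructed ACL with the exported rule base of each device on the segment boundary and extend the probe set to every subnet and service in the data-flow diagram.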
At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented.

Appendix F: PCI DSS Reviews – Scoping and Selecting Samples provides more information on the effect of scoping during a PCI DSS assessment.

PCI DSS Requirements and Security Assessment Procedures, v1.2
Copyright 2008 PCI Security Standards Council LLC
October 2008
Page 5

Wireless

If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless local area network (LAN) is connected to or part of the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS requirements and testing procedures for wireless environments apply and must be performed as well (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, a company should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission.

Third Parties/Outsourcing

For service providers required to undergo an annual onsite assessment, compliance validation must be performed on all system components where cardholder data is stored, processed, or transmitted.

A service provider or merchant may use a third-party provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.

For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the reviewed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance, or 2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customer's PCI DSS assessments. See the bullet beginning “For managed service provider (MSP) reviews” under Part 3 in the “Instructions and Content for Report on Compliance” section below for more information.

Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data. Refer to Requirement 12.8 in this document for details.

Sampling of Business Facilities and System Components

The assessor may select representative samples of business facilities and system components in order to assess PCI DSS requirements.
These samples must include both business facilities and system components, must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.

Examples of business facilities include corporate offices, stores, franchise merchants, and business facilities in different locations. Sampling should include system components for each business facility. For example, for each business facility, include a variety of operating systems, functions, and applications that are applicable to the area under review. Within each business facility, the reviewer could choose Sun servers running Apache WWW, Windows servers running Oracle, mainframe systems running legacy card processing applications, data transfer servers running HP-UX, and Linux servers running MySQL. If all applications run from a single OS (for example, Windows or Sun), then the sample should still include a variety of applications (for example, database servers, web servers, data transfer servers). (See Appendix F: PCI DSS Reviews – Scoping and Sampling.)

When selecting samples of business facilities and system components, assessors should consider the following:

- If there are standard, required PCI DSS processes in place that each facility must follow, the sample can be smaller than is necessary if there are no standard processes, to provide reasonable assurance that each facility is configured per the standard process.
- If there is more than one type of standard process in place (for example, for different types of system components or facilities), then the sample must be large enough to include system components or facilities secured with each type of process.
- If there are no standard PCI DSS processes in place and each facility is responsible for their processes, then sample size must be larger to be assured that each facility understands and implements PCI DSS requirements appropriately.

Please also refer to Appendix F: PCI DSS Reviews – Scoping and Selecting Samples.

Compensating Controls

On an annual basis, any compensating controls must be documented, reviewed and validated by the assessor and included with the Report on Compliance submission, per Appendix B: Compensating Controls and Appendix C: Compensating Controls Worksheet.

For each and every compensating control, the Compensating Controls Worksheet (Appendix C) must be completed. Additionally, compensating control results should be documented in the ROC in the corresponding PCI DSS requirement section.

See the above-mentioned Appendices B and C for more details on “compensating controls.”

Instructions and Content for Report on Compliance

This document must be used as the template for creating the Report on Compliance. The assessed entity should follow each payment brand’s respective reporting requirements to ensure each payment brand acknowledges the entity’s compliance status.
Contact each payment brand to determine reporting requirements and instructions.

Report Content and Format

Follow these instructions for report content and format when completing a Report on Compliance:

1. Executive Summary

Include the following:

- Describe the entity’s payment card business, including:
  - Their business role with payment cards, which is how and why they store, process, and/or transmit cardholder data
    Note: This is not intended to be a cut-and-paste from the entity’s web site, but should be a tailored description that shows the assessor understands payment and the entity’s role.
  - How they process payment (directly, indirectly, etc.)
  - What types of payment channels they serve, such as card-not-present (for example, mail-order-telephone-order (MOTO), eCommerce), or card-present
  - Any entities that they connect to for payment transmission or processing, including processor relationships
- A high-level network diagram (either obtained from the entity or created by assessor) of the entity’s networking topography that includes:
  - Connections into and out of the network
  - Critical components within the cardholder data environment, including POS devices, systems, databases, and web servers, as applicable
  - Other necessary payment components, as applicable

2. Description of Scope of Work and Approach Taken

Describe the scope, per the Scope of Assessment section of this document, including the following:

- Environment on which assessment focused (for example, client’s Internet access points, internal corporate network, processing connections)
- If network segmentation is in place and was used to reduce scope of the PCI DSS review, briefly explain that segmentation and how assessor validated the effectiveness of the segmentation
- Document and justify sampling used for both entities (stores, facilities, etc.) and system components selected, including:
  - Total population
  - Number sampled
  - Rationale for sample selected
  - Why sample size is sufficient to allow assessor to place reasonable reliance that controls reviewed represent controls in place throughout entity
  - Describe any locations or environments that store, process, or transmit cardholder data that were EXCLUDED from the scope of the review, and why these locations/environments were excluded
- List any wholly-owned entities that require compliance with the PCI DSS, and whether they are reviewed separately or as part of this assessment
- List any International entities that require compliance with the PCI DSS, and whether they are reviewed separately or as part of this assessment
- List any wireless LANs and/or wireless payment applications (for example, POS terminals) that are connected to, or could impact the security of the cardholder data environment, and describe security in place for these wireless environments
- The version of the PCI DSS Requirements and Security Assessment Procedures document used to conduct the assessment
- Timeframe of assessment

3.