pci_dss_v1-2 (1027411), page 3 (text extracted from the file)
PCI DSS Requirements and Security Assessment Procedures, v1.2. Copyright 2008 PCI Security Standards Council LLC. October 2008. Page 9

3. Details about Reviewed Environment

Include the following details in this section:

- A diagram of each piece of the communication link, including LAN, WAN or Internet
- Description of cardholder data environment, for example:
  - Document transmission and processing of cardholder data, including authorization, capture, settlement, chargeback and other flows as applicable
  - List of files and tables that store cardholder data, supported by an inventory created (or obtained from the client) and retained by the assessor in the work papers. This inventory should include, for each cardholder data store (file, table, etc.):
    • List all of the elements of stored cardholder data
    • How data is secured
    • How access to data stores is logged
- List of hardware and critical software in use in the cardholder data environment, along with description of function/use for each
- List of service providers and other entities with which the company shares cardholder data (Note: these entities are subject to PCI DSS Requirement 12.8)
- List of third-party payment application products and version numbers in use, including whether each payment application has been validated according to PA-DSS. Even if a payment application has been PA-DSS validated, the assessor still needs to verify that the application has been implemented in a PCI DSS compliant manner and environment, and according to the payment application vendor’s PA-DSS Implementation Guide. Note: It is not a PCI DSS requirement to use PA-DSS validated applications. Please consult with each payment brand individually to understand their PA-DSS compliance requirements.
- List of individuals interviewed and their titles
- List of documentation reviewed
- For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP’s customers to include in their reviews. Include information about which of the MSP’s IP addresses are scanned as part of the MSP’s quarterly vulnerability scans, and which IP addresses are the responsibility of the MSP’s customers to include in their own quarterly scans.

4. Contact Information and Report Date

Include:
- Contact information for merchant or service provider and assessor
- Date of report

5. Quarterly Scan Results

Summarize the four most recent quarterly scan results in the Executive Summary as well as in comments at Requirement 11.2.

Note: It is not required that four passing quarterly scans must be completed for initial PCI DSS compliance if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning going forward, and 3) any vulnerabilities noted in the initial scan have been corrected as shown in a re-scan. For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.

Scan must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Security Scanning Procedures.

6. Findings and Observations

Summarize in the Executive Summary any findings that may not fit into the standard Report on Compliance template format.

All assessors must use the Detailed PCI DSS Requirements and Security Assessment Procedures template to provide detailed report descriptions and findings on each requirement and sub-requirement.

The assessor must review and document any compensating controls considered to conclude that a control is in place. See Compensating Controls section above and Appendices B and C for more details on “compensating controls.”

Revalidation of Open Items

A “controls in place” report is required to verify compliance. The report is considered non-compliant if it contains “open items,” or items that will be finished at a future date. The merchant/service provider must address these items before validation is completed. After these items are addressed by the merchant/service provider, the assessor will then reassess to validate that the remediation occurred and that all requirements are satisfied. After revalidation, the assessor will issue a new Report on Compliance, verifying that the cardholder data environment is fully compliant, and submit it consistent with instructions (see below).

PCI DSS Compliance – Completion Steps

1. Complete the Report on Compliance (ROC) according to the section above entitled “Instructions and Content for Report on Compliance.”
2. Ensure passing vulnerability scan(s) have been completed by a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of passing scan(s) from the ASV.
3. Complete the Attestation of Compliance, for either Service Providers or Merchants as applicable, in its entirety. See Appendices D and E for Attestations of Compliance.
4. Submit the ROC, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers).

Detailed PCI DSS Requirements and Security Assessment Procedures

For the PCI DSS Requirements and Security Assessment Procedures, the following defines the table column headings:

PCI DSS Requirements – This column defines the Data Security Standard and lists requirements to achieve PCI DSS compliance; compliance will be validated against these requirements.

Testing Procedures – This column shows processes to be followed by the assessor to validate that PCI DSS requirements are “in place”.

In Place – This column must be used by the assessor to provide a brief description of controls found in place, including those controls found to be in place as a result of compensating controls. (Note that this column must not be used for items that are not yet in place or for open items to be completed at a future date.)

Not in Place – This column must be used by the assessor to provide a brief description of controls that are not in place. Note that a non-compliant report should not be submitted to a payment brand or acquirer unless specifically requested. See Appendix D and Appendix E: Attestations of Compliance for further instructions on non-compliant reports.

Target Date/Comments – For those controls “Not In Place” the assessor may include a target date that the merchant or service provider expects to have controls “In Place”. Any additional notes or comments may be included here as well.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are computer devices that control computer traffic allowed between a company’s network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company’s internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connection such as business to business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Table columns: PCI DSS Requirements | Testing Procedures | In Place | Not in Place | Target Date/Comments

1.1 Establish firewall and router configuration standards that include the following:
    Testing procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
    Testing procedure 1.1.1: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
    Testing procedure 1.1.2.a: Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.
    Testing procedure 1.1.2.b: Verify that the diagram is kept current.

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
    Testing procedure 1.1.3: Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone. Verify that the current network diagram is consistent with the firewall configuration standards.

1.1.4 Description of groups, roles, and responsibilities for logical management of network components
    Testing procedure 1.1.4: Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure
    Testing procedure 1.1.5.a: Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
    Testing procedure 1.1.5.b: Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.
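An added example, not part of the PCI DSS document or the PCI SSC's material, of how an assessor might mechanically reconcile a firewall's allow rules against the documented services list for testing procedures 1.1.5.a and 1.1.5.b. The rule export format, the shape of the documentation, and the set of protocols treated as insecure are assumptions for this illustration.

```python
# Added example, not from the PCI DSS document: reconcile firewall allow rules
# against the documented services/protocols/ports list of Requirement 1.1.5.
# Rule format, documentation format and the "insecure" set are assumptions.

# Constructed: per allowed service, (business justification, security features).
DOCUMENTED = {
    ("tcp", 443): ("e-commerce HTTPS", "TLS only, current cipher suites"),
    ("tcp", 22): ("admin SSH to DMZ bastion", "key auth, source IP restricted"),
    ("tcp", 21): ("legacy FTP batch upload", ""),  # insecure, nothing documented
    ("tcp", 8443): ("management portal", "TLS"),  # documented, but no rule
}

# Assumed list of services the assessor treats as insecure under 1.1.5.b.
INSECURE = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}

# Constructed firewall export: one "action protocol port" rule per line.
RULES = """\
allow tcp 443
allow tcp 22
allow tcp 21
allow tcp 23
deny any any
"""

def parse_allowed(rules_text):
    """Return (protocol, port) for every explicit allow rule, in rule order."""
    allowed = []
    for line in rules_text.splitlines():
        action, proto, port = line.split()
        if action == "allow" and port != "any":
            allowed.append((proto, int(port)))
    return allowed

def assess(rules_text, documented, insecure):
    """Produce (sub-requirement, finding) pairs for the Not in Place column."""
    findings = []
    allowed = parse_allowed(rules_text)
    for proto, port in allowed:
        key = (proto, port)
        if key not in documented:
            findings.append(("1.1.5.a", f"{proto}/{port} allowed but absent from documented list"))
        elif key in insecure and not documented[key][1].strip():
            findings.append(("1.1.5.b", f"{insecure[key]} ({proto}/{port}) allowed, no security features documented"))
    # A documented service with no matching rule means the list is stale, so
    # the standards are not "complete" as testing procedure 1.1 requires.
    for proto, port in documented:
        if (proto, port) not in allowed:
            findings.append(("1.1.5.a", f"{proto}/{port} documented but no allow rule found"))
    return findings
```

Each finding names the sub-requirement it fails under, so it can be copied into the Not in Place column with the affected service as evidence.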