Payment Card Industry (PCI)
Data Security Standard
Requirements and Security Assessment Procedures
Version 3.2
April 2016
Payment Card Industry (PCI) Data Security Standard, v3.2 Page 2
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016
Document Changes
Date | Version | Description | Pages
October 2008 | 1.2 | To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. | 
July 2009 | 1.2.1 | Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. | 5
 | | Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b. | 32
 | | Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b. | 33
 | | For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” | 64
October 2010 | 2.0 | Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. | 
November 2013 | 3.0 | Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. | 
April 2015 | 3.1 | Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. | 
April 2016 | 3.2 | Update from PCI DSS v3.1. See PCI DSS – Summary of Changes from PCI DSS Version 3.1 to 3.2 for details of changes. | 
Table of Contents
Document Changes ..... 2
Introduction and PCI Data Security Standard Overview ..... 5
  PCI DSS Resources ..... 6
PCI DSS Applicability Information ..... 7
Relationship between PCI DSS and PA-DSS ..... 9
  Applicability of PCI DSS to PA-DSS Applications ..... 9
  Applicability of PCI DSS to Payment Application Vendors ..... 9
Scope of PCI DSS Requirements ..... 10
  Network Segmentation ..... 11
  Wireless ..... 11
  Use of Third-Party Service Providers / Outsourcing ..... 12
Best Practices for Implementing PCI DSS into Business-as-Usual Processes ..... 13
For Assessors: Sampling of Business Facilities/System Components ..... 15
Compensating Controls ..... 16
Instructions and Content for Report on Compliance ..... 17
PCI DSS Assessment Process ..... 17
PCI DSS Versions ..... 18
Detailed PCI DSS Requirements and Security Assessment Procedures ..... 19
  Build and Maintain a Secure Network and Systems ..... 20
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data ..... 20
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ..... 29
  Protect Cardholder Data ..... 36
    Requirement 3: Protect stored cardholder data ..... 36
    Requirement 4: Encrypt transmission of cardholder data across open, public networks ..... 47
  Maintain a Vulnerability Management Program ..... 50
    Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs ..... 50
    Requirement 6: Develop and maintain secure systems and applications ..... 53
  Implement Strong Access Control Measures ..... 66
    Requirement 7: Restrict access to cardholder data by business need to know ..... 66
    Requirement 8: Identify and authenticate access to system components ..... 69
    Requirement 9: Restrict physical access to cardholder data ..... 79
  Regularly Monitor and Test Networks ..... 88
    Requirement 10: Track and monitor all access to network resources and cardholder data ..... 88
    Requirement 11: Regularly test security systems and processes ..... 96
  Maintain an Information Security Policy ..... 105
    Requirement 12: Maintain a policy that addresses information security for all personnel ..... 105
Appendix A: Additional PCI DSS Requirements ..... 116
  Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers ..... 117
  Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS ..... 119
  Appendix A3: Designated Entities Supplemental Validation (DESV) ..... 122
Appendix B: Compensating Controls ..... 136
Appendix C: Compensating Controls Worksheet ..... 137
Appendix D: Segmentation and Sampling of Business Facilities/System Components ..... 139
Introduction and PCI Data Security Standard Overview
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate
the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements
designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors,
acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or
sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements.
PCI Data Security Standard – High Level Overview
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
This document, PCI Data Security Standard Requirements and Security Assessment Procedures, combines the 12 PCI DSS requirements and
corresponding testing procedures into a security assessment tool. It is designed for use during PCI DSS compliance assessments as part of an
entity’s validation process. The following sections provide detailed guidelines and best practices to assist entities in preparing for, conducting, and
reporting the results of a PCI DSS assessment. The PCI DSS Requirements and Testing Procedures begin on page 15.
PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to
further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require
specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional
laws, government regulations, or other legal requirements.