The Payment Card Industry Data Security Standard (PCI DSS) presents many compliance challenges, particularly for large, complex organizations. Among these challenges are the various periodic (e.g., monthly, quarterly, semi-annual) control requirements found throughout the standard. Achieving and maintaining PCI compliance requires a continuous management approach to successfully execute these control requirements and then demonstrate execution during the annual assessment. Over the course of a year, which is the typical assessment period, it is not uncommon for organizations to overlook execution of one or more of these requirements. This could necessitate an extension to the assessment period to make up for the overlooked task or, in the worst case, result in a non-compliant assessment. Execution of these periodic requirements is often overlooked due to the departure of assigned personnel or other organizational factors and is not attributable to mere negligence. Regardless, the PCI DSS requires these periodic tasks to be executed according to the prescribed schedule, and omission of one or more instances is cause for an assessor to find the entity non-compliant.

Rather than risk omission of periodic control requirements, it is essential that entities proactively monitor these requirements for completion. First and foremost, ownership of each control must be formally assigned to a responsible individual or team. Second, resources must be implemented to remind owners to execute controls, record execution results, and facilitate management oversight. Commonly leveraged resources range from simple calendar reminders to more sophisticated governance, risk, and compliance (GRC) application suites. Entities must take responsibility for ensuring these tasks are successfully executed, as there may be few, if any, opportunities to demonstrate execution after the period has passed.
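One way to build the tracking resource this paragraph calls for, as an added example that is not from the original post or from LBMC: a small Python control register that flags, for each requirement, any span in the assessment period where evidenced executions were further apart than the control's cadence allows, and computes the next due date for owner reminders. The cadence table, the sample register and the 2023 assessment period are constructed for this example; the 90-day quarterly gap follows the ASV scan rule stated later on the page, the other gap values are this example's own choices.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Cadences named on the page, modelled as the maximum allowed number of days between
# two consecutive executions (assumption: 90 days for "quarterly" mirrors the rule the
# page states for passing ASV scans; the other values are this example's choices).
MAX_GAP_DAYS = {"daily": 1, "weekly": 7, "monthly": 31,
                "quarterly": 90, "semi-annual": 183, "annual": 365}

@dataclass
class Control:
    requirement: str                 # e.g. "10.6.1"
    cadence: str                     # key of MAX_GAP_DAYS
    owner: str                       # formally assigned owner, as the page requires
    executions: list[date] = field(default_factory=list)  # evidenced execution dates

def next_due(control: Control) -> date | None:
    """Date by which the next execution must be evidenced (None if never executed)."""
    if not control.executions:
        return None
    return max(control.executions) + timedelta(days=MAX_GAP_DAYS[control.cadence])

def missed_gaps(control: Control, start: date, end: date) -> list[tuple[date, date]]:
    """Spans inside the assessment period [start, end] where consecutive executions
    were further apart than the cadence allows. The last execution before the period,
    if any, anchors the first span, so the period boundary does not excuse a gap."""
    limit = timedelta(days=MAX_GAP_DAYS[control.cadence])
    before = [d for d in control.executions if d < start]
    inside = sorted(d for d in control.executions if start <= d <= end)
    if not inside:
        return [(start, end)]  # nothing at all to show the assessor for this period
    points = [max(before) if before else start] + inside + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > limit]

def overdue_report(register: list[Control], start: date, end: date) -> dict:
    """requirement -> (owner, missed spans), listing only controls with a gap."""
    return {c.requirement: (c.owner, gaps) for c in register
            if (gaps := missed_gaps(c, start, end))}

# Constructed sample register for a 2023 assessment period (not real assessment data).
PERIOD_START, PERIOD_END = date(2023, 1, 1), date(2023, 12, 31)
SAMPLE_REGISTER = [
    Control("11.2 (ASV)", "quarterly", "netsec-team", [date(2022, 12, 15), date(2023, 3, 10),
            date(2023, 6, 5), date(2023, 9, 1), date(2023, 11, 28)]),
    Control("8.1.4", "quarterly", "iam-team", [date(2023, 1, 20), date(2023, 4, 15), date(2023, 10, 10)]),
    Control("12.2", "annual", "ciso", [date(2022, 2, 1)]),  # risk assessment only done last year
]
```

Running `overdue_report(SAMPLE_REGISTER, PERIOD_START, PERIOD_END)` flags 8.1.4 (a gap of well over 90 days between the April and October reviews) and 12.2 (no risk assessment evidenced in the period), while the ASV scan history passes.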

Following is a summary of periodic control requirements found in PCI DSS version 3.2.1, along with some helpful guidance for executing and evidencing each requirement for the assessment. Depending on an entity’s scope of compliance and associated reporting obligations, some requirements may not apply. Entities are encouraged to contact their acquiring bank and consult with a PCI Qualified Security Assessor (QSA) to confirm their reporting and attestation obligations.

Daily Control Requirements

Requirement 10.6.1: Perform Log Reviews

  • This may be accomplished via manual or automated review methods.
  • Prescribed security event types must be reviewed for all cardholder data environment (CDE) system components.
  • Logs for servers and system components that perform security functions must also be reviewed.

Weekly Control Requirements

Requirement 11.5: Critical File Comparisons

  • This may be satisfied via change detection mechanisms such as file integrity monitoring (FIM) software.
  • Comparisons must be performed for all CDE systems.
  • Must facilitate identification of unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files.

Monthly Control Requirements

Requirement 6.2: Install Critical Security Patches

  • This must be executed for all CDE system components and software applications.
  • Entities must have a formal vulnerability management program in place to define and identify critical security vulnerabilities.

Quarterly Control Requirements

Requirement 3: Identify and Securely Delete Stored Cardholder Data (CHD)

  • Entities must first define a CHD retention period. This is usually accomplished via a data classification policy.
  • Entities then must review data storage repositories to ensure stored CHD does not exceed the defined retention period.
  • A secure deletion mechanism must be utilized to ensure data is not recoverable.

Requirement 8.1.4: Remove/Disable Inactive User Accounts at Least Every 90 Days

  • This must be performed for all account directories, whether internal or external, used to control access to the CDE.
  • This may be accomplished via automated review and disabling mechanisms.

Requirement 11.1: Test for the Presence of Wireless Access Points

  • Manual or automated mechanisms may be utilized to detect and identify all authorized and unauthorized wireless access points.
  • This requirement applies whether any wireless networks are utilized in the CDE and/or are in scope for compliance.

Requirement 11.2: Perform Internal and External Network Vulnerability Scans

  • All CDE systems must be subject to vulnerability scanning.
  • For external ASV scans, vulnerabilities must be remediated and rescanned until a passing scan is achieved for each quarter.
  • Passing ASV report dates must be no more than 90 days apart.
  • Scan reports, not raw scan results, must be produced for each quarter’s internal vulnerability scans.

Requirement 12.11: (Service Providers Only) Perform Reviews to Confirm Personnel are Following Security Policies and Operational Procedures

  • This requirement does not supersede other periodic requirements; rather, it is intended as an additional requirement for oversight of the following processes:
    • Daily log reviews
    • Firewall rule-set reviews
    • Applying configuration standards to new systems
    • Responding to security alerts
    • Change management processes

Requirement 12.11.1: (Service Providers Only) Maintain Documentation of the Quarterly Review Process

  • Entities should record execution of oversight activities separately from the activities themselves.
  • Must include review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.

Semi-Annual Control Requirements

Requirement 1.1.7: Review Firewall and Router Rule Sets

  • Must include review of rule sets for all CDE firewalls and routers.
  • Records should include results of the review and any resulting remediation activities.

Requirement 11.3.4.1: (Service Providers Only) Test Segmentation Controls

  • Must be performed if segmentation is employed to isolate the CDE from other networks.
  • Must also be performed after any changes to segmentation controls/methods.
  • This requirement does not supersede annual penetration testing requirements.

Annual Control Requirements

Scope Identification & Validation: As Described on Page 10 of PCI DSS v3.2.1

  • “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (e.g. authentication servers) to ensure they are included in the PCI DSS scope.”
  • The assessor will validate the defined scope as part of the assessment.

Requirement 6.5: Developer Training

  • Development personnel must be trained in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Training may be delivered via internal or external programs.
  • Training records, preferably certificates of completion, should be retained.

Requirement 6.6: Review Public-Facing Web Applications

  • This must be conducted against all public-facing web applications utilized for card payment activities.
  • Either manual or automated application vulnerability security assessment tools or methods may be used.
  • This requirement does not apply if Web Application Firewalls are utilized for continual monitoring.

Requirement 9.5.1: Review the Security of Media Backup Locations

  • This applies only to storage of CHD (in any media format) at off-site facilities.
  • An in-person review, although most effective, is not prescribed.

Requirement 9.7.1: Properly Maintain Inventory Logs of All Media and Conduct Media Inventories

  • This applies only to storage of CHD (in any media format).
  • The results of inventory review should be recorded and provided to the assessor.

Requirement 11: Perform External and Internal Penetration Testing

  • Testing must be performed in accordance with documented methodology.
  • Where applicable, internal penetration testers must be able to demonstrate qualifications, such as through education, training, and/or certification records.
  • Testing records must demonstrate follow-up testing to validate correction of initial findings.

Requirement 11.3.4: Perform Segmentation Validation Testing

  • Must be performed if segmentation is employed to isolate the CDE from other networks.
  • Must also be performed after any changes to segmentation controls/methods.

Requirement 12.1.1: Review and Update Security Policies

  • This may be accomplished by one-time or ongoing review of CDE policies.
  • Records should include results of review and, ideally, be recorded in the body of each policy.

Requirement 12.2: Perform a Risk Assessment

  • This must be a formal review of organizational risks, including those that impact the CDE.
  • The PCI DSS assessment itself does not qualify as a risk assessment.

Requirement 12.6: Ensure Personnel Attend Security Awareness Training

  • Training may be delivered via internal or external programs.
  • Entities must be able to provide records of successful completion by all CDE personnel.

Requirement 12.6.2: Personnel Must Acknowledge Security Policies

  • Acknowledgements may be solicited as part of annual training or separately.
  • Acknowledgements may be obtained electronically or via signature.

Requirement 12.8.4: Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

  • This applies only to service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
  • Entities should review service provider attestations for applicability, completeness, and validity.

Requirement 12.10.2: Test the Incident Response Plan

  • This should be a formal testing activity such as an active simulation or tabletop exercise.
  • Entities should be able to provide testing records to the assessor.

Miscellaneous Periodic Requirements

Several requirements include provisions for periodic execution. In each of these cases, no period is prescribed; however, entities should define these periods in policies and procedures and be able to demonstrate execution accordingly.

Requirement 3.6.4: Cryptographic Key Changes

  • Entities should define a cryptoperiod for changing keys used to encrypt CHD.
  • Policies should also mandate changing keys in the event of a suspected compromise.

Requirement 5.1.2: Evaluation of Evolving Malware Threats

  • Entities must review the threat landscape to determine whether antivirus software should be installed on any non-Windows systems utilized in the CDE.
  • Records of these reviews should be provided to the assessor.

Requirement 5.2: Anti-Virus Scanning

  • Anti-virus software must be configured to perform periodic scans.
  • Scans should ideally be full system scans, not just targeted file scans.

Requirement 9.8: Media Destruction

  • This requirement applies to all media formats on which CHD is stored.
  • Destruction records should be provided to the assessor.

Requirement 9.9.2: Payment Device Tampering Inspections

  • Inspections should ideally be conducted by responsible personnel or trusted support vendors.
  • Personnel who are assigned inspection duties must be subject to training.
  • Inspection records should be provided to the assessor.

Requirement 12.10.4: Security Breach Response Training

  • Incident response personnel must be trained in up-to-date breach response techniques, including incident analysis and forensics.
  • Training may be delivered via internal or external programs.
  • Training records, preferably certificates of completion, should be retained.

Providing the Necessary Evidence

Active management of these periodic control requirements can eliminate situations where an organization is unprepared to demonstrate compliance during an assessment. Each of the activities listed above, as applicable to the entity and its CDE, will be evaluated by the assessor at the time of the PCI assessment. All organizations experience personnel turnover and, unfortunately, these departures can negatively impact the continuity of security operations and compliance programs. Nevertheless, entities must be able to demonstrate that controls have been maintained and operational throughout the assessment period and allow the assessor to validate the effectiveness of the controls. Additionally, although in most cases the control period and objective are defined, there may be more than one way to satisfy a requirement. An experienced and knowledgeable assessor can review control strategies and tactics as they are being implemented to validate that both the intent of the requirement and periodic execution obligations are satisfied.

Whether you’re looking to strengthen your entire network security program or your PCI compliance program specifically, our team in LBMC Information Security can help. Feel free to check out our resource library and podcasts, which provide specific insights you can use to enhance every area of cybersecurity. Connect with our team to learn more about how we can help develop an effective PCI compliance program.

Reference: Payment Card Industry Security Standards Council. Report on Compliance, v3.2.1. http://www.pcisecuritystandards.org/document_library.
