Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance: Web-Based Virtual Terminal, No Electronic Cardholder Data Storage. Version 0





Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel








PCI DSS Question (Response: Yes / No / Special*)
12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?

For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s cardholder data environment.

12.1.3 Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment?




12.3 Are usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants [PDAs], e-mail, and Internet usage) developed to define proper use of these technologies for all personnel, and do they require the following:

12.3.1 Explicit approval by authorized parties to use the technologies?




12.3.3 A list of all such devices and personnel with access?




12.3.5 Acceptable uses of the technologies?




12.4 Do the security policy and procedures clearly define information security responsibilities for all personnel?

12.5 Are the following information security management responsibilities formally assigned to an individual or team:

12.5.3 Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?




12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?

12.8 If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows:

12.8.1 Is a list of service providers maintained?




12.8.2 Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of the cardholder data they possess?




12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?




12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status, at least annually?



Appendix A: (not used)



This page intentionally left blank

Appendix B: Compensating Controls


Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

Compensating controls must satisfy the following criteria:



  1. Meet the intent and rigor of the original PCI DSS requirement.

  2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

  3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

When evaluating “above and beyond” for compensating controls, consider the following:

Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments.

      a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other password controls are already PCI DSS requirements for the item under review (passwords).

      b) Existing PCI DSS requirements MAY be considered as compensating controls if they are required for another area, but are not required for the item under review. For example, two-factor authentication is a PCI DSS requirement for remote access. Two-factor authentication from within the internal network can also be considered as a compensating control for non-console administrative access when transmission of encrypted passwords cannot be supported. Two-factor authentication may be an acceptable compensating control if: (1) it meets the intent of the original requirement by addressing the risk of intercepting clear-text administrative passwords; and (2) it is set up properly and in a secure environment.

      c) Existing PCI DSS requirements may be combined with new controls to become a compensating control. For example, if a company is unable to render cardholder data unreadable per requirement 3.4 (for example, by encryption), a compensating control could consist of a device or combination of devices, applications, and controls that address all of the following: (1) internal network segmentation; (2) IP address or MAC address filtering; and (3) two-factor authentication from within the internal network.

  4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to validate that each compensating control adequately addresses the risk the original PCI DSS requirement was designed to address, per items 1-4 above. To maintain compliance, processes and controls must be in place to ensure compensating controls remain effective after the assessment is complete.

Appendix C: Compensating Controls Worksheet


Use this worksheet to define compensating controls for any requirement where “YES” was checked and compensating controls were mentioned in the “Special” column.

Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

Requirement Number and Definition: ________

Information Required / Explanation

  1. Constraints
     List constraints precluding compliance with the original requirement.

  2. Objective
     Define the objective of the original control; identify the objective met by the compensating control.

  3. Identified Risk
     Identify any additional risk posed by the lack of the original control.

  4. Definition of Compensating Controls
     Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.

  5. Validation of Compensating Controls
     Define how the compensating controls were validated and tested.

  6. Maintenance
     Define process and controls in place to maintain compensating controls.



Compensating Controls Worksheet—Completed Example


Use this worksheet to define compensating controls for any requirement where “YES” was checked and compensating controls were mentioned in the “Special” column.

Requirement Number: 8.1—Are all users identified with a unique user name before allowing them to access system components or cardholder data?




Information Required / Explanation

  1. Constraints
     List constraints precluding compliance with the original requirement.
     Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login, nor is it feasible to log all “root” activity by each user.

  2. Objective
     Define the objective of the original control; identify the objective met by the compensating control.
     The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

  3. Identified Risk
     Identify any additional risk posed by the lack of the original control.
     Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.

  4. Definition of Compensating Controls
     Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
     Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the “root” account and perform actions under the “root” account, but its use is logged in the SU-log directory. In this way, each user’s actions can be tracked through the SU account.

  5. Validation of Compensating Controls
     Define how the compensating controls were validated and tested.
     Company XYZ demonstrates to the assessor that the SU command is being executed and that the individuals utilizing the command are logged, so that the individual performing actions under root privileges can be identified.

  6. Maintenance
     Define process and controls in place to maintain compensating controls.
     Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed in a way that would allow individual users to execute root commands without being individually tracked or logged.
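One way an assessor could check the validation and maintenance items above, that every root session is attributable to a named user through su and that no root access bypasses that chain. This is an added example, not part of the PCI SAQ or Company XYZ's procedure; the log lines and their syslog layout are constructed assumptions (real log paths and formats differ by system).

```shell
#!/bin/sh
# Added example: attribute root-privilege use to individual users from su
# audit records. The lines below are constructed sample syslog entries in the
# common "su: (to root) USER on TTY" form; they are not real log data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 28 09:01:12 host1 su: (to root) alice on pts/0
Apr 28 09:15:40 host1 su: (to root) bob on pts/1
Apr 28 09:16:02 host1 su: FAILED su for root by carol
Apr 28 10:03:55 host1 sshd[2211]: Accepted password for root from 10.0.0.5 port 51422 ssh2
Apr 28 10:44:09 host1 su: (to root) alice on pts/2
EOF

# Count successful su-to-root escalations per named user ("user count" lines).
# Field NF-2 is the invoking user in the constructed format above.
su_root_by_user() {
    awk '/su: \(to root\)/ { n[$(NF-2)]++ }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# Direct root logins bypass the su attribution chain the worksheet relies on;
# any non-zero count here means the compensating control is being circumvented.
direct_root_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted [a-z]* for root ' "$1" || true
}

su_root_by_user "$SAMPLE_LOG"
echo "direct root logins: $(direct_root_logins "$SAMPLE_LOG")"
```

Failed su attempts are deliberately excluded from the per-user count; they belong in a separate review of authentication failures.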

Appendix D: Explanation of Non-Applicability


If “N/A” or “Not Applicable” was entered in the “Special” column, use this worksheet to explain why the related requirement is not applicable to your organization.

Requirement / Reason Requirement is Not Applicable

Example: 12.8 / Cardholder data is never shared with service providers.



1 To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, “Selecting the SAQ and Attestation That Best Apply to Your Organization.”

2 Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization. The only elements of track data that may be retained are account number, expiration date, and name.

3 The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.

4 Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.

* “Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.