PCI DSS and PA-DSS v3.0 Officially Released
2013-11-11
November 7, 2013 - The Payment Card Industry Security Standards Council (PCI SSC) has released new versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS): Version 3.0. The latest standards can be downloaded from the official PCI SSC website. Version 3.0 takes effect in January 2014, and version 2.0 remains valid until December 31, 2014, giving assessed organizations sufficient time to transition to compliance with the new version.
In line with the PCI DSS and PA-DSS development lifecycle and with global industry needs and feedback, the standards undergo a formal revision every three years. Version 3.0 gives organizations greater flexibility and places more emphasis on education, awareness, and security as a shared responsibility (for example, with third parties), so that payment security becomes part of day-to-day business activity.
The changes in the new version include specific recommendations for embedding PCI DSS into everyday business processes and best practices so that PCI DSS compliance is maintained continuously; an updated version of the guidance document Navigating PCI DSS (one of the standard's guidance documents); and enhanced testing procedures that clarify the expected level of assessment for each requirement.
The new requirements include the following items (English original text):
PCI DSS
Req. 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected
Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer*
Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution*
Req. 11.3 and 11.3.4 - implement a methodology for penetration testing if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective*
Req. 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism
Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
Req. 12.9 - for service providers, provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.2*
PA-DSS
Req. 5.1.5 - payment application developers to verify integrity of source code during the development process
Req. 5.1.6 - payment applications to be developed according to industry best practices for secure coding techniques
Req. 5.4 - payment application vendors to incorporate versioning methodology for each payment application
Req. 5.5 - payment application vendors to incorporate risk assessment techniques into their software development process
Req. 7.3 - application vendor to provide release notes for all application updates
Req. 10.2.2 - vendors with remote access to customer premises (for example, to provide support/maintenance services) use unique authentication credentials for each customer
Req. 14.1 - provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually
A more detailed summary of the changes to the standards is available on the official PCI DSS website.
atsec will hold comprehensive PCI DSS training in Shenzhen on December 12 and 13, focusing on an introduction to PCI DSS v3.0 and a workshop analyzing the impact of the changes. For detailed course information, see: atsec PCI Training Enrollment Brochure.
About atsec information security
atsec information security is an independent, standards-based information technology (IT) security services company (www.atsec.com) that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich, Germany, in 2000 and conducts extensive international business through offices in the United States, Germany, Sweden, and China. atsec's services include formal laboratory testing and evaluation, independent testing and evaluation, and information security consulting.
atsec provides services under the PCI SSC programs and is a QSA company able to deliver assessment services for the PCI DSS and PA-DSS standards. atsec China is currently the only neutral information security assessment organization in China to have obtained PCI SSC QSA, ASV, and PA-QSA qualifications as an independent entity. atsec's penetration testing, application security, ASV (Approved Scanning Vendor) services, and information security consulting services provide strong support for its assessment work. atsec is an independent company and has no commercial relationship with any product vendor.
atsec provides cryptographic module and algorithm testing services under the Cryptographic Module Validation Program established by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). atsec also provides formal testing under the NIST Personal Identity Verification Program (NPIVP), the Cryptographic Algorithm Validation Program (CAVP), and the Security Content Automation Protocol (SCAP) program, as well as product approval testing under the GSA FIPS 201 EP.
atsec is willing to work with any company, regardless of size, that takes IT security seriously.