Payment Card Industry (PCI) Security Standard and Security Assessment Procedures, Version 2.0, October 2010

PCI DSS V2.0




2. 2008 PCI DSS v1.2 PCI DSS PCI DSS 1.2 10 v1.1 PCI PCI DSS 1.1 1.2 PCI DSS v1.1 v1.2 5 6.3.7.a 6.3.7.b thenthan322009 1.2.1 6.5.b 337 642010 2.0 v1.2.1 PCI DSS - PCI DSS 1.1 1.2 10 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC2 3. 2 PCI .............................................................................................................................................................. 5PCI DSS ............................................................................................................................................................................ 7PCI DSS PA-DSS ................................................................................................................................................................. 9PCI DSS ......................................................................................................................................................... 10 ..................................................................................................................................................................10 .................................................................................................................................................................................11/ .....................................................................................................................................................................11/ ...................................................................................................................................................11 ......................................................................................................................................................................12 ...............................................................................................................................................................13 
...........................................................................................................................................................16PCI DSS ................................................................................................................................................16 PCI DSS ................................................................................................................................................ 18 ........................................................................................................................................................................ 19 1 ................................................................................................19 2 ....................................................................23 ............................................................................................................................................................................... 26 3.................................................................................................................................26 4 ......................................................................................32 ............................................................................................................................................................................ 34 5 ..................................................................................................................34 6 ..................................................................................................................35 ................................................................................................................................................................. 
40 7 ......................................................................................40 8 ID ...................................................................................................41PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC3 4. 9 ......................................................................................................................45 ........................................................................................................................................................................ 49 10 .........................................................................................49 11 .........................................................................................................................53 ............................................................................................................................................................................ 57 12..........................................................................................57 A PCI DSS ............................................................................................................ 62 B ............................................................................................................................................................ 64 C ................................................................................................................................................. 65 ...................................................................................................................................................... 66 D / ........................................................................................................................ 67 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 4 5. PCI (PCI) (DSS) PCI DSSPCI DSSPCIDSS 12 PCI DSS (PCI ) 12 PCI DSS PCI DSS PCI DSS PCI DSS 19 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 5 6. 
PCI (PCI SSC) (www.pcisecuritystandards.org) PCI DSS PCI DSS PCI DSS PCI DSS PA-DSS PCI DSSFAQ () www.pcisecuritystandards.org PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC6 7. PCI DSS PCI DSS (PAN) CAV2/CVC2/CVV2/CID PIN/PIN PCI DSS (PAN) PCI DSS PAN PCI DSS PA-DSS / PAN PCI DSS PAN 3.3 3.4 PCI DSS()PCI DSSPCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 7 8. 3.4 (PAN) 2 3.2 1 CAV2/CVC2/CVV2/CID 3.2 PIN/PIN 3.2 PCI DSS 3.3 3.4 PAN PAN PCI DSS 3.4 PAN PCI DSS / PAN 1 ()2 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 8 9. PCI DSS PA-DSS PA-DSS PCI DSS PCI DSSPA-DSS ( PA-DSS 13.1) (PA-DSS) PCI DSS ()PCI DSS Error! Hyperlink reference notvalid. PCI-DSS PCI DSS (CAV2CIDCVC2CVV2) PIN / PCI DSS ()PA-DSS PA-DSS PA-DSSPA-DSS () PCI DSS PA-DSS PA-DSS www.pcisecuritystandards.org PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 9 10. PCI DSS PCI DSS PCI DSS//HypervisorWeb (NTP) (DNS) () PCI DSS PCI DSS PCI DSS PCI DSS (CDE) PCI DSS () PCI DSS CDE /CDE PCI DSS PCI DSS / () PCI DSS PCI DSS PCI DSS PCI DSS () () PCI DSSPCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 10 11. PCI DSS D / PCI DSS () (WLAN) () PCI DSS (1.2.32.1.1 4.1.1)// (ROC) 1) PCI DSS 2) PCI DSS PCI DSS 3 (MSP) PCI DSS 12.8/ PCI DSS / PCIDSSPCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 11 12. / PCI DSS PCI DSS PCI DSS PCI DSS Apache WWW Sun Oracle Windows HP-UX MYSQL Linux ( Windows 7 Solaris 10) (Web )// PCI DSS///(/)/ PCI DSS/// PCI DSS PCI DSS D/ B C ( C) PCI DSS ROC B C PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 12 13. 1. - / - ()- (- (MOTO))- () ()- - POS Web ()- ()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 13 14. 2. PCI DSS - - - - ( Internet ) PCI DSS (/) - - - - PCI DSS / - - / PCI DSS PCI DSS LAN / ( POS ) PCI DSS PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 14 15. 3. 
( LANWAN Internet) - - () () / PCI DSS 12.8) PA-DSS PA-DSS PCI DSS PA-DSS PA-DSS PCI DSS PA-DSS ) (MSP) MSP() MSP MSP IP MSP IP MSP PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 15 16. 4. 5. 11.2.2 4 ASV PCI DSS 1) 2) 3) PCI DSS PCI (ASV) ( Internet) IP 6. PCI DSS N/A B C// ()PCI DSS 1. (ROC) 2. PCI SSC (ROC) ASV PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 16 17. 3. PCI SSC (www.pcisecuritystandards.org) 4. () () ROCPCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 17 18. PCI DSS PCI DSS PCI DSS - PCI DSS - PCI DSS - PCI SSC (www.pcisecuritystandards.org)/ - PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 18 19. 1 () () Internet Internet 1 1 PCI DSS / 1.1 1.1 1.1.11.1.1 1.1.21.1.2.a () ()1.1.2.b 1.1.31.1.3.a DMZ (DMZ)1.1.3.b 1.1.41.1.4 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 19 20. PCI DSS / 1.1.51.1.5.a ( (HTTP) (SSL) (SSH) (VPN) ) 1.1.5.b FTPTelnetPOP3IMAP SNMP 1.1.61.1.6.a 6 1.1.6.b 6 1.2 1.2/ 1.2.11.2.1.a 1.2.1.b 1.2.2 1.2.2 ()() 1.2.31.2.3 () () PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 20 21. PCI DSS / 1.3 Internet 1.3 DMZ DMZ 1.3.1 1.3.1 DMZ DMZ 1.3.2 DMZ IP 1.3.2 DMZ IP Internet Internet 1.3.3 Internet 1.3.3 Internet 1.3.4 Internet DMZ1.3.4 Internet DMZ 1.3.51.3.5 Internet Internet 1.3.61.3.6 ()( ( ) ) 1.3.7 1.3.7 ()DMZ DMZ 1.3.8 IP1.3.8.a IP Internet IP (NAT)PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 21 22. PCI DSS / 1.3.8.b IP / RFC1918 1.4 Internet 1.4.a Internet/ /()() 1.4.b/PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 22 23. 2 () PCI DSS /2.12.1 () (SNMP) ( Internet/)2.1.12.1.1 2.1.1.a SNMP 2.1.1.b SNMP 2.1.1.c / 2.1.1.d 2.1.1.e ()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 23 24. 
PCI DSS /2.2 2.2.a2.2.b 6.2 2.2.c (CIS)2.2.d (2.2.1 2.2.4) (ISO) (SANS) (NIST) 2.2.12.2.1.a (Web DNS2.2.1.b ) 2.2.22.2.2.a 2.2.2.b SSHS-FTPSSL IPSec VPN NetBIOSTelnetFTP 2.2.3 2.2.3.a/2.2.3.bPCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 24 25. PCI DSS / 2.2.3.c 2.2.42.2.4.a () 2.2.4.b. Web 2.2.4.c. 2.32.3 Web 2.3.a SSHVPN SSL/TLS 2.3.b Telnet2.3.c Web2.4 A.1.1 A.1.4 2.4 A A PCI DSS) PCI DSS APCI DSS ()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 25 26. 3() PAN PANPCI DSS PA-DSS PCI DSS PCI DSS / 3.1 3.1 3.1.13.1.1.a ( Y X ) 3.1.1.b3.1.1.c 3.1.1.d () ()()3.1.1.ePCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 26 27. PCI DSS / 3.2 3.2.a() / 3.2.1 3.2.3 3.2.b3.2.c 3.2.1 3.2.1 ( ) 1 2 () (PAN) 3.2.2 3.2.2 () (CVV2CVC2CIDCAV2 ) () 3.2.3 (PIN) 3.2.3PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 27 28. PCI DSS / PIN PIN PIN () 3.3 PAN 3.3 PAN () () (PAN) PAN PAN (POS)3.4 3.4.a PAN /PAN () PAN ( ) ( PAN) ( PAN) 3.4.b PAN () Token Pad (Pad)3.4.c () PAN PAN 3.4.d PAN PAN PAN PANPCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 28 29. PCI DSS / 3.4.1 3.4.1.a () () () 3.4.1.b () 3.4.1.c 3.5 3.5 3.5.1 3.5.1 3.5.2 3.5.2.a 3.5.2.b 3.6 3.6.a PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 29 30. PCI DSS / 3.6.b ( 3.6.1 - 3.6.8NIST) http://csrc.nist.gov3.6.c 3.6.1 3.6.1 3.6.2 3.6.2 3.6.3 3.6.3 3.6.4 3.6.4 (/ ) (NIST 800-57) 3.6.5 3.6.5.a () (/) 3.6.5.b () 3.6.5.c / PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 30 31. PCI DSS / 3.6.6 3.6.6 ( ) 3.6.7 3.6.7 3.6.8 3.6.8 () PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 31 32. 4 PCI DSS /4.1 4.1(SSL/TLSIPSEC SSH ) PCI DSS4.1.a Internet 4.1.b / (GSM) (GPRS)4.1.c (/) 4.1.e SSL/TLS HTTPS (URL) HTTPS URL 4.1.1 4.1.1 ( IEEE ( IEEE802.11i) 802.11i) 2010 6 30 WEP 4.2 4.2.a PAN PAN(PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 32 33. PCI DSS / ) PAN4.2.b PAN PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 33 34. 
5 (malware)InternetPCI DSS /5.1 5.1 () 5.1.1 5.1.1 ( rootkit)5.2 5.25.2.a 5.2.b 5.2.c5.2.d PCI DSS 10.7 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 34 35. 6PCI DSS / 6.1 6.1.a6.1.b()6.2 6.2.a (6.2.b 4.0 CVSS// 6.2.a 2012 6 30 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 35 36. PCI DSS / 6.3 PCI DSS6.3.aa()/( WEB 6.3.b) 6.3.c PCI DSS6.3.d 6.3.1 6.3.1 ID / ID 6.3.2 6.3.2.a () ()( PCI DSS 6.5) Web () PCI DSS6.3.2.b 6.6 6.3.2.a 6.4 6.4 () 6.4.1 /6.4.1 / PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 36 37. PCI DSS / 6.4.2 6.4.2 // 6.4.3 ( PAN)6.4.3 ( PAN) 6.4.4 6.4.4 6.4.5 6.4.5.a 6.4.5.1 6.4.5.4 6.4.5.b / 6.4.5.1 6.4.5.1 6.4.5.2 6.4.5.2 6.4.5.3 6.4.5.3.a 6.4.5.3.b PCI DSS 6.5 6.4.5.4 6.4.5.4 6.5 6.5.a 6.5.b 6.5.1 6.5.9 PCI DSS 6.5.c. (OWASP SANS CWE 25CERT)PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 37 38. PCI DSS / 6.5.1 SQL 6.5.1 SQL OS( LDAP Xpath ) 6.5.2 6.5.2 () 6.5.3 6.5.3 ( ) 6.5.4 6.5.4 () 6.5.5 6.5.5 () 6.5.6 6.5.6 PCI DSS 6.2 ( PCI DSS 6.2 ) 2012 6 30 6.5.7 - 6.5.9 Web () 6.5.7 (XSS)6.5.7 (XSS) () 6.5.8 6.5.8 ( URL URL ) ( ) 6.5.9 (CSRF)6.5.9 (CSRF)()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 38 39. PCI DSS / 6.6 Web 6.6 Web Web ()- - Web- - Web - Web Web Web Web PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 39 40. 7PCI DSS /7.1 7.1 7.1.1 ID7.1.1 ID7.1.2 7.1.2 ( RBAC)7.1.37.1.3 ()7.1.4 7.1.4 7.27.27.2.1 7.2.1 7.2.27.2.2 7.2.3 7.2.3 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 40 41. 8 ID(ID) () 8.18.2 8.5.8 - 8.5.15 ()PCI DSS /8.1 8.1 ID ID8.2 ID8.2 ID () 8.3 8.3 () ()((RADIUS)(TACACS)) ( 8.2)()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 41 42. PCI DSS / 8.4 8.4.a8.4.b8.5 8.5 8.5.1 8.5.1 IDID ID ID() 8.5.2 8.5.2 / 8.5.3 8.5.3 8.5.4 8.5.4 ID 8.5.5 908.5.5 90 / 8.5.6 8.5.6.a 8.5.6.b PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 42 43. 
PCI DSS / 8.5.7 8.5.7 ID 8.5.8 8.5.8.a ID ID ID ID ID 8.5.8.b / 8.5.8.c 8.5.9 908.5.9.a 90 8.5.9.b / 8.5.108.5.10.a 8.5.10.b / 8.5.118.5.11.a 8.5.11.b / 8.5.128.5.12.a PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 43 44. PCI DSS / 8.5.12.b / 8.5.13 8.5.13.a ID 8.5.13.b / 8.5.14 308.5.14 ID 30 8.5.15 8.5.15 15/ 15 8.5.168.5.16.a 8.5.16.b () () 8.5.16.c 8.5.16.d ID ID () PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 44 45. 99 () PCI DSS /9.1 9.1 () 9.1.1 9.1.1.a /// 9.1.1.b / 9.1.1.c / 9.1.2 9.1.2 9.1.3 9.1.3 / / PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 45 46. PCI DSS / 9.2 9.2.a 9.2.b b9.2.c9.3 9.3 9.3.1 9.3.1 ID ID 9.3.2 9.3.2.a ID 9.3.2.b () 9.3.3 9.3.3 ID PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 46 47. PCI DSS /9.4 9.4.a9.4.b9.5 9.5.a9.5.b 9.6 9.6 ()9.7 9.7 () 9.7.1 9.7.1 9.7.2 9.7.2 9.8 9.8() 9.9 9.99.9.1 9.9.1 9.109.10 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 47 48. PCI DSS / 9.10.19.10.1.a 9.10.1.b 9.10.29.10.2 ()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 48 49. 10 ()PCI DSS / 10.1 10.1() 10.2 10.2 10.2.1 10.2.1 10.2.2 10.2.2 10.2.3 10.2.3 10.2.4 10.2.4 10.2 5 10.2.5 10.2.6 10.2.6 10.2.7 10.2.7 10.3 10.3 ( 10.2) 10.3.1 10.3.1 10.3.2 10.3.2 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 49 50. PCI DSS / 10.3.3 10.3.3 10.3.4 10.3.4 10.3.5 10.3.5 10.3.6 10.3.6 10.4 10.4.a PCI DSS 6.1 6.2 10.4.b (NTP) 10.4.1 10.4.1.a UTC10.4.1.b 10.4.2 10.4.2.a10.4.2.b 10.4.3 10.4.3 () IP()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 50 51. PCI DSS / 10.5 10.5 10.5.1 10.5.1 10.5.2 10.5.2 / 10.5.3 10.5.3 10.5.4 10.5.4 LAN(DNS) 10.5.5 10.5.5 () 10.6 10.6.a (IDS) 10.6.b (AAA) ( RADIUS) 10.610.7 10.7.a()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 51 52. PCI DSS / 10.7.b PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 52 53. 
11 PCI DSS / 11.111.1.a11.1.b/ WLAN (NAC) IDS/IPS ( USB )11.1.c11.1.d ( IDS/IPSNAC)11.1.e ( 12.9)PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 53 54. PCI DSS / 11.2 11.2 ()PCI DSS 1)2) 3) PCI DSS 11.2.1 11.2.1.a 12 11.2.1.b PCI DSS 6.2 11.2.1.c ( QSA ASV) 11.2.211.2.2.a (PCI SSC) 12 (ASV) (PCI SSC) 11.2.2.b ASV (ASV) ( CVSS 4.0 )PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 54 55. PCI DSS / 11.2.2.c (PCI SSC) (ASV) 11.2.311.2.3.a 11.2.3.b CVSS 4.0 PCI DSS 6.2 11.2.3.c ( QSA ASV)11.311.3.a11.3.b () 11.3.c ( QSA ASV) 11.3.1 11.3.1 11.3.2 11.3.2 6.5 11.411.4.a/ /PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 55 56. PCI DSS /11.4.b IDS / IPS11.4.c IDS/IPS IDS/IPS11.511.5.a 11.5.b ()()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 56 57. 12 12 PCI DSS / 12.1 12.1 () 12.1.1 PCI DSS 12.1.1 PCI DSS 12.1.212.1.2.a (12.1.2.b OCTAVEISO 27005 NIST SP 800- 30) 12.1.312.1.3 12.2 12.2 ()12.3 12.3 (/(PDA)) 12.3.1 12.3.1 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 57 58. PCI DSS / 12.3.2 12.3.2 ID () 12.3.312.3.3 12.3.412.3.4 12.3.5 12.3.5 12.3.6 12.3.6 12.3.7 12.3.7 12.3.812.3.8 12.3.912.3.9 12.3.10 12.3.10.a 12.3.10.b PCI DSS 12.412.4 12.512.5 12.5.112.5.1 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 58 59. PCI DSS / 12.5.212.5.2 12.5.312.5.3 12.5.412.5.4 12.5.5 12.5.5 12.612.6.a 12.6.b 12.6.112.6.1.a () 12.6.1.b 12.6.212.6.2 () 12.712.7 ()()()PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 59 60. PCI DSS /12.812.8 () 12.8.1 12.8.1 12.8.212.8.2 12.8.312.8.3 () () 12.8.412.8.4 PCI DSS PCI DSS 12.912.9 12.9.112.9.1.a (California Bill 1386 ) 12.9.1.b 12.9.2 12.9.2 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 60 61. PCI DSS / 12.9.3 24 712.9.3 24 7 IDS / 12.9.412.9.44 12.9.512.9.5 () 12.9.612.9.6 PCI DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 61 62. 
A PCI DSS A.1 12.8 () PCI DSS 2.4 / A.1 A.1.1 A.1 PCI DSSA.1.4 ( ()) (Microsoft Windows Unix/Linux) A.1.1 A.1.4 PCI DSS PCI DSS () A.1.1A.1.1 () ID ID CGI ID A.1.2A.1.2.a ID (/) A.1.2.b ()(chrootjailshell ) A.1.2.c PCI PA-DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 62 63. /A.1.2.d A.1.2.e (race)CPU A.1.3A.1.3 PCI DSS 10 A.1.4A.1.4 PCI PA-DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 63 64. B PCI DSS 1. PCI DSS 2. PCI DSS PCI DSS ( PCI DSS PCI DSS )3. PCI DSS ( PCI DSS ) PCI DSS a) c) PCI DSS a) PCI DSSPCI DSS () () PCI DSS b) PCI DSS PCI DSS(1)(2) c) PCI DSS 3.4()(1) (2) IP MAC (3)4. PCI DSS 1-4 PCI DSS PCI DSSPCI PA-DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 64 65. C PCI DSS PCI DSS 1. 2. 3. 4. () 5. 6. PCI PA-DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 65 66. 8.1 1. XYZ LDAP Unix XYZ 2. 3. ID 4. XYZ SU SU () SU SU 5. XYZ SU 6. XYZ SU PCI PA-DSS 2.0 2010 10 2008 PCI Security Standards Council LLC 66 67. D / PCI DSS v2.0 2010 10 2008 PCI Security Standards Council LLC 67