
Payment Card Industry (PCI) Data Security Standard
PCI DSS
Version 1.2
October 2008
PCI DSS v1.2 October 2008
Copyright 2008 PCI Security Standards Council LLC i


October 1, 2008   1.2   PCI DSS v1.2 / v1.1




Contents
1 2 ........................................................................ 3
PCI ........................................................................ 4
Build and Maintain a Secure Network (Requirements 1 and 2) ................. 5
Requirement 1: Install and maintain a firewall configuration to protect cardholder data ..... 5
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ..... 10
Protect Cardholder Data (Requirements 3 and 4) ............................. 13
Requirement 3: Protect stored cardholder data .............................. 13
Requirement 4: Encrypt transmission of cardholder data across open, public networks ..... 19
Maintain a Vulnerability Management Program (Requirements 5 and 6) ......... 21
Requirement 5: Use and regularly update anti-virus software or programs .... 21
Requirement 6: Develop and maintain secure systems and applications ........ 23
Implement Strong Access Control Measures (Requirements 7, 8 and 9) ......... 29
Requirement 7: Restrict access to cardholder data by business need to know . 29
Requirement 8: Assign a unique ID to each person with computer access ...... 30
Requirement 9: Restrict physical access to cardholder data ................. 34
Regularly Monitor and Test Networks (Requirements 10 and 11) ............... 38
Requirement 10: Track and monitor all access to network resources and cardholder data ..... 38
Requirement 11: Regularly test security systems and processes .............. 41
Maintain an Information Security Policy (Requirement 12) ................... 43
Requirement 12: Maintain a policy that addresses information security for employees and contractors ..... 43
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers (A.1) ..... 49
A PCI ...................................................................... 51

12 (PCI DSS)

(
)
PCI DSS PCI DSS
(SAQ) PCI DSS PCI
DSS v1.2
PCI DSS

WebProxy
(NTP)
(DNS)
()

(QSA)

PCI DSS

PCI SSC (QSA)


PCI QSA

PCI SSC

https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

(PAN)

()
PAN

(1) (2) CAV2/CVC2/CVV2/CID (3) PIN/PIN

(PAN) PCI DSS PA-DSS PAN

PCI DSS PA-DSS

PCI DSS 3 4

3

CAV2/CVC2/CVV2/CID

2
PIN/PIN
1
PAN PCI DSS

()

PAN
PCI DSS
2
()
3


() 4
5

PIN 6

PCI DSS PA-DSS

6
/
PIN
1 2
( 1 2)

1 2

1 2
1 2
79

40
PCI

3
4

5
6

7
8 ID
9

10
11

12
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
() ()

()


1.1

1.1.1

1.1.2

PCI DSS


1.1.3
(DMZ)

1.1.4

1.1.5

()

()

1.1.6

(
)


1.2

(
/)
()

1.2.1

IP

(
)

1.2.2

()

1.2.3

(
)

()


1.3

()

1.3.1 DMZ

1.3.2 DMZ IP

IP

)
1.3.3

DMZ

( Web )

1.3.4
DMZ
IP

IP

(
)

1.3.5

DMZ IP
DMZ
DMZ

DMZ

1.3.6
(
)

()

()


1.3.7 DMZ


DMZ

1.3.8 RFC 1918 IP


(NAT)
(PAT)
IP


IP
IP IP

1.4
/
()

/ rootkit ()

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
()



2.1
(

(SNMP)
)
()

2.1.1

SNMP


()


802.11x (WEP)

( WPA/WPA2)
2.2

()

www.nist.gov, www.sans.org, www.cisecurity.org

2.2.1


1. Web

2.

()
(Unix, Linux, Windows)

2.2.2
(

)
1.1.7 (
)

2.2.3

2.2.4

Web

(
/ FTP
Web )
2.3
SSH, VPN, SSL/TLS (web-based management)

(
)


2.4

A
PCI DSS

A
Protect Cardholder Data
Requirement 3: Protect stored cardholder data

PAN
PAN
PCI DSS PA-DSS
PCI
DSS

3.1


PAN ()

3.2
()

3.2.1 3.2.3
() 7

8
PIN 9

PCI DSS PA-DSS

9
/
PIN

3.2.1 (
)

1 2

(PAN)

PCI DSS PA-DSS

3.2.2
(

)
PCI DSS PA-DSS

/ (MO/TO)


MO/TO
3.2.3
(PIN) PIN


PIN (
ATM )

3.3 PAN (

PAN

(
[POS] )

PAN
PAN

PCI
9 PAN
PAN
3.4 PAN

()

PAN
(
) (
) PAN
PAN

PAN ( PAN)
PCI DSS PA-DSS


( SHA-1)

(
)
PAN (
)
PAN PAN (
PAN)
Token Pad (Pad
)
Token Pad
Token Token
PAN Pad

Pad

PAN

PAN B

PCI
DSS PA-DSS

(PCI
DSS PA-DSS )
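Requirement 3.3 limits what of the PAN may be displayed (first six and last four digits at most) and 3.4 lists the ways stored PAN is rendered unreadable: one-way hashes (the standard names SHA-1 as an example), truncation, index tokens and pads with the pads stored securely, or strong cryptography with key management. The following is an added example, not code from the standard or from any vendor, showing each of the first three in working form. Two design choices are the author's and not required by the text: the hash is a keyed HMAC-SHA-256 rather than a bare SHA-1, because the PAN space under a known BIN is small enough to enumerate against an unkeyed hash, and the token vault is an in-memory dict standing in for a protected store. The test PAN 4111111111111111 is a conventional Luhn-valid test number, not a real card.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check so a typo is never hashed or tokenized as if it were a PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.3 display masking: at most the first six and last four digits remain visible.
    This is a display control only; masked PAN is not the same as 3.4 unreadable storage."""
    if not luhn_valid(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """3.4 truncation: only the last four digits are retained; the rest is discarded, not hidden."""
    if not luhn_valid(pan):
        raise ValueError("not a PAN")
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 one-way hash. Keyed (HMAC-SHA-256, an added choice) so that someone who obtains
    the hashes cannot simply enumerate Luhn-valid numbers under a BIN and match them."""
    if not luhn_valid(pan):
        raise ValueError("not a PAN")
    if len(key) < 16:
        raise ValueError("hashing key too short")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """3.4 index tokens: the token is random and carries no information about the PAN.
    The mapping is the secret; in a real deployment it is the most sensitive store in scope
    and gets the encryption, access control and logging of Requirements 3, 7 and 10."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN")
        if pan in self._token_by_pan:            # same PAN always maps to the same token
            return self._token_by_pan[pan]
        token = secrets.token_hex(16)            # 128 random bits, unrelated to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    test_pan = "4111111111111111"
    vault = TokenVault()
    print("masked   :", mask_pan(test_pan))
    print("truncated:", truncate_pan(test_pan))
    print("hashed   :", hash_pan(test_pan, secrets.token_bytes(32)))
    print("token    :", vault.tokenize(test_pan))
```

Whichever method is chosen, the decision is about what must later be recovered: truncation and hashing are irreversible, tokens are reversible only through the vault, and only encryption (3.4's fourth option, with the key management of 3.5 and 3.6) returns the PAN to any holder of the key.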

3.4.1 (
)

1)
2)
3.5

3.5.1

3.5.2

(
)

3.6


()
3.6.1 3.6.8
3.6.1 PCI DSS
PA-DSS

3.6.2
3.5.1
3.6.3
()
3.6.4

(
)

3.6.5

(
)
( 3.6.6)

3.6.6

3.6.7


3.6.8

Requirement 4: Encrypt transmission of cardholder data across open, public networks


4.1
SSL/TLS IPSEC

PCI DSS


(GSM)

(GPRS)

/
Web SSL
URL https
v3.0 SSL (
)

4.1.1

( IEEE 802.11i)

2009 3 31 WEP

2010 6 30 WEP

WEP
WEP WEP
(IV)

WEP
(
WPA)

WEP


4.2 (
)

PAN


PAN

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
()

()


5.1
()

()

/
(CD, DVD, USB)
(PDA)

Unix ()
PCI DSS 6.2

Unix (AIX, Solaris, HP-Unix)
6.2



5.1.1

5.2

Requirement 6: Develop and maintain secure systems and applications


6.1

(
)

()


30
2-3
6.2
(
)
PCI DSS 2.2

6.3 PCI DSS (


)


6.3.1

6.3.1.1 (

)
6.3.1.2
6.3.1.3
6.3.1.4
6.3.1.5 (RBAC)

6.3.2 /

6.3.3 /

6.3.4
( PAN)

()
6.3.5

6.3.6

ID

ID


6.3.7


()
PCI DSS 6.3

PCI DSS 6.6


Web

6.4

6.4.1

6.4.2

6.4.3

6.4.4


6.5 Web (
Web )
Web (OWASP)

PCI DSS v1.2


6.5.1 6.5.10
OWASP OWASP

6.5.1 (XSS)

Web XSS XSS

6.5.2 SQL
LDAP, XPath

SQL Web


Web
Web
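Requirement 6.5.2 covers injection flaws (SQL, LDAP, XPath): untrusted input spliced into a query changes the query's structure. The block below is an added example, not code from the standard, showing the flaw and its fix side by side for the SQL case in Python's standard sqlite3 module; the same principle (never build the query from input, pass input as a bound parameter or an escaped literal) applies to LDAP and XPath. The customer table and email addresses are constructed for the example.

```python
import sqlite3

# Constructed sample data (hypothetical customers; the masked PANs follow 3.3 masking).
SAMPLE_ROWS = [
    (1, "alice@example.com", "411111******1111"),
    (2, "bob@example.com", "555555******4444"),
    (3, "carol@example.com", "378282******0005"),
]

INJECTION = "' OR '1'='1"   # classic payload: closes the literal and appends a true condition


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, masked_pan TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Deliberately flawed: the caller's string becomes part of the SQL text, so
    INJECTION turns the WHERE clause into  email = '' OR '1'='1'  and returns every row."""
    sql = f"SELECT id, email, masked_pan FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Parameterized query: the input is bound as data and can only ever be compared
    against the email column, whatever characters it contains."""
    sql = "SELECT id, email, masked_pan FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict[str, int]:
    """Row counts each version returns for the injection payload."""
    conn = open_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, INJECTION)),
        "safe": len(lookup_safe(conn, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
```

Input validation (6.5.1 and the "validate all input" theme of 6.5) is still worth doing, but it is a second layer: the parameterized query is what removes the injection itself.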

6.5.3
(RFI)

PHP, XML


6.5.4 URL
(
)

6.5.5 (CSRF)
Token CSRF
Web

CSRF Web
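Requirement 6.5.5 names the per-session token as the defence against cross-site request forgery: the browser will send the victim's cookies with a forged request, but a cross-site attacker cannot read the token embedded in the legitimate form. The following is an added example, not code from the standard, of the server side of that check. The session store is an in-memory dict standing in for a real server-side session, and the /transfer form is hypothetical.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store (an assumption standing in for a real session backend).
SESSIONS: dict[str, dict[str, str]] = {}


def new_session() -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    return SESSIONS[sid]["csrf"]


def render_transfer_form(sid: str) -> str:
    """The token travels in the page itself, not in a cookie, so a forged cross-site
    request (which carries cookies automatically) cannot include it."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(sid)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(sid: Optional[str], form: dict[str, str]) -> tuple[int, str]:
    """State-changing request: accepted only when the submitted token matches the
    session's token. Comparison is constant-time; the session id comes from the cookie
    and the token from the form body, so both must agree."""
    if sid is None or sid not in SESSIONS:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    expected = SESSIONS[sid]["csrf"]
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form.get('amount', '0')}"


if __name__ == "__main__":
    sid = new_session()
    print(render_transfer_form(sid))
    print(handle_transfer(sid, {"csrf_token": csrf_token(sid), "amount": "10"}))
    print(handle_transfer(sid, {"amount": "10"}))   # what a forged request looks like
```

The token is checked on every state-changing request, not just on login; a GET that changes state is itself a 6.5.5 finding because no form token is involved at all.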
6.5.6


Web


ID

6.5.7


Token Token
Token

6.5.8 Web

6.5.9


6.5.10 URL URL
URL

URL

6.6 Web

Web

Web
Web
Web

Web
Web

/
Web
Web

6.6 Web
(www.pcisecuritystandards.org)

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know


7.1


7.1.1 ID

7.1.2

7.1.3

7.1.4

RBAC

7.2

7.2.1
7.2.2


7.2.3

(
)

Requirement 8: Assign a unique ID to each person with computer access
(ID)


8.1 ID

(
ID)

8.2 ID

(token)
ID
ID (
ID
)
8.3
(
)

(RADIUS)
Token (TACACS)
VPN ( SSL/TLS
IPSEC)
(
)

(
[]

/ [])
8.4 (
PCI DSS PA-DSS
)

ID /

ID
ID

8.5


8.5.1 ID

ID

ID
8.5.2

(
)
ID (
)

8.5.3

8.5.4



/
HR

8.5.5 /
90

8.5.6

( POS )

12.3.8 12.3.9
8.5.7

(
)


8.5.8

8.5.9 90

8.5.10

8.5.11

8.5.12

ID
( Windows)

8.5.13
ID

()

8.5.14 30
ID

(
30 )

()
8.5.15 15

/

8.5.16


()
(
DBA )
Requirement 9: Restrict physical access to cardholder data


9.1

9.1.1

9.1.2


(
)

9.1.3



9.2

()

9.3
(
)

9.3.1

9.3.2 (
)

9.3.3

9.4

9.5


9.6

9.7

9.7.1

9.6

9.7.2

()

9.8
(
)

9.6

9.9

9.6

9.9.1

9.6


9.10

9.10.1

9.10.2

PC CD

9.6

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data


10.1
()

10.2

10.2.1

10.2.2

10.2.3
10.2.4
10.2.5

10.2.6
10.2.7


(
)


10.3

10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6

10.2

10.4

10.5

10.5.1

10.5.2

10.5.3

10.5.4
LAN
(
)
()
(DNS )


10.5.5

()

10.6

(IDS)
(AAA)
RADIUS
10.6


10.7

(
)

Requirement 11: Regularly test security systems and processes


11.1

IDS/IPS

IDS/IPS

11.2 (


(PCI SSC)
(ASV)

PCI DSS


11.3

Web )

11.3.1
11.3.2

( 2.2)

11.4 /

()
/

()


11.5


()
()

(FIM)


FIM

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors


12.1

12.1.1 PCI DSS

12.1.2

12.1.3

12.2
(

12.3 (

/
(PDA))


12.3.1

12.3.2 (ID, token, VPN)

12.3.3

12.3.4

12.3.5
12.3.6

12.3.7

12.3.8

12.3.9


( POS )

15
8.5.6
12.3.10

12.4


12.5

12.5.1

12.5.2

12.5.1

12.5.4

12.5.5

12.6

12.6.1

12.6.2

(
)
/

12.7 (
9.2)

(
)

PAN

()


12.8

12.8.1

12.8.2

12.8.3

12.8.4
PCI DSS
PCI DSS

12.9


12.9.1

12.9.2

12.9.3

12.9.4

12.9.5


12.9.6

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
A.1: Protect each hosted entity's environment and data, per A.1.1 through A.1.4
12.8 ()

PCI DSS 2.4



A.1 A.1.1 A.1.4
(
)

PCI DSS


PCI DSS (
)
PCI DSS A
/
PCI DSS PCI DSS

A.1.1

ID

A.1.2

(1) Web
ID (2)
(3) (4)
(5)

A.1.3

PCI DSS 10


A.1.4

A PCI
PCI


PCI
PCI DSS
PCI

PCI A 10
PCI B 10
PCI C 10

PCI D 10

PCI DSS PA-DSS


10
PCI
SAQ
