LBMC is a proud PCI Qualified Security Assessor Company and has been a part of the PCI compliance community since the inception of the PCI Data Security Standard (PCI DSS). Our team of skilled and experienced QSAs has conducted assessments and consulting engagements for both merchants and service providers of all sizes across all major industries.

QSA Perspective Series: This six-part blog series shares our perspective on understanding, interpreting, and applying the PCI DSS. The topics in the series include:

  • Cardholder Data Environment
  • Connected-to/Security-Impacting Systems
  • Network and Data Flow Diagrams
  • Service Providers and Nested Third Parties
  • Cloud Audits: Is It Really That Different?
  • Cloud Audits: AWS, Azure, the Client: Who Is Responsible for What?

The goal of the series is to share knowledge and provide our perspective on the fundamentals of compliance and how these fundamentals can be applied to help entities achieve and maintain PCI DSS compliance. It is our hope that this series provides valuable insight into how QSAs interpret the PCI DSS and approach compliance assessments.

Cardholder Data Environment

To successfully plan, conduct, and complete an assessment, it is critical to accurately define the scope of compliance. In PCI terminology, this scope is called the cardholder data environment. The PCI Security Standards Council has established that it is the entity’s responsibility to define its cardholder data environment, or CDE, so that the PCI control requirements can be properly applied and successfully assessed. While simple in concept, accurately defining the CDE is most often the greatest challenge to an entity seeking compliance as well as to assessors. This is why scope validation is among the very first activities conducted in an assessment. Without a properly defined CDE, the boundaries of the assessment cannot be determined and, therefore, there can be no confidence that the assessment has included all relevant card payment operations and components. Unfortunately, many assessments, particularly for entities seeking initial certification, are negatively impacted by a CDE that was not properly defined.

So, what does the PCI DSS say about defining the CDE? Quite simply, it says “The CDE is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.” While a simple statement, it nevertheless leaves room for misinterpretation. Cardholder data, or CHD, consists of the full primary account number, or PAN, which is the 16-digit string on the front or back of your credit card, the cardholder’s name, the expiration date, and/or the service code. The service code is generally encoded into the magnetic stripe and should not be confused with the card’s security code, which is the 3- or 4-digit code usually printed on the back of the card. While all of these values are considered CHD, the PCI DSS considers the PAN “the defining factor for cardholder data.” If the full PAN is not present, then the other elements are not considered CHD. You read that right; even if the cardholder’s name, expiration date and/or service code are shown, if the full PAN is not included, then you do not have cardholder data. Conversely, if the full PAN is accompanied by the name, expiration date and/or service code, then all those elements are considered CHD to be secured in accordance with the PCI DSS. By the way, you may have noticed the term full PAN in these definitions. If no more than the first 6 and last 4 digits of the PAN are present, that is not considered the PAN. Anything more than that is equivalent to the full PAN.

Sensitive authentication data, or SAD, is the card’s security-related information including full track data (encoded on the magnetic stripe or chip), card security codes, PINs, and PIN blocks. These elements are used to authenticate cardholders and/or authorize payment card transactions.
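To make the full-PAN, truncation and SAD rules above concrete, here is an added Python example (written for this post, not LBMC’s or the PCI Council’s own tooling) that classifies a data record the way a data-discovery check would; the record field names and sample values are assumptions constructed for the example.

```python
"""Classify a data record against the PCI DSS cardholder-data definitions.

Rules implemented (from the definitions above):
  * CHD exists only when the FULL PAN is present; name, expiration date
    and service code on their own are not CHD.
  * A PAN showing no more than the first 6 and last 4 digits is truncated
    and is not considered the PAN.
  * SAD (track data, card security code, PIN, PIN block) is always sensitive.
Field names and sample values are constructed for this example.
"""

TRUNC_LEAD, TRUNC_TRAIL = 6, 4  # PCI DSS truncation allowance: first 6 / last 4
SAD_FIELDS = ("track_data", "security_code", "pin", "pin_block")
CHD_SUPPORTING = ("cardholder_name", "expiration_date", "service_code")


def is_full_pan(pan: str) -> bool:
    """True if more of the PAN is readable than the first 6 and last 4 digits.

    Any non-digit character (X, *, #) is treated as a masked position.
    Note: this inspects readable values only; per the post, an encrypted
    full PAN is still cardholder data even though no digits are visible here.
    """
    chars = pan.replace(" ", "").replace("-", "")
    if not chars:
        return False
    visible = {i for i, ch in enumerate(chars) if ch.isdigit()}
    allowed = set(range(TRUNC_LEAD)) | set(range(len(chars) - TRUNC_TRAIL, len(chars)))
    # A readable digit outside the allowed window makes this equivalent to the full PAN
    return not visible <= allowed


def classify_record(record: dict) -> dict:
    """Report which PCI DSS data classes a record holds and whether it is in scope."""
    full_pan = is_full_pan(record.get("pan", ""))
    sad = [f for f in SAD_FIELDS if record.get(f)]
    # Supporting elements count as CHD only when the full PAN accompanies them
    chd = (["pan"] + [f for f in CHD_SUPPORTING if record.get(f)]) if full_pan else []
    return {"full_pan": full_pan, "chd_elements": chd, "sad": sad,
            "in_scope": full_pan or bool(sad)}


# Constructed sample records (not real card data)
SAMPLES = {
    "receipt": {"pan": "411111XXXXXX1111", "cardholder_name": "J. Doe", "expiration_date": "12/29"},
    "call_log": {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe"},
    "terminal_dump": {"pan": "4111111111111111", "track_data": "<constructed>", "security_code": "123"},
    "refund_note": {"pan": "4111111XXXXX1111"},  # 7 leading digits: one too many
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, classify_record(rec))
```

The receipt with a name and expiry but a properly truncated PAN is the case the post calls out: it is not CHD, while the refund note, with a single extra digit exposed, is treated as the full PAN.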

The point of beginning with these definitions is that they are the foundational elements for determining an entity’s scope of PCI compliance. The entity and their assessor must identify all instances of cardholder data to be able to define and validate the cardholder data environment. Now, recall that the PCI Council also established that the CDE is comprised of people, processes and technologies. This means that it’s not just computer systems and networks to be considered in scope, but also the people that interact with CHD and the processes and technologies, whether manual or automated, that these people use to facilitate credit card payments and all associated activities. Interviewing these people, observing their processes, and including each of them in the assessment is a fundamental exercise in defining the CDE. While an entity may have any number of people and processes in its CDE, here are some common examples:

  • Customer service representatives
  • Retail store associates
  • Accounting department personnel
  • Mailroom personnel
  • IT system administrators
  • Software developers
  • Database administrators

Here are some common processes these people (or the systems they administer) may perform:

  • Customer service agents taking payments over the phone
  • Retail cashiers swiping cards through a payment terminal
  • Accounting support staff processing refunds and chargebacks
  • Mailroom staff scanning payment slips
  • System administrators installing point-of-sale systems
  • Software developers creating APIs for web payments
  • Database administrators querying payment data tables

Finally, the technologies used in these processes may include:

  • VoIP telephone systems
  • Call recording software
  • Point-of-sale systems and external payment terminals
  • Cloud-based software-as-a-service applications
  • Printers and scanners
  • Various server platforms, e.g., file, database, mainframe, etc.
  • Network switches and routers

Now, you may be thinking, “This is all good information, but isn’t it the assessor’s job to define this scope for me?” In fact, the PCI DSS clearly establishes the shared nature of determining that the CDE has been accurately defined. According to the PCI DSS,

“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identifying all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in the PCI DSS scope. The entity retains documentation that shows how PCI DSS scope was determined. The documentation is retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity. For each PCI DSS assessment, the assessor is required to validate that the scope of the assessment is accurately defined and documented.”

In short, the entity is responsible for identifying the CDE and determining its scope of compliance, and the assessor’s role is to validate what the entity has determined. Together the two parties arrive at an accurately defined CDE before beginning the assessment.

Common Mistakes in PCI DSS Scoping

It bears repeating that, while simple in concept, accurately defining the CDE is often the greatest compliance challenge. Here are some common mistakes that entities, and even assessors, make when defining and validating the CDE and the scope of compliance:

  • Omitting non-standard or supporting processes (e.g., mailroom, accounting).
  • Overlooking locations such as storage closets or offsite records facilities where hardcopy cardholder data is stored.
  • Excluding third parties involved in accepting payments or administering systems.
  • Assuming encrypted data is out of scope (even encrypted data is cardholder data).
  • Using incorrect and/or incomplete network and data flow diagrams to represent the CDE.
  • Maintaining incomplete inventories of all systems that store, process, or transmit cardholder data.

Conclusion

You may recall the old data-processing adage, garbage in, garbage out. It applies equally to defining an entity’s CDE for the purpose of assessing PCI compliance. If the entity’s CDE is not accurately defined, then the results of the assessment will not be accurate either. Entities and their assessors are responsible for understanding what qualifies as cardholder data and then carefully and methodically identifying all people, processes, and technologies involved in the payment process. In the next article in this series, we will consider another element of the PCI DSS’s scoping criteria: connected-to and security-impacting systems.