PCI DSS ISA Study Guide questions and answers 2022 (All)
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Strong cryptography and security protocols must include the following:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.

Examples of security protocols: TLS, IPsec, SSH.

Testing procedures for verifying secure transmission of cardholder data:
- Observe a sample of inbound and outbound transmissions as they occur.
- Examine keys and certificates to verify that only trusted keys and certificates are accepted.
- Examine system configurations to verify that the protocol in use does not support insecure versions or configurations.
- Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use.

What is the testing procedure for TLS implementations?
Examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received (for example, "HTTPS" appears in the browser URL and cardholder data is only requested when it does).

Wireless networks transmitting cardholder data or connected to the cardholder data environment must use what?
Industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

Examples of weak encryption: WEP, SSL (SSL and early TLS are not considered strong cryptography).

Unprotected PANs can be sent via end-user messaging technologies. False.

Examples of end-user messaging technologies: e-mail, instant messaging, SMS, chat.

If end-user messaging technologies are used to send cardholder data, what must be observed?
A sample of outbound transmissions as they occur, to verify that the PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.

What must be reviewed regarding unprotected PANs and end-user messaging technologies?
That a written policy exists stating that unprotected PANs are not to be sent via end-user messaging technologies.

What is considered in scope?
System components that:
- store, process, or transmit cardholder data
- interact with cardholder data
- have a connection to the CDE
- provide security services
- facilitate segmentation

Besides technologies, what else is considered in scope? People and processes.

Examples of systems providing security services:
- Authentication servers (LDAP)
- Time management servers (NTP)
- Patch deployment servers
- Audit log servers and log correlation servers
- Anti-virus management servers
- Routers and firewalls filtering network traffic
- Systems performing cryptographic and/or key management functions
- Systems controlling and/or monitoring physical access

Examples of types of technologies:
- Servers, applications, networks, devices
- Physical security systems
- Logical security systems
- Payment terminals and point-of-sale systems
- Electronic communications
- Backups and disaster recovery "hot" sites
- Telecommunications (POTS vs. VoIP)
- Management systems
- Remote access systems

Sampling
An option for assessors to facilitate the assessment process. Sampling is NOT used to implement PCI DSS requirements or to select which requirements are assessed.

Principles of sampling:
- The sample must be representative of the entire population.
- Both business facilities and system components must be considered.
- The sample of system components must include every type and combination in use.
- The sample must be large enough to provide assurance that controls are implemented as expected.
- The sampling methodology must be documented in the ROC.

Pre-assessment planning includes:
- A list of interviewees, system components, documentation, and facilities.
- Familiarity with the technologies included in the assessment.
- If sampling is used, verifying that the sample selection and size are representative of the entire population.
- Identification of the roles, and the individuals within each role, to be interviewed as part of the assessment.

What are the six goals of the PCI Data Security Standard?
1. Build and Maintain a Secure Network and Systems.
2. Protect Cardholder Data.
3. Maintain a Vulnerability Management Program.
4. Implement Strong Access Control Measures.
5. Regularly Monitor and Test Networks.
6. Maintain an Information Security Policy.

What are the 12 PCI DSS Requirements?
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
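The Requirement 4 testing procedures above tell the assessor to examine system configurations for insecure protocol versions, weak cipher configurations and inadequate key strength, and to confirm that only trusted certificates are accepted. The script below is an added example written for this study guide, not part of the guide or of any PCI SSC material: it audits a constructed nginx-style server configuration for those points and builds a client-side TLS context that enforces them. The directive names (ssl_protocols, ssl_ciphers), the minimum key sizes (RSA 2048-bit, EC 256-bit) and the sample configs are assumptions chosen for illustration; the certificate's key type and size are passed in, since they live in the certificate rather than the config.

```python
"""Audit a TLS server configuration for the PCI DSS Requirement 4 checks:
no insecure protocol versions, no weak ciphers, adequate key strength,
and a client context that accepts only trusted certificates."""
import re
import ssl

# SSL and early TLS are not considered strong cryptography under PCI DSS.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Algorithm name fragments (OpenSSL cipher-suite naming) that indicate weak,
# null or export-grade encryption or hashing.
WEAK_CIPHER_PARTS = {"NULL", "ANULL", "ENULL", "EXP", "EXPORT", "DES", "3DES",
                     "RC4", "RC2", "MD5", "ADH", "AECDH"}
# Minimum key sizes assumed for this audit (RSA 2048-bit, EC 256-bit).
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}

DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)


def parse_ssl_directives(config_text):
    """Return {directive: value} for ssl_protocols / ssl_ciphers in an
    nginx-style config. A later occurrence overrides an earlier one."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE.finditer(config_text)}


def insecure_protocols(value):
    """Protocol versions enabled by the directive that PCI DSS no longer accepts."""
    return [p for p in value.split() if p in INSECURE_PROTOCOLS]


def weak_ciphers(value):
    """Enabled cipher-list entries that name a weak algorithm. Entries prefixed
    with '!' or '-' are exclusions in OpenSSL cipher-list syntax, not enabled
    suites, so they are skipped."""
    flagged = []
    for entry in value.split(":"):
        if not entry or entry[0] in "!-":
            continue
        parts = set(entry.upper().replace("+", "-").split("-"))
        if parts & WEAK_CIPHER_PARTS:
            flagged.append(entry)
    return flagged


def key_strength_finding(key_type, key_bits):
    """None if the key meets the minimum for its type, else a finding string."""
    minimum = MIN_KEY_BITS.get(key_type.upper())
    if minimum is None:
        return f"unrecognised key type {key_type}"
    if key_bits < minimum:
        return f"{key_type} key is {key_bits} bits, minimum is {minimum}"
    return None


def audit_config(config_text, key_type, key_bits):
    """Return a list of findings; an empty list means all checks passed.
    key_type/key_bits describe the server certificate's public key, which the
    assessor reads from the certificate itself (it is not in the config)."""
    findings = []
    directives = parse_ssl_directives(config_text)
    if "ssl_protocols" not in directives:
        findings.append("ssl_protocols not set explicitly; enabled versions cannot be verified from the config")
    else:
        findings += [f"insecure protocol enabled: {p}"
                     for p in insecure_protocols(directives["ssl_protocols"])]
    if "ssl_ciphers" in directives:
        findings += [f"weak cipher enabled: {c}"
                     for c in weak_ciphers(directives["ssl_ciphers"])]
    key_finding = key_strength_finding(key_type, key_bits)
    if key_finding:
        findings.append(key_finding)
    return findings


def hardened_client_context():
    """Client-side counterpart: only trusted certificates (system trust store,
    hostname checked) and TLS 1.2 or later."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample configs for this example; not taken from any real system.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4;
}
"""

if __name__ == "__main__":
    for name, cfg, bits in (("weak", WEAK_CONFIG, 1024), ("hardened", HARDENED_CONFIG, 2048)):
        print(name, audit_config(cfg, "RSA", bits) or ["no findings"])
```

A config review is only half of the testing procedure: aliases such as HIGH are expanded by the TLS library at runtime, and the running service may not match the file on disk, so the assessor should also probe the live listener (for example with openssl s_client forced to an old protocol version) and observe real transmissions as the procedure requires.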
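The end-user messaging procedure above has the assessor observe outbound transmissions to verify that any PAN is rendered unreadable or protected with strong cryptography before it leaves via e-mail, chat, SMS or instant messaging. The following is an added example, not part of the study guide, of the detection logic such an observation (or a DLP control on the mail gateway) would run over message bodies: it finds 13-19 digit runs that pass the Luhn check, ignores already-masked PANs and Luhn-invalid reference numbers, and shows one way to render a PAN unreadable by truncating it to its last four digits. The message ids, bodies and the card numbers used (standard test numbers) are constructed for the example.

```python
"""Scan outbound end-user messages (e-mail, chat, SMS bodies) for PANs sent in
the clear. A hit is a run of 13-19 digits (single spaces or dashes allowed
between digits) that passes the Luhn check; a masked PAN such as
411111******1111 has non-digits in the middle and is therefore never a
candidate."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(text):
    """Return the digit-only PANs found unprotected in one message body."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_message(text):
    """Replace every Luhn-valid PAN in the body with a truncated form that keeps
    only the last four digits, so the message no longer carries a usable PAN."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return "[PAN ending " + digits[-4:] + "]"
        return m.group(0)
    return CANDIDATE.sub(repl, text)


# Constructed sample of outbound messages (message id, body); not real data.
SAMPLE_MESSAGES = [
    ("msg-001", "Hi, please charge card 4111 1111 1111 1111 exp 12/26 for this order."),
    ("msg-002", "Receipt: card ending 411111******1111, amount $42.00."),
    ("msg-003", "Order ref 1234567890123456, call 555-123-4567 with questions."),
    ("msg-004", "Card number is 5555-5555-5555-4444, thanks."),
]


def scan_messages(messages):
    """Return [(message id, [PANs])] for every message carrying a clear PAN."""
    results = []
    for msg_id, body in messages:
        pans = find_clear_pans(body)
        if pans:
            results.append((msg_id, pans))
    return results


if __name__ == "__main__":
    for msg_id, pans in scan_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: unprotected PAN(s) {pans}")
```

The Luhn filter is what keeps the scan usable in practice: order references, phone numbers and tracking ids of similar length are rejected unless they happen to validate, and masked or truncated PANs never match the candidate pattern at all. A scan like this supports the observation step; the written policy that unprotected PANs are not to be sent still has to exist and be reviewed separately.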
Preview 1 out of 7 pages
Uploaded on: Oct 13, 2022
Number of pages: 7