INVENTORY (slide diagram; only the labels survive): SYSTEM Local, Windows, Active Directory, Service, AD Domain, Auditing, Local Admin, root, Administrator, Linux/UNIX, AIX, Red Hat, SUSE, Microsoft SQL Server, Oracle, sa, Account Type, remote login, su, password age, Account Expiration Date, lock, Computer Name, AD Bridge, Account Group, Compliance, R6, mainframe, Account Category, Password Last Set
PCI-DSS 3.1 Compliance Combination (detail)
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
  3.4 Always render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography; truncation; index tokens and pads; strong cryptography with associated key-management processes and procedures.
  3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
    3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
    3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: encrypted with a key-encrypting key; within a secure cryptographic device; as at least two full-length key components or key shares, in accordance with an industry-accepted method.
    3.5.3 Store cryptographic keys in the fewest possible locations.
  3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
  4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
Requirement 3.4
Render the PAN unreadable anywhere it is stored (including on portable digital media, backup media and in logs) by using any of the following approaches:
• One-way hash functions based on strong cryptography (the hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of the PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures
SafeNet Tokenization
Meets 3.4, PAN
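The two 3.4 approaches above that need no key-management infrastructure (truncation, and a one-way hash that must cover the entire PAN), together with the slide's point that logs are a storage location too, as an added Python example; this is not code from the slides or from SafeNet. The HMAC key, the widely published Visa test number 4111111111111111 and the log line are constructed sample values, and using a keyed hash (HMAC-SHA256) instead of a bare hash is this example's choice, not something the slide specifies.

```python
"""Rendering a stored PAN unreadable, in the spirit of PCI DSS 3.4: truncation, or a
keyed one-way hash over the entire PAN, plus a scrubber that catches PANs that leaked
into log lines. Added example; not code from the slides or from SafeNet."""
import hashlib
import hmac
import re

# Constructed secret for the keyed hash. Assumption: in a real deployment it lives in
# a key manager or HSM, separate from the hashed values, so that the small PAN space
# cannot be exhausted offline by someone who holds only the database.
HASH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

PAN_PATTERN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn check: used here to tell a real PAN from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """A plausible PAN: 13 to 19 digits that pass the Luhn check."""
    return PAN_PATTERN.fullmatch(value) is not None and luhn_valid(value)


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and the last four digits.
    The dropped middle segment is replaced by 'X' so the field keeps its length."""
    if not is_pan(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way hash over the ENTIRE PAN (3.4 forbids hashing only part of it).
    HMAC-SHA256 with a secret key rather than bare SHA-256, because the PAN space
    is small enough that an unkeyed hash can be brute-forced offline."""
    if not is_pan(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line with its truncated form,
    so a PAN that leaked into application logs is not stored in readable form.
    Digit runs that fail the Luhn check (order ids, timestamps) are left alone."""
    def _redact(match: re.Match) -> str:
        candidate = match.group(0)
        return truncate_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_redact, line)


# Constructed sample input: the published Visa test number and a made-up log line.
SAMPLE_PAN = "4111111111111111"
SAMPLE_LOG = "2015-06-01T12:00:00Z INFO checkout pan=4111111111111111 order=123456789012345 ok"

if __name__ == "__main__":
    print(truncate_pan(SAMPLE_PAN))   # 411111XXXXXX1111
    print(hash_pan(SAMPLE_PAN))       # 64 hex characters, stable for a given key
    print(scrub_log_line(SAMPLE_LOG))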
Requirement 3.5.2
Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a host security module (HSM) or a PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method
SafeNet KeySecure uses a multi-tier architecture of key-encrypting keys. The appliance meets the FIPS 140-2 Level 3 standard, supporting the US government's requirement that key management be protected against tampering.
StorageSecure is also a powerful encryption appliance; it is FIPS 140-2 certified and provides centralized key management and encryption-key storage from a single device.
Requirement 3.6
Fully document and implement all key-management processes and procedures for keys used to encrypt cardholder data, including:
• 3.6.4 Key changes at the end of the key's cryptoperiod (for example, after a defined period has passed and/or after a given key has produced a certain amount of ciphertext), as defined by the associated application vendor or key owner and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).
• 3.6.5 Retirement or replacement (for example, archiving, destruction and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component) or the key is suspected of being compromised.
• 3.6.6 If manual clear-text key-management operations are used, these operations must be managed using split knowledge and dual control.
• 3.6.7 Prevention of unauthorized substitution of cryptographic keys.
• 3.6.8 Requirement for key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
3.6.4 ─ KeySecure centrally manages encryption keys and policies, covering the entire key-management lifecycle across the enterprise, virtual data centers and public cloud environments. KeySecure provides a key-rotation mechanism so that customers can rotate keys efficiently according to their security policy.
3.6.5 ─ Keys are always stored in encrypted form within the KeySecure appliance. KeySecure's centralized management includes detailed logging and audit trails that capture every key state change, administrator access and policy change. Audit records are stored securely and signed to prevent repudiation.
3.6.6 ─ More than 20 administrative access-control lists in KeySecure support different personnel creating, deleting and accessing keys. Security teams can require that two administrators approve certain types of operations, such as key generation, before they proceed.
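The "two full-length key components" form from 3.5.2 and the split knowledge and dual control demanded by 3.6.6 for manual clear-text key operations, as an added Python example; this is not code from the slides or from SafeNet KeySecure. The XOR split into full-length components, the SHA-256-based key check value and the 32-byte sample key are this example's assumptions; a real ceremony would hand each component to a different custodian and record only the check value and the participants, never the key.

```python
"""Split knowledge and dual control for a data-encrypting key: the key is held as two
(or more) full-length components, each with a separate custodian, and only their
combination yields the key. Added example; not code from the slides or from SafeNet."""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; both inputs must be full-length (same size as the key)."""
    if len(a) != len(b):
        raise ValueError("components must be full-length and of equal size")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2):
    """Split `key` into `custodians` full-length components.
    All but the last component are fresh random bytes; the last is key XOR (all others).
    Any subset missing even one component is uniformly random, so a single custodian
    learns nothing about the key (split knowledge)."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_key(components) -> bytes:
    """Reconstruct the key; every component must be present (dual control)."""
    if len(components) < 2:
        raise ValueError("dual control needs at least two components")
    key = components[0]
    for component in components[1:]:
        key = xor_bytes(key, component)
    return key


def key_check_value(key: bytes) -> str:
    """Assumed KCV scheme: first three bytes of SHA-256(key). Custodians compare KCVs
    to confirm they rebuilt the same key without ever displaying the key itself."""
    return hashlib.sha256(key).hexdigest()[:6]


def key_ceremony(key: bytes, custodians: int = 2) -> dict:
    """Simulate a manual clear-text key ceremony: split, hand out, later recombine and
    verify via KCV. Returns what an audit record of the ceremony would hold (no key)."""
    expected_kcv = key_check_value(key)
    components = split_key(key, custodians)
    # Each custodian receives exactly one component; components never travel together.
    reconstructed = combine_key(components)
    return {
        "custodians": custodians,
        "component_length": len(key),
        "kcv": expected_kcv,
        "kcv_verified": key_check_value(reconstructed) == expected_kcv,
    }


# Constructed sample key (a fixed key like this is only for demonstration).
SAMPLE_KEY = bytes(range(32))  # 256-bit data-encrypting key

if __name__ == "__main__":
    parts = split_key(SAMPLE_KEY)
    print("component 1:", parts[0].hex())
    print("component 2:", parts[1].hex())
    print("reconstructed matches:", combine_key(parts) == SAMPLE_KEY)
    print(key_ceremony(SAMPLE_KEY, custodians=3))
```

Each run produces different components because the random half is regenerated, yet the combination always returns the same key; this is what lets the check value, rather than the key, be the thing custodians compare aloud.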
PCI-DSS 3.1 Compliance Combination (overview)
Build and Maintain a Secure Network and System
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data (1.3)
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (2.1, 2.2, 2.3)
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data (3.4, 3.5, 3.6)
  Requirement 4: Encrypt transmission of cardholder data across open, public networks (4.1)
Maintain a Vulnerability Management Program
  Requirement 6: Develop and maintain secure systems and applications (6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7)
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need to know (7.1, 7.2, 7.3)
PCI-DSS 3.1 Compliance Combination (overview, continued)
Implement Strong Access Control Measures
  Requirement 8: Identify and authenticate access to system components (8.1, 8.2, 8.3, 8.5, 8.7)
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data (10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8)
  Requirement 11: Regularly test security systems and processes (11.1)
Additional PCI DSS Requirements for Shared Hosting Providers
  Requirement A.1: Shared hosting providers must protect the cardholder data environment (A.1)