
(PCI DSS)

2.0
2010


PCI DSS 4
PCI DSS 5
PCI DSS PA-DSS 7
PCI DSS 8
PCI DSS 16
PCI DSS 16
1: 17
2: , 23
3: 28
4: 39
5: 41
6: 43
PCI DSS , 2.0
Copyright 2010 PCI Security Standards Council LLC. PCIDSS.RU.

2010
. 2

7: 51
8: , 53
9: 61
10: 67
11: 72
12: 78
A: PCI DSS 88
B: 91
C: 92
D: 94


PCI DSS
(PCI DSS) ,
. PCI DSS
, .
,
- , , -, , ,
, , . PCI DSS
, ,
. 12 PCI DSS.

PCI DSS

1: .
2: , .


3: .
4: .


5: .
6: .


7: .
8: , .
9: .


10: .
11: .


12: .

, PCI DSS, 12
PCI DSS.
PCI DSS .
,
PCI DSS. PCI DSS 18.

PCI SSC (PCI Security Standards Council) (www.pcisecuritystandards.org) ,


:


PCI DSS: PCI DSS
, PCI DSS PA-DSS
FAQs

: PCI DSS
PCI DSS, ,
.
www.pcisecuritystandards.org

PCI DSS
PCI DSS , , .
:

:
PAN




CAV2/CVC2/CVV2/CID
PIN/PIN-

PAN ( ) PCI DSS. PCI DSS , ,


. PAN , , PCI DSS .


, / , PAN,
, PCI DSS, 3.3 3.4,
PAN.
PCI DSS , ,
. ,
(, ), .
, , , .PCI DSS
, .

; ; . ,
, .

3.4
PCI DSS

CAV2/CVC2/CVV2/CID

PIN / PIN Block


(PAN)

(Cardholder Name)

(Service Code)


(Expiration Date)

2

( ).

3.3 3.4 PAN. PAN , 3.4


PAN.
PAN , , PCI DSS .

PCI DSS PA-DSS


, PA-DSS, PCI
DSS, , PCI DSS
, ( 13.1 PA-DSS).
PA-DSS PCI DSS ( ). PA-DSS PCI DSS.
PCI DSS
, , (CAV2,
CID, CVC2, CVV2), PIN PIN-.
, :
/ ;
, , PCI DSS, ,
, ;
, .

PA-DSS , ,
, ,
.
PA-DSS:

PA-DSS , , ..
.
PA-DSS , - ,
( , ),
, -
PCI DSS.

PA-DSS ,
PA-DSS, www.pcisecuritystandards.org.


PCI DSS
PCI DSS . ,
, .
, , ,
. , , ,
. , ,
, , . -,
, , , , -, (NTP) DNS-.
, ().
PCI DSS .
, PCI
DSS, , PCI DSS.
PCI DSS :

, ,
;

, , ,
PCI DSS ;

PCI DSS,
, ;

, ,
/ PCI DSS.


PCI DSS, ,
:

PCI DSS;
PCI DSS;
PCI DSS;
( , ).

(.. ), PCI DSS .


, ,
.

-, ,
.
.
,
.
PCI DSS, ,
. ,
, , .
, , .
D: PCI DSS
.


, (, POS) (,
), PCI DSS ( , 1.2.3, 2.1.1 4.1.1).

. .


, ,
.
- ,
; , , , .
.
, , ,
(Report on Compliance, ROC) , ,
, ( ). ( )
:
1) PCI DSS ,
2) PCI DSS
.

, MSP (Managed Service Providers) 3


.
- PCI DSS
, . . 12.8.


PCI DSS. , , PCI DSS, -
. -,
. -,
-. , .
-
PCI DSS. , PCI DSS
. , PCI
DSS. PCI DSS .
- ( ): , ,
. -. ,
, .
, , - Sun Solaris,
- Apache, Windows-, Oracle, ,
, HP-UX Linux- MySQL.
(, Windows 7 Solaris 10), (. D:
).
- :
, PCI DSS, . ,
, , -
, .

(, ), ,
, .

, , ,
- PCI DSS.

:
;

, ;

, .

PCI DSS.
- .
. D: .


,
, B: C: .
( C). ,
PCI DSS.
. B C.



.
.
.

1.
:

, :
-

, , , , .
: , , ,
, .

(, ).

: ( ,
) .

, .

( ) :
-

, POS-, , -.


2.
, , :

, PCI DSS, :
-

, (, ,
, ..).

,
.

- , :
-

,
.

, ,
, , .

, PCI DSS, ,
.

, PCI DSS, ,
.

(, POS-),
, .

PCI DSS: .


3.
:

(LAN, WAN, Internet).

, :
-

, , ,
..

, , ,
. :

, ,
.

,
(: . 12.8).

, ,
PA-DSS. PA-DSS, ,
PCI DSS, PA-DSS. :
, PA-DSS, PCI DSS.
, .

, , , , .

, MSP (Managed Service Provider), ,


MSP , MSP
. , IP- MSP
MSP.

4.
:

- .


5.

11.2
ASV-.
: PCI
DSS, , :
1) ;
2) ;
3) , , ,
.
.

( ) IP-, PCI
DSS.

6.
,
.
:

PCI DSS
.

, .

, .
. B C.


, ,
PCI DSS .
, PCI DSS .
, , PCI DSS,
(. ).


PCI DSS

,
.

ASV- (ASV Approved Scanning Vendor),


.

(Attestation of Compliance). PCI SSC


(www.pcisecuritystandards.org).

, ASV-
- ( - ), , (
).

PCI DSS
:

PCI DSS PCI DSS.

, PCI DSS.

, , ,
.
: , ,

, . :
-, .
, PCI SSC (www.pcisecuritystandards.org).

/ ( ),
.



1:

, ,
.
.
,
.
, ,
, .
.
.
, , 1,
. ,
,
1.
PCI DSS

1.1

,
:

1.1
,
,
.
:
1.1.1 ,
,

.

1.1.1



.
1.1.2

,
.

1.1.2.a
(,
).
,
,
.
1.1.2.b .


1.1.3

-

(DMZ)
.

1.1.3.a ,

, DMZ
.
1.1.3.b ,
.

1.1.4 ,

.

1.1.4 ,

,

.
1.1.5.a ,


, ,
(, HTTP, SSL, SSH, VPN).

1.1.5


,
,
,


.
,
,
FTP, Telnet,
POP3, IMAP SMTP.
1.1.6


.

1.1.5.b
, ,
, ,
,


.
FTP,

.
1.1.6.a ,


.
1.1.6.b ,
,
.

1.2
,



.
:
,
,
/
,

1.2.1



.
1.2.2


.
1.2.3



,



,
.

1.2
, ,

,
, :

1.2.1.a ,


.
1.2.1.b ,
.
1.2.2 ,
, ,

,
,
.
1.2.3 ,
,
,
, (
)

.


1.3


.

1.3
, ( )
,
DMZ,
DMZ,
,
,
,
DMZ ,
DMZ,
, ,
.
1.3.1 , DMZ

,

, .

1.3.1 DMZ,


,


,
.
1.3.2
-
,
DMZ.
1.3.3



.
1.3.4


,
DMZ.
1.3.5


.

1.3.2 , ,
DMZ.
1.3.3 ,

.
1.3.4 ,
DMZ
.
1.3.5 ,

.

1.3.6


(

).
1.3.7

(, ),

,
,
DMZ .
1.3.8
IP-

,
.

1.3.6 ,

. [


].
1.3.7 , ,
,
,
DMZ .

1.3.8.a , ,

IP-
.

:
IP- (
):

NAT;

/

;



RFC1918

.
1.4


(,
),

.

1.3.8.b ,
IP-
.

1.4.a ,

(, ),

,
.
1.4.b ,



.


2: ,

( )
. , .
PCI DSS

2.1
,
,

, (
) ,
SNMP
.

2.1 ,
.

,
, ,

(
-,

).

2.1.1 ,



,


,
, ,
SNMP.

2.1.1
,
:
2.1.1.a ,

, , ,
.
2.1.1.b ,
SNMP
.
2.1.1.c ,
/
.
2.1.1.d ,



.


2.2

.

,


.


:

-
(CIS);

(ISO);

, a,
c
(SANS);

(NIST).
2.2.1



,

(, -,
DNS-

2.1.1.e ,
,
,
, .
2.2.a
. ,

.
2.2.b ,

,
6.2.
2.2.c ,

.

2.2.d ,

, (2.2.1-2.2.4).

2.2.1.a
, "
".


).
:




.
2.2.2


,
,
..,
.


,
,
.
,
,
SSH, S-FTP, SSL IPSec VPN

NetBIOS,
, Telnet,
FTP ..
2.2.3

,

.

2.2.1.b
,
" -

".

2.2.2.a
,
.
,
.

2.2.2.b
,
. ,
,
.

2.2.3.a
/
,

.
2.2.3.b ,

.


2.2.3.c
,

.
2.2.4

: ,
,
, ,
,
-.

2.2.4.a
,
(, , ,
, , )
.
2.2.4.b ,
.

2.3

,


.
, SSH, VPN
SSL/TLS -


.

2.2.4.c ,

.
2.3
,

:
2.3.a
,
.
2.3.b
, Telnet

.
2.3.c ,
-

.


2.4 -

,
.

,
A:
PCI DSS

(-).

2.4 A.1.1 A.1.4., A:


PCI DSS
()
,
(-
).



3:
, , ,
. ,
, .
.
, ,
PAN, PAN, PAN
, .
. PCI DSS: ,
.
PCI DSS

3.1

.
,

,
.

3.1 ,

:

3.1.1
,
:




,

;

,

;

3.1.1.a ,

,

(,
X Y
-).

3.1.1.b ,

,
,

,
.



;
,

,


,

.

3.1.1.c ,

.
3.1.1.d ,
, ,
:
(
)
,

, .
,
,


.

3.1.1.e ,
, ,


.
3.2

(
).

,
3.2.1
3.2.3.
: ,

,

3.2.a , ,
,


,
.
3.2.b ,

, ,

.




.


,
.
3.2.1

( ,

,
).

, ,
1, 2
.

3.2.c

:

:



:

3.2.1
, ,
(
), ,
,
( ),
:


( , ,
, );

,

(PAN),

,
.


.

3.2.2
CVC ,

,



(-
,
).

3.2.3


(PIN),
PIN-.

3.2.2
(
) , -
(CVV2,
CVC2, CID, CAV2)
:


( , ,
, );

.
3.2.3
(
) ,
(PIN),
PIN-
:


( , ,
, );

3.3 PAN
(
PAN
6
4).
:



,

PAN;





(,
POS-).
3.4 PAN

(
,

).

:


- (
PAN);

(


PAN);


One-Time-Pad (
,
)

3.3
PAN. , PAN
(,
), ,
PAN.

3.4.a ,
PAN,
,
/,
( ). ,
PAN
:
-;
(truncation);
One-Time-Pad
( ,
)

(index tokens);



.
3.4.b
, PAN
(..
).

(index tokens);




.
:




PAN.

PAN
,



,
PAN
.
3.4.1

(

),




3.4.c
(, )
, PAN
.
3.4.d
, PAN
.
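An added example of the 3.3 and 3.4 controls in code, written for this page and not taken from the PCI DSS document: mask_pan produces the 3.3 display form (first six and last four digits visible), truncate_pan and the keyed hash are two of the 3.4 methods, TokenVault stands in for index tokens, and recover_from_masked_and_hash shows why an unkeyed hash stored next to a masked or truncated PAN is reversed in seconds. HMAC-SHA256 and a 16-byte random token are this example's own choices (the standard names no algorithm), and the PAN is the well-known test number 4111 1111 1111 1111, not a real account.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: a widely used test number, not a real cardholder account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812-1): a quick plausibility test for a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display form: at most the first six and last four digits remain visible."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation: keep only a segment (here the last four); the rest is discarded, not hidden."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256, this example's choice). The secret key is what stops a
    brute-force search over the PAN space; it belongs under the key-management controls of 3.5 and 3.6."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash_pan(pan: str) -> str:
    """The weak variant: plain SHA-256 with no secret. Present only to demonstrate the attack below."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_masked_and_hash(masked: str, digest: str) -> Optional[str]:
    """With first six and last four known, only the middle digits are unknown, so an unkeyed hash
    falls to 10**(len-10) trials (one million for a 16-digit PAN). This is why a hashed PAN and a
    masked or truncated PAN of the same card must not be stored where both can be read together."""
    prefix, suffix = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for middle in range(10 ** hidden):
        candidate = f"{prefix}{middle:0{hidden}d}{suffix}"
        if unkeyed_hash_pan(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Index tokens: a random token replaces the PAN downstream; the token-to-PAN mapping lives only
    in the vault, which stays in PCI DSS scope while systems that hold only tokens do not."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:
            return self._by_pan[pan]
        token = secrets.token_hex(16)        # unrelated to the PAN's digits: nothing to brute-force
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print(mask_pan(SAMPLE_PAN))             # 411111******1111
    print(truncate_pan(SAMPLE_PAN))         # 1111
    print(hash_pan(SAMPLE_PAN, key))
    recovered = recover_from_masked_and_hash(mask_pan(SAMPLE_PAN), unkeyed_hash_pan(SAMPLE_PAN))
    print("recovered from masked PAN + unkeyed hash:", recovered)
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print(tok, vault.detokenize(tok) == SAMPLE_PAN)
```

The recovery function is the check to run against any design that keeps hashed PANs: if the hash is unkeyed and a masked or truncated copy exists anywhere in the environment, the hash offers no protection at all.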

3.4.1.a
, ,

,
.
3.4.1.b ,
(,
,

).

(,
).


.

3.5



:
:

,

.
, ,
,
.
3.5.1




.
3.5.2


.

3.4.1.c ,

.
:

,


.
3.5

:

3.5.1 ,


.
3.5.2.a
, ,


.
3.5.2.b
,

.

3.6



, :
:
,


(,


(NIST),

http://csrc.nist.gov).
3.6.1 .
3.6.2
.
3.6.3
.

3.6.a
.
3.6.b :
,



, ,
3.6.1-3.6.8,
.
3.6.c
:

3.6.1 ,

.
3.6.2 ,

.
3.6.3 ,

.

3.6.4
,
(,
, /


),



(,
800-57 NIST)


.
3.6.5
(, ,
/ )

3.6.4 ,


.

3.6.5.a ,

(, ,
).

(,
,

), ,


.
:


,

(,
).



/
.
3.6.6


,



(,
,

,

2-3 ).

3.6.5.b ,

, ,

.

3.6.6 ,

.

:

( ):
, ,
,
.

3.6.7
.
3.6.8






.

3.6.7 ,

.
3.6.8 ,
(
)
,
,

.


4:

, , ,
. ,
,
.
PCI DSS
4.1




(,
SSL/TLS, IPSEC, SSH
..).
,

PCI DSS,
:

GSM;

GPRS.

4.1

.
,

:
4.1.a
,
.
4.1.b ,
.
4.1.c ,

.
4.1.d ,
(

).
4.1.e SSL/TLS
:
- , URL
HTTPS;
- ,
, URL
HTTPS.


4.1.1
,


,


(, IEEE
802.11i),

.

4.1.1 ,

, ,

(, IEEE 802.11i)

.

:
WEP

30 2010 .
4.2
PAN

(
,
, ..).

4.2.a , PAN



.
4.2.b ,
PAN
.



5:
, ,
.
, .
PCI DSS

5.1

,

(
).
5.1.1




.
5.2
,


.

5.1 ,
,
, ,
(
).

5.1.1
,


,
.
5.2 ,
,
, :
5.2.a ,


.
5.2.b ,

.
5.2.c ,
,
,
,

.


5.2.d
,


10.7
PCI DSS.


6:
.
, .
,
.
: , .
, ,
.
PCI DSS

6.1


,
.



.

6.1.a
,
,
.

6.1.b , ,

.

:


,
. ,

(
,
) ,

,

.

6.2


.
:



. ,

,
4.0
CVSS, / ,



/
,

;
30 2012

,
.. 6.2,
,

.

6.2.a , ,

,
.
,

( ).
6.2.b ,

.


6.3 (


)

PCI DSS (,

).





, :

6.3.a
,

/
.
6.3.b
,

.

6.3.c
,

PCI DSS.
6.3.d ,
,
, :

6.3.1
,



6.3.1 ,
,


.

6.3.2




.
:


( ,
)

.


,
. -

;

,
,
6.6 PCI DSS.
6.4


, :

6.4.1 ,

6.3.2.a ,


(, )
:

,


;


(.
6.5 PCI DSS);

;


.
6.3.2.b
,
6.3.2.a,
.
6.4
,
,
(
,
.) :
6.4.1 , ,


,
.

6.4.2 ,



.
6.4.3
( PAN)

.
6.4.4



.
6.4.5



;
:

6.4.5.1
.
6.4.5.2
.
6.4.5.3


,


.

6.4.2 ,
,

.
6.4.3 ,
( PAN)
.
6.4.4 ,

.

6.4.5.a ,
,
,

.. 6.4.5.1 6.4.5.4.
6.4.5.b
/
.

:
6.4.5.1 ,

.
6.4.5.2 ,
.
6.4.5.3.a ,

, ,

.
6.4.5.3.b
,
6.5 PCI DSS
.


6.4.5.4
.
6.5


.



,
:

6.4.5.4 ,
.
6.5.a .
,
,
-

.
6.5.b
,
.

: ,
6.5.1
6.5.9

,

PCI DSS.


( ,
OWASP, SANS CWE
Top 25, CERT Secure Coding ..)


.
6.5.1 , ,
SQL-.
OS Command, LDAP
Xpath .

6.5.c ,

, :

6.5.2 .
6.5.3
.
6.5.4
.

6.5.1 , , SQL-
( ,

,
..).
6.5.2 (
).
6.5.3
(
).
6.5.4
(
).
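An added illustration of 6.5.1, written for this page and not text or code from the PCI DSS document: both lookups run against a constructed in-memory SQLite table. The first splices untrusted input into the statement text and can be turned into a tautology that returns every row, or into a UNION that reads the schema catalogue; the second keeps the statement text constant and binds the value as a parameter. The allow-list check is defence in depth only; parameterization is the control. The table, rows and payloads are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data; not from any real system.
SEED_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Two classic payloads, constructed for the demonstration.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with one customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, Optional[str]]]:
    """The 6.5.1 defect: user input becomes part of the SQL text, so quotes in the input change the query."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The fix: the SQL text is a constant; the driver binds the value, so the input is always data."""
    return conn.execute("SELECT name, email FROM customers WHERE name = ?", (name,)).fetchall()


def is_valid_customer_name(name: str) -> bool:
    """Allow-list validation at the boundary: rejects anything outside the expected character set.
    Useful as a second layer, but it never replaces parameterized queries."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


if __name__ == "__main__":
    conn = build_db()
    print("honest lookup     :", lookup_parameterized(conn, "alice"))
    print("tautology, unsafe :", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))     # all three rows
    print("tautology, bound  :", lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))  # []
    print("schema leak, unsafe:", lookup_vulnerable(conn, SCHEMA_PAYLOAD))       # CREATE TABLE text
    print("schema leak, bound :", lookup_parameterized(conn, SCHEMA_PAYLOAD))    # []
    print("allow-list rejects payload:", not is_valid_customer_name(TAUTOLOGY_PAYLOAD))
```

The same shape of defect and fix applies to the other injection classes the requirement lists (OS command, LDAP, XPath): the boundary between the command or filter syntax and the data must be drawn by the API, not by escaping in application code.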

6.5.5
.
6.5.6 ,
,

(
6.2
PCI DSS).
: 30 2012 .

,

.
: 6.5.76.5.9, ,

(
):
6.5.7 (XSS).

6.5.8
(,
,

URL
).
6.5.9
(CSRF).

6.5.5
(
).
6.5.6 ,
6.2
PCI DSS.

6.5.7 (XSS) (

, -
..)
6.5.8 ,
,
URL
(

.

).
6.5.9 (CSRF)
(

).

6.6
-
(

)
:







,
.


.

6.6 -

:
, (

) :
- ;
- ;
- ,
;
- ;
-

.

,
(web application firewall)
.

: ,
,
,

.



7:

, ,
.
,
.
PCI DSS

7.1


,

.

:
7.1.1

,

.

7.1 ,
:

7.1.2


.
7.1.3


.

7.1.2
.

7.1.4

.

7.1.1
,

.

7.1.3 ;

(
)
.
7.1.4
.

7.2

,


, .

:
7.2.1
.
7.2.2


.
7.2.3 -
.

7.2
, ,
:

7.2.1 ,

.
7.2.2
.
7.2.3
.

:



,

.


8:

, , ,
, ,
.
: , ,
, ,
, . , 8.1, 8.2 8.5.8-8.5.15
(, ),
.
PCI DSS

8.1



.
8.2 ,


:
, (
).
, (
-).
, (
).

8.1 ,


.

8.2 ,


(, )
:

,
() ;



,
.


8.3
,
(
)

.

, RADIUS ;


TACACS
,
.

8.3


(,
) ,
.

:
,



(
.
8.2).
(,
)

.
8.4



.

8.4.a
,
.
8.4.b :
, ,
.

8.5





,
:
8.5.1
,
,

.

8.5 ,
,


:

8.5.1
, ,
. ,

:

,


(

),
,
.
8.5.2
,


, ,
-
.
8.5.3
,
,

,
,
.

8.5.2

.

8.5.3



.

8.5.4

.
8.5.5 /

90 .
8.5.6
,

,
.
,
,
.
8.5.7

,

.
8.5.8
,


.

8.5.4

,
,
.
8.5.5 , 90

.
8.5.6.a ,
,
,
,

.
8.5.6.b ,
,
, .
8.5.7 ,
,
.
8.5.8.a

:

;


;


- .
8.5.8.b
, ,

.


8.5.9

90 .

8.5.8.c ,
,

,
.
8.5.9.a
,

90 .
8.5.9.b :

/ ,
,

,
.

8.5.10

.

8.5.10.a
,
.


8.5.10.b :

8.5.11

, .


/ ,
,

.
8.5.11.a
,
,
.
8.5.11.b :

8.5.12

-

.

8.5.13

.


/ ,
,
, .
8.5.12.a
,

.
8.5.12.b :

/ ,
,

.
8.5.13.a
,


.
8.5.13.b :

/ ,
,

.

8.5.14

30

.
8.5.15
15


,

.
8.5.16

,
,
,

.



.

8.5.14
,

30 ,
.
8.5.15
,

15 .

8.5.16.a
, ,

.
8.5.16.b ,

(,
, , , )
(,
).
8.5.16.c ,


.
8.5.16.d
,

(
).


9:
, ,
, , .
9, , , ,
, , . ,
, , , , .
, .
PCI DSS

9.1
,

,
,
.

9.1

, - ,
, ,

.

,

, ;




,
,
.
9.1.1.a ,
/


/ .
9.1.1.b , /
.

9.1.1


,
. ,

,



.
,

.
:
,
-,

,
,
,

.

POS-,

.
9.1.2
,
,
.
,

,

.
9.1.3
, ,
,
/

.

9.1.1.c ,
/

.

9.1.2
, ,
,

. ,


.
9.1.3 ,
, ,
,
/
.

9.2
,

,
,
.

9.2.a
,
:

;
;


.
.
9.2.b ,

.
9.2.c
,
.

9.3
,
:
9.3.1 ,
,

.
9.3.2

(,
),
,
.


.

9.3
, :
9.3.1 ,

. ,
,
.
9.3.2.a
,
,

.
9.3.2.b ,
.

9.3.3



.
9.4

.

, ,
,
,
.
,

.
9.5

,
,
,

,
.

.
9.6

.

9.3.3
,
,

.
9.4.a ,

,
-,
.
9.4.b ,
,
, ,
.
,
.
9.5.a
,
.
9.5.b ,

.

9.6 ,

(,
, ,
, ).

9.7

,
:
9.7.1


.
9.7.2
,
,

.
9.8



(
).
9.9
,
.
9.9.1


;


.
9.10 ,
,

-
,

:

9.7 ,

,
.
9.7.1 ,


.
9.7.2 ,

, ,

,

.
9.8 ,
,

.
9.9 ,
,
.
9.9.1 ,
.

9.10 ,
,
; ,
,
, :

9.10.1 ,

,

.

9.10.2

,
.

9.10.1.a ,
,
,
.
9.10.1.b ,
, ,
.
9.10.2 ,

,
.



10:

, ,
.
.
PCI DSS
10.1

(

),

.
10.2


:
10.2.1

.
10.2.2 ,

.
10.2.3
.
10.2.4
.
10.2.5

.
10.2.6
.

10.1
,
.

10.2 ,


:
10.2.1 ,

.
10.2.2 , ,

,
.
10.2.3 ,
.
10.2.4 ,
.
10.2.5 ,

.
10.2.6 ,

.

10.2.7
.
10.3


:
10.3.1
.
10.3.2 .

10.3.1 .
10.3.2 .
10.3.3 .

10.3.4
.
10.3.5 .

10.3.4
.
10.3.5 .

:


(Network Time Protocol).

10.2.7 ,

.
10.3 ,
:

10.3.3 .

10.3.6
,
,
.
10.4
.


,

,

.

10.3.6 ,
,
.
10.4.a
,
6.1 6.2
PCI DSS.
10.4.b ,

,

. ,

:


10.4.1

.

10.4.1.a ,

,

(International
Atomic Time)
(UTC).
10.4.1.b ,

,
.
10.4.2.a
,

, .
10.4.2.b ,

,
,
.
10.4.3 ,

,
, (
).


, IP-
,
(
).
10.5
, ,

, :

10.4.2 .

10.4.3


.

10.5

.

10.5.1


,


.
10.5.2


.
10.5.3





,
.
10.5.4


(
, ,
DNS, )

,
.
10.5.5




(

).

10.5.1 ,

,

.
10.5.2 ,


,
/ .
10.5.3 ,



,
.
10.5.4 ,

( ,
, DNS, )
,
.

10.5.5


.


10.6

.

(IDS)
,
,
(, RADIUS).

10.6.a , ,


,
.
10.6.b ,

.

:
10.6


,
.
10.7

,

( ,
,

).

10.7.a , ,



.
10.7.b ,


.


11:
,
. , , ,
, .
PCI DSS
11.1



.
:
,
,
,
/

,
(NAC)
IDS/IPS.

,



.

11.1.a ,


.
11.1.b ,

,
, , :
WLAN
;

(,
USB ..);

.
11.1.c


.
11.1.d
(, IDS/IPS,
..), ,
.

11.1.e ,
( 12.9)

.

11.2


,

(,
,
,
,
).
:
PCI DSS

,

: 1)

, 2)


, 3)


.
,
PCI
DSS,
.
11.2.1


.

11.2 ,

:

11.2.1.a
,
12 .


11.2.1.b
,

,
, ,
,
6.2 PCI DSS, .
11.2.1.c ,

,

( ;
QSA ASV ).
11.2.2



(ASV),
PCI
SSC.
:


(ASV),
PCI
SSC.



.
11.2.3 ,


.

11.2.2.a

,

12 .
11.2.2.b


ASV- (ASV Program
Guide) (,
4.0,
(CVSS),
).
11.2.2.c
,
ASV, PCI
SSC.
11.2.3.a

,
,
.

: ,

,

.

11.2.3.b
,

, :

4.0,

(CVSS);

,
,
, 6.2
PCI DSS.

11.2.3.c ,

,

( ; QSA
ASV ).
11.3

,


(,
,
, -).

:

11.3.a
, ,


.
11.3.b ,
.
11.3.c ,


,
( ;
QSA ASV ).


11.3.1
.

11.3.1 ,

.
,
,
.
11.3.2 ,

.
, ,
,
6.5 PCI DSS.
11.4.a ,
/ ,


.

11.3.2
.

11.4
/





,

.


.

11.4.b , IDS / IPS



.

11.4.c IDS/IPS
, IDS/IPS ,


.

11.5



,

;


.
:

,
,


.



, ,

.
,
,

(.. -

).

11.5.a


,
.
, :
;
;

;

,
,

.
11.5.b ,


,

.



12:

,
. .
, , ,
, ,
.
PCI DSS
12.1 ,



.
12.1.1



.
12.1.2



,


.
(

, , OCTAVE,
ISO 27005 NIST SP 800-30).
12.1.3

,
,

.

12.1
,

( ,
-).
12.1.1 ,

PCI DSS.
12.1.2.a ,


,

.
12.1.2.b


.
12.1.3 ,

, ,

-
.


12.2

,

(,
,

).
12.3

(
,
,
,
,
,
,
),

.
:
12.3.1

.
12.3.2
.

12.3.3
,

.
12.3.4
,

,

.

12.2.a
. ,


.

12.3
:

12.3.1 ,

.
12.3.2 ,


,
(, ).
12.3.3
,
.
12.3.4 ,

,
,
.

12.3.5
.
12.3.6
.
12.3.7
.
12.3.8


.
12.3.9






.
12.3.10 ,
,



,
,


.
12.4


,

.

12.3.5 ,

.
12.3.6 ,

.
12.3.7
.
12.3.8 ,


.
12.3.9 ,




.

12.3.10.a ,
,



.
12.3.10.b
,


PCI DSS.
12.4 ,

,
.


12.5



:

12.5 ,

CSO
,
.
:
12.5.1 ,


.

12.5.1 ,


.

12.5.2 ,


,

.
12.5.3 ,



,


.
12.5.4
,
, .
12.5.5
.
12.6


,


.
12.6.1


, ,

.

12.5.2 ,
,

(
) ,

.
12.5.3 ,
,


.

12.5.4 ,

.
12.5.5 ,

.
12.6.a

.
12.6.b

:
12.6.1.a ,


(, ,
, ,
).


:




.
12.6.2




.
12.7
( )
,
.
(

,
,
,
).
:
,
, , ,


,

.
12.8 ,

,


, :

12.6.1.b ,


, .

12.6.2 ,




(,
).
12.7 ,
,

,
(
).

12.8
(,
, ),


:


12.8.1
.
12.8.2
,


.

12.8.1 ,
.
12.8.2 ,



.

12.8.3


.

12.8.3
,

.


12.8.4


PCI DSS, ,
.
12.9
.


.
12.9.1

,
.
,
:
,

, ,
,

;

;


;

12.8.4 ,

PCI DSS,
, .
12.9 ,
:

12.9.1.a ,
:
,
, ,
,
;

;

;
;

;

;


.

;



;

;



.

12.9.1.b



.

12.9.2

.
12.9.3
,

24/7.

12.9.4 ,

,

.
12.9.5


,

.
12.9.6



.

12.9.2 ,

.
12.9.3
,


,

,
/


24/7.
12.9.4 , ,

,
.
12.9.5 ,


,
.
12.9.6 ,


.


A: PCI DSS
(-)
A.1:
12.8, , , PCI
DSS. , 2.4 , (-)
. , (-)
, .
PCI DSS
A.1

,
A.1.1 A.1.4:
-

,
PCI DSS
: ,
-

PCI DSS,
, ,
.
A.1.1


.

A.1
, -

, (
Windows Unix/Linux)
, A.1.1
A.1.4.

A.1.1
-

(, ), ,

. :


,
-.
CGI-,
,

.

A.1.2

.

A.1.2.a ,

/.
A.1.2.b ,
,
.
chroot, jail
.. :
.
A.1.2.c ,

.
A.1.2.d ,
.
A.1.2.e ,

, ,

:



A.1.3 ,



10 .

A.1.3.a ,

:





,

,

A.1.4
,

.

A.1.4
,

.


B:
PCI DSS ,

-, , , ,
.
:
1. , PCI DSS.
2. , PCI DSS,
, (. PCI DSS
).
3. (
PCI DSS
).
:
: , , .
.
,
. ,
.
a) PCI DSS
, . ,
, .
, ..,
, .
b) PCI DSS ,
. , ,
,
,
.
, .
c) PCI DSS
. ,
(, ),
,
, 1) 2) IP MAC
3) .
4. ,
PCI DSS.
, ,
, PCI DSS,
.
, ,
.


C:


PCI DSS. ,
PCI DSS.
: , ,
.

:

1.

,


.

2.

3.

,

.

4.


,

( ).

5.

,

.

6.

,

.



,
.
: 8.1
?

1.

XYZ Unix-
LDAP-. ,


(root).


.

2.


.
-,

.
-,
,

.

3.

,


.

4.


,


( ).


su

. ,
,
.

5.

,


.


su
SU-Log.

6.

XYZ
,

su

.


D:

?
?


PCI DSS

?
?


,
,


PCI
PCI DSS
DSS


,
,


PCI
PCI DSS
DSS

-
-

-
-

?
?

?
?

,
,

,
,

ROC
ROC

-
-

,
,

-
-


,
,
, ,
.



(PCI DSS) 2.0 :







2010, PCIDSS.RU
info@pcidss.ru,
http://www.pcidss.ru
-,
2011

