PCI DSS 3.1 Responsibility Matrix...The PCI DSS responsibility matrix is intended for use by Akamai customers and their Qualified Security Assessors (QSAs) for use in audits for PCI

Akamai Technologies Inc.

Responsibility Matrix PCI DSS 3.1 June 2016

1

PCI DSS 3.1 Responsibility Matrix

Table of Contents Purpose ........................................................................................................................................ 2Overview....................................................................................................................................... 2Responsibility Matrix .................................................................................................................... 3

2


Purpose Akamai provides below a detailed matrix of PCI DSS requirements, including the description of whether responsibility for each individual control lies with Akamai, our customers or whether responsibility is shared between both parties.

Overview The PCI DSS responsibility matrix is intended for use by Akamai customers and their Qualified Security Assessors (QSAs) for use in audits for PCI compliance. The responsibility matrix describes, in accordance with Requirement 12.8.5 and other requirements, the actions an Akamai customer must take in order to maintain its own PCI compliance when cardholder data (CHD) and other sensitive information is passing through Akamai’s systems. Akamai Secure Content Delivery Network (Secure CDN) and supplemental services have been audited against version 3.1 of the PCI DSS standard. In addition to what is described in the responsibility matrix, the customer is responsible for all PCI requirements related to customer-maintained software and systems, including for {OPEN} API tools. At this time, no Akamai systems are approved for the storage of credit card data and only Akamai’s Secure CDN is approved for the processing and transmission of CHD other sensitive data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to sensitive data, may be used without a negative impact to a customer’s PCI compliance.

3


Responsibility Matrix

Require-ment RequirementText N/A

ServiceProviderResponsi-bility

CustomerResponsi-bility

JointRe-sponsi-bility

Notes

1.1 Establishandimplementfirewallandroutercon-figurationstandardsthatincludethefollowing:

X

1.1.1 Aformalprocessforapprovingandtestingallnetworkconnectionsandchangestothefirewallandrouterconfigurations

X

1.1.2 Currentdiagramthatidentifiesallnetworks,networkdevices,andsystemcomponents,withallconnectionsbetweentheCDEandothernetworks,includinganywirelessnetworks

X

Customer'snetworkdiagramshoulddepictuseofAkamaiservices,includingallconnectionsbetweenAkamai'snetworksandthecustomer'sCDE.

1.1.3 Currentdiagramthatshowsallcardholderdataflowsacrosssystemsandnetworks

X

Customer'snetworkdiagramshouldincludeanydataflowsthroughtheAkamaiSCDN.

1.1.4 RequirementsforafirewallateachInternetconnectionandbetweenanydemilitarizedzone(DMZ)andtheinternalnetworkzone

X

1.1.5 Descriptionofgroups,roles,andresponsibilitiesformanagementofnetworkcomponents

X

4






Notes

1.1.6 Documentationandbusinessjustificationforuseofallservices,protocols,andportsallowed,includingdocumentationofsecurityfeaturesimplementedforthoseprotocolsconsideredtobeinsecure.Examplesofinsecureservices,protocols,orportsincludebutarenotlimitedtoFTP,Telnet,POP3,IMAP,andSNMPv1andv2.

X

1.1.7 Requirementtoreviewfirewallandrouterrulesetsatleasteverysixmonths

X

1.2 Buildfirewallandrouterconfigurationsthatrestrictconnectionsbetweenuntrustednetworksandanysystemcomponentsinthecardholderdataenvironment.Note:An“untrustednetwork”isanynetworkthatisexternaltothenetworksbelongingtotheentityunderreview,and/orwhichisoutoftheentity'sabilitytocontrolormanage.

X

5






Notes

1.2.1 Restrictinboundandoutboundtraffictothatwhichisnecessaryforthecardholderdataenvironment,andspecificallydenyallothertraffic.

X

1.2.2 Secureandsynchronizerouterconfigurationfiles.

X

1.2.3 Installperimeter

firewallsbetweenallwirelessnetworksandthecardholderdataenvironment,andconfigurethesefirewallstodenyor,iftrafficisnecessaryforbusinesspurposes,permitonlyauthorizedtrafficbetweenthewirelessenvironmentandthecardholderdataenvironment.

X

AllAkamaiwirelessaccesspoints/SSIDareoutsidethefirewallsothereisnodirectwirelessaccesstoPCIsystems.

1.3 ProhibitdirectpublicaccessbetweentheInternetandanysystemcomponentinthecardholderdataenvironment.

X

1.3.1 ImplementaDMZto

limitinboundtraffictoonlysystemcomponentsthatprovideauthorizedpubliclyaccessibleservices,protocols,andports.

X

1.3.2 LimitinboundInternet

traffictoIPaddresseswithintheDMZ.

X

6






Notes

1.3.3 DonotallowanydirectconnectionsinboundoroutboundfortrafficbetweentheInternetandthecardholderdataenvironment.

X

1.3.4 Implementanti-spoofing

measurestodetectandblockforgedsourceIPaddressesfromenteringthenetwork.(Forexample,blocktrafficoriginatingfromtheInternetwithaninternalsourceaddress.)

X

1.3.5 Donotallow

unauthorizedoutboundtrafficfromthecardholderdataenvironmenttotheInternet.

X

1.3.6 Implementstateful

inspection,alsoknownasdynamicpacketfiltering.(Thatis,only“established”connectionsareallowedintothenetwork.)

X

1.3.7 Placesystem

componentsthatstorecardholderdata(suchasadatabase)inaninternalnetworkzone,segregatedfromtheDMZandotheruntrustednetworks.

X

Akamaidoesnotstorecardholderdata.

7






Notes

1.3.8 DonotdiscloseprivateIPaddressesandroutinginformationtounauthorizedparties.Note:MethodstoobscureIPaddressingmayinclude,butarenotlimitedto:-NetworkAddressTranslation(NAT)-Placingserverscontainingcardholderdatabehindproxyservers/firewalls,-Removalorfilteringofrouteadvertisementsforprivatenetworksthatemployregisteredaddressing,-InternaluseofRFC1918addressspaceinsteadofregisteredaddresses.

X

1.4 Installpersonalfirewall

softwareonanymobileand/oremployee-owneddevicesthatconnecttotheInternetwhenoutsidethenetwork(forexample,laptopsusedbyemployees),andwhicharealsousedtoaccessthenetwork.Firewallconfigurationsinclude:-Specificconfigurationsettingsaredefinedforpersonalfirewallsoftware.-Personalfirewall

X

8






Notes

softwareisactivelyrunning.-Personalfirewallsoftwareisnotalterablebyusersofmobileand/oremployee-owneddevices.

1.5 Ensurethatsecuritypoliciesandoperationalproceduresformanagingfirewallsaredocumented,inuse,andknowntoallaffectedparties.

X

2.1 Alwayschangevendor-

supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.).

X

9






Notes

2.1.1 Forwirelessenvironmentsconnectedtothecardholderdataenvironmentortransmittingcardholderdata,changeALLwirelessvendordefaultsatinstallation,includingbutnotlimitedtodefaultwirelessencryptionkeys,passwords,andSNMPcommunitystrings.

X


2.2 Developconfigurationstandardsforallsystemcomponents.Assurethatthesestandardsaddressallknownsecurityvulnerabilitiesandareconsistentwithindustry-acceptedsystemhardeningstandards.Sourcesofindustry-acceptedsystemhardeningstandardsmayinclude,butarenotlimitedto:-CenterforInternetSecurity(CIS)-InternationalOrganizationforStandardization(ISO)-SysAdminAuditNetworkSecurity(SANS)Institute-NationalInstituteofStandardsTechnology(NIST).

X

10






Notes

2.2.1 Implementonlyoneprimaryfunctionperservertopreventfunctionsthatrequiredifferentsecuritylevelsfromco-existingonthesameserver.(Forexample,webservers,databaseservers,andDNSshouldbeimplementedonseparateservers.)Note:Wherevirtualizationtechnologiesareinuse,implementonlyoneprimaryfunctionpervirtualsystemcomponent.

X

2.2.2 Enableonlynecessary

services,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.

X

2.2.3 Implementadditional

securityfeaturesforanyrequiredservices,protocols,ordaemonsthatareconsideredtobeinsecure—forexample,usesecuredtechnologiessuchasSSH,S-FTP,TLS,orIPSecVPNtoprotectinsecureservicessuchasNetBIOS,file-sharing,Telnet,FTP,etc.

X

2.2.4 Configuresystem

securityparameterstopreventmisuse.

X

11






Notes

2.2.5 Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems,andunnecessarywebservers.

X

2.3 Encryptallnon-console

administrativeaccessusingstrongcryptography.UsetechnologiessuchasSSH,VPN,orTLSforweb-basedmanagementandothernon-consoleadministrativeaccess.

X

2.4 Maintainaninventoryof

systemcomponentsthatareinscopeforPCIDSS

X

2.5 Ensurethatsecurity

policiesandoperationalproceduresformanagingvendordefaultsandothersecurityparametersaredocumented,inuse,andknowntoallaffectedparties.

X

2.6 Sharedhostingproviders

mustprotecteachentity’shostedenvironmentandcardholderdata.TheseprovidersmustmeetspecificrequirementsasdetailedinAppendixA:AdditionalPCIDSSRequirementsforSharedHostingProviders.

X

Akamai'sSCDNisnotasharedhostingservice.

12






Notes

3.1 Keepcardholderdatastoragetoaminimumbyimplementingdataretentionanddisposalpolicies,proceduresandprocessesthatincludeatleastthefollowingforallcardholderdata(CHD)storage:-Limitingdatastorageamountandretentiontimetothatwhichisrequiredforlegal,regulatory,andbusinessrequirements-Processesforsecuredeletionofdatawhennolongerneeded-Specificretentionrequirementsforcardholderdata-Aquarterlyprocessforidentifyingandsecurelydeletingstoredcardholderdatathatexceedsdefinedretention.

X

CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausecreditcarddatatobecachedorotherwisestoredonAkamaimachines.

3.2 Donotstoresensitiveauthenticationdataafterauthorization(evenifencrypted).Ifsensitiveauthenticationdataisreceived,renderalldataunrecoverableuponcompletionoftheauthorizationprocess.Itispermissibleforissuersandcompaniesthatsupportissuingservicestostoresensitiveauthenticationdataif:-

X CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausesensitiveauthenticationdatatobecachedorotherwisestoredonAkamaimachines.

13






Notes

Thereisabusinessjustificationand-Thedataisstoredsecurely.SensitiveauthenticationdataincludesthedataascitedinthefollowingRequirements3.2.1through3.2.3:

3.2.1 Donotstorethefullcontentsofanytrack(fromthemagneticstripelocatedonthebackofacard,equivalentdatacontainedonachip,orelsewhere)afterauthorization.Thisdataisalternativelycalledfulltrack,track,track1,track2,andmagnetic-stripedata.

X


3.2.2 Donotstorethecardverificationcodeorvalue(three-digitorfour-digitnumberprintedonthefrontorbackofapaymentcardusedtoverifycard-not-presenttransactions)afterauthorization.

X

CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausecreditcarddatatobecachedonAkamaimachines.

3.2.3 Donotstorethepersonalidentificationnumber(PIN)ortheencryptedPINblockafterauthorization.

X


14






Notes

3.3 MaskPANwhendisplayed(thefirstsixandlastfourdigitsarethemaximumnumberofdigitstobedisplayed),suchthatonlypersonnelwithalegitimatebusinessneedcanseethefullPAN.Note:Thisrequirementdoesnotsupersedestricterrequirementsinplacefordisplaysofcardholderdata—forexample,legalorpaymentcardbrandrequirementsforpoint-of-sale(POS)receipts.

X

IfcustomersaretransmittingcardholderdataforuserviewingovertheAkamaiSCDN,theyareresponsibleforensuringthatPANsareappropriatelymasked.

3.4 RenderPANunreadableanywhereitisstored(includingonportabledigitalmedia,backupmedia,andinlogs)byusinganyofthefollowingapproaches:-One-wayhashesbasedonstrongcryptography,(hashmustbeoftheentirePAN)-Truncation(hashingcannotbeusedtoreplacethetruncatedsegmentofPAN)-Indextokensandpads(padsmustbesecurelystored)-Strongcryptographywithassociatedkey-managementprocessesandprocedures.

X CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausePANtobecachedorotherwisestoredonAkamaimachines.

15






Notes

Note:ItisarelativelytrivialeffortforamaliciousindividualtoreconstructoriginalPANdataiftheyhaveaccesstoboththetruncatedandhashedversionofaPAN.WherehashedandtruncatedversionsofthesamePANarepresentinanentity’senvironment,additionalcontrolsshouldbeinplacetoensurethatthehashedandtruncatedversionscannotbecorrelatedtoreconstructtheoriginalPAN.

3.4.1 Ifdiskencryptionisused(ratherthanfile-orcolumn-leveldatabaseencryption),logicalaccessmustbemanagedseparatelyandindependentlyofnativeoperatingsystemauthenticationandaccesscontrolmechanisms(forexample,bynotusinglocaluseraccountdatabasesorgeneralnetworklogincredentials).Decryptionkeysmustnotbeassociatedwithuseraccounts.

X


16






Notes

3.5 Documentandimplementprocedurestoprotectkeysusedtosecurestoredcardholderdataagainstdisclosureandmisuse:Note:Thisrequirementappliestokeysusedtoencryptstoredcardholderdata,andalsoappliestokey-encryptingkeysusedtoprotectdata-encryptingkeys—suchkey-encryptingkeysmustbeatleastasstrongasthedata-encryptingkey.

X


3.5.1 Restrictaccesstocryptographickeystothefewestnumberofcustodiansnecessary.

X


3.5.2 Storesecretandprivatekeysusedtoencrypt/decryptcardholderdatainone(ormore)ofthefollowingformsatalltimes:-Encryptedwithakey-encryptingkeythatisatleastasstrongasthedata-encryptingkey,andthatisstoredseparatelyfromthedata-encryptingkey-Withinasecurecryptographicdevice(suchasahardware(host)securitymodule(HSM)orPTS-approved

X Akamaidoesnotstorecardholderdata.

17






Notes

point-of-interactiondevice)-Asatleasttwofull-lengthkeycomponentsorkeyshares,inaccordancewithanindustry-acceptedmethodNote:Itisnotrequiredthatpublickeysbestoredinoneoftheseforms.

3.5.3 Storecryptographickeysinthefewestpossiblelocations.

X


3.6 Fullydocumentandimplementallkey-managementprocessesandproceduresforcryptographickeysusedforencryptionofcardholderdata,includingthefollowing:Note:NumerousindustrystandardsforkeymanagementareavailablefromvariousresourcesincludingNIST,whichcanbefoundathttp://csrc.nist.gov.

X


3.6.1 Generationofstrongcryptographickeys

X


3.6.2 Securecryptographickeydistribution

X


3.6.3 Securecryptographickeystorage

X


18






Notes

3.6.4 Cryptographickeychangesforkeysthathavereachedtheendoftheircryptoperiod(forexample,afteradefinedperiodoftimehaspassedand/orafteracertainamountofcipher-texthasbeenproducedbyagivenkey),asdefinedbytheassociatedapplicationvendororkeyowner,andbasedonindustrybestpracticesandguidelines(forexample,NISTSpecialPublication800-57).

X


3.6.5 Retirementorreplacement(forexample,archiving,destruction,and/orrevocation)ofkeysasdeemednecessarywhentheintegrityofthekeyhasbeenweakened(forexample,departureofanemployeewithknowledgeofaclear-textkeycomponent),orkeysaresuspectedofbeingcompromised.Note:Ifretiredorreplacedcryptographickeysneedtoberetained,thesekeysmustbesecurelyarchived(forexample,byusingakey-encryptionkey).

X Akamaidoesnotstorecardholderdata.

19






Notes

Archivedcryptographickeysshouldonlybeusedfordecryption/verificationpurposes.

3.6.6 Ifmanualclear-textcryptographickey-managementoperationsareused,theseoperationsmustbemanagedusingsplitknowledgeanddualcontrol.Note:Examplesofmanualkey-managementoperationsinclude,butarenotlimitedto:keygeneration,transmission,loading,storageanddestruction.

X


3.6.7 Preventionofunauthorizedsubstitutionofcryptographickeys.

X


3.6.8 Requirementforcryptographickeycustodianstoformallyacknowledgethattheyunderstandandaccepttheirkey-custodianresponsibilities.

X


3.7 Ensurethatsecuritypoliciesandoperationalproceduresforprotectingstoredcardholderdataaredocumented,inuse,andknowntoallaffectedparties.

X


20






Notes

4.1 Usestrongcryptographyandsecurityprotocols(forexample,TLS,IPSEC,SSH,etc.)tosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.Examplesofopen,publicnetworksincludebutarenotlimitedto:-TheInternet-Wirelesstechnologies,including802.11andBluetooth-Cellulartechnologies,forexample,GlobalSystemforMobilecommunications(GSM),Codedivisionmultipleaccess(CDMA)-GeneralPacketRadioService(GPRS).-Satellitecommunications.

X

TheAkamaiSCDNoffersstrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,buttheactualconfigurationsettingsarecontrolledbythecustomerusingtheLunaControlCenter.Itisthecustomer'sresponsibilitytoensurethattheirAkamaiservicesareconfiguredtousestrongcryptography,andtonevertransmitcardholderdataoverconnectionsthatdonotusestrongcryptography.

21






Notes

4.1.1 Ensurewirelessnetworkstransmittingcardholderdataorconnectedtothecardholderdataenvironment,useindustrybestpractices(forexample,IEEE802.11i)toimplementstrongencryptionforauthenticationandtransmission.Note:TheuseofWEPasasecuritycontrolisprohibited.

X


4.2 NeversendunprotectedPANsbyend-usermessagingtechnologies(forexample,e-mail,instantmessaging,SMS,chat,etc.).

X

Itisthecustomer'sresponsibilitytoneversendPANsusingAkamaiserviceswithouttakingappropriateactiontosecurethecontents.

4.3 Ensurethatsecuritypoliciesandoperationalproceduresforencryptingtransmissionsofcardholderdataaredocumented,inuse,andknowntoallaffectedparties.

X

CustomermusttraintheirrelevantpersonneltoensurethatAkamaiservicescarryingcustomerPCIdataareconfiguredtousestrongcryptographyatalltimes.

5.1 Deployanti-virussoftwareonallsystemscommonlyaffectedbymalicioussoftware(particularlypersonalcomputersandservers).

X

22






Notes

5.1.1 Ensurethatanti-virusprogramsarecapableofdetecting,removing,andprotectingagainstallknowntypesofmalicioussoftware.

X

5.1.2 Forsystemsconsideredtobenotcommonlyaffectedbymalicioussoftware,performperiodicevaluationstoidentifyandevaluateevolvingmalwarethreatsinordertoconfirmwhethersuchsystemscontinuetonotrequireanti-virussoftware.

X

5.2 Ensurethatallanti-virusmechanismsaremaintainedasfollows:-Arekeptcurrent,-Performperiodicscans-GenerateauditlogswhichareretainedperPCIDSSRequirement10.7.

X

5.3 Ensurethatanti-virusmechanismsareactivelyrunningandcannotbedisabledoralteredbyusers,unlessspecificallyauthorizedbymanagementonacase-by-casebasisforalimitedtimeperiod.Note:Anti-virussolutionsmaybetemporarilydisabledonlyifthereislegitimate

X

23






Notes

technicalneed,asauthorizedbymanagementonacase-by-casebasis.Ifanti-virusprotectionneedstobedisabledforaspecificpurpose,itmustbeformallyauthorized.Additionalsecuritymeasuresmayalsoneedtobeimplementedfortheperiodoftimeduringwhichanti-virusprotectionisnotactive.

5.4 Ensurethatsecuritypoliciesandoperationalproceduresforprotectingsystemsagainstmalwarearedocumented,inuse,andknowntoallaffectedparties.

X

6.1 Establishaprocessto

identifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities.

X

24






Notes

6.2 Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.Note:CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1.

X

6.3 Developinternaland

externalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:-InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)-Basedonindustrystandardsand/orbestpractices.-Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustom

X CustomermustensurethatallexecutablecontenttransmittedoverAkamaiservicesandhandlingcreditcarddataisdevelopedinaccordancewithPCIDSS,basedonbestpracticesandincorporatinginformationsecuritythroughoutthesoftware-developmentlifecycle.

25






Notes

softwaredevelopedbyathirdparty.

6.3.1 Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers.

X

6.3.2 Reviewcustomcode

priortoreleasetoproductionorcustomersinordertoidentifyanypotentialcodingvulnerability(usingeithermanualorautomatedprocesses)toincludeatleastthefollowing:-Codechangesarereviewedbyindividualsotherthantheoriginatingcodeauthor,andbyindividualsknowledgeableaboutcode-reviewtechniquesandsecurecodingpractices.-Codereviewsensurecodeisdevelopedaccordingtosecurecodingguidelines-Appropriatecorrectionsareimplementedpriortorelease.-Code-reviewresultsarereviewedandapprovedbymanagementpriortorelease.

X CustomersmustreviewtheirownexecutablecontenttransmittedoverAkamaiservicespriortoreleasetoproductionorcustomersinordertoidentifyanypotentialcodingvulnerabilities.

26






Notes

Note:Thisrequirementforcodereviewsappliestoallcustomcode(bothinternalandpublic-facing),aspartofthesystemdevelopmentlifecycle.Codereviewscanbeconductedbyknowledgeableinternalpersonnelorthirdparties.Public-facingwebapplicationsarealsosubjecttoadditionalcontrols,toaddressongoingthreatsandvulnerabilitiesafterimplementation,asdefinedatPCIDSSRequirement6.6.

6.4 Followchangecontrolprocessesandproceduresforallchangestosystemcomponents.Theprocessesmustincludethefollowing:

X

CustomersareresponsibleforchangecontrolprocessesandproceduresdescribedinthissectionforallexecutablecontenttheycreatewhichhandlesPCIdataandisservedbytheAkamaiSCDN.

6.4.1 Separatedevelopment/testenvironmentsfromproductionenvironments,andenforcetheseparationwithaccesscontrols.

X

27






Notes

6.4.2 Separationofdutiesbetweendevelopment/testandproductionenvironments

X

6.4.3 Productiondata(live

PANs)arenotusedfortestingordevelopment

X

6.4.4 Removaloftestdataand

accountsbeforeproductionsystemsbecomeactive

X

6.4.5 Changecontrol

proceduresfortheimplementationofsecuritypatchesandsoftwaremodificationsmustincludethefollowing:

X

6.4.5.1 Documentationof

impact.

X

6.4.5.2 Documentedchangeapprovalbyauthorizedparties.

X

6.4.5.3 Functionalitytestingto

verifythatthechangedoesnotadverselyimpactthesecurityofthesystem.

X

6.4.5.4 Back-outprocedures. X

28






Notes

6.5 Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:-Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.-Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements.

X

CustomersareresponsibleforaddressingcommoncodingvulnerabilitiesdescribedinthissectionforallexecutablecontenttheycreatewhichhandlesPCIdataandisservedbytheAkamaiSCDN.

6.5.1 Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws.

X

6.5.2 Bufferoverflows X

29






Notes

6.5.3 Insecurecryptographicstorage

X

6.5.4 Insecurecommunications

X 6.5.5 Impropererrorhandling X 6.5.6 All“highrisk”

vulnerabilitiesidentifiedinthevulnerabilityidentificationprocess(asdefinedinPCIDSSRequirement6.1).

X

6.5.7 Cross-sitescripting(XSS) X 6.5.8 Improperaccesscontrol

(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions).

X

6.5.9 Cross-siterequest

forgery(CSRF)

X

6.5.10 BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement.

X

6.6 Forpublic-facingweb

applications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:-Reviewingpublic-facingwebapplicationsviamanualorautomated

X CustomersareresponsibleforaddressingthreatsandvulnerabilitiesonanongoingbasisforallexecutablecontenttheycreatewhichhandlesPCIdataandisservedbytheAkamaiSCDN.

30






Notes

applicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychanges-Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic.

6.7 Ensurethatsecuritypoliciesandoperationalproceduresfordevelopingandmaintainingsecuresystemsandapplicationsaredocumented,inuse,andknowntoallaffectedparties.

X

CustomersareresponsibleforsecuritypoliciesandoperationalproceduresforallexecutablecontenttheycreatewhichhandlesPCIdataandisservedbytheAkamaiSCDN.

7.1 Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess.

X

CustomersmustlimitaccesstoLunaControlCenteraccountsandOPENAPIcredentialstothoseindividualswhosejobrequiressuchaccess.

31






Notes

7.1.1 Defineaccessneedsforeachrole,including:-Systemcomponentsanddataresourcesthateachroleneedstoaccessfortheirjobfunction-Levelofprivilegerequired(forexample,user,administrator,etc.)foraccessingresources.

X

CustomersmustdefineaccessneedsforeachroletheyuseintheLunaControlCenter,including:-Systemcomponentsanddataresourcesthateachroleneedstoaccessfortheirjobfunction-Levelofprivilegerequired(forexample,user,administrator,etc.)foraccessingresources.

7.1.2 RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities.

X

CustomersmustensurethataccesstoprivilegeduserIDsontheLunaControlCenterandcustomersystemsisrestrictedtoleastprivilegesnecessarytoperformjobresponsibilities.

7.1.3 Assignaccessbasedonindividualpersonnel’sjobclassificationandfunction.

X

CustomersmustassignaccesstotheLunaControlCenterandOPENAPIcredentialsbasedonindividualpersonnel’sjobclassificationandfunction.

32






Notes

7.1.4 Requiredocumentedapprovalbyauthorizedpartiesspecifyingrequiredprivileges.

X

CustomersmustrequiredocumentedapprovalbyauthorizedpartiesspecifyingrequiredprivilegeswhengrantingaccesstotheLunaControlCenterorOPENAPIcredentials..

7.2 Establishanaccesscontrolsystemforsystemscomponentsthatrestrictsaccessbasedonauser’sneedtoknow,andissetto“denyall”unlessspecificallyallowed. Thisaccesscontrolsystemmustincludethefollowing:

X

CustomersmustensurethattheLunaControlCenter'saccesscontrolsystemrestrictsuseraccesstoonlythoseprivilegeswhicharenecessaryforeachuser.

7.2.1 Coverageofallsystemcomponents

X

CustomersmustconfiguretheLunaControlCenter'saccesscontrolsystemfortheiraccountstorestrictaccesstoallPCI-relevantAkamaiservicesandconfigurations.

7.2.2 Assignmentofprivilegestoindividualsbasedonjobclassificationandfunction.

X

CustomersmustassignprivilegeswithintheLunaControlCentertoindividualsbasedonjobclassificationandfunctioninthecustomerorganization.

33






Notes

7.2.3 Default“deny-all”setting.

X

AkamaiPCIsystems,includingthecustomer-facingLunaControlCenter,denyallaccessbydefault,excepttoalimitedamountofpublicread-onlydata.

7.3 Ensurethatsecuritypoliciesandoperationalproceduresforrestrictingaccesstocardholderdataaredocumented,inuse,andknowntoallaffectedparties.

X

CustomermustensurethatsecuritypoliciesandoperationalproceduresforrestrictingaccesstotheLunaControlCenterandOPENAPIcredentialsaredocumented,inuse,andknowntoallaffectedparties.

8.1 Defineandimplementpoliciesandprocedurestoensureproperuseridentificationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsasfollows:

X

CustomermustdefineandimplementpoliciesandprocedurestoensureproperuseridentificationofindividualsaccessingtheLunaControlCenterortoolsusingOPENAPI.

8.1.1 AssignallusersauniqueIDbeforeallowingthemtoaccesssystemcomponentsorcardholderdata.

X

CustomermustassignallusersauniqueuserIDbeforeallowingthemtoaccesstheLunaControlCenter.

34






Notes

8.1.2 Controladdition,deletion,andmodificationofuserIDs,credentials,andotheridentifierobjects.

X

Customermustcontroladdition,deletion,andmodificationofLunaControlCenteruserIDs,credentials,andotheridentifierobjects.

8.1.3 Immediatelyrevokeaccessforanyterminatedusers.

X

CustomermustimmediatelyrevokeaccesstotheLunaControlCenterforanyterminatedusers.

8.1.4 Remove/disableinactiveuseraccountswithin90days.

X

Customermustremove/disableinactiveLunaControlCenteruseraccountsatleastevery90days,eithermanuallyorusingtheLunaControlCenterautomatedoption.

8.1.5 ManageIDsusedbyvendorstoaccess,support,ormaintainsystemcomponentsviaremoteaccessasfollows:-Enabledonlyduringthetimeperiodneededanddisabledwhennotinuse.-Monitoredwheninuse.

X

IfacustomergrantsavendoraccesstotheirAkamaiaccount,theyareresponsibleformanagingthevendoraccess.AkamaidoesnotmanageIDsforitsresellers;customerspurchasingaccountsthroughAkamairesellersareresponsibleforworkingwiththeresellertomakesurethatreselleraccessisPCI-compliant.

35






Notes

8.1.6 LimitrepeatedaccessattemptsbylockingouttheuserIDafternotmorethansixattempts.

X

CustomermustconfigureLunatolockoutuserID'safternotmorethansixattempts.

8.1.7 Setthelockoutdurationtoaminimumof30minutesoruntilanadministratorenablestheuserID.

X

8.1.8 Ifasessionhasbeenidle

formorethan15minutes,requiretheusertore-authenticatetore-activatetheterminalorsession.

X

CustomermustsettheLunaControlCenterconfigurationsettingsothatifasessionhasbeenidleformorethan15minutes,theusermustre-authenticatetore-activatetheterminalorsession.

8.2 InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:-Somethingyouknow,suchasapasswordorpassphrase-Somethingyouhave,suchasatokendeviceorsmartcard-Somethingyouare,suchasabiometric.

X

CustomersusingSAMLtoauthenticateuserstotheLunaControlCenterareresponsibleforensuringthattheirsetupusesatleastoneofthelistedmethodstoauthenticateallusers.

36






Notes

8.2.1 Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents.

X

8.2.2 Verifyuseridentity

beforemodifyinganyauthenticationcredential—forexample,performingpasswordresets,provisioningnewtokens,orgeneratingnewkeys.

X

8.2.3 Passwords/phrasesmust

meetthefollowing:-Requireaminimumlengthofatleastsevencharacters.-Containbothnumericandalphabeticcharacters.Alternatively,thepasswords/phrasesmusthavecomplexityandstrengthatleastequivalenttotheparametersspecifiedabove.

X

CustomersareresponsibleforsettingLunaControlCenterpasswordconfigurationstorequireaminimumlengthofatleastsevencharactersandtocontainbothnumericandalphabeticcharacters.

8.2.4 Changeuserpasswords/passphrasesatleastonceevery90days.

X

CustomersareresponsibleforsettingLunaControlCenterconfigurationssothatuserpasswords/passphrasesmustbechangedatleastevery90days.

37






Notes

8.2.5 Donotallowanindividualtosubmitanewpassword/phrasethatisthesameasanyofthelastfourpasswords/phrasesheorshehasused.

X

8.2.6 Setpasswords/phrases

forfirst-timeuseanduponresettoauniquevalueforeachuser,andchangeimmediatelyafterthefirstuse.

X

8.3 Incorporatetwo-factor

authenticationforremotenetworkaccessoriginatingfromoutsidethenetworkbypersonnel(includingusersandadministrators)andallthirdparties,(includingvendoraccessforsupportormaintenance).Note:Two-factorauthenticationrequiresthattwoofthethreeauthenticationmethods(seeRequirement8.2fordescriptionsofauthenticationmethods)beusedforauthentication.Usingonefactortwice(forexample,usingtwoseparatepasswords)isnotconsideredtwo-factorauthentication.Examplesoftwo-factor

X TODO:Whatcountsasremotenetworkaccess?

38






Notes

technologiesincluderemoteauthenticationanddial-inservice(RADIUS)withtokens;terminalaccesscontrolleraccesscontrolsystem(TACACS)withtokens;andothertechnologiesthatfacilitatetwo-factorauthentication.

8.4 Documentandcommunicateauthenticationproceduresandpoliciestoallusersincluding:-Guidanceonselectingstrongauthenticationcredentials-Guidanceforhowusersshouldprotecttheirauthenticationcredentials-Instructionsnottoreusepreviouslyusedpasswords-Instructionstochangepasswordsifthereisanysuspicionthepasswordcouldbecompromised.

X

CustomersmustmakesurethattheyhavedocumentedandhavecommunicatedauthenticationproceduresandpoliciestoallLunausersincludingguidanceonselectingstrongauthenticationcredentials,guidanceforhowusersshouldprotecttheirauthenticationcredentials,instructionsnottoreusepreviouslyusedpasswordsandinstructionstochangepasswordsifthereisanysuspicionthepasswordcouldbecompromised.

39






Notes

8.5 Donotusegroup,shared,orgenericIDs,passwords,orotherauthenticationmethodsasfollows:-GenericuserIDsaredisabledorremoved.-ShareduserIDsdonotexistforsystemadministrationandothercriticalfunctions.-SharedandgenericuserIDsarenotusedtoadministeranysystemcomponents.

X

Customersareresponsiblefornotusinggroup,shared,orgenericIDs,passwords,orotherauthenticationmethodswhenaccessingtheLunaControlCenter.

8.5.1 Additionalrequirementforserviceprovidersonly:Serviceproviderswithremoteaccesstocustomerpremises(forexample,forsupportofPOSsystemsorservers)mustuseauniqueauthenticationcredential(suchasapassword/phrase)foreachcustomer.

X

Akamaihasnoremoteaccesstocustomerpremises.

8.6 Whereotherauthenticationmechanismsareused(forexample,physicalorlogicalsecuritytokens,smartcards,certificates,etc.),useofthesemechanismsmustbeassignedasfollows:-Authenticationmechanismsmustbeassignedtoanindividualaccountandnotsharedamongmultiple

X Customersusingtwo-factorauthenticationtoaccesstheLunaControlCentermustensurethatthesecondfactorisalwaysassignedtoanindividualaccountandnotshared,andthatcontrolsareinplacetoensureonlytheintendedaccountcanusethemechanismtogainaccess.

40






Notes

accounts.-Physicaland/orlogicalcontrolsmustbeinplacetoensureonlytheintendedaccountcanusethatmechanismtogainaccess.

8.7 Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:-Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.-Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.-ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses).

X


8.8 Ensurethatsecuritypoliciesandoperationalproceduresforidentificationandauthenticationaredocumented,inuse,andknowntoallaffectedparties.

X

Customersmustensurethatsecuritypoliciesandoperationalproceduresforidentificationandauthenticationaredocumented,inuse,andknowntoallaffectedparties.

41






Notes

9.1 Useappropriatefacilityentrycontrolstolimitandmonitorphysicalaccesstosystemsinthecardholderdataenvironment.

X

9.1.1 Usevideocameras

and/oraccesscontrolmechanismstomonitorindividualphysicalaccesstosensitiveareas.Reviewcollecteddataandcorrelatewithotherentries.Storeforatleastthreemonths,unlessotherwiserestrictedbylaw.Note:“Sensitiveareas”referstoanydatacenter,serverroomoranyareathathousessystemsthatstore,process,ortransmitcardholderdata.Thisexcludespublic-facingareaswhereonlypoint-of-saleterminalsarepresent,suchasthecashierareasinaretailstore.

X

42






Notes

9.1.2 Implementphysicaland/orlogicalcontrolstorestrictaccesstopubliclyaccessiblenetworkjacks.Forexample,networkjackslocatedinpublicareasandareasaccessibletovisitorscouldbedisabledandonlyenabledwhennetworkaccessisexplicitlyauthorized.Alternatively,processescouldbeimplementedtoensurethatvisitorsareescortedatalltimesinareaswithactivenetworkjacks.

X

9.1.3 Restrictphysicalaccess

towirelessaccesspoints,gateways,handhelddevices,networking/communicationshardware,andtelecommunicationlines.

X

9.2 Developproceduresto

easilydistinguishbetweenonsitepersonnelandvisitors,toinclude:-Identifyingonsitepersonnelandvisitors(forexample,assigningbadges)-Changestoaccessrequirements-Revokingorterminatingonsitepersonnelandexpired

X

43






Notes

visitoridentification(suchasIDbadges).

9.3 Controlphysicalaccessforonsitepersonneltothesensitiveareasasfollows:-Accessmustbeauthorizedandbasedonindividualjobfunction.-Accessisrevokedimmediatelyupontermination,andallphysicalaccessmechanisms,suchaskeys,accesscards,etc.,arereturnedordisabled.

X

9.4.x Implementprocedures

toidentifyandauthorizevisitors.Proceduresshouldincludethefollowing:

X

9.4.1 Visitorsareauthorized

beforeentering,andescortedatalltimeswithin,areaswherecardholderdataisprocessedormaintained.

X

9.4.2 Visitorsareidentified

andgivenabadgeorotheridentificationthatexpiresandthatvisiblydistinguishesthevisitorsfromonsitepersonnel.

X

9.4.3 Visitorsareaskedto

surrenderthebadgeoridentificationbeforeleavingthefacilityoratthedateofexpiration.

X

44






Notes

9.4.4 Avisitorlogisusedtomaintainaphysicalaudittrailofvisitoractivitytothefacilityaswellascomputerroomsanddatacenterswherecardholderdataisstoredortransmitted.Documentthevisitor’sname,thefirmrepresented,andtheonsitepersonnelauthorizingphysicalaccessonthelog.Retainthislogforaminimumofthreemonths,unlessotherwiserestrictedbylaw.

X

9.5 Physicallysecureall

media.X

Akamaidoesnotstorecardholderdataonanymedia.

9.5.1 Storemediabackupsinasecurelocation,preferablyanoff-sitefacility,suchasanalternateorbackupsite,oracommercialstoragefacility.Reviewthelocation’ssecurityatleastannually.

X


9.6 Maintainstrictcontrolovertheinternalorexternaldistributionofanykindofmedia,includingthefollowing:

X


9.6.1 Classifymediasothesensitivityofthedatacanbedetermined.

X


45






Notes

9.6.2 Sendthemediabysecuredcourierorotherdeliverymethodthatcanbeaccuratelytracked.

X


9.6.3 Ensuremanagementapprovesanyandallmediathatismovedfromasecuredarea(includingwhenmediaisdistributedtoindividuals).

X


9.7 Maintainstrictcontroloverthestorageandaccessibilityofmedia.

X


9.7.1 Properlymaintaininventorylogsofallmediaandconductmediainventoriesatleastannually.

X


9.8 Destroymediawhenitisnolongerneededforbusinessorlegalreasonsasfollows:

X


9.8.1 Shred,incinerate,orpulphard-copymaterialssothatcardholderdatacannotbereconstructed.Securestoragecontainersusedformaterialsthataretobedestroyed.

X


9.8.2 Rendercardholderdataonelectronicmediaunrecoverablesothatcardholderdatacannotbereconstructed.

X


46






Notes

9.9 Protectdevicesthatcapturepaymentcarddataviadirectphysicalinteractionwiththecardfromtamperingandsubstitution.Note:Theserequirementsapplytocard-readingdevicesusedincard-presenttransactions(thatis,cardswipeordip)atthepointofsale.Thisrequirementisnotintendedtoapplytomanualkey-entrycomponentssuchascomputerkeyboardsandPOSkeypads.Note:Requirement9.9isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement.

X


9.9.1 Maintainanup-to-datelistofdevices.Thelistshouldincludethefollowing:-Make,modelofdevice-Locationofdevice(forexample,theaddressofthesiteorfacilitywherethedeviceislocated)-Deviceserialnumberorothermethodofuniqueidentification.

X


47






Notes

9.9.2 Periodicallyinspectdevicesurfacestodetecttampering(forexample,additionofcardskimmerstodevices),orsubstitution(forexample,bycheckingtheserialnumberorotherdevicecharacteristicstoverifyithasnotbeenswappedwithafraudulentdevice).Note:Examplesofsignsthatadevicemighthavebeentamperedwithorsubstitutedincludeunexpectedattachmentsorcablespluggedintothedevice,missingorchangedsecuritylabels,brokenordifferentlycoloredcasing,orchangestotheserialnumberorotherexternalmarkings.

X


9.9.3 Providetrainingforpersonneltobeawareofattemptedtamperingorreplacementofdevices.Trainingshouldincludethefollowing:-Verifytheidentityofanythird-partypersonsclaimingtoberepairormaintenancepersonnel,priortograntingthemaccesstomodifyortroubleshootdevices.-Donotinstall,replace,

X Akamaidoesnotstorecardholderdataonanymedia.

48






Notes

orreturndeviceswithoutverification.-Beawareofsuspiciousbehaviorarounddevices(forexample,attemptsbyunknownpersonstounplugoropendevices).-Reportsuspiciousbehaviorandindicationsofdevicetamperingorsubstitutiontoappropriatepersonnel(forexample,toamanagerorsecurityofficer).

9.10 Ensurethatsecuritypoliciesandoperationalproceduresforrestrictingphysicalaccesstocardholderdataaredocumented,inuse,andknowntoallaffectedparties.

X

10.1 Implementaudittrailsto

linkallaccesstosystemcomponentstoeachindividualuser.

X

10.2 Implementautomated

audittrailsforallsystemcomponentstoreconstructthefollowingevents:

X

10.2.1 Allindividualuser

accessestocardholderdata

X


10.2.2 Allactionstakenbyanyindividualwithrootoradministrativeprivileges

X

10.2.3 Accesstoallaudittrails X 10.2.4 Invalidlogicalaccess

attempts X

49






Notes

10.2.5 Useofandchangestoidentificationandauthenticationmechanisms—includingbutnotlimitedtocreationofnewaccountsandelevationofprivileges—andallchanges,additions,ordeletionstoaccountswithrootoradministrativeprivileges

X

10.2.6 Initialization,stopping,

orpausingoftheauditlogs

X

10.2.7 Creationanddeletionof

system-levelobjects X

10.3 Recordatleastthefollowingaudittrailentriesforallsystemcomponentsforeachevent:

X

10.3.1 Useridentification X 10.3.2 Typeofevent X 10.3.3 Dateandtime X 10.3.4 Successorfailure

indication X

10.3.5 Originationofevent X 10.3.6 Identityornameof

affecteddata,systemcomponent,orresource.

X

50






Notes

10.4 Usingtime-synchronizationtechnology,synchronizeallcriticalsystemclocksandtimesandensurethatthefollowingisimplementedforacquiring,distributing,andstoringtime.Note:OneexampleoftimesynchronizationtechnologyisNetworkTimeProtocol(NTP).

X

10.4.1 Criticalsystemshavethe

correctandconsistenttime.

X

10.4.2 Timedataisprotected. X 10.4.3 Timesettingsare

receivedfromindustry-acceptedtimesources.

X

10.5 Secureaudittrailsso

theycannotbealtered. X

10.5.1 Limitviewingofaudittrailstothosewithajob-relatedneed.

X

10.5.2 Protectaudittrailfiles

fromunauthorizedmodifications.

X

10.5.3 Promptlybackupaudit

trailfilestoacentralizedlogserverormediathatisdifficulttoalter.

X

10.5.4 Writelogsforexternal-

facingtechnologiesontoasecure,centralized,internallogserverormediadevice.

X

51






Notes

10.5.5 Usefile-integritymonitoringorchange-detectionsoftwareonlogstoensurethatexistinglogdatacannotbechangedwithoutgeneratingalerts(althoughnewdatabeingaddedshouldnotcauseanalert).

X

10.6 Reviewlogsandsecurity

eventsforallsystemcomponentstoidentifyanomaliesorsuspiciousactivity.Note:Logharvesting,parsing,andalertingtoolsmaybeusedtomeetthisRequirement.

X

CustomersmustreviewLunaControlCenterlogsandsecurityeventsatleastdailytoidentifyanomaliesorsuspiciousactivity.

10.6.1 Reviewthefollowingatleastdaily:-Allsecurityevents-Logsofallsystemcomponentsthatstore,process,ortransmitCHDand/orSAD,orthatcouldimpactthesecurityofCHDand/orSAD-Logsofallcriticalsystemcomponents-Logsofallserversandsystemcomponentsthatperformsecurityfunctions(forexample,firewalls,intrusion-detectionsystems/intrusion-preventionsystems(IDS/IPS),authentication

X CustomersmustreviewLunaControlCenterlogsandsecurityeventsatleastdailytocomplywithallPCIDSSlogreviewrequirements.

52






Notes

servers,e-commerceredirectionservers,etc.).

10.6.2 Reviewlogsofallothersystemcomponentsperiodicallybasedontheorganization’spoliciesandriskmanagementstrategy,asdeterminedbytheorganization’sannualriskassessment.

X

10.6.3 Followupexceptions

andanomaliesidentifiedduringthereviewprocess.

X

CustomermustfollowuponexceptionsandanomaliesidentifiedduringthereviewofLunaControlCenterlogs.

10.7 Retainaudittrailhistoryforatleastoneyear,withaminimumofthreemonthsimmediatelyavailableforanalysis(forexample,online,archived,orrestorablefrombackup).

X

10.8 Ensurethatsecurity

policiesandoperationalproceduresformonitoringallaccesstonetworkresourcesandcardholderdataaredocumented,inuse,andknowntoallaffectedparties.

X

CustomersmusthavesecuritypoliciesandoperationalproceduresformonitoringallaccesstotheLunaControlCenterthataredocumented,inuse,andknowntoallaffectedparties.

53






Notes

11.1 Implementprocessestotestforthepresenceofwirelessaccesspoints(802.11),anddetectandidentifyallauthorizedandunauthorizedwirelessaccesspointsonaquarterlybasis.Note:Methodsthatmaybeusedintheprocessincludebutarenotlimitedtowirelessnetworkscans,physical/logicalinspectionsofsystemcomponentsandinfrastructure,networkaccesscontrol(NAC),orwirelessIDS/IPS.Whichevermethodsareused,theymustbesufficienttodetectandidentifybothauthorizedandunauthorizeddevices.

X

11.1.1 Maintainaninventoryof

authorizedwirelessaccesspointsincludingadocumentedbusinessjustification.

X

11.1.2 Implementincident

responseproceduresintheeventunauthorizedwirelessaccesspointsaredetected.

X

54


11.2 Runinternalandexternalnetworkvulnerabilityscansatleastquarterlyandafteranysignificantchangeinthenetwork(suchasnewsystemcomponentinstallations,changesinnetworktopology,firewallrulemodifications,productupgrades).Note:Multiplescanreportscanbecombinedforthequarterlyscanprocesstoshowthatallsystemswerescannedandallapplicablevulnerabilitieshavebeenaddressed.Additionaldocumentationmayberequiredtoverifynon-remediatedvulnerabilitiesareintheprocessofbeingaddressed.ForinitialPCIDSScompliance,itisnotrequiredthatfourquartersofpassingscansbecompletediftheassessorverifies1)themostrecentscanresultwasapassingscan,2)theentityhasdocumentedpoliciesandproceduresrequiringquarterlyscanning,and3)vulnerabilitiesnotedinthescanresultshavebeencorrectedasshowninare-scan(s).Forsubsequentyearsafter

X

55






Notes

theinitialPCIDSSreview,fourquartersofpassingscansmusthaveoccurred.

11.2.1 Performquarterlyinternalvulnerabilityscansandrescansasneeded,untilall“high-risk”vulnerabilities(asidentifiedinRequirement6.1)areresolved.Scansmustbeperformedbyqualifiedpersonnel.

X

11.2.2 Performquarterly

externalvulnerabilityscans,viaanApprovedScanningVendor(ASV)approvedbythePaymentCardIndustrySecurityStandardsCouncil(PCISSC).Performrescansasneeded,untilpassingscansareachieved.Note:QuarterlyexternalvulnerabilityscansmustbeperformedbyanApprovedScanningVendor(ASV),approvedbythePaymentCardIndustrySecurityStandardsCouncil(PCISSC).RefertotheASVProgramGuidepublishedonthePCISSCwebsiteforscancustomer

X

56






Notes

responsibilities,scanpreparation,etc.

11.2.3 Performinternalandexternalscans,andrescansasneeded,afteranysignificantchange.Scansmustbeperformedbyqualifiedpersonnel.

X

11.3 Implementa

methodologyforpenetrationtestingthatincludesthefollowing:-Isbasedonindustry-acceptedpenetrationtestingapproaches(forexample,NISTSP800-115)-IncludescoveragefortheentireCDEperimeterandcriticalsystems-Includestestingfrombothinsideandoutsidethenetwork-Includestestingtovalidateanysegmentationandscope-reductioncontrols-Definesapplication-layerpenetrationteststoinclude,ataminimum,thevulnerabilitieslistedinRequirement6.5-Definesnetwork-layerpenetrationteststoincludecomponentsthatsupportnetworkfunctionsaswellasoperatingsystems-Includesreviewand

X

57






Notes

considerationofthreatsandvulnerabilitiesexperiencedinthelast12months-Specifiesretentionofpenetrationtestingresultsandremediationactivitiesresults.Note:ThisupdatetoRequirement11.3isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement.PCIDSSv2.0requirementsforpenetrationtestingmustbefolloweduntilv3.0isinplace.

11.3.1 Performexternalpenetrationtestingatleastannuallyandafteranysignificantinfrastructureorapplicationupgradeormodification(suchasanoperatingsystemupgrade,asub-networkaddedtotheenvironment,orawebserveraddedtotheenvironment).

X

58






Notes

11.3.2 Performinternalpenetrationtestingatleastannuallyandafteranysignificantinfrastructureorapplicationupgradeormodification(suchasanoperatingsystemupgrade,asub-networkaddedtotheenvironment,orawebserveraddedtotheenvironment).

X

11.3.3 Exploitable

vulnerabilitiesfoundduringpenetrationtestingarecorrectedandtestingisrepeatedtoverifythecorrections.

X

11.3.4 Ifsegmentationisused

toisolatetheCDEfromothernetworks,performpenetrationtestsatleastannuallyandafteranychangestosegmentationcontrols/methodstoverifythatthesegmentationmethodsareoperationalandeffective,andisolateallout-of-scopesystemsfromsystemsintheCDE.

X

59






Notes

11.4 Useintrusion-detectionand/orintrusion-preventiontechniquestodetectand/orpreventintrusionsintothenetwork.Monitoralltrafficattheperimeterofthecardholderdataenvironmentaswellasatcriticalpointsinthecardholderdataenvironment,andalertpersonneltosuspectedcompromises.Keepallintrusion-detectionandpreventionengines,baselines,andsignaturesuptodate.

X

11.5 Deployachange-

detectionmechanism(forexample,file-integritymonitoringtools)toalertpersonneltounauthorizedmodification(includingchanges,additions,anddeletions)ofcriticalsystemfiles,configurationfiles,orcontentfiles;andconfigurethesoftwaretoperformcriticalfilecomparisonsatleastweekly.

X

11.5.1 Implementaprocessto

respondtoanyalertsgeneratedbythechange-detectionsolution.

X

60






Notes

11.6 Ensurethatsecuritypoliciesandoperationalproceduresforsecuritymonitoringandtestingaredocumented,inuse,andknowntoallaffectedparties.

X

CustomersmusthavepoliciesandproceduresinplaceformonitoringandtestingtheircorrectuseofAkamaiservices.

12.1 Establish,publish,maintain,anddisseminateasecuritypolicy.

X

Customersmustestablish,publish,maintain,anddisseminateapolicyforsecurelyusingAkamaiservices.

12.1.1 Reviewthesecuritypolicyatleastannuallyandupdatethepolicywhentheenvironmentchanges.

X

CustomersmustreviewtheirpolicyforsecureuseofAkamaiservicesatleastannuallyandupdatethepolicyastheenvironmentchanges.

12.2 Implementarisk-assessmentprocessthat:-Isperformedatleastannuallyanduponsignificantchangestotheenvironment(forexample,acquisition,merger,relocation,etc.),-Identifiescriticalassets,threats,andvulnerabilities,and-Resultsinaformal,documentedanalysisofrisk.

X

Customersmustimplementrisk-assessmentprocessesfortheirownuseofAkamaiservices.

61






Notes

12.3 Developusagepoliciesforcriticaltechnologiesanddefineproperuseofthesetechnologies.Note:Examplesofcriticaltechnologiesinclude,butarenotlimitedto,remoteaccessandwirelesstechnologies,laptops,tablets,removableelectronicmedia,e-mailusageandInternetusage.Ensuretheseusagepoliciesrequirethefollowing:

X

CustomersareresponsiblefordevelopingusagepoliciesfortheiruseofAkamaiservices,directlyorviacriticaltechnologies,coveringatleastthefollowingresponsibilities:

12.3.1 Explicitapprovalbyauthorizedparties

X

CustomersareresponsibleforacquiringapprovaloftheiruseofAkamaiservicesbyauthorizedparties.

12.3.2 Authenticationforuseofthetechnology

X

Customersareresponsibleformaintainingup-to-dateauthenticationinformationfortheiraccounts.

12.3.3 Alistofallsuchdevicesandpersonnelwithaccess

X

CustomersareresponsibleformaintainingalistofallpersonnelanddeviceswithaccesstoAkamaiservices,andtheservicesinuse.

62






Notes

12.3.4 Amethodtoaccuratelyandreadilydetermineowner,contactinformation,andpurpose(forexample,labeling,coding,and/orinventoryingofdevices)

X

CustomersareresponsibleforensuringthattheirLunaControlCenterandOPENAPIaccountsareclearlyassociatedwithanowner,contactinformation,andpurpose.

12.3.5 Acceptableusesofthetechnology

X

CustomersareresponsiblefordefiningacceptableusesofAkamaitechnology.

12.3.6 Acceptablenetworklocationsforthetechnologies

X

CustomersareresponsiblefordefininghowAkamaiservicescanbeusedinthecontextofcustomer'snetwork.

12.3.7 Listofcompany-approvedproducts

X

CustomersareresponsiblefordefiningalistofapprovedAkamaiservices.

12.3.8 Automaticdisconnectofsessionsforremote-accesstechnologiesafteraspecificperiodofinactivity

X

12.3.9 Activationofremote-

accesstechnologiesforvendorsandbusinesspartnersonlywhenneededbyvendorsandbusinesspartners,withimmediatedeactivationafteruse

X

NovendorsorpartnershaveaccesstoAkamaiPCIsystems.

63






Notes

12.3.10 Forpersonnelaccessingcardholderdataviaremote-accesstechnologies,prohibitthecopying,moving,andstorageofcardholderdataontolocalharddrivesandremovableelectronicmedia,unlessexplicitlyauthorizedforadefinedbusinessneed.Wherethereisanauthorizedbusinessneed,theusagepoliciesmustrequirethedatabeprotectedinaccordancewithallapplicablePCIDSSRequirements.

X

CardholderdataisnotstoredonAkamaiPCIsystems.

12.4 Ensurethatthesecuritypolicyandproceduresclearlydefineinformationsecurityresponsibilitiesforallpersonnel.

X

CustomersmustensurethatsecuritypoliciesandproceduresclearlydefinetheinformationsecurityresponsibilitiesforallpersonnelwithaccesstotheLunaControlCenter.

12.5 Assigntoanindividualorteamthefollowinginformationsecuritymanagementresponsibilities:

X

Customersareresponsibleforassigningtoanindividualorteamthefollowinginformationsecuritymanagementresponsibilities.

64






Notes

12.5.1 Establish,document,anddistributesecuritypoliciesandprocedures.

X

Customersmustestablish,document,anddistributesecurepoliciesandproceduresfortheuseofAkamaiservices.

12.5.2 Monitorandanalyzesecurityalertsandinformation,anddistributetoappropriatepersonnel.

X

CustomerisresponsibleformonitoringandanalyzingsecurityalertsandinformationfromAkamai,anddistributingthatinformationtoappropriatepersonnel.

12.5.3 Establish,document,anddistributesecurityincidentresponseandescalationprocedurestoensuretimelyandeffectivehandlingofallsituations.

X

Customerisresponsibleforestablishing,documenting,anddistributingsecurityincidentresponseandescalationprocedurestoensuretimelyandeffectivehandlingofallsituations.

12.5.4 Administeruseraccounts,includingadditions,deletions,andmodifications.

X

Customerisresponsibleforadministeringcustomer'sLunaControlCenteraccounts,includingaddition,deletion,andmodification.

65






Notes

12.5.5 Monitorandcontrolallaccesstodata.

X

Customerisresponsibleformonitoringandcontrollingallaccesstocustomer'sLunaControlCenterdata.

12.6 Implementaformalsecurityawarenessprogramtomakeallpersonnelawareoftheimportanceofcardholderdatasecurity.

X

CustomerisresponsibleforimplementingaformalsecurityawarenessprogramtomakeallpersonnelwithaccesstotheLunaControlCenterawareoftheimportanceofcardholderdatasecurityandhowtheiruseofAkamaiservices,particularlyconfigurationoptionsintheLunaControlCenter,canimpactthatsecurity.

12.6.1 Educatepersonneluponhireandatleastannually.Note:Methodscanvarydependingontheroleofthepersonnelandtheirlevelofaccesstothecardholderdata.

X

CustomerisresponsibleforeducatingpersonnelwithaccesstotheLunaControlCenteruponhireandatleastannually.

66






Notes

12.6.2 Requirepersonneltoacknowledgeatleastannuallythattheyhavereadandunderstoodthesecuritypolicyandprocedures.

X

CustomermustrequirepersonnelwithaccesstotheLunaControlCentertoacknowledgeatleastannuallythattheyhavereadandunderstoodthesecuritypolicyandprocedures.

12.7 Screenpotentialpersonnelpriortohiretominimizetheriskofattacksfrominternalsources.(Examplesofbackgroundchecksincludepreviousemploymenthistory,criminalrecord,credithistory,andreferencechecks.)Note:Forthosepotentialpersonneltobehiredforcertainpositionssuchasstorecashierswhoonlyhaveaccesstoonecardnumberatatimewhenfacilitatingatransaction,thisrequirementisarecommendationonly.

X

CustomermustscreenpotentialpersonnelwithaccesstotheLunaControlCenterpriortohiretominimizetheriskofattacksfrominternalsources.

67






Notes

12.8 Maintainandimplementpoliciesandprocedurestomanageserviceproviderswithwhomcardholderdataisshared,orthatcouldaffectthesecurityofcardholderdata,asfollows:

X

Customersareresponsibletomaintainandimplementpoliciesandprocedurestomanageserviceproviderswithwhomcardholderdataisshared,orthatcouldaffectthesecurityofcardholderdata,asfollows:

12.8.1 Maintainalistofserviceproviders.

X

Customersmustmaintainalistofserviceproviders,includinganywhichreceivecardholderdataviatheAkamaiSCDN.

12.8.2 Maintainawrittenagreementthatincludesanacknowledgementthattheserviceprovidersareresponsibleforthesecurityofcardholderdatatheserviceproviderspossessorotherwisestore,processortransmitonbehalfofthecustomer,ortotheextentthattheycouldimpactthesecurityofthecustomer’scardholderdataenvironment.

Note:Theexactwordingofanacknowledgementwilldependontheagreementbetweenthe

X Customersmustmaintainawrittenagreementthatincludesanacknowledgementthattheserviceprovidersareresponsibleforthesecurityofcardholderdatatheserviceproviderspossessorotherwisestore,processortransmitonbehalfofthecustomer,ortotheextentthattheycouldimpactthesecurityofthecustomer’scardholderdataenvironment.

68






Notes

twoparties,thedetailsoftheservicebeingprovided,andtheresponsibilitiesassignedtoeachparty.Theacknowledgementdoesnothavetoincludetheexactwordingprovidedinthisrequirement.

12.8.3 Ensurethereisanestablishedprocessforengagingserviceprovidersincludingproperduediligencepriortoengagement.

X

Customersmustensurethereisanestablishedprocessforengagingserviceprovidersincludingproperduediligencepriortoengagement.

12.8.4 Maintainaprogramtomonitorserviceproviders’PCIDSScompliancestatusatleastannually.

X

Customersmustmaintainaprogramtomonitorserviceproviders’PCIDSScompliancestatusatleastannually.

12.8.5 MaintaininformationaboutwhichPCIDSSrequirementsaremanagedbyeachserviceprovider,andwhicharemanagedbytheentity.

X

CustomersmustmaintaininformationaboutwhichPCIDSSrequirementsaremanagedbyeachserviceprovider,andwhicharemanagedbytheentity.

12.9 Additionalrequirementforserviceprovidersonly:Serviceprovidersacknowledgeinwritingtocustomersthattheyareresponsibleforthesecurityofcardholderdatatheserviceproviderpossessesorotherwisestores,processes,ortransmitsonbehalfof

X AkamaiacknowledgesinwritingtocustomersthatAkamaiisresponsibleforthesecurityofcardholderdataAkamaitransmitsonbehalfofthecustomer,aslongasthecustomermeetsthecustomer

69






Notes

thecustomer,ortotheextentthattheycouldimpactthesecurityofthecustomer’scardholderdataenvironment.

responsibilitiesdescribedinthismatrix.

12.10 Implementanincidentresponseplan.Bepreparedtorespondimmediatelytoasystembreach.

X

Customersmustimplementanincidentresponseplanandbepreparedtorespondimmediatelytoasystembreachwhichmayrelatetothecustomer'suseofAkamaiservices.

12.10.1 Createtheincidentresponseplantobeimplementedintheeventofsystembreach.Ensuretheplanaddressesthefollowing,ataminimum:-Roles,responsibilities,andcommunicationandcontactstrategiesintheeventofacompromiseincludingnotificationofthepaymentbrands,ataminimum-Specificincidentresponseprocedures-Businessrecoveryandcontinuityprocedures-Databackupprocesses-Analysisoflegalrequirementsforreportingcompromises-Coverageandresponsesofallcriticalsystemcomponents-Referenceorinclusion

X Customersarerequiredtohaveanincidentresponseplanaddressingthecomplete12.10.1requirementsfortheeventofasystembreach.

70






Notes

ofincidentresponseproceduresfromthepaymentbrands.

12.10.2 Testtheplanatleastannually.

X

Customersarerequiredtotesttheirincidentresponseplans,includingtheirresponsetoanincidentrelatedtotheiruseofAkamaiservices,annually.

12.10.3 Designatespecificpersonneltobeavailableona24/7basistorespondtoalerts.

X

Customermustdesignatespecificpersonneltobeavailableona24/7basisinresponsetoincidentsrelatedtothecustomer'suseofAkamaiPCIservices,andmaintainup-to-datecontactinformationforatleastthosepersonnelontheLunaControlCenter.

12.10.4 Provideappropriatetrainingtostaffwithsecuritybreachresponseresponsibilities.

X

Customermustprovideappropriatetrainingtostaffwithsecuritybreachresponseresponsibilities.

12.10.5 Includealertsfromsecuritymonitoringsystems,includingbutnotlimitedtointrusion-detection,intrusion-prevention,firewalls,andfile-integritymonitoringsystems.

X

71






Notes

12.10.6 Developaprocesstomodifyandevolvetheincidentresponseplanaccordingtolessonslearnedandtoincorporateindustrydevelopments.

X

CustomermusthaveaprocesstomodifyandevolvetheirincidentresponseplanforincidentsinvolvingAkamaiservicesaccordingtolessonslearnedandindustrydevelopments.

A.1 Protecteachentity’s(thatis,merchant,serviceprovider,orotherentity)hostedenvironmentanddata,perA.1.1throughA.1.4:

AhostingprovidermustfulfilltheserequirementsaswellasallotherrelevantsectionsofthePCIDSS.

Note:Eventhoughahostingprovidermaymeettheserequirements,thecomplianceoftheentitythatusesthehostingproviderisnotguaranteed.EachentitymustcomplywiththePCIDSSandvalidatecomplianceasapplicable.

X

Akamaiisnotahostingprovider.

A.1.1 Ensurethateachentityonlyrunsprocessesthathaveaccesstothatentity’scardholderdataenvironment.

X


72






Notes

A.1.2 Restricteachentity’saccessandprivilegestoitsowncardholderdataenvironmentonly.

X


A.1.3 Ensureloggingandaudittrailsareenabledanduniquetoeachentity’scardholderdataenvironmentandconsistentwithPCIDSSRequirement10.

X


A.1.4 Enableprocessestoprovidefortimelyforensicinvestigationintheeventofacompromisetoanyhostedmerchantorserviceprovider.

X


As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

©2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.


Documents

PCI DSS 3.1 Responsibility Matrix...The PCI DSS responsibility matrix is intended for use by Akamai customers and their Qualified Security Assessors (QSAs) for use in audits for PCI