PCI Full Environment
OpenSecurityArchitecture (OSA) distills the know-how of the security architecture community and provides readily usable patterns for your application. This is a free framework, developed and owned by the community.
When to Use
Apply this pattern where you are a Merchant or Payment Services Processor storing, transmitting or processing Payment Cards.
When NOT to Use
Do not use this pattern where you plan to reduce the compliance scope using tokenisation (SP-027), or to remove the environment from scope using a 3rd Party Payment services gateway (SP-028).
Typical Challenges
PCI-DSS is a prescriptive and detailed security standard. You need to ensure that you fully understand the scope of the Cardholder Data Environment, with accurate network diagrams that show the relevant systems and the Cardholder data flows. You'll need to demonstrate to the Qualified Security Assessor (QSA) that there are suitable control points that delimit the CDE. These control points (e.g. firewalls, remote access servers, etc.) will be checked as part of the assessment to confirm that the scope represented is accurate.
- Documentation will need to be accurate and current; you may wish to check this in advance of the assessment. Many aspects of documentation are interlinked: for example, Build Standards will be needed to meet the PCI requirements on vendor defaults, but also play an important part in implementing effective File Integrity Monitoring (11.5)
- You will need to provide evidence of control operation: make sure you have the repeating activities in place, such as quarterly security scans
- Encryption requirements may be challenging; think carefully during the design phase about how you can secure data within the environment and the best approaches to key management
- You may need to make use of compensating controls in your environment if there are specific PCI-DSS requirements that cannot be met due to business process requirements that conflict. This is permissible if the QSA assesses the risks and determines that the original intent of the control is still met. You
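The File Integrity Monitoring requirement (11.5) mentioned above is easiest to reason about with a concrete baseline-and-compare loop in front of you. The script below is an added example, not code from OSA or from this pattern: it hashes every file under a monitored directory into a baseline, then re-walks the tree and reports files that were modified, added or removed. The directory layout, file names and baseline file name are constructed for the demonstration; a real deployment would protect the baseline itself (it is part of the control) and feed the report into alerting.

```python
"""
File integrity monitoring (FIM) baseline and comparison, as an illustration
of what PCI-DSS requirement 11.5 asks a control to do. Added example, not
OSA's code; the monitored paths and baseline file name are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.
    Keys are paths relative to root so the baseline is portable between hosts."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[str(path.relative_to(root))] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences into the three events an assessor expects FIM
    to surface: modified, added and removed files. A change in content,
    size or permissions all count as 'modified'."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def run_check(root: Path, baseline_file: Path) -> dict:
    """Compare the live tree against the stored baseline. The caller decides
    whether to alert, raise a ticket, or re-baseline after an approved change."""
    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    # Constructed demonstration: build a small tree, baseline it, then tamper.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.ini").write_text("debug=false\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the tree
        save_baseline(build_baseline(root), baseline_file)

        (root / "app" / "config.ini").write_text("debug=true\n")  # modified
        (root / "hosts").unlink()                                  # removed
        (root / "new.sh").write_text("#!/bin/sh\n")                # added
        print(json.dumps(run_check(root, baseline_file), indent=2))
```

The comparison is keyed on the hash rather than size or timestamp, so a same-length edit to a configuration file is still reported; permission bits are recorded as well because a mode change on a critical file is something an assessor will expect the control to notice.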
Threat Resistance
This pattern is designed to resist the threat of non-compliance with the PCI-DSS v2.0 requirements. It provides a good basis for securing a confidential data set against motivated criminal actors.
Assumptions
This pattern assumes that you have a basic working knowledge of PCI-DSS requirements and, if not, that you will go and download the standard and spend a couple of days properly reading it...
Mapped Controls (32)
- AC-02 Account Management
- AC-06 Least Privilege
- AC-18 Wireless Access Restrictions
- AC-19 Access Control For Portable And Mobile Devices
- AU-02 Auditable Events
- AU-06 Audit Monitoring, Analysis, And Reporting
- AU-08 Time Stamps
- AU-09 Protection Of Audit Information
- CA-02 Security Assessments
- CA-07 Continuous Monitoring
- CM-02 Baseline Configuration
- CM-03 Configuration Change Control
- CM-08 Information System Component Inventory
- IR-01 Incident Response Policy And Procedures
- MP-03 Media Labeling
- MP-06 Media Sanitization And Disposal
- PE-03 Physical Access Control
- PE-07 Visitor Control
- PS-03 Personnel Screening
- RA-03 Risk Assessment
- RA-05 Vulnerability Scanning
- SC-07 Boundary Protection
- SC-09 Transmission Confidentiality
- SC-12 Cryptographic Key Establishment And Management
- SC-13 Use Of Cryptography
- SI-02 Flaw Remediation
- SI-03 Malicious Code Protection
- SI-04 Information System Monitoring Tools And Techniques
- SI-05 Security Alerts And Advisories
- SI-06 Security Functionality Verification
- SI-07 Software And Information Integrity
- SI-09 Information Input Restrictions