PCI Security Requirements
  Topic: [Network Security] | Tags: security, consulting, BS7799, 道可道非常道 | 2007-10-16

PCI stands for Payment Card Industry; it is a compliance standard for the credit card business. I am still not sure how many countries have adopted it, but it is required in North America. The standard had been sitting on my hard disk for a long time, and today, on a plane, I finally had time to open it and read it. The version I have is from September 2006.


Broadly speaking, the PCI Data Security Standard (DSS) consists of 12 requirements in 6 groups, covering many aspects from build-out to operations and policy. Compared with BS7799/ISO17799/ISO27001 and CobiT, its requirements are plain, direct and highly actionable. The 6 groups and 12 requirements are listed below (the original post gave them in both English and Chinese):



Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security


As for its applicable scope, the standard states explicitly that PCI DSS applies only to systems that store, process or transmit the PAN (Primary Account Number):
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

These security requirements apply to all "system components." System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
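The two scoping rules quoted above (PAN stored/processed/transmitted puts a system in the cardholder data environment; anything connected to that environment is a system component unless segmentation isolates it) can be turned into a simple inventory check. The following is an added example, not code from the post or from the PCI standard; the asset names and links are constructed, and reading "connected to" as a direct, unsegmented network link is an assumption of the example.

```python
"""Added example: apply the PCI DSS scope rules quoted in the post to an asset
inventory. Assumption: "connected to" means a direct network link to a CDE
system that is not isolated by segmentation. All sample data is constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    stores_pan: bool = False
    processes_pan: bool = False
    transmits_pan: bool = False
    # Sensitive authentication data retained after authorization (footnote **).
    stores_sad_post_auth: bool = False
    # Isolated from the CDE by adequate network segmentation (modelled as a flag).
    segmented: bool = False


def handles_pan(asset: Asset) -> bool:
    """PCI DSS trigger: the PAN is stored, processed, or transmitted."""
    return asset.stores_pan or asset.processes_pan or asset.transmits_pan


def pci_scope(assets: list, links: set) -> tuple:
    """Return (sorted in-scope names, findings). links: set of frozenset pairs."""
    by_name = {a.name: a for a in assets}
    cde = {a.name for a in assets if handles_pan(a)}  # cardholder data environment
    in_scope = set(cde)
    for link in links:
        a, b = sorted(link)
        for inside, other in ((a, b), (b, a)):
            # A system linked to the CDE is a "system component" unless segmented.
            if inside in cde and other in by_name and other not in cde \
                    and not by_name[other].segmented:
                in_scope.add(other)
    findings = [f"{a.name}: sensitive authentication data stored after authorization"
                for a in assets if a.stores_sad_post_auth]
    return sorted(in_scope), findings


# Constructed sample inventory and network links.
SAMPLE_ASSETS = [
    Asset("pos-terminal", transmits_pan=True),
    Asset("card-db", stores_pan=True, stores_sad_post_auth=True),
    Asset("ntp-server"),                 # no PAN, but linked to card-db, unsegmented
    Asset("hr-server", segmented=True),  # linked to card-db but isolated
    Asset("marketing-web"),              # no PAN and no link to the CDE
]
SAMPLE_LINKS = {frozenset({"pos-terminal", "card-db"}),
                frozenset({"card-db", "ntp-server"}),
                frozenset({"card-db", "hr-server"})}

if __name__ == "__main__":
    scope, findings = pci_scope(SAMPLE_ASSETS, SAMPLE_LINKS)
    print("In scope:", scope)       # ['card-db', 'ntp-server', 'pos-terminal']
    print("Findings:", findings)
```

With no asset handling a PAN at all, the function returns an empty scope, matching the standard's statement that PCI DSS then does not apply.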
