Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 9.5.1.2
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
NIST Cybersecurity Framework (RU):
PR.DS-8
PR.DS-8: Механизмы проверки целостности используются для проверки целостности оборудования
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 9.5.1.2
9.5.1.2
Defined Approach Requirements:
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
Customized Approach Objective:
Point of Interaction Devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection.
Defined Approach Testing Procedures:
Defined Approach Requirements:
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
Customized Approach Objective:
Point of Interaction Devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection.
Defined Approach Testing Procedures:
- 9.5.1.2.a Examine documented procedures to verify processes are defined for periodic inspections of POI device surfaces to detect tampering and unauthorized substitution.
- 9.5.1.2.b Interview responsible personnel and observe inspection processes to verify:
- Personnel are aware of procedures for inspecting devices.
- All devices are periodically inspected for evidence of tampering and unauthorized substitution.
Purpose:
Regular inspections of devices will help organizations detect tampering more quickly via external evidence—for example, the addition of a card skimmer—or replacement of a device, thereby minimizing the potential impact of using fraudulent devices.
Good Practice:
Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device.
Examples:
The type of inspection will depend on the device. For instance, photographs of devices known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also provide security guidance and “how to” guides to help determine whether the device has been subject to tampering.
Signs that a device might have been tampered with or substituted include:
Regular inspections of devices will help organizations detect tampering more quickly via external evidence—for example, the addition of a card skimmer—or replacement of a device, thereby minimizing the potential impact of using fraudulent devices.
Good Practice:
Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device.
Examples:
The type of inspection will depend on the device. For instance, photographs of devices known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also provide security guidance and “how to” guides to help determine whether the device has been subject to tampering.
Signs that a device might have been tampered with or substituted include:
- Unexpected attachments or cables plugged into the device.
- Missing or changed security labels.
- Broken or differently colored casing.
- Changes to the serial number or other external markings.
Стандарт № ИСО/МЭК 27001:2022(E) от 25.10.2022 "Информационная безопасность, кибербезопасность и защита частной жизни — Системы управления информационной безопасностью — Требования. Приложение А":
А.7.13
А.7.13 Обслуживание оборудования
В целях обеспечения доступности, целостности и конфиденциальности информации оборудование должно обслуживаться корректным образом.
В целях обеспечения доступности, целостности и конфиденциальности информации оборудование должно обслуживаться корректным образом.
NIST Cybersecurity Framework (EN):
PR.DS-8
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Стандарт № ISO/IEC 27001:2022(E) от 25.10.2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Annex A":
А.7.13
А.7.13 Equipment maintenance
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.