Соответствие требованиям

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

PCI PIN Security v3.1

Framework

В П.29-4

Для проведения оценки соответствия по документу войдите в систему.

Список требований

Normative Annex B – Key-Injection Facilities
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner
Requirement 29: PIN-processing equipment (e.g., POI devices and HSMs) must be placed into service only if there is assurance that the equipment has not been substituted or subjected to unauthorized modifications or tampering prior to the deployment of the device—both prior to and subsequent to the loading of cryptographic keys—and that precautions are taken to minimize the threat of compromise once deployed.
Key-injection facilities must ensure that only legitimate, unaltered devices are loaded with cryptographic keys.
Secure rooms must be established for inventory that includes securing PEDs that have not had keys injected. The area must have extended walls from the real floor to the real ceiling using sheetrock, wire mesh, or equivalent. Equivalence can be steel cages extending floor to real ceiling. The cages can have a steel cage top in lieu of the sides extending to the real ceiling. The cages must have locks (with logs) or badge control with logging for entry
PIN Security Requirements:
29-4 Dual-control mechanisms must exist to prevent substitution or tampering of HSMs—both deployed and spare or back-up devices—throughout their life cycle. Procedural controls, which may be a combination of physical barriers and logical controls, may exist to support the prevention and detection of substituted HSMs but must not supplant the implementation of dual-control mechanisms.
Testing Procedures:
29-4.a Examine documented procedures to confirm that dual-control mechanisms exist to prevent substitution or tampering of HSMs—both deployed and spare or back-up devices—throughout their life cycle.
29-4.b Interview responsible personnel and physically verify the dual-control mechanism used to prevent substitution or tampering of HSMs—both in service and spare or back-up devices—throughout their life cycle.
PIN Security Requirements:
29-4.1 HSM serial numbers must be compared to the serial numbers documented by the sender (sent using a different communication channel from the device) to ensure device substitution has not occurred. A record of device serial-number verification must be maintained.
Note: Documents used for this process must be received via a different communication channel—i.e., the control document used must not have arrived with the equipment. An example of how serial numbers may be documented by the sender includes but is not limited to the manufacturer’s invoice or similar document.
Testing Procedures:
29-4.1.a Interview responsible personnel to verify that device serial numbers are compared to the serial number documented by the sender.
29-4.1.b For a sample of received devices, examine sender documentation sent via a different communication channel than the device’s shipment (for example, the manufacturer’s invoice or similar documentation) used to verify device serial numbers. Examine the record of serial-number validations to confirm the serial number for the received device was verified to match that documented by the sender.
PIN Security Requirements:
29-4.2 The security policy enforced by the HSM must not allow unauthorized or unnecessary functions. HSM API functionality and commands that are not required to support specified functionality must be disabled before the equipment is commissioned.
For example, for HSMs used in transaction processing operations:
- PIN-block format translation functionality is in accordance with Requirement 3, or non-ISO PIN-block formats must not be supported without a defined documented and approved business need.
- HSMs used for acquiring functions shall not be configured to output clear-text PINs or support PIN-change functionality. Documentation (e.g., a checklist or similar suitable to use as a log) of configuration settings must exist and be signed and dated by personnel responsible for the implementation. This documentation must include identifying information for the HSM, such as serial number and/or asset identifiers. This documentation must be retained and updated for each affected HSM any time changes to configuration settings would impact security.
Testing Procedures:
29-4.2.a Obtain and examine the defined security policy to be enforced by the HSM.
29-4.2.b Examine documentation of the HSM configuration settings from past commissioning events to determine that the functions and commands enabled are in accordance with the security policy.
29-4.2.c For a sample of HSMs, examine the configuration settings to determine that only authorized functions are enabled.
29-4.2.d Verify that PIN-change functionality, PIN-block format translation functionality, or non-ISO PIN-block formats are not supported without a defined documented and approved business need.
29-4.2.e Verify that functionality is not enabled to allow the outputting of clear-text PINs.
29-4.2.f Examine documentation to verify:
- Configuration settings are defined, signed and dated by personnel responsible for implementation.
- It includes identifying information for the HSM, such as serial number and/or asset identifiers.
- The documentation is retained and updated anytime configuration setting impacting security occur for each affected HSM.
PIN Security Requirements:
29-4.3 When HSMs are connected to online systems, controls are in place to prevent the use of an HSM to perform privileged or sensitive functions that are not available during routine HSM operations.
Examples of sensitive functions include but are not limited to: loading of key components, outputting clear-text key components, and altering HSM configuration.
Testing Procedures:
29-4.3 Examine HSM configurations and observe processes to verify that HSMs are not enabled in a sensitive state when connected to online systems.
PIN Security Requirements:
29-4.4 Inspect and test all HSMs—either new or retrieved from secure storage—prior to installation to verify devices have not been tampered with or compromised. Processes must include:
Testing Procedures:
29-4.4 Examine documented procedures to verify they require inspection and testing of HSMs prior to installation to verify integrity of device.
PIN Security Requirements:
29-4.4.1 Running self-tests to ensure the correct operation of the device
Testing Procedures:
29-4.4.1 Examine records of device inspections and test resu lts to verify that self-tests are run on devices to ensure the correct operation of the device.
PIN Security Requirements:
29-4.4.2 Installing (or re-installing) devices only after confirming that the device has not been tampered with or compromised
Testing Procedures:
29-4.4.2 Observe inspection processes and interview responsible personnel to verify that devices are installed, or reinstalled, only after confirming that the device has not been tampered with or compromised.
PIN Security Requirements:
29-4.4.3 Physical and/or functional tests and visual inspection to confirm that physical and logical controls and anti-tamper mechanisms are not modified or removed
Testing Procedures:
29-4.4.3 Observe inspection processes and interview responsible personnel to confirm processes include physical and/or functional tests and visual inspection to verify that physical and logical controls and anti-tamper mechanisms are not modified or removed
PIN Security Requirements:
29-4.4.4 Maintaining records of the tests and inspections, and retaining records for at least one year
Testing Procedures:
29-4.4.4.a Examine records of inspections and interview responsible personnel to verify records of the tests and inspections are maintained.
29-4.4.4.b Examine records of inspections to verify records are retained for at least one year.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.