Document Comparison
PCI%20CP_Logical_SR_TPs_v3.pdf
→
PCI_CP_Logical_SR_TPs_v3.0.1.pdf
98% similar
115 → 116
Pages
41552 → 41687
Words
48
Content Changes
48 content changes. 97 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2016 2.x RFC Version
June 2022 3.0.1 Errata
Added
p. 16
• Access to cardholder or cloud-based provisioning data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed.
Added
p. 109
Card Production Staff Card Production Staff applies to any employees or contractors who are involved in card production related activities that could impact security, including administration, support activities and IT infrastructure.
Modified
p. 1
Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements and Test Procedures Version 3.0
Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements and Test Procedures Version 3.0.1
Modified
p. 6
Although this document frequently states “vendor,” the specific applicability of these requirements is up to the individual payment brands; and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity.
Although this document frequently states “vendor,” the specific applicability of these requirements is up to the individual Participating Payment Brands; and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity.
Modified
p. 7
The individual Participating Payment Brands are responsible for defining and managing compliance programs associated with these requirements. Contact the Payment Brand(s) of interest for any additional criteria.
The individual Participating Payment Brands are responsible for defining and managing compliance programs associated with these requirements. Contact the Participating Payment Brand(s) of interest for any additional criteria.
Removed
p. 12
• Date and time of incident
• Details of companies and persons involved
• Details of the investigation
Modified
p. 12
• Name and address of the vendor
Modified
p. 12
• Identification of the source of the data
Modified
p. 12
• Description of the incident including:
Modified
p. 12
- Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft
Modified
p. 12
- Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) Examine ISP documentation to verify notification procedures for suspected compromise of confidential or secret data to the VPA and impacted issuers are in place and requires reporting within 24 hours.
Modified
p. 13
• PINs Confidential Data Confidential data is considered as any information that might provide the vendor with a competitive advantage or could cause business harm or legal exposure if the information is used or disclosed without restriction. Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data.
• PINs Confidential Data Confidential data is considered any information that might provide the vendor with a competitive advantage or could cause business harm or legal exposure if the information is used or disclosed without restriction. Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data.
Modified
p. 13
• Mobil Station International Subscriber Directory Number (number used to identify a mobile phone number) Unrestricted/Public Data Unrestricted/public data includes any data not defined in the above terms
•i.e., information that is developed and ready for public dissemination, including any information that has been explicitly approved by management for release to the public. Controls are out of scope of these requirements and may be defined by the vendor.
• Mobile Station International Subscriber Directory Number (number used to identify a mobile phone number) Unrestricted/Public Data Unrestricted/public data includes any data not defined in the above terms
•i.e., information that is developed and ready for public dissemination, including any information that has been explicitly approved by management for release to the public. Controls are out of scope of these requirements and may be defined by the vendor.
Removed
p. 16
ii. Access to cardholder or cloud-based provisioning data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed.
Modified
p. 16
• Third-party access to cardholder or cloud-based provisioning data must be based on a formal contract referencing applicable security policies and standards.
Modified
p. 17
• Date and time of transmission
Modified
p. 17
• Identification of the data source Examine a sample of cardholder data transmission logs to verify they exist and at a minimum contain the date/time of transmission and identification of the data source.
Modified
p. 18
• Ensure that the authorized retention period does not exceed six months from the date the card is personalized.
Modified
p. 18
• Ensure each issuer authorization to retain cardholder data is valid for no longer than two years.
Modified
p. 20
• Name and signature of current custodian
Modified
p. 20
• Name and signature of custodian recipient
Modified
p. 20
• Reason for transfer Examine the media audit trail documentation to verify that it contains at least the following data points:
Modified
p. 25
g) Put controls in place to restrict, prevent, and detect unauthorized access to the cloud-based and personalization networks. Access from within the high security area to anything other than the personalization or cloud-based networks must be “read-only.” Examine policies and procedures to verify that:
g) Put controls in place to restrict, prevent, and detect unauthorized access to the cloud-based and personalization networks. Access from within the high security area to anything other than the personalization or cloud-based networks must be “read-only”.
Modified
p. 28
b) Deploy an external firewall outside the HSA to protect the HSA’s DMZ (see figures 5-2 and 5-3 above for acceptable configurations).
b) Deploy an external firewall outside the HSA to protect the HSA’s DMZ.
Modified
p. 29
m) Use unique administrator passwords for firewalls used by the personalization system and those passwords used for other network devices in the facility.
m) Use unique administrator passwords for firewalls used by the personalization system as well as those passwords used for other network devices in the facility.
Modified
p. 30
n) Implement both mechanisms to protect firewall and router system logs from tampering, and procedures to check the system integrity monthly.
n) Implement both mechanisms to protect firewall and router system logs from tampering, and procedures to check the integrity of the logs monthly.
Modified
p. 42
− Injection flaws•e.g., SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
− Injection flaws•e.g., SQL injection. Also consider OS Command Injection, LDAP, and XPath injection flaws as well as other injection flaws.
Modified
p. 49
• User identification
Modified
p. 49
• Valid date and time stamp
Modified
p. 49
• Success or failure indication
Modified
p. 49
• Origination of the event
Modified
p. 49
• Identity or name of the affected data, system component, or resources
Modified
p. 49
• Access to audit logs
Modified
p. 49
• Changes in access privileges Examine the audit logs to ensure they contain the required components.
Modified
p. 53
• The strongest encryption reasonable must be implemented for the application, if both client and server support higher than these minimum standards.
• The strongest encryption reasonable must be implemented for the application if both client and server support higher than these minimum standards.
Modified
p. 57
l) Ensure that when generic administrative accounts are used, the password is managed under dual control where no individual has access to the full password. Each component of the password must comply with the password control requirements in Section 6.2 below except for password length when an exception condition exists..
l) Ensure that when generic administrative accounts are used, the password is managed under dual control where no individual has access to the full password. Each component of the password must comply with the password control requirements in Section 6.2 below except for password length when an exception condition exists.
Removed
p. 60
i. Upper-case letters
ii. Lower-case letters
Modified
p. 60
• Special characters Examine the system configuration settings for a sample of system components to verify that user passwords are set to require at least three of the following categories:
Modified
p. 61
Observe a user session to verify the user is logged out after 15 minutes, if the system does not permit session locking.
Observe a user session to verify the user is logged out after 15 minutes if the system does not permit session locking.
Modified
p. 76
• A validation mechanism is in place to ensure authenticity of the keys and key components and provide assurance that the keys and key components have not been tampered with, substituted or compromised;
• A validation mechanism is in place to ensure authenticity of the keys and key components and provide assurance that the keys and key components have not been tampered with, substituted, or compromised;
Modified
p. 78
e) Ensure that access logs include, at a minimum, the following:
e) Ensure that access logs, at a minimum, include the following:
Modified
p. 83
d) All key destruction must be logged and the log retained for verification.
d) All key destruction must be logged, and the log retained for verification.
Modified
p. 93
Section 9: PIN Distribution via Electronic Methods 9.1 General Requirements Requirement Test Procedure The following requirements apply for the distribution of PINs via electronic methods:
Section 9: PIN Distribution via Electronic Methods 9.1 General Requirements Requirement Test Procedure The following requirements apply for the distribution of PINs via electronic methods.
Removed
p. 109
Card Production Staff Employees and contractors of the Card Vendor.
Modified
p. 112
Laser engraving Thermal transfer Indent printing Personalization file A file created by the issuer or issuer’s processor that has all of the necessary information to personalize a card.
Removed
p. 113
• Wireless technologies, including 802.11 and Bluetooth,
• General Packet Radio Service (GPRS),
• Satellite communications.
Modified
p. 113 → 114
The Internet, Wireless technologies, including 802.11 and Bluetooth, Cellular technologies, for example, Global System for Mobile, communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), Satellite communications.