Pau Lo
PCI DSS workstation/user requirements

Are there any specific PCI requirements for workstations or user profiles in thin client environments?
SOLUTION
Rich Rumble
This solution is only available to members of Experts Exchange.

ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
Pau Lo (ASKER)
CoccoBill - what would a PCI DSS audit of user profiles include? I.e. what needs configuring on user profiles to ensure PCI compliance? And "user access control" - could you provide some examples?

Thanks man
I suggest you get the standard and see the requirements yourself; the standard is available at https://www.pcisecuritystandards.org/security_standards/documents.php (PCI DSS v2.0).

User access control is covered by requirements 7 and 8, which describe how user access must be granted, what kind of privileges can be given, authentication methods, password policies etc. Also take a look at requirement 2.2, which states you need to have a configuration standard for all system components. In practice this means all devices must be hardened according to an industry-accepted hardening guide; I would recommend the Center for Internet Security benchmarks: http://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks. They will detail each and every operating system level setting and how to configure them.

But in essence, your environment (your determined PCI scope) has to fulfill all applicable requirements in the standard in order to be compliant. Is your organization a service provider or a merchant, has your PCI scope been determined and what is your validation level (self-assessment questionnaire or on-site audit required)?
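As an added illustration of the "password policies" part of requirement 8 mentioned above (this is example code, not from the thread, from Experts Exchange or from the PCI SSC): a small Python check that compares a workstation's account-policy settings against the password, lockout and idle-session controls of PCI DSS v2.0 requirements 8.5.8 through 8.5.15. The policy dictionary keys are assumed names for a settings export you would build yourself (Group Policy or `net accounts` on Windows, PAM and login.defs on Linux); the two sample policies are constructed, one resembling an untouched thin-client image and one hardened.

```python
"""Compare a workstation account policy against PCI DSS v2.0 requirement 8.5.

Added example; not code from the thread or from the PCI SSC. The policy keys
are assumed names for a settings export you produce yourself (Group Policy or
`net accounts` on Windows, PAM / login.defs on Linux). The thresholds are the
values stated in PCI DSS v2.0 requirements 8.5.8 - 8.5.15.
"""


def _is_int(v):
    # bool is a subclass of int in Python; a True/False here is a mapping bug
    return isinstance(v, int) and not isinstance(v, bool)


# (requirement, policy key, what the requirement asks for, predicate on the value)
CONTROLS = [
    ("8.5.8", "shared_accounts", "no group, shared or generic accounts",
     lambda v: isinstance(v, list) and len(v) == 0),
    ("8.5.9", "max_password_age_days", "passwords changed at least every 90 days",
     lambda v: _is_int(v) and 1 <= v <= 90),          # 0 usually means "never expires"
    ("8.5.10", "min_password_length", "minimum password length of 7",
     lambda v: _is_int(v) and v >= 7),
    ("8.5.11", "require_alpha_and_numeric", "passwords contain both letters and digits",
     lambda v: v is True),
    ("8.5.12", "password_history", "none of the last 4 passwords may be reused",
     lambda v: _is_int(v) and v >= 4),
    ("8.5.13", "lockout_threshold", "lock the account after at most 6 failed attempts",
     lambda v: _is_int(v) and 1 <= v <= 6),           # 0 usually means "never lock out"
    ("8.5.14", "lockout_duration_minutes", "lockout lasts 30 minutes or until an admin unlocks",
     lambda v: _is_int(v) and (v == 0 or v >= 30)),   # 0 = locked until admin unlocks (assumed convention)
    ("8.5.15", "idle_timeout_minutes", "re-authenticate after at most 15 idle minutes",
     lambda v: _is_int(v) and 1 <= v <= 15),          # 0 usually means "no screen lock"
]


def evaluate(policy):
    """Return one (requirement, key, observed value, description) tuple per failing control.

    A key that is missing from the export counts as a failure: an unknown setting
    cannot be shown to be compliant to an assessor.
    """
    findings = []
    for req, key, description, passes in CONTROLS:
        value = policy.get(key)
        if not passes(value):
            findings.append((req, key, value, description))
    return findings


def report(name, policy):
    """Print a human-readable summary and return the number of failing controls."""
    findings = evaluate(policy)
    print(f"{name}: {len(CONTROLS) - len(findings)}/{len(CONTROLS)} controls pass")
    for req, key, value, description in findings:
        print(f"  FAIL {req} {key}={value!r}: {description}")
    return len(findings)


# Constructed sample: what an unmodified thin-client image might export.
WEAK_POLICY = {
    "shared_accounts": ["callcentre"],   # one generic login used by the whole team
    "max_password_age_days": 0,          # never expires
    "min_password_length": 6,
    "require_alpha_and_numeric": False,
    "password_history": 0,
    "lockout_threshold": 0,              # never locks out
    "lockout_duration_minutes": 10,
    "idle_timeout_minutes": 0,           # no screen lock
}

# Constructed sample: the same settings after hardening to the 8.5.x values.
HARDENED_POLICY = {
    "shared_accounts": [],
    "max_password_age_days": 90,
    "min_password_length": 8,
    "require_alpha_and_numeric": True,
    "password_history": 4,
    "lockout_threshold": 6,
    "lockout_duration_minutes": 30,
    "idle_timeout_minutes": 15,
}

if __name__ == "__main__":
    report("weak thin-client image", WEAK_POLICY)
    report("hardened thin-client image", HARDENED_POLICY)
```

The check is deliberately strict about missing keys: an assessor validating requirement 8 needs evidence for each setting, so a policy export that omits one should show up as a gap rather than pass silently. Extending the same table with the operating-system settings from a CIS benchmark is how the requirement 2.2 configuration standard mentioned above would be checked in practice.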
Pau Lo (ASKER)
We don't store PCI data in our network; however, we do take phone payments using our internal phone system and access an externally hosted app that collects such data from machines within our LAN.
Pau Lo (ASKER)
Are the benchmarks tools or just documents?

Do you have to be a member?
No membership. If you're not storing the data, then the PCI burden is on your external vendor; phone payments in this scenario are not subject to PCI.
-rich
So I'll assume you're a merchant (you own the payment card transactions that you process) and you don't process hundreds of thousands of transactions a year, so you are not required to have an annual on-site audit.

I would look into the following options:

1. See if you can outsource the processing of payment data and make sure your environment never sees a single PAN. Cheapest and easiest option by far. :)
2. Contact your issuing bank to see if they have a specific policy for applicable requirements for your organization. The issuer determines your validation level and can agree to a somewhat looser set of requirements under certain conditions.
3. If neither 1. nor 2. works out, your issuer will in any case determine which SAQ is applicable to you (https://www.pcisecuritystandards.org/merchants/self_assessment_form.php). There are 4 different ones, all with a different subset of the requirements for varying environments. Find out which one you need to fill in and see the requirements that apply to you (well, they still all apply, but only those will be validated).

The CIS benchmarks as pdf documents are free but require registration, the XCCDF format benchmarks are members only (non-free).
> No membership. If you're not storing the data, then the PCI burden is on your external vendor; phone payments in this scenario are not subject to PCI.

Not true, unless the issuer determines this is the case. By default all requirements apply to all parts of the environment that "store, process or transmit" cardholder data; even one PAN is enough. They get the PAN from the customer over the phone and type it into the external payment application using their thin clients; the physical premises where the thin clients are, the thin clients themselves and the network are all in scope by default.
Not true, unless the issuer determines this is the case. By default all requirements apply to all parts of the environment that "store, process or transmit" cardholder data, even one PAN is enough. They get the PAN from the customer over the phone and type it in using their thin clients to the external payment application, the physical premises where the thin clients are, the thin clients, the network are all in-scope by default.