PCI DSS Implementation Guide
• Acceptable use policies
• Employee screening
• Incident response process
All the above items contribute positively to the confidentiality and integrity of cardholder data.
3.13 Appendix A: Additional PCI DSS requirements

Relevant Toolkit Documents:
• Network Security Policy
• Network Diagram Example
• Cardholder Data Flow Diagram Example
• Information Security Roles Responsibilities and Authorities
• Risk Assessment and Mitigation Process
• Risk Mitigation Plan
• Business Impact Analysis (BIA) Process
• Business Impact Analysis (BIA) Tool
• Impact Assessment Process
• Problem Management Process
• PCI DSS Compliance Review
Depending on the type of entity your organization is defined as, additional requirements may need to be fulfilled. This appendix is broken down into three main areas:
3.13.1 Shared hosting providers

As referenced in requirements 2 and 12 of the standard, all service providers, including shared hosting providers, must adhere to PCI DSS. In addition, hosting providers must protect each entity’s hosted environment.
3.13.2 Entities using SSL/early TLS

After June 30th, 2018, all organizations using SSL or early TLS as a security control on entities within the Cardholder Data Environment (CDE) must stop using them, and later versions of TLS must be implemented (for example TLS 1.2). If your organization is currently PCI DSS compliant and is still using SSL or early TLS, a risk mitigation plan with timescales must be put in place. This will ensure the organization is taking appropriate action to remain compliant after the key date.
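One way to verify that SSL or early TLS is no longer being negotiated inside the CDE is to classify the protocol version in captured ServerHello records. The following Python is an added example, not part of the guide or its toolkit; it assumes that anything below TLS 1.2 counts as SSL/early TLS, and it constructs its own sample records rather than reading real traffic.

```python
"""Added example: classify the TLS version negotiated in a captured
ServerHello, to spot SSL/early TLS still in use inside the CDE."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ALLOWED = 0x0303  # assumption: anything below TLS 1.2 counts as SSL/early TLS


def build_server_hello(version: int, selected: int = 0) -> bytes:
    """Constructed sample ServerHello record (not captured traffic).
    `selected` adds a supported_versions extension, as TLS 1.3 does."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    hello += b"\xc0\x2f\x00"                                     # cipher suite, null compression
    if selected:
        ext = struct.pack("!HHH", 0x002B, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def negotiated_version(record: bytes) -> int:
    """Return the wire version the server selected (RFC 5246 ServerHello layout).
    TLS 1.3 keeps 0x0303 in the legacy field and puts the real version in
    the supported_versions extension (type 0x002B), so that is checked too."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                  # skip server random
    pos += 1 + hello[pos]         # skip session id
    pos += 2 + 1                  # skip cipher suite and compression method
    if pos + 2 <= len(hello):     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0x002B and length == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += length
    return version


def assess(record: bytes) -> str:
    """Human-readable verdict for one captured ServerHello."""
    version = negotiated_version(record)
    name = VERSION_NAMES.get(version, f"unknown (0x{version:04x})")
    return f"{name}: {'OK' if version >= MIN_ALLOWED else 'NON-COMPLIANT (SSL/early TLS)'}"
```

Feed `assess()` the first server-side handshake record of each CDE connection from a packet capture to build the inventory that the risk mitigation plan needs.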
Page 18 of 21