1 minute read
3.13 Appendix A: Additional PCI DSS requirements
• Acceptable use policies • Employee screening • Incident response process All the above items contribute positively to the confidentiality and integrity of cardholder data.
Relevant Toolkit Documents:
• Network Security Policy • Network Diagram Example • Cardholder Data Flow Diagram Example • Information Security Roles Responsibilities and Authorities • Risk Assessment and Mitigation Process • Risk Mitigation Plan • Business Impact Analysis (BIA) Process • Business Impact Analysis (BIA) Tool • Impact Assessment Process • Problem Management Process • PCI DSS Compliance Review Dependent on the different types of entity your organization is defined as, additional requirements may need to be fulfilled. This appendix is broken down into three main areas:
3.13.1 Shared hosting providers
As referenced in requirements 2 and 12 of the standard, all service providers, including shared hosting providers, must adhere to PCI DSS. In addition, hosting providers must protect each entity’s hosted environment.
3.13.2 Entities using SSL/early TLS
After June 30th, 2018, all organizations using SSL or early TLS as a security control on entities within the Cardholder Data Environment (CDE) must stop using them, and later versions of TLS must be implemented (for example TLS 1.2). If your organization is currently PCI DSS compliant and is still using SSL or early TLS, a risk mitigation plan with timescales must be put in place. This will ensure the organization is taking appropriate action to remain complaint after the key date.
This section applies to organizations designated by a payment brand or acquiring bank as requiring additional validation of existing PCI DSS requirements. Examples of where these would apply could include:
• Organizations storing, processing or transmitting large volumes of cardholder data • Organizations that have suffered significant or repeated breaches of cardholder data If the organization falls under this section, additional items are required such as a PCI compliance program owned by an accountable role within the organization. Validation of the PCI DSS scope, and assurance that the requirements are being met in business-as-usual (BAU) activities, are also needed as part of this section.