PCI DSS 3.1 Responsibility Matrix

Table of Contents
- Purpose (page 2)
- Overview (page 2)
- Responsibility Matrix (page 3)
Purpose

Akamai provides below a detailed matrix of PCI DSS requirements, including a description of whether responsibility for each individual control lies with Akamai, with our customers, or is shared between both parties.

Overview

The PCI DSS responsibility matrix is intended for use by Akamai customers and their Qualified Security Assessors (QSAs) in audits for PCI compliance. In accordance with Requirement 12.8.5 and other requirements, the responsibility matrix describes the actions an Akamai customer must take in order to maintain its own PCI compliance when cardholder data (CHD) and other sensitive information passes through Akamai’s systems. Akamai Secure Content Delivery Network (Secure CDN) and supplemental services have been audited against version 3.1 of the PCI DSS standard. In addition to what is described in the responsibility matrix, the customer is responsible for all PCI requirements related to customer-maintained software and systems, including {OPEN} API tools. At this time, no Akamai systems are approved for the storage of credit card data, and only Akamai’s Secure CDN is approved for the processing and transmission of CHD and other sensitive data. Some additional services, such as Prolexic Routed DDoS mitigation and SureRoute IP, which do not grant Akamai access to sensitive data, may be used without a negative impact on a customer’s PCI compliance.
Responsibility Matrix

Columns: Requirement | Requirement Text | N/A | Service Provider Responsibility | Customer Responsibility | Joint Responsibility | Notes
(Each row below gives the requirement number and text, the X mark carried over from the responsibility columns, and any notes.)

1.1  Establish and implement firewall and router configuration standards that include the following:
    X

1.1.1  A formal process for approving and testing all network connections and changes to the firewall and router configurations
    X

1.1.2  Current diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks
    X
    Notes: Customer's network diagram should depict use of Akamai services, including all connections between Akamai's networks and the customer's CDE.

1.1.3  Current diagram that shows all cardholder data flows across systems and networks
    X
    Notes: Customer's network diagram should include any data flows through the Akamai SCDN.

1.1.4  Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
    X

1.1.5  Description of groups, roles, and responsibilities for management of network components
    X
1.1.6  Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
    X

1.1.7  Requirement to review firewall and router rule sets at least every six months
    X

1.2  Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
    Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
    X
1.2.1  Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
    X

1.2.2  Secure and synchronize router configuration files.
    X

1.2.3  Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
    X
    Notes: All Akamai wireless access points/SSIDs are outside the firewall, so there is no direct wireless access to PCI systems.

1.3  Prohibit direct public access between the Internet and any system component in the cardholder data environment.
    X

1.3.1  Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
    X

1.3.2  Limit inbound Internet traffic to IP addresses within the DMZ.
    X
1.3.3  Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
    X

1.3.4  Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. (For example, block traffic originating from the Internet with an internal source address.)
    X

1.3.5  Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
    X

1.3.6  Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.)
    X

1.3.7  Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
    X
    Notes: Akamai does not store cardholder data.
1.3.8  Do not disclose private IP addresses and routing information to unauthorized parties.
    Note: Methods to obscure IP addressing may include, but are not limited to:
    - Network Address Translation (NAT)
    - Placing servers containing cardholder data behind proxy servers/firewalls
    - Removal or filtering of route advertisements for private networks that employ registered addressing
    - Internal use of RFC 1918 address space instead of registered addresses
    X

1.4  Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include:
    - Specific configuration settings are defined for personal firewall software.
    - Personal firewall software is actively running.
    - Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
    X

1.5  Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
    X

2.1  Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.
    X
2.1.1  For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
    X
    Notes: All Akamai wireless access points/SSIDs are outside the firewall, so there is no direct wireless access to PCI systems.

2.2  Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
    - Center for Internet Security (CIS)
    - International Organization for Standardization (ISO)
    - SysAdmin Audit Network Security (SANS) Institute
    - National Institute of Standards Technology (NIST)
    X
2.2.1  Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
    Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
    X

2.2.2  Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
    X

2.2.3  Implement additional security features for any required services, protocols, or daemons that are considered to be insecure — for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
    X

2.2.4  Configure system security parameters to prevent misuse.
    X
2.2.5  Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
    X

2.3  Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
    X

2.4  Maintain an inventory of system components that are in scope for PCI DSS.
    X

2.5  Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
    X

2.6  Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
    X
    Notes: Akamai's SCDN is not a shared hosting service.
3.1  Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
    - Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
    - Processes for secure deletion of data when no longer needed
    - Specific retention requirements for cardholder data
    - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
    X
    Notes: Customer is responsible for ensuring that their configurations for using Akamai services will not cause credit card data to be cached or otherwise stored on Akamai machines.

3.2  Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if:
    - There is a business justification and
    - The data is stored securely.
    Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
    X
    Notes: Customer is responsible for ensuring that their configurations for using Akamai services will not cause sensitive authentication data to be cached or otherwise stored on Akamai machines.

3.2.1  Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
    X
    Notes: Customer is responsible for ensuring that their configurations for using Akamai services will not cause credit card data to be cached or otherwise stored on Akamai machines.

3.2.2  Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.
    X
    Notes: Customer is responsible for ensuring that their configurations for using Akamai services will not cause credit card data to be cached on Akamai machines.

3.2.3  Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
    X
    Notes: Customer is responsible for ensuring that their configurations for using Akamai services will not cause credit card data to be cached or otherwise stored on Akamai machines.
3.3  Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
    Note: This requirement does not supersede stricter requirements in place for displays of cardholder data — for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
    X
    Notes: If customers are transmitting cardholder data for user viewing over the Akamai SCDN, they are responsible for ensuring that PANs are appropriately masked.

3.4  Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
    - One-way hashes based on strong cryptography (hash must be of the entire PAN)
    - Truncation (hashing cannot be used to replace the truncated segment of PAN)
    - Index tokens and pads (pads must be securely stored)
    - Strong cryptography with associated key-management processes and procedures
    Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
    X
    Notes: Customer is responsible for ensuring that their configurations for using Akamai services will not cause PAN to be cached or otherwise stored on Akamai machines.

3.4.1  If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.
    X
    Notes: Akamai does not store cardholder data.
3.5  Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse:
    Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys — such key-encrypting keys must be at least as strong as the data-encrypting key.
    X
    Notes: Akamai does not store cardholder data.

3.5.1  Restrict access to cryptographic keys to the fewest number of custodians necessary.
    X
    Notes: Akamai does not store cardholder data.

3.5.2  Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
    - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
    - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
    - As at least two full-length key components or key shares, in accordance with an industry-accepted method
    Note: It is not required that public keys be stored in one of these forms.
    X
    Notes: Akamai does not store cardholder data.

3.5.3  Store cryptographic keys in the fewest possible locations.
    X
    Notes: Akamai does not store cardholder data.

3.6  Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
    Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.
    X
    Notes: Akamai does not store cardholder data.

3.6.1  Generation of strong cryptographic keys
    X
    Notes: Akamai does not store cardholder data.

3.6.2  Secure cryptographic key distribution
    X
    Notes: Akamai does not store cardholder data.

3.6.3  Secure cryptographic key storage
    X
    Notes: Akamai does not store cardholder data.
3.6.4  Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).
    X
    Notes: Akamai does not store cardholder data.

3.6.5  Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
    Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.
    X
    Notes: Akamai does not store cardholder data.

3.6.6  If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.
    Note: Examples of manual key-management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
    X
    Notes: Akamai does not store cardholder data.

3.6.7  Prevention of unauthorized substitution of cryptographic keys.
    X
    Notes: Akamai does not store cardholder data.

3.6.8  Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
    X
    Notes: Akamai does not store cardholder data.

3.7  Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
    X
    Notes: Akamai does not store cardholder data.
4.1  Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
    - Only trusted keys and certificates are accepted.
    - The protocol in use only supports secure versions or configurations.
    - The encryption strength is appropriate for the encryption methodology in use.
    Examples of open, public networks include but are not limited to:
    - The Internet
    - Wireless technologies, including 802.11 and Bluetooth
    - Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
    - General Packet Radio Service (GPRS)
    - Satellite communications
    X
    Notes: The Akamai SCDN offers strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, but the actual configuration settings are controlled by the customer using the Luna Control Center. It is the customer's responsibility to ensure that their Akamai services are configured to use strong cryptography, and to never transmit cardholder data over connections that do not use strong cryptography.
4.1.1  Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
    Note: The use of WEP as a security control is prohibited.
    X
    Notes: All Akamai wireless access points/SSIDs are outside the firewall, so there is no direct wireless access to PCI systems.

4.2  Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
    X
    Notes: It is the customer's responsibility to never send PANs using Akamai services without taking appropriate action to secure the contents.

4.3  Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
    X
    Notes: Customer must train their relevant personnel to ensure that Akamai services carrying customer PCI data are configured to use strong cryptography at all times.

5.1  Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
    X
5.1.1  Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
    X

5.1.2  For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
    X

5.2  Ensure that all anti-virus mechanisms are maintained as follows:
    - Are kept current
    - Perform periodic scans
    - Generate audit logs which are retained per PCI DSS Requirement 10.7
    X

5.3  Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
    Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
    X

5.4  Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
    X

6.1  Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
    X
6.2  Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
    Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
    X

6.3  Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
    - In accordance with PCI DSS (for example, secure authentication and logging)
    - Based on industry standards and/or best practices
    - Incorporating information security throughout the software-development lifecycle
    Note: This applies to all software developed internally as well as bespoke or custom software developed by a third party.
    X
    Notes: Customer must ensure that all executable content transmitted over Akamai services and handling credit card data is developed in accordance with PCI DSS, based on best practices and incorporating information security throughout the software-development lifecycle.

6.3.1  Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
    X

6.3.2  Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
    - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
    - Code reviews ensure code is developed according to secure coding guidelines.
    - Appropriate corrections are implemented prior to release.
    - Code-review results are reviewed and approved by management prior to release.
    Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development lifecycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
    X
    Notes: Customers must review their own executable content transmitted over Akamai services prior to release to production or customers in order to identify any potential coding vulnerabilities.

6.4  Follow change control processes and procedures for all changes to system components. The processes must include the following:
    X
    Notes: Customers are responsible for the change control processes and procedures described in this section for all executable content they create which handles PCI data and is served by the Akamai SCDN.

6.4.1  Separate development/test environments from production environments, and enforce the separation with access controls.
    X
6.4.2  Separation of duties between development/test and production environments
    X

6.4.3  Production data (live PANs) are not used for testing or development
    X

6.4.4  Removal of test data and accounts before production systems become active
    X

6.4.5  Change control procedures for the implementation of security patches and software modifications must include the following:
    X

6.4.5.1  Documentation of impact.
    X

6.4.5.2  Documented change approval by authorized parties.
    X

6.4.5.3  Functionality testing to verify that the change does not adversely impact the security of the system.
    X

6.4.5.4  Back-out procedures.
    X
6.5  Address common coding vulnerabilities in software-development processes as follows:
    - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
    - Develop applications based on secure coding guidelines.
    Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
    X
    Notes: Customers are responsible for addressing the common coding vulnerabilities described in this section for all executable content they create which handles PCI data and is served by the Akamai SCDN.

6.5.1  Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
    X

6.5.2  Buffer overflows
    X
6.5.3  Insecure cryptographic storage
    X

6.5.4  Insecure communications
    X

6.5.5  Improper error handling
    X

6.5.6  All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
    X

6.5.7  Cross-site scripting (XSS)
    X

6.5.8  Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
    X

6.5.9  Cross-site request forgery (CSRF)
    X

6.5.10  Broken authentication and session management
    Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
    X

6.6  For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
    - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
    - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic
    X
    Notes: Customers are responsible for addressing threats and vulnerabilities on an ongoing basis for all executable content they create which handles PCI data and is served by the Akamai SCDN.

6.7  Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
    X
    Notes: Customers are responsible for security policies and operational procedures for all executable content they create which handles PCI data and is served by the Akamai SCDN.

7.1  Limit access to system components and cardholder data to only those individuals whose job requires such access.
    X
    Notes: Customers must limit access to Luna Control Center accounts and OPEN API credentials to those individuals whose job requires such access.
7.1.1  Define access needs for each role, including:
    - System components and data resources that each role needs to access for their job function
    - Level of privilege required (for example, user, administrator, etc.) for accessing resources
    X
    Notes: Customers must define access needs for each role they use in the Luna Control Center, including: system components and data resources that each role needs to access for their job function, and the level of privilege required (for example, user, administrator, etc.) for accessing resources.

7.1.2  Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
    X
    Notes: Customers must ensure that access to privileged user IDs on the Luna Control Center and customer systems is restricted to the least privileges necessary to perform job responsibilities.

7.1.3  Assign access based on individual personnel’s job classification and function.
    X
    Notes: Customers must assign access to the Luna Control Center and OPEN API credentials based on individual personnel’s job classification and function.
7.1.4  Require documented approval by authorized parties specifying required privileges.
    X
    Notes: Customers must require documented approval by authorized parties specifying required privileges when granting access to the Luna Control Center or OPEN API credentials.

7.2  Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
    X
    Notes: Customers must ensure that the Luna Control Center's access control system restricts user access to only those privileges which are necessary for each user.

7.2.1  Coverage of all system components
    X
    Notes: Customers must configure the Luna Control Center's access control system for their accounts to restrict access to all PCI-relevant Akamai services and configurations.

7.2.2  Assignment of privileges to individuals based on job classification and function.
    X
    Notes: Customers must assign privileges within the Luna Control Center to individuals based on job classification and function in the customer organization.
7.2.3  Default “deny-all” setting.
    X
    Notes: Akamai PCI systems, including the customer-facing Luna Control Center, deny all access by default, except to a limited amount of public read-only data.

7.3  Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
    X
    Notes: Customer must ensure that security policies and operational procedures for restricting access to the Luna Control Center and OPEN API credentials are documented, in use, and known to all affected parties.

8.1  Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
    X
    Notes: Customer must define and implement policies and procedures to ensure proper user identification of individuals accessing the Luna Control Center or tools using OPEN API.

8.1.1  Assign all users a unique ID before allowing them to access system components or cardholder data.
    X
    Notes: Customer must assign all users a unique user ID before allowing them to access the Luna Control Center.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
X
Customer must control addition, deletion, and modification of Luna Control Center user IDs, credentials, and other identifier objects.
8.1.3 Immediately revoke access for any terminated users.
X
Customer must immediately revoke access to the Luna Control Center for any terminated users.
8.1.4 Remove/disable inactive user accounts within 90 days.
X
Customer must remove/disable inactive Luna Control Center user accounts at least every 90 days, either manually or using the Luna Control Center automated option.
8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.
X
If a customer grants a vendor access to their Akamai account, they are responsible for managing the vendor access. Akamai does not manage IDs for its resellers; customers purchasing accounts through Akamai resellers are responsible for working with the reseller to make sure that reseller access is PCI-compliant.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
X
Customer must configure Luna to lock out user IDs after not more than six attempts.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
X
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
X
Customer must set the Luna Control Center configuration setting so that if a session has been idle for more than 15 minutes, the user must re-authenticate to re-activate the terminal or session.
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric.
X
Customers using SAML to authenticate users to the Luna Control Center are responsible for ensuring that their setup uses at least one of the listed methods to authenticate all users.
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
X
8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.
X
8.2.3 Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
X
Customers are responsible for setting Luna Control Center password configurations to require a minimum length of at least seven characters and to contain both numeric and alphabetic characters.
8.2.4 Change user passwords/passphrases at least once every 90 days.
X
Customers are responsible for setting Luna Control Center configurations so that user passwords/passphrases must be changed at least every 90 days.
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
X
8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
X
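The lockout, idle-timeout, password-complexity, rotation and password-history settings that requirements 8.1.6 through 8.2.5 ask the customer to configure in the Luna Control Center, shown as an added example of how such an authentication policy is enforced in code. This is not Akamai's code and not the Luna Control Center's implementation; the account model, the function names, the use of PBKDF2 and its iteration count are assumptions made for the example, and the user ID, passwords and timestamps in the walk-through are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 6                    # 8.1.6: lock out after not more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)   # 8.1.7: locked for a minimum of 30 minutes
IDLE_TIMEOUT = timedelta(minutes=15)       # 8.1.8: re-authenticate after 15 idle minutes
MIN_PASSWORD_LENGTH = 7                    # 8.2.3: at least seven characters
MAX_PASSWORD_AGE = timedelta(days=90)      # 8.2.4: change at least every 90 days
PASSWORD_HISTORY_DEPTH = 4                 # 8.2.5: no reuse of the last four passwords

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so stored credentials are unreadable; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def check_complexity(password: str) -> bool:
    """8.2.3: minimum length of seven, containing both alphabetic and numeric characters."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

@dataclass
class Account:
    user_id: str
    # (salt, hash) of the last four passwords, newest last; the current password is history[-1]
    history: List[Tuple[bytes, bytes]]
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

def create_account(user_id: str, password: str, now: datetime) -> Account:
    if not check_complexity(password):
        raise ValueError("initial password does not meet 8.2.3")
    salt = os.urandom(16)
    return Account(user_id, [(salt, hash_password(password, salt))], now)

def set_password(acct: Account, new_password: str, now: datetime) -> str:
    """Returns 'ok', 'complexity' (fails 8.2.3) or 'reused' (fails 8.2.5)."""
    if not check_complexity(new_password):
        return "complexity"
    for salt, old_hash in acct.history:          # compare against the last four
        if hmac.compare_digest(hash_password(new_password, salt), old_hash):
            return "reused"
    salt = os.urandom(16)
    acct.history.append((salt, hash_password(new_password, salt)))
    del acct.history[:-PASSWORD_HISTORY_DEPTH]   # keep only the newest four
    acct.password_set_at = now
    return "ok"

def admin_unlock(acct: Account) -> None:
    """8.1.7: an administrator may re-enable the user ID before the lockout expires."""
    acct.locked_until = None
    acct.failed_attempts = 0

def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'locked', 'bad_password' or 'expired' (password older than 90 days)."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        admin_unlock(acct)                        # lockout elapsed; count afresh
    salt, current_hash = acct.history[-1]
    if not hmac.compare_digest(hash_password(password, salt), current_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
        return "bad_password"
    acct.failed_attempts = 0
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "expired"                          # valid credential, but it must be changed
    acct.last_activity = now
    return "ok"

def session_is_valid(acct: Account, now: datetime) -> bool:
    """8.1.8: a session idle for more than 15 minutes requires re-authentication."""
    if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None
        return False
    acct.last_activity = now
    return True

def run_scenario() -> List[str]:
    """Constructed walk-through that exercises each control; returns each step's outcome."""
    t0 = datetime(2015, 6, 1, 9, 0)              # constructed timestamp
    acct = create_account("alice", "Start123", t0)
    out = [authenticate(acct, "wrong", t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    out.append(authenticate(acct, "Start123", t0 + timedelta(minutes=29)))   # still locked
    out.append(authenticate(acct, "Start123", t0 + timedelta(minutes=30)))   # lockout over
    out.append(str(session_is_valid(acct, t0 + timedelta(minutes=44))))      # 14 min idle
    out.append(str(session_is_valid(acct, t0 + timedelta(minutes=60))))      # 16 min idle
    out.append(set_password(acct, "Start123", t0))                           # same as current
    out.append(set_password(acct, "short1", t0))                             # six characters
    out.append(set_password(acct, "Second22", t0))
    out.append(authenticate(acct, "Second22", t0 + timedelta(days=91)))      # past 90 days
    return out
```

Calling `run_scenario()` walks one account through six failed logins, the 30-minute lockout, a session that survives 14 idle minutes but not 16, a rejected reuse and a rejected six-character password, and finally a login 91 days after the last change that succeeds but is flagged as expired. The history keeps the current password plus the three before it, so the "last four" check of 8.2.5 covers the current value as well.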
8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
X
TODO: What counts as remote network access?
8.4 Document and communicate authentication procedures and policies to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised.
X
Customers must make sure that they have documented and have communicated authentication procedures and policies to all Luna users including guidance on selecting strong authentication credentials, guidance for how users should protect their authentication credentials, instructions not to reuse previously used passwords and instructions to change passwords if there is any suspicion the password could be compromised.
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components.
X
Customers are responsible for not using group, shared, or generic IDs, passwords, or other authentication methods when accessing the Luna Control Center.
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
X
Akamai has no remote access to customer premises.
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
X
Customers using two-factor authentication to access the Luna Control Center must ensure that the second factor is always assigned to an individual account and not shared, and that controls are in place to ensure only the intended account can use the mechanism to gain access.
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
X
Akamai does not store cardholder data.
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
X
Customers must ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
X
9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
X
9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks. For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
X
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
X
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
X
9.3 Control physical access for onsite personnel to the sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
X
9.4.x Implement procedures to identify and authorize visitors. Procedures should include the following:
X
9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
X
9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
X
9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
X
9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
X
9.5 Physically secure all media.
X
Akamai does not store cardholder data on any media.
9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
X
Akamai does not store cardholder data on any media.
9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
X
Akamai does not store cardholder data on any media.
9.6.1 Classify media so the sensitivity of the data can be determined.
X
Akamai does not store cardholder data on any media.
9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.
X
Akamai does not store cardholder data on any media.
9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
X
Akamai does not store cardholder data on any media.
9.7 Maintain strict control over the storage and accessibility of media.
X
Akamai does not store cardholder data on any media.
9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.
X
Akamai does not store cardholder data on any media.
9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
X
Akamai does not store cardholder data on any media.
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
X
Akamai does not store cardholder data on any media.
9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
X
Akamai does not store cardholder data on any media.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads. Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
X
Akamai does not store cardholder data on any media.
9.9.1 Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification.
X
Akamai does not store cardholder data on any media.
9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
X
Akamai does not store cardholder data on any media.
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
X
Akamai does not store cardholder data on any media.
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
X
10.1 Implement audit trails to link all access to system components to each individual user.
X
10.2 Implement automated audit trails for all system components to reconstruct the following events:
X
10.2.1 All individual user accesses to cardholder data
X
Akamai does not store cardholder data.
10.2.2 All actions taken by any individual with root or administrative privileges
X
10.2.3 Access to all audit trails
X
10.2.4 Invalid logical access attempts
X
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
X
10.2.6 Initialization, stopping, or pausing of the audit logs
X
10.2.7 Creation and deletion of system-level objects
X
10.3 Record at least the following audit trail entries for all system components for each event:
X
10.3.1 User identification
X
10.3.2 Type of event
X
10.3.3 Date and time
X
10.3.4 Success or failure indication
X
10.3.5 Origination of event
X
10.3.6 Identity or name of affected data, system component, or resource.
X
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP).
X
10.4.1 Critical systems have the correct and consistent time.
X
10.4.2 Time data is protected.
X
10.4.3 Time settings are received from industry-accepted time sources.
X
10.5 Secure audit trails so they cannot be altered.
X
10.5.1 Limit viewing of audit trails to those with a job-related need.
X
10.5.2 Protect audit trail files from unauthorized modifications.
X
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
X
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
X
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
X
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
X
Customers must review Luna Control Center logs and security events at least daily to identify anomalies or suspicious activity.
10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
X
Customers must review Luna Control Center logs and security events at least daily to comply with all PCI DSS log review requirements.
10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
X
10.6.3 Follow up exceptions and anomalies identified during the review process.
X
Customer must follow up on exceptions and anomalies identified during the review of Luna Control Center logs.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
X
10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
X
Customers must have security policies and operational procedures for monitoring all access to the Luna Control Center that are documented, in use, and known to all affected parties.
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.
X
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.
X
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
X
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
X
11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
X
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
X
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
X
11.3 Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. Note: This update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place.
X
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
X
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
X
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
X
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
X
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
X
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
X
11.5.1 Implement a process to respond to any alerts generated by the change-detection solution.
X
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
X
Customers must have policies and procedures in place for monitoring and testing their correct use of Akamai services.
12.1 Establish, publish, maintain, and disseminate a security policy.
X
Customers must establish, publish, maintain, and disseminate a policy for securely using Akamai services.
12.1.1 Review the security policy at least annually and update the policy when the environment changes.
X
Customers must review their policy for secure use of Akamai services at least annually and update the policy as the environment changes.
12.2 Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk.
X
Customers must implement risk-assessment processes for their own use of Akamai services.
12.3 Develop usage policies for critical technologies and define proper use of these technologies. Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage. Ensure these usage policies require the following:
X
Customers are responsible for developing usage policies for their use of Akamai services, directly or via critical technologies, covering at least the following responsibilities:
12.3.1 Explicit approval by authorized parties
X
Customers are responsible for acquiring approval of their use of Akamai services by authorized parties.
12.3.2 Authentication for use of the technology
X
Customers are responsible for maintaining up-to-date authentication information for their accounts.
12.3.3 A list of all such devices and personnel with access
X
Customers are responsible for maintaining a list of all personnel and devices with access to Akamai services, and the services in use.
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)
X
Customers are responsible for ensuring that their Luna Control Center and OPEN API accounts are clearly associated with an owner, contact information, and purpose.
12.3.5 Acceptable uses of the technology
X
Customers are responsible for defining acceptable uses of Akamai technology.
12.3.6 Acceptable network locations for the technologies
X
Customers are responsible for defining how Akamai services can be used in the context of the customer's network.
12.3.7 List of company-approved products
X
Customers are responsible for defining a list of approved Akamai services.
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
X
12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
X
No vendors or partners have access to Akamai PCI systems.
12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
X
Cardholder data is not stored on Akamai PCI systems.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
X
Customers must ensure that security policies and procedures clearly define the information security responsibilities for all personnel with access to the Luna Control Center.
12.5 Assign to an individual or team the following information security management responsibilities:
X
Customers are responsible for assigning to an individual or team the following information security management responsibilities.
12.5.1 Establish, document, and distribute security policies and procedures.
X
Customers must establish, document, and distribute secure policies and procedures for the use of Akamai services.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
X
Customer is responsible for monitoring and analyzing security alerts and information from Akamai, and distributing that information to appropriate personnel.
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
X
Customer is responsible for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations.
12.5.4 Administer user accounts, including additions, deletions, and modifications.
X
Customer is responsible for administering the customer's Luna Control Center accounts, including addition, deletion, and modification.
12.5.5 Monitor and control all access to data.
X
Customer is responsible for monitoring and controlling all access to the customer's Luna Control Center data.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
X
Customer is responsible for implementing a formal security awareness program to make all personnel with access to the Luna Control Center aware of the importance of cardholder data security and how their use of Akamai services, particularly configuration options in the Luna Control Center, can impact that security.
12.6.1 Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
X
Customer is responsible for educating personnel with access to the Luna Control Center upon hire and at least annually.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
X
Customer must require personnel with access to the Luna Control Center to acknowledge at least annually that they have read and understood the security policy and procedures.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
X
Customer must screen potential personnel with access to the Luna Control Center prior to hire to minimize the risk of attacks from internal sources.
12.8 Maintainandimplementpoliciesandprocedurestomanageserviceproviderswithwhomcardholderdataisshared,orthatcouldaffectthesecurityofcardholderdata,asfollows:
X
Customersareresponsibletomaintainandimplementpoliciesandprocedurestomanageserviceproviderswithwhomcardholderdataisshared,orthatcouldaffectthesecurityofcardholderdata,asfollows:
12.8.1 Maintainalistofserviceproviders.
X
Customersmustmaintainalistofserviceproviders,includinganywhichreceivecardholderdataviatheAkamaiSCDN.
12.8.2 Maintainawrittenagreementthatincludesanacknowledgementthattheserviceprovidersareresponsibleforthesecurityofcardholderdatatheserviceproviderspossessorotherwisestore,processortransmitonbehalfofthecustomer,ortotheextentthattheycouldimpactthesecurityofthecustomer’scardholderdataenvironment.
Note:Theexactwordingofanacknowledgementwilldependontheagreementbetweenthe
X Customersmustmaintainawrittenagreementthatincludesanacknowledgementthattheserviceprovidersareresponsibleforthesecurityofcardholderdatatheserviceproviderspossessorotherwisestore,processortransmitonbehalfofthecustomer,ortotheextentthattheycouldimpactthesecurityofthecustomer’scardholderdataenvironment.
68
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
twoparties,thedetailsoftheservicebeingprovided,andtheresponsibilitiesassignedtoeachparty.Theacknowledgementdoesnothavetoincludetheexactwordingprovidedinthisrequirement.
12.8.3 Ensurethereisanestablishedprocessforengagingserviceprovidersincludingproperduediligencepriortoengagement.
X
Customersmustensurethereisanestablishedprocessforengagingserviceprovidersincludingproperduediligencepriortoengagement.
12.8.4 Maintainaprogramtomonitorserviceproviders’PCIDSScompliancestatusatleastannually.
X
Customersmustmaintainaprogramtomonitorserviceproviders’PCIDSScompliancestatusatleastannually.
12.8.5 MaintaininformationaboutwhichPCIDSSrequirementsaremanagedbyeachserviceprovider,andwhicharemanagedbytheentity.
X
CustomersmustmaintaininformationaboutwhichPCIDSSrequirementsaremanagedbyeachserviceprovider,andwhicharemanagedbytheentity.
12.9 Additionalrequirementforserviceprovidersonly:Serviceprovidersacknowledgeinwritingtocustomersthattheyareresponsibleforthesecurityofcardholderdatatheserviceproviderpossessesorotherwisestores,processes,ortransmitsonbehalfof
X AkamaiacknowledgesinwritingtocustomersthatAkamaiisresponsibleforthesecurityofcardholderdataAkamaitransmitsonbehalfofthecustomer,aslongasthecustomermeetsthecustomer
69
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
thecustomer,ortotheextentthattheycouldimpactthesecurityofthecustomer’scardholderdataenvironment.
responsibilitiesdescribedinthismatrix.
12.10 Implementanincidentresponseplan.Bepreparedtorespondimmediatelytoasystembreach.
X
Customersmustimplementanincidentresponseplanandbepreparedtorespondimmediatelytoasystembreachwhichmayrelatetothecustomer'suseofAkamaiservices.
12.10.1 Createtheincidentresponseplantobeimplementedintheeventofsystembreach.Ensuretheplanaddressesthefollowing,ataminimum:-Roles,responsibilities,andcommunicationandcontactstrategiesintheeventofacompromiseincludingnotificationofthepaymentbrands,ataminimum-Specificincidentresponseprocedures-Businessrecoveryandcontinuityprocedures-Databackupprocesses-Analysisoflegalrequirementsforreportingcompromises-Coverageandresponsesofallcriticalsystemcomponents-Referenceorinclusion
X Customersarerequiredtohaveanincidentresponseplanaddressingthecomplete12.10.1requirementsfortheeventofasystembreach.
70
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
ofincidentresponseproceduresfromthepaymentbrands.
12.10.2 Testtheplanatleastannually.
X
Customersarerequiredtotesttheirincidentresponseplans,includingtheirresponsetoanincidentrelatedtotheiruseofAkamaiservices,annually.
12.10.3 Designatespecificpersonneltobeavailableona24/7basistorespondtoalerts.
X
Customermustdesignatespecificpersonneltobeavailableona24/7basisinresponsetoincidentsrelatedtothecustomer'suseofAkamaiPCIservices,andmaintainup-to-datecontactinformationforatleastthosepersonnelontheLunaControlCenter.
12.10.4 Provideappropriatetrainingtostaffwithsecuritybreachresponseresponsibilities.
X
Customermustprovideappropriatetrainingtostaffwithsecuritybreachresponseresponsibilities.
12.10.5 Includealertsfromsecuritymonitoringsystems,includingbutnotlimitedtointrusion-detection,intrusion-prevention,firewalls,andfile-integritymonitoringsystems.
X
71
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
12.10.6 Developaprocesstomodifyandevolvetheincidentresponseplanaccordingtolessonslearnedandtoincorporateindustrydevelopments.
X
CustomermusthaveaprocesstomodifyandevolvetheirincidentresponseplanforincidentsinvolvingAkamaiservicesaccordingtolessonslearnedandindustrydevelopments.
A.1 Protecteachentity’s(thatis,merchant,serviceprovider,orotherentity)hostedenvironmentanddata,perA.1.1throughA.1.4:
AhostingprovidermustfulfilltheserequirementsaswellasallotherrelevantsectionsofthePCIDSS.
Note:Eventhoughahostingprovidermaymeettheserequirements,thecomplianceoftheentitythatusesthehostingproviderisnotguaranteed.EachentitymustcomplywiththePCIDSSandvalidatecomplianceasapplicable.
X
Akamaiisnotahostingprovider.
A.1.1 Ensurethateachentityonlyrunsprocessesthathaveaccesstothatentity’scardholderdataenvironment.
X
Akamaiisnotahostingprovider.
72
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
A.1.2 Restricteachentity’saccessandprivilegestoitsowncardholderdataenvironmentonly.
X
Akamaiisnotahostingprovider.
A.1.3 Ensureloggingandaudittrailsareenabledanduniquetoeachentity’scardholderdataenvironmentandconsistentwithPCIDSSRequirement10.
X
Akamaiisnotahostingprovider.
A.1.4 Enableprocessestoprovidefortimelyforensicinvestigationintheeventofacompromisetoanyhostedmerchantorserviceprovider.
X
Akamaiisnotahostingprovider.
As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.
Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.
©2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.