PCI Compliance

pci-dss

PCI Compliance continues to confuse the masses. I will aim to address this confusion and actually explain what is needed. This article aims to clear up the confusion regarding hosting providers and PCI Compliance, and won’t address the different levels that depend on transaction volume.

Location

At this stage it is worth pointing out that there are different levels of PCI Compliance. Firstly, let’s start with the Data Center where the server is hosted. The initial confusion usually starts here. Many people wrongly believe that the responsibility for PCI Compliance lies solely with the Data Center. Even if a Data Center has chosen to be formally recognized as PCI Compliant, you don’t inherit ANY of that compliance. Below are the requirements (the 9.x physical-access questions) a Data Center must meet to be PCI Compliant:

9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?

9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?

9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?

9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?

9.1.2 Is physical access to publicly accessible network jacks restricted?

9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?

9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?

9.3 Are all visitors handled as follows:

9.3.1 Authorized before entering areas where cardholder data is processed or maintained?

9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?

9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?

9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?

9.4.b Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?

9.4.c Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?

I can’t think of any reasonable Data Center these days which wouldn’t meet these requirements. As part of your own compliance, you will need to certify that the Data Center meets them. If you are sure that the Data Center does indeed follow these policies, it is safe to answer yes to these questions. Just because I don’t know of any Data Centers that don’t, doesn’t mean they don’t exist, so you have to be very sure of that aspect. The easiest way to be sure is to ask the Data Center in question, or your hosting provider, whether they have a certification they could show you. They don’t need a certification to be meeting the requirements, though.

Environment

The next step is the physical or virtual environment where your website is located. I don’t want to even guess how many websites out there have a PCI Compliance certificate but obtained it by not answering the questions truthfully. How many of you have a firewall in front of your servers? How many of you have split web, SQL, mail, DNS or any other service between servers? These are all requirements, and those requirements don’t come cheap. If you are reading this now and you are thinking “Huh? I don’t have this in my environment, but I am compliant!”, well, you aren’t. If you have a breach, an investigation is carried out and you divulge your setup, your insurance would be invalid. You would also be open to litigation from your merchant provider and your customers, along with anyone else impacted by said breach. Read https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf for the full requirements.

Configuration

We now come onto the actual scan. This is what people usually concentrate on, as it is something they can’t lie or skip their way through. After you have certified that your setup, physical or virtual, meets PCI Compliance, a scan will be performed against your website/server. I say website, as part of the scan actually checks your website for vulnerabilities. During this scan you will no doubt see that your website has many findings. Firstly, not all of these are actual vulnerabilities and many are theoretical, but they still need fixing. It is generally the hosting provider’s responsibility to fix things such as outdated software versions, for example PHP, SQL or Apache. Things like SSH protocol versions, SSL and ports also fall under the responsibility of the hosting provider. Part of the scan will also test the actual website for vulnerabilities. Mostly SQL injection and cross-site scripting are what they focus on, and these are the types of things which need fixing by your developer. You can’t expect your hosting company to change your website code.

All of these parameters change over time, sometimes within days, and most providers will scan you either monthly or quarterly. Expect to fail almost every time, and allow your hosting company and site developers the chance to address the new requirements.

Warning

Don’t always trust your provider, particularly in shared environments. Is it possible for a shared hosting environment to be PCI Compliant? Yes, but it is incredibly difficult. There are hosts out there which specialize in this type of shared hosting, at a premium of course. Keep in mind that exposure to SQL injection or cross-site scripting is unique to your own website and environment. Very few shared hosting providers will actually run an individual scan for your website; you would still need to arrange that yourself. Remember, a provider’s compliance doesn’t mean you are compliant. The responsibility ultimately falls on you.

John Strong, Managing Director

Translated from: https://www.eukhost.com/blog/webhosting/pci-compliance/
