What is a Cardholder Data Environment (CDE)?

At its simplest, an organisation’s Cardholder Data Environment (CDE) is the physical and technical environment where Account Data is accepted, captured, handled, processed, stored and/or transmitted. Anywhere that people, processes and technologies store, process or transmit Account Data is in scope for the Payment Card Industry Data Security Standard (PCI DSS) and is considered part of the CDE.

As most card data breaches involve a compromise of the CDE, the PCI DSS requires a wide variety of security controls to be maintained to protect this data as it enters the CDE, while it is within the CDE, and as it leaves or is removed from the CDE.

The CDE consists of:

  • All system components that store, process, or transmit Account Data;
  • System components that do not themselves store, process, or transmit Account Data but are ‘adjacent to’ (e.g. on the same network as) a system component that does.

However, the PCI DSS applies to more than just the system components within the CDE; also in scope are ‘connected-to or security-impacting’ system components that:

  • Connect or have access to the CDE either directly or indirectly, e.g. via a jump server;
  • Can impact the configuration or security of the CDE, e.g. a server providing name resolution (DNS) for the CDE;
  • Provide security services to the CDE, e.g. an identification and authentication server, such as Active Directory;
  • Support PCI DSS requirements, e.g. an audit log server;
  • Provide segmentation of the CDE from out-of-scope systems, e.g. internal firewalls.

For additional guidance on determining whether systems are in scope or out of scope, please see the articles referenced below.
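As an added illustration (not part of the original article), the scoping rules above expressed as a small classifier over a constructed system inventory: the component names, segments and roles are assumed, and the indirect-access rule is applied only through components marked as jump servers.

```python
from dataclasses import dataclass, field

# Roles that make a non-CDE component "security-impacting" when the CDE relies on it
SECURITY_ROLES = {"dns", "auth", "logging", "segmentation"}

@dataclass
class Component:
    name: str
    segment: str                        # network segment the component sits on
    handles_account_data: bool = False  # stores, processes or transmits Account Data
    connects_to: list = field(default_factory=list)  # outbound connections, by name
    role: str = ""                      # "jump", one of SECURITY_ROLES, or ""

def classify(components):
    """Map each component name to 'CDE', 'connected-to' or 'out-of-scope'."""
    by_name = {c.name: c for c in components}
    # Rule 1: anything that stores, processes or transmits Account Data is in the CDE.
    cde = {c.name for c in components if c.handles_account_data}
    # Rule 2: components on the same segment as a CDE component are adjacent, so CDE too.
    cde_segments = {by_name[n].segment for n in cde}
    cde |= {c.name for c in components if c.segment in cde_segments}
    connected = set()
    for c in components:
        used_by_cde = any(c.name in by_name[n].connects_to for n in cde)
        if c.name in cde:
            continue
        if any(t in cde for t in c.connects_to):       # direct access into the CDE
            connected.add(c.name)
        elif c.role in SECURITY_ROLES and used_by_cde:  # DNS, AD, log server, firewall
            connected.add(c.name)
    # Indirect access: anything that reaches an in-scope jump server is in scope as well.
    jumps = {n for n in connected if by_name[n].role == "jump"}
    connected |= {c.name for c in components if c.name not in cde
                  and any(t in jumps for t in c.connects_to)}
    return {c.name: "CDE" if c.name in cde else
            "connected-to" if c.name in connected else "out-of-scope" for c in components}
# Constructed inventory for one face-to-face payment channel (not a real environment).
INVENTORY = [
    Component("pos-terminal", "store-lan", True, ["payment-gw"]),
    Component("receipt-printer", "store-lan"),
    Component("payment-gw", "dmz", True, ["dns-server", "log-server"]),
    Component("core-fw", "infra", connects_to=["payment-gw"], role="segmentation"),
    Component("jump-server", "mgmt", connects_to=["payment-gw"], role="jump"),
    Component("admin-ws", "corp", connects_to=["jump-server"]),
    Component("dns-server", "infra", role="dns"),
    Component("log-server", "infra", role="logging"),
    Component("hr-app", "corp", connects_to=["dns-server"]),
]
def example_scope():
    return classify(INVENTORY)
```

Note that the receipt printer lands in the CDE purely by adjacency, and the admin workstation is in scope through the jump server; both are the kinds of components that are easily missed without a diagram.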

System components can be network devices, servers, computing and mobile devices, and applications. That may include, but is not limited to:

  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors
  • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances
  • Server types such as web, application, database, mail, proxy,
  • Applications including all purchased and custom applications, including internal and external (for example, Internet) applications
  • Third-party devices, systems, networks or people, such as remote access, VPNs and IT support.

What is Account Data?

Account Data, also often referred to as Payment Card Data, consists of Cardholder Data (CHD) and Sensitive Authentication Data (SAD):

[Figure: composition of Account Data (CHD and SAD); source: PCI DSS v3.2.1, page 7]

CHD and SAD must be protected as per the PCI SSC guidelines:

[Figure: protection requirements for CHD and SAD; source: PCI DSS v3.2.1, page 8]

Why are data flow diagrams needed?

The creation of network and data flow diagram(s) that define the CDE (Cardholder Data Environment diagrams) is one of the most important first steps for any organisation trying to determine Account Data use across its people, locations, functions, processes and systems, and hence to define its PCI DSS assessment scope. The CDE diagram(s) should be used as one of the organisation’s central reference sources when addressing PCI DSS compliance and protecting Account Data.

Network and data flow diagram(s) are required by the PCI DSS:

PCI DSS Requirement | Guidance
1.1.2: Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks | Network diagrams describe how networks are configured, and identify the location of all network devices.
1.1.3: Current diagram that shows all cardholder data flows across systems and networks | Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network.

Organizations required to formally assess their compliance must have network and data flow diagram(s). For self-assessing entities, a network diagram is mandatory for the PCI DSS SAQ A-EP, SAQ B-IP and SAQ D questionnaires, while SAQ A-EP and SAQ D also require a card data flow diagram. For the remaining questionnaires these diagrams are not mandatory, but it is good practice to create one or more diagrams to illustrate the CDE, the network(s) and systems that are part of or connect to the CDE, and the journey of CHD and SAD across systems and network(s) as it is captured, transmitted, processed and potentially stored. Without the diagrams, Account Data may be overlooked, unprotected, exposed to fraud, or stored in breach of the PCI DSS.

Understanding where Account Data is captured, transmitted, processed and/or stored can:

  • Help an organization understand and define its
  • Define the PCI DSS assessment
  • If applicable, identify the relevant PCI DSS SAQ questionnaire/s.
  • Help determine which PCI DSS requirements are applicable to the
  • Highlight potential security weaknesses in networks/systems/processes.
  • Highlight potential opportunities for reducing the scope of the PCI DSS assessment

How do you create a card data flow diagram?

To identify where Account Data is stored, processed or transmitted within your organization, it is necessary to understand all payment methods and channels. This is generally a collaborative effort between departments, potentially also involving third-party service providers, and can be broken down by the three payment channels: Ecommerce, Face-to-face, and MOTO (Mail Order/Telephone Order).

To develop a CDE diagram you will need:

  • Up-to-date IT network documentation

Without a current network diagram, systems could be overlooked and unknowingly left out of the security controls implemented for the PCI DSS, or network connections could be left poorly protected, leaving the CDE vulnerable to attack or compromise by malicious individuals.

  • Knowledge of all Account Data handling and payment processes within the organization

Gather information on all aspects of Account Data receipt, capture, processing, retention/storage, archiving and destruction. This must include not only card payment processes but also Account Data handling processes such as bookings (where card data is captured but no payment is taken), chargebacks, refunds, etc.

You will need to identify all of the people (including third parties), processes and technologies involved in the handling, transmission and processing of Account Data (in either hard copy or electronic form) across all teams, functions and services involved in each payment method/channel. This is often the most difficult part to investigate, due to the many different forms and historic ways of taking Account Data throughout an organization.

The first step to creating a CDE diagram is to document what is and isn’t included in the CDE.

Follow the movement of the Account Data from its entry point(s) through the organization until it permanently leaves the organization or is destroyed. This will identify all the components involved in the processing, storage and transmission of the cardholder data.

For merchant organizations, mapping the list of Merchant Accounts or Merchant IDs (MIDs) to each payment channel can help to identify payment processes and card data flows. Note that not all MIDs may be used to process payments directly by the organization; some MIDs may be used by third parties to process payments on the merchant organization’s behalf. The merchant retains responsibility for the protection of Account Data and for the fulfilment of the applicable PCI DSS requirements by third-party service providers, and must therefore include those activities when defining assessment scope and creating CDE diagram(s).

Steps for creating a card data flow diagram

  1. Create, or use an existing, network diagram showing all locations, networks and connections (internal and external).
  2. Make a copy of the network diagram for each payment channel in use (Ecommerce, Face-to-face and MOTO). A single diagram can be used for smaller set-ups, but may become confusing in a multi-channel environment.
  3. Add to the diagram the payment systems that store, process or transmit CHD for each payment channel (following the guidance in ‘What is a Cardholder Data Environment’). For example:
  • Websites hosted internally or by third-party service providers
  • Applications/databases
  • Payment terminals (PSTN, network (IP) or mobile (GPRS))
  • Virtual terminals
  • POS systems (PCs, servers, devices)
  • Call recording systems
  • VoIP telephone systems
  • Post/email
  • Merchant receipts/vouchers
  • Fax/e-fax
  • Backup systems/sites/devices/media
  • Archived cardholder data/systems
  • Third-party devices/systems/support

  4. Use arrows and numbers to show how cardholder data flows between people, devices and entities, as in the simplified example below. In addition, use colour coding and a key to show where CHD is:

  • Stored
  • Processed
  • Transmitted
  • Encrypted
  • Unprotected
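An added example, not from the original article, that produces step 4’s numbered, colour-coded flow as Graphviz DOT from a constructed Ecommerce channel and lists the points where CHD is stored or transmitted unprotected; the node names, hops and protection states are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    stores: bool = False             # CHD is retained here
    encrypted_at_rest: bool = False  # protection of that stored CHD

@dataclass
class Hop:
    src: str
    dst: str
    encrypted: bool                  # protected in transit, e.g. TLS
    note: str = ""                   # what happens to the data on this leg

def unprotected(nodes, flow):
    """Points where CHD is at rest or in transit without protection."""
    issues = [f"{n.name}: stored unencrypted" for n in nodes if n.stores and not n.encrypted_at_rest]
    issues += [f"{h.src} -> {h.dst}: transmitted unencrypted" for h in flow if not h.encrypted]
    return issues

def to_dot(nodes, flow):
    """Graphviz DOT with numbered arrows and a colour key, as step 4 asks for."""
    out = ["digraph card_data_flow {", "  rankdir=LR;", "  node [shape=box, style=filled];"]
    for n in nodes:
        fill = "lightgrey" if not n.stores else ("palegreen" if n.encrypted_at_rest else "salmon")
        label = n.name + ("\\n(stores CHD)" if n.stores else "")
        out.append(f'  "{n.name}" [label="{label}", fillcolor={fill}];')
    for i, h in enumerate(flow, 1):  # arrow numbers follow the order of the flow list
        colour = "green" if h.encrypted else "red"
        out.append(f'  "{h.src}" -> "{h.dst}" [label="{i}. {h.note}", color={colour}];')
    out.append('  key [shape=note, fillcolor=white, label="green arrow: encrypted in transit'
               '\\nred arrow: unprotected in transit\\nsalmon box: stored unencrypted'
               '\\npalegreen box: stored encrypted"];')
    out.append("}")
    return "\n".join(out)

# Constructed Ecommerce channel (not a real merchant's environment).
NODES = [Node("customer browser"), Node("web server"),
         Node("payment app", stores=True),                      # e.g. PAN written to an app log
         Node("order db", stores=True, encrypted_at_rest=True),
         Node("payment gateway")]
FLOW = [Hop("customer browser", "web server", True, "card entered on checkout page"),
        Hop("web server", "payment app", False, "PAN passed to app tier"),
        Hop("payment app", "payment gateway", True, "authorisation request"),
        Hop("payment app", "order db", True, "PAN stored for refunds")]
```

Rendering the returned DOT with `dot -Tpng` gives the diagram; the list from `unprotected()` is the set of weaknesses the diagram is meant to surface.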