Akamai Technologies Inc.
PCI DSS 3.1 Responsibility Matrix
June 2016
Table of Contents
Purpose ........ 2
Overview ........ 2
Responsibility Matrix ........ 3
Purpose

Akamai provides below a detailed matrix of PCI DSS requirements, including a description of whether responsibility for each individual control lies with Akamai, with our customers, or is shared between both parties.
Overview

The PCI DSS responsibility matrix is intended for use by Akamai customers and their Qualified Security Assessors (QSAs) in audits for PCI compliance. The responsibility matrix describes, in accordance with Requirement 12.8.5 and other requirements, the actions an Akamai customer must take in order to maintain its own PCI compliance when cardholder data (CHD) and other sensitive information is passing through Akamai's systems.

Akamai Secure Content Delivery Network (Secure CDN) and supplemental services have been audited against version 3.1 of the PCI DSS standard. In addition to what is described in the responsibility matrix, the customer is responsible for all PCI requirements related to customer-maintained software and systems, including for {OPEN} API tools.

At this time, no Akamai systems are approved for the storage of credit card data, and only Akamai's Secure CDN is approved for the processing and transmission of CHD and other sensitive data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to sensitive data, may be used without a negative impact to a customer's PCI compliance.
![Page 4: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/4.jpg)
3
PCI DSS 3.1 Responsibility Matrix
Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
1.1 Establishandimplementfirewallandroutercon-figurationstandardsthatincludethefollowing:
X
1.1.1 Aformalprocessforapprovingandtestingallnetworkconnectionsandchangestothefirewallandrouterconfigurations
X
1.1.2 Currentdiagramthatidentifiesallnetworks,networkdevices,andsystemcomponents,withallconnectionsbetweentheCDEandothernetworks,includinganywirelessnetworks
X
Customer'snetworkdiagramshoulddepictuseofAkamaiservices,includingallconnectionsbetweenAkamai'snetworksandthecustomer'sCDE.
1.1.3 Currentdiagramthatshowsallcardholderdataflowsacrosssystemsandnetworks
X
Customer'snetworkdiagramshouldincludeanydataflowsthroughtheAkamaiSCDN.
1.1.4 RequirementsforafirewallateachInternetconnectionandbetweenanydemilitarizedzone(DMZ)andtheinternalnetworkzone
X
1.1.5 Descriptionofgroups,roles,andresponsibilitiesformanagementofnetworkcomponents
X
![Page 5: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/5.jpg)
4
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
1.1.6 Documentationandbusinessjustificationforuseofallservices,protocols,andportsallowed,includingdocumentationofsecurityfeaturesimplementedforthoseprotocolsconsideredtobeinsecure.Examplesofinsecureservices,protocols,orportsincludebutarenotlimitedtoFTP,Telnet,POP3,IMAP,andSNMPv1andv2.
X
1.1.7 Requirementtoreviewfirewallandrouterrulesetsatleasteverysixmonths
X
1.2 Buildfirewallandrouterconfigurationsthatrestrictconnectionsbetweenuntrustednetworksandanysystemcomponentsinthecardholderdataenvironment.Note:An“untrustednetwork”isanynetworkthatisexternaltothenetworksbelongingtotheentityunderreview,and/orwhichisoutoftheentity'sabilitytocontrolormanage.
X
![Page 6: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/6.jpg)
5
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
1.2.1 Restrictinboundandoutboundtraffictothatwhichisnecessaryforthecardholderdataenvironment,andspecificallydenyallothertraffic.
X
1.2.2 Secureandsynchronizerouterconfigurationfiles.
X
1.2.3 Installperimeter
firewallsbetweenallwirelessnetworksandthecardholderdataenvironment,andconfigurethesefirewallstodenyor,iftrafficisnecessaryforbusinesspurposes,permitonlyauthorizedtrafficbetweenthewirelessenvironmentandthecardholderdataenvironment.
X
AllAkamaiwirelessaccesspoints/SSIDareoutsidethefirewallsothereisnodirectwirelessaccesstoPCIsystems.
1.3 ProhibitdirectpublicaccessbetweentheInternetandanysystemcomponentinthecardholderdataenvironment.
X
1.3.1 ImplementaDMZto
limitinboundtraffictoonlysystemcomponentsthatprovideauthorizedpubliclyaccessibleservices,protocols,andports.
X
1.3.2 LimitinboundInternet
traffictoIPaddresseswithintheDMZ.
X
![Page 7: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/7.jpg)
6
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
1.3.3 DonotallowanydirectconnectionsinboundoroutboundfortrafficbetweentheInternetandthecardholderdataenvironment.
X
1.3.4 Implementanti-spoofing
measurestodetectandblockforgedsourceIPaddressesfromenteringthenetwork.(Forexample,blocktrafficoriginatingfromtheInternetwithaninternalsourceaddress.)
X
1.3.5 Donotallow
unauthorizedoutboundtrafficfromthecardholderdataenvironmenttotheInternet.
X
1.3.6 Implementstateful
inspection,alsoknownasdynamicpacketfiltering.(Thatis,only“established”connectionsareallowedintothenetwork.)
X
1.3.7 Placesystem
componentsthatstorecardholderdata(suchasadatabase)inaninternalnetworkzone,segregatedfromtheDMZandotheruntrustednetworks.
X
Akamaidoesnotstorecardholderdata.
![Page 8: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/8.jpg)
7
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
1.3.8 DonotdiscloseprivateIPaddressesandroutinginformationtounauthorizedparties.Note:MethodstoobscureIPaddressingmayinclude,butarenotlimitedto:-NetworkAddressTranslation(NAT)-Placingserverscontainingcardholderdatabehindproxyservers/firewalls,-Removalorfilteringofrouteadvertisementsforprivatenetworksthatemployregisteredaddressing,-InternaluseofRFC1918addressspaceinsteadofregisteredaddresses.
X
1.4 Installpersonalfirewall
softwareonanymobileand/oremployee-owneddevicesthatconnecttotheInternetwhenoutsidethenetwork(forexample,laptopsusedbyemployees),andwhicharealsousedtoaccessthenetwork.Firewallconfigurationsinclude:-Specificconfigurationsettingsaredefinedforpersonalfirewallsoftware.-Personalfirewall
X
![Page 9: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/9.jpg)
8
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
softwareisactivelyrunning.-Personalfirewallsoftwareisnotalterablebyusersofmobileand/oremployee-owneddevices.
1.5 Ensurethatsecuritypoliciesandoperationalproceduresformanagingfirewallsaredocumented,inuse,andknowntoallaffectedparties.
X
2.1 Alwayschangevendor-
supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.).
X
![Page 10: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/10.jpg)
9
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
2.1.1 Forwirelessenvironmentsconnectedtothecardholderdataenvironmentortransmittingcardholderdata,changeALLwirelessvendordefaultsatinstallation,includingbutnotlimitedtodefaultwirelessencryptionkeys,passwords,andSNMPcommunitystrings.
X
AllAkamaiwirelessaccesspoints/SSIDareoutsidethefirewallsothereisnodirectwirelessaccesstoPCIsystems.
2.2 Developconfigurationstandardsforallsystemcomponents.Assurethatthesestandardsaddressallknownsecurityvulnerabilitiesandareconsistentwithindustry-acceptedsystemhardeningstandards.Sourcesofindustry-acceptedsystemhardeningstandardsmayinclude,butarenotlimitedto:-CenterforInternetSecurity(CIS)-InternationalOrganizationforStandardization(ISO)-SysAdminAuditNetworkSecurity(SANS)Institute-NationalInstituteofStandardsTechnology(NIST).
X
![Page 11: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/11.jpg)
10
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
2.2.1 Implementonlyoneprimaryfunctionperservertopreventfunctionsthatrequiredifferentsecuritylevelsfromco-existingonthesameserver.(Forexample,webservers,databaseservers,andDNSshouldbeimplementedonseparateservers.)Note:Wherevirtualizationtechnologiesareinuse,implementonlyoneprimaryfunctionpervirtualsystemcomponent.
X
2.2.2 Enableonlynecessary
services,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.
X
2.2.3 Implementadditional
securityfeaturesforanyrequiredservices,protocols,ordaemonsthatareconsideredtobeinsecure—forexample,usesecuredtechnologiessuchasSSH,S-FTP,TLS,orIPSecVPNtoprotectinsecureservicessuchasNetBIOS,file-sharing,Telnet,FTP,etc.
X
2.2.4 Configuresystem
securityparameterstopreventmisuse.
X
![Page 12: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/12.jpg)
11
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
2.2.5 Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems,andunnecessarywebservers.
X
2.3 Encryptallnon-console
administrativeaccessusingstrongcryptography.UsetechnologiessuchasSSH,VPN,orTLSforweb-basedmanagementandothernon-consoleadministrativeaccess.
X
2.4 Maintainaninventoryof
systemcomponentsthatareinscopeforPCIDSS
X
2.5 Ensurethatsecurity
policiesandoperationalproceduresformanagingvendordefaultsandothersecurityparametersaredocumented,inuse,andknowntoallaffectedparties.
X
2.6 Sharedhostingproviders
mustprotecteachentity’shostedenvironmentandcardholderdata.TheseprovidersmustmeetspecificrequirementsasdetailedinAppendixA:AdditionalPCIDSSRequirementsforSharedHostingProviders.
X
Akamai'sSCDNisnotasharedhostingservice.
![Page 13: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/13.jpg)
12
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
3.1 Keepcardholderdatastoragetoaminimumbyimplementingdataretentionanddisposalpolicies,proceduresandprocessesthatincludeatleastthefollowingforallcardholderdata(CHD)storage:-Limitingdatastorageamountandretentiontimetothatwhichisrequiredforlegal,regulatory,andbusinessrequirements-Processesforsecuredeletionofdatawhennolongerneeded-Specificretentionrequirementsforcardholderdata-Aquarterlyprocessforidentifyingandsecurelydeletingstoredcardholderdatathatexceedsdefinedretention.
X
CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausecreditcarddatatobecachedorotherwisestoredonAkamaimachines.
3.2 Donotstoresensitiveauthenticationdataafterauthorization(evenifencrypted).Ifsensitiveauthenticationdataisreceived,renderalldataunrecoverableuponcompletionoftheauthorizationprocess.Itispermissibleforissuersandcompaniesthatsupportissuingservicestostoresensitiveauthenticationdataif:-
X CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausesensitiveauthenticationdatatobecachedorotherwisestoredonAkamaimachines.
![Page 14: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/14.jpg)
13
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
Thereisabusinessjustificationand-Thedataisstoredsecurely.SensitiveauthenticationdataincludesthedataascitedinthefollowingRequirements3.2.1through3.2.3:
3.2.1 Donotstorethefullcontentsofanytrack(fromthemagneticstripelocatedonthebackofacard,equivalentdatacontainedonachip,orelsewhere)afterauthorization.Thisdataisalternativelycalledfulltrack,track,track1,track2,andmagnetic-stripedata.
X
CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausecreditcarddatatobecachedorotherwisestoredonAkamaimachines.
3.2.2 Donotstorethecardverificationcodeorvalue(three-digitorfour-digitnumberprintedonthefrontorbackofapaymentcardusedtoverifycard-not-presenttransactions)afterauthorization.
X
CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausecreditcarddatatobecachedonAkamaimachines.
3.2.3 Donotstorethepersonalidentificationnumber(PIN)ortheencryptedPINblockafterauthorization.
X
CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausecreditcarddatatobecachedorotherwisestoredonAkamaimachines.
![Page 15: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/15.jpg)
14
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
3.3 MaskPANwhendisplayed(thefirstsixandlastfourdigitsarethemaximumnumberofdigitstobedisplayed),suchthatonlypersonnelwithalegitimatebusinessneedcanseethefullPAN.Note:Thisrequirementdoesnotsupersedestricterrequirementsinplacefordisplaysofcardholderdata—forexample,legalorpaymentcardbrandrequirementsforpoint-of-sale(POS)receipts.
X
IfcustomersaretransmittingcardholderdataforuserviewingovertheAkamaiSCDN,theyareresponsibleforensuringthatPANsareappropriatelymasked.
3.4 RenderPANunreadableanywhereitisstored(includingonportabledigitalmedia,backupmedia,andinlogs)byusinganyofthefollowingapproaches:-One-wayhashesbasedonstrongcryptography,(hashmustbeoftheentirePAN)-Truncation(hashingcannotbeusedtoreplacethetruncatedsegmentofPAN)-Indextokensandpads(padsmustbesecurelystored)-Strongcryptographywithassociatedkey-managementprocessesandprocedures.
X CustomerisresponsibleforensuringthattheirconfigurationsforusingAkamaiserviceswillnotcausePANtobecachedorotherwisestoredonAkamaimachines.
![Page 16: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/16.jpg)
15
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
Note:ItisarelativelytrivialeffortforamaliciousindividualtoreconstructoriginalPANdataiftheyhaveaccesstoboththetruncatedandhashedversionofaPAN.WherehashedandtruncatedversionsofthesamePANarepresentinanentity’senvironment,additionalcontrolsshouldbeinplacetoensurethatthehashedandtruncatedversionscannotbecorrelatedtoreconstructtheoriginalPAN.
3.4.1 Ifdiskencryptionisused(ratherthanfile-orcolumn-leveldatabaseencryption),logicalaccessmustbemanagedseparatelyandindependentlyofnativeoperatingsystemauthenticationandaccesscontrolmechanisms(forexample,bynotusinglocaluseraccountdatabasesorgeneralnetworklogincredentials).Decryptionkeysmustnotbeassociatedwithuseraccounts.
X
Akamaidoesnotstorecardholderdata.
![Page 17: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/17.jpg)
16
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
3.5 Documentandimplementprocedurestoprotectkeysusedtosecurestoredcardholderdataagainstdisclosureandmisuse:Note:Thisrequirementappliestokeysusedtoencryptstoredcardholderdata,andalsoappliestokey-encryptingkeysusedtoprotectdata-encryptingkeys—suchkey-encryptingkeysmustbeatleastasstrongasthedata-encryptingkey.
X
Akamaidoesnotstorecardholderdata.
3.5.1 Restrictaccesstocryptographickeystothefewestnumberofcustodiansnecessary.
X
Akamaidoesnotstorecardholderdata.
3.5.2 Storesecretandprivatekeysusedtoencrypt/decryptcardholderdatainone(ormore)ofthefollowingformsatalltimes:-Encryptedwithakey-encryptingkeythatisatleastasstrongasthedata-encryptingkey,andthatisstoredseparatelyfromthedata-encryptingkey-Withinasecurecryptographicdevice(suchasahardware(host)securitymodule(HSM)orPTS-approved
X Akamaidoesnotstorecardholderdata.
![Page 18: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/18.jpg)
17
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
point-of-interactiondevice)-Asatleasttwofull-lengthkeycomponentsorkeyshares,inaccordancewithanindustry-acceptedmethodNote:Itisnotrequiredthatpublickeysbestoredinoneoftheseforms.
3.5.3 Storecryptographickeysinthefewestpossiblelocations.
X
Akamaidoesnotstorecardholderdata.
3.6 Fullydocumentandimplementallkey-managementprocessesandproceduresforcryptographickeysusedforencryptionofcardholderdata,includingthefollowing:Note:NumerousindustrystandardsforkeymanagementareavailablefromvariousresourcesincludingNIST,whichcanbefoundathttp://csrc.nist.gov.
X
Akamaidoesnotstorecardholderdata.
3.6.1 Generationofstrongcryptographickeys
X
Akamaidoesnotstorecardholderdata.
3.6.2 Securecryptographickeydistribution
X
Akamaidoesnotstorecardholderdata.
3.6.3 Securecryptographickeystorage
X
Akamaidoesnotstorecardholderdata.
![Page 19: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/19.jpg)
18
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
3.6.4 Cryptographickeychangesforkeysthathavereachedtheendoftheircryptoperiod(forexample,afteradefinedperiodoftimehaspassedand/orafteracertainamountofcipher-texthasbeenproducedbyagivenkey),asdefinedbytheassociatedapplicationvendororkeyowner,andbasedonindustrybestpracticesandguidelines(forexample,NISTSpecialPublication800-57).
X
Akamaidoesnotstorecardholderdata.
3.6.5 Retirementorreplacement(forexample,archiving,destruction,and/orrevocation)ofkeysasdeemednecessarywhentheintegrityofthekeyhasbeenweakened(forexample,departureofanemployeewithknowledgeofaclear-textkeycomponent),orkeysaresuspectedofbeingcompromised.Note:Ifretiredorreplacedcryptographickeysneedtoberetained,thesekeysmustbesecurelyarchived(forexample,byusingakey-encryptionkey).
X Akamaidoesnotstorecardholderdata.
![Page 20: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/20.jpg)
19
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
Archivedcryptographickeysshouldonlybeusedfordecryption/verificationpurposes.
3.6.6 Ifmanualclear-textcryptographickey-managementoperationsareused,theseoperationsmustbemanagedusingsplitknowledgeanddualcontrol.Note:Examplesofmanualkey-managementoperationsinclude,butarenotlimitedto:keygeneration,transmission,loading,storageanddestruction.
X
Akamaidoesnotstorecardholderdata.
3.6.7 Preventionofunauthorizedsubstitutionofcryptographickeys.
X
Akamaidoesnotstorecardholderdata.
3.6.8 Requirementforcryptographickeycustodianstoformallyacknowledgethattheyunderstandandaccepttheirkey-custodianresponsibilities.
X
Akamaidoesnotstorecardholderdata.
3.7 Ensurethatsecuritypoliciesandoperationalproceduresforprotectingstoredcardholderdataaredocumented,inuse,andknowntoallaffectedparties.
X
Akamaidoesnotstorecardholderdata.
![Page 21: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/21.jpg)
20
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
4.1 Usestrongcryptographyandsecurityprotocols(forexample,TLS,IPSEC,SSH,etc.)tosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.Examplesofopen,publicnetworksincludebutarenotlimitedto:-TheInternet-Wirelesstechnologies,including802.11andBluetooth-Cellulartechnologies,forexample,GlobalSystemforMobilecommunications(GSM),Codedivisionmultipleaccess(CDMA)-GeneralPacketRadioService(GPRS).-Satellitecommunications.
X
TheAkamaiSCDNoffersstrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,buttheactualconfigurationsettingsarecontrolledbythecustomerusingtheLunaControlCenter.Itisthecustomer'sresponsibilitytoensurethattheirAkamaiservicesareconfiguredtousestrongcryptography,andtonevertransmitcardholderdataoverconnectionsthatdonotusestrongcryptography.
![Page 22: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/22.jpg)
21
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
4.1.1 Ensurewirelessnetworkstransmittingcardholderdataorconnectedtothecardholderdataenvironment,useindustrybestpractices(forexample,IEEE802.11i)toimplementstrongencryptionforauthenticationandtransmission.Note:TheuseofWEPasasecuritycontrolisprohibited.
X
AllAkamaiwirelessaccesspoints/SSIDareoutsidethefirewallsothereisnodirectwirelessaccesstoPCIsystems.
4.2 NeversendunprotectedPANsbyend-usermessagingtechnologies(forexample,e-mail,instantmessaging,SMS,chat,etc.).
X
Itisthecustomer'sresponsibilitytoneversendPANsusingAkamaiserviceswithouttakingappropriateactiontosecurethecontents.
4.3 Ensurethatsecuritypoliciesandoperationalproceduresforencryptingtransmissionsofcardholderdataaredocumented,inuse,andknowntoallaffectedparties.
X
CustomermusttraintheirrelevantpersonneltoensurethatAkamaiservicescarryingcustomerPCIdataareconfiguredtousestrongcryptographyatalltimes.
5.1 Deployanti-virussoftwareonallsystemscommonlyaffectedbymalicioussoftware(particularlypersonalcomputersandservers).
X
![Page 23: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/23.jpg)
22
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
5.1.1 Ensurethatanti-virusprogramsarecapableofdetecting,removing,andprotectingagainstallknowntypesofmalicioussoftware.
X
5.1.2 Forsystemsconsideredtobenotcommonlyaffectedbymalicioussoftware,performperiodicevaluationstoidentifyandevaluateevolvingmalwarethreatsinordertoconfirmwhethersuchsystemscontinuetonotrequireanti-virussoftware.
X
5.2 Ensurethatallanti-virusmechanismsaremaintainedasfollows:-Arekeptcurrent,-Performperiodicscans-GenerateauditlogswhichareretainedperPCIDSSRequirement10.7.
X
5.3 Ensurethatanti-virusmechanismsareactivelyrunningandcannotbedisabledoralteredbyusers,unlessspecificallyauthorizedbymanagementonacase-by-casebasisforalimitedtimeperiod.Note:Anti-virussolutionsmaybetemporarilydisabledonlyifthereislegitimate
X
![Page 24: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/24.jpg)
23
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
technicalneed,asauthorizedbymanagementonacase-by-casebasis.Ifanti-virusprotectionneedstobedisabledforaspecificpurpose,itmustbeformallyauthorized.Additionalsecuritymeasuresmayalsoneedtobeimplementedfortheperiodoftimeduringwhichanti-virusprotectionisnotactive.
5.4 Ensurethatsecuritypoliciesandoperationalproceduresforprotectingsystemsagainstmalwarearedocumented,inuse,andknowntoallaffectedparties.
X
6.1 Establishaprocessto
identifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities.
X
![Page 25: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/25.jpg)
24
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
6.2 Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.Note:CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1.
X
6.3 Developinternaland
externalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:-InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)-Basedonindustrystandardsand/orbestpractices.-Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustom
X CustomermustensurethatallexecutablecontenttransmittedoverAkamaiservicesandhandlingcreditcarddataisdevelopedinaccordancewithPCIDSS,basedonbestpracticesandincorporatinginformationsecuritythroughoutthesoftware-developmentlifecycle.
![Page 26: PCI DSS 3.1 Responsibility Matrix - Akamai · data. Some additional services, such as the Prolexic Routed DDoS mitigation and the SureRoute IP, which do not grant Akamai access to](https://reader034.fdocuments.in/reader034/viewer/2022042214/5eb9f788163d9d63f75a304e/html5/thumbnails/26.jpg)
25
PCI DSS 3.1 Responsibility Matrix
Require-ment RequirementText N/A
ServiceProviderResponsi-bility
CustomerResponsi-bility
JointRe-sponsi-bility
Notes
softwaredevelopedbyathirdparty.
6.3.1 Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers.
X
6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines. - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development lifecycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
X
Customers must review their own executable content transmitted over Akamai services prior to release to production or customers in order to identify any potential coding vulnerabilities.
6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:
X
Customers are responsible for change control processes and procedures described in this section for all executable content they create which handles PCI data and is served by the Akamai SCDN.
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
X
6.4.2 Separation of duties between development/test and production environments.
X
6.4.3 Production data (live PANs) are not used for testing or development.
X
6.4.4 Removal of test data and accounts before production systems become active.
X
6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:
X
6.4.5.1 Documentation of impact.
X
6.4.5.2 Documented change approval by authorized parties.
X
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
X
6.4.5.4 Back-out procedures.
X
6.5 Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
X
Customers are responsible for addressing common coding vulnerabilities described in this section for all executable content they create which handles PCI data and is served by the Akamai SCDN.
6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
X
6.5.2 Buffer overflows.
X
6.5.3 Insecure cryptographic storage.
X
6.5.4 Insecure communications.
X
6.5.5 Improper error handling.
X
6.5.6 All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
X
6.5.7 Cross-site scripting (XSS).
X
6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
X
6.5.9 Cross-site request forgery (CSRF).
X
6.5.10 Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
X
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
X
Customers are responsible for addressing threats and vulnerabilities on an ongoing basis for all executable content they create which handles PCI data and is served by the Akamai SCDN.
6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
X
Customers are responsible for security policies and operational procedures for all executable content they create which handles PCI data and is served by the Akamai SCDN.
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
X
Customers must limit access to Luna Control Center accounts and OPEN API credentials to those individuals whose job requires such access.
7.1.1 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources.
X
Customers must define access needs for each role they use in the Luna Control Center, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources.
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
X
Customers must ensure that access to privileged user IDs on the Luna Control Center and customer systems is restricted to least privileges necessary to perform job responsibilities.
7.1.3 Assign access based on individual personnel's job classification and function.
X
Customers must assign access to the Luna Control Center and OPEN API credentials based on individual personnel's job classification and function.
7.1.4 Require documented approval by authorized parties specifying required privileges.
X
Customers must require documented approval by authorized parties specifying required privileges when granting access to the Luna Control Center or OPEN API credentials.
7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
X
Customers must ensure that the Luna Control Center's access control system restricts user access to only those privileges which are necessary for each user.
7.2.1 Coverage of all system components.
X
Customers must configure the Luna Control Center's access control system for their accounts to restrict access to all PCI-relevant Akamai services and configurations.
7.2.2 Assignment of privileges to individuals based on job classification and function.
X
Customers must assign privileges within the Luna Control Center to individuals based on job classification and function in the customer organization.
7.2.3 Default "deny-all" setting.
X
Akamai PCI systems, including the customer-facing Luna Control Center, deny all access by default, except to a limited amount of public read-only data.
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
X
Customer must ensure that security policies and operational procedures for restricting access to the Luna Control Center and OPEN API credentials are documented, in use, and known to all affected parties.
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
X
Customer must define and implement policies and procedures to ensure proper user identification of individuals accessing the Luna Control Center or tools using OPEN API.
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
X
Customer must assign all users a unique user ID before allowing them to access the Luna Control Center.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
X
Customer must control addition, deletion, and modification of Luna Control Center user IDs, credentials, and other identifier objects.
8.1.3 Immediately revoke access for any terminated users.
X
Customer must immediately revoke access to the Luna Control Center for any terminated users.
8.1.4 Remove/disable inactive user accounts within 90 days.
X
Customer must remove/disable inactive Luna Control Center user accounts at least every 90 days, either manually or using the Luna Control Center automated option.
8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.
X
If a customer grants a vendor access to their Akamai account, they are responsible for managing the vendor access. Akamai does not manage IDs for its resellers; customers purchasing accounts through Akamai resellers are responsible for working with the reseller to make sure that reseller access is PCI-compliant.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
X
Customer must configure Luna to lock out user IDs after not more than six attempts.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
X
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
X
Customer must set the Luna Control Center configuration setting so that if a session has been idle for more than 15 minutes, the user must re-authenticate to re-activate the terminal or session.
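The thresholds in 8.1.6 through 8.1.8 (lock the ID after at most six failed attempts, keep it locked for at least 30 minutes or until an administrator re-enables it, and force re-authentication after 15 idle minutes) are stated above as settings the customer must configure in the Luna Control Center. The Python below is an added example, not Akamai's code and not a description of how Luna implements these settings; it shows how an application that has to meet the same thresholds itself would enforce them. The `AuthGate` class, the in-memory account store and the `now` clock parameter are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

MAX_FAILED_ATTEMPTS = 6          # 8.1.6: lock the ID after not more than six attempts
LOCKOUT_SECONDS = 30 * 60        # 8.1.7: lockout lasts at least 30 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60   # 8.1.8: idle sessions must re-authenticate after 15 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    # 8.2.1: credentials are stored only as a salted PBKDF2 hash, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked


@dataclass
class Session:
    user_id: str
    last_activity: float


class AuthGate:
    """Per-user-ID failed-attempt counting, lockout and idle-session tracking (demo class).

    `now` is passed in explicitly (epoch seconds) so the thresholds can be exercised
    without waiting; production code would read the clock itself."""

    def __init__(self, passwords: Dict[str, str]):
        self.accounts: Dict[str, Account] = {}
        for user_id, password in passwords.items():
            salt = os.urandom(16)
            self.accounts[user_id] = Account(salt, _hash_password(password, salt))
        self.sessions: Dict[str, Session] = {}

    def login(self, user_id: str, password: str, now: float) -> str:
        """Returns "ok", "denied" or "locked"."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"                       # same answer as a bad password: no user enumeration
        if now < acct.locked_until:
            return "locked"                       # 8.1.7: still inside the lockout window
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return "locked"                   # 8.1.6: sixth failure locks the ID
            return "denied"
        acct.failed_attempts = 0                  # a successful login resets the counter
        self.sessions[user_id] = Session(user_id, now)
        return "ok"

    def admin_unlock(self, user_id: str) -> None:
        """8.1.7 alternative: an administrator re-enables the ID before 30 minutes elapse."""
        acct = self.accounts[user_id]
        acct.locked_until = 0.0
        acct.failed_attempts = 0

    def touch(self, user_id: str, now: float) -> bool:
        """Call on every request. False means the user must re-authenticate (8.1.8)."""
        sess = self.sessions.get(user_id)
        if sess is None:
            return False
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]            # idle too long: the session is invalidated, not extended
            return False
        sess.last_activity = now
        return True
```

Two details matter when checking a real implementation against these requirements: the lockout must be keyed on the user ID, not on the client address, or an attacker who rotates addresses never trips it; and an idle session must be destroyed on expiry rather than silently refreshed, otherwise the 15-minute limit is never actually enforced.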
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric.
X
Customers using SAML to authenticate users to the Luna Control Center are responsible for ensuring that their setup uses at least one of the listed methods to authenticate all users.
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
X
8.2.2 Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys.
X
8.2.3 Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
X
Customers are responsible for setting Luna Control Center password configurations to require a minimum length of at least seven characters and to contain both numeric and alphabetic characters.
8.2.4 Change user passwords/passphrases at least once every 90 days.
X
Customers are responsible for setting Luna Control Center configurations so that user passwords/passphrases must be changed at least every 90 days.
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
X
8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
X
8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance). Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
X
TODO: What counts as remote network access?
8.4 Document and communicate authentication procedures and policies to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised.
X
Customers must make sure that they have documented and communicated authentication procedures and policies to all Luna users, including guidance on selecting strong authentication credentials, guidance for how users should protect their authentication credentials, instructions not to reuse previously used passwords, and instructions to change passwords if there is any suspicion the password could be compromised.
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components.
X
Customers are responsible for not using group, shared, or generic IDs, passwords, or other authentication methods when accessing the Luna Control Center.
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
X
Akamai has no remote access to customer premises.
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
X
Customers using two-factor authentication to access the Luna Control Center must ensure that the second factor is always assigned to an individual account and not shared, and that controls are in place to ensure only the intended account can use the mechanism to gain access.
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
X
Akamai does not store cardholder data.
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
X
Customers must ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
X
9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
X
9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks. For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
X
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
X
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
X
9.3 Control physical access for onsite personnel to the sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
X
9.4 Implement procedures to identify and authorize visitors. Procedures should include the following:
X
9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
X
9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
X
9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
X
9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
X
9.5 Physically secure all media.
X
Akamai does not store cardholder data on any media.
9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.
X
Akamai does not store cardholder data on any media.
9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
X
Akamai does not store cardholder data on any media.
9.6.1 Classify media so the sensitivity of the data can be determined.
X
Akamai does not store cardholder data on any media.
9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.
X
Akamai does not store cardholder data on any media.
9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
X
Akamai does not store cardholder data on any media.
9.7 Maintain strict control over the storage and accessibility of media.
X
Akamai does not store cardholder data on any media.
9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.
X
Akamai does not store cardholder data on any media.
9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
X
Akamai does not store cardholder data on any media.
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
X
Akamai does not store cardholder data on any media.
9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
X
Akamai does not store cardholder data on any media.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads. Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
X
Akamai does not store cardholder data on any media.
9.9.1 Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification.
X
Akamai does not store cardholder data on any media.
9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
X
Akamai does not store cardholder data on any media.
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
X
Akamai does not store cardholder data on any media.
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
X
10.1 Implement audit trails to link all access to system components to each individual user.
X
10.2 Implement automated audit trails for all system components to reconstruct the following events:
X
10.2.1 All individual user accesses to cardholder data.
X
Akamai does not store cardholder data.
10.2.2 All actions taken by any individual with root or administrative privileges.
X
10.2.3 Access to all audit trails.
X
10.2.4 Invalid logical access attempts.
X
10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.
X
10.2.6 Initialization, stopping, or pausing of the audit logs.
X
10.2.7 Creation and deletion of system-level objects.
X
10.3 Record at least the following audit trail entries for all system components for each event:
X
10.3.1 User identification.
X
10.3.2 Type of event.
X
10.3.3 Date and time.
X
10.3.4 Success or failure indication.
X
10.3.5 Origination of event.
X
10.3.6 Identity or name of affected data, system component, or resource.
X
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP).
X
10.4.1 Critical systems have the correct and consistent time.
X
10.4.2 Time data is protected.
X
10.4.3 Time settings are received from industry-accepted time sources.
X
10.5 Secure audit trails so they cannot be altered.
X
10.5.1 Limit viewing of audit trails to those with a job-related need.
X
10.5.2 Protect audit trail files from unauthorized modifications.
X
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
X
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
X
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
X
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
X
Notes: Customers must review Luna Control Center logs and security events at least daily to identify anomalies or suspicious activity.
10.6.1 Review the following at least daily:
- All security events
- Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
- Logs of all critical system components
- Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
X
Notes: Customers must review Luna Control Center logs and security events at least daily to comply with all PCI DSS log review requirements.
10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
X
10.6.3 Follow up exceptions and anomalies identified during the review process.
X
Notes: Customer must follow up on exceptions and anomalies identified during the review of Luna Control Center logs.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
X
10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
X
Notes: Customers must have security policies and operational procedures for monitoring all access to the Luna Control Center that are documented, in use, and known to all affected parties.
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.
X
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.
X
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
X
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
X
11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
X
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
X
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
X
11.3 Implement a methodology for penetration testing that includes the following:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results.
Note: This update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place.
X
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
X
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
X
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
X
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
X
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
X
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
X
11.5.1 Implement a process to respond to any alerts generated by the change-detection solution.
X
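As an added illustration of the distinction Requirements 10.5.5 and 11.5 draw (this code is not from Akamai's document or any Akamai product; the file names, log lines and the "origin.conf" contents are constructed for the example), the following Python sketch baselines a set of files and then treats them differently on comparison: a log file may grow without alerting, but any change to bytes already recorded, any truncation, or deletion raises an alert (10.5.5), while a configuration file alerts on any change at all (11.5). Hashing only the baselined prefix of a log is what makes the append-only check work.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file (the whole file when
    length equals its size). Hashing only the baselined prefix lets the
    append-only check ignore new log lines while still catching edits."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record size and digest for every monitored file. In production this
    record must live off the monitored host (or be signed); otherwise an
    intruder with root can simply re-baseline after tampering."""
    baseline = {}
    for p in paths:
        size = os.path.getsize(p)
        baseline[p] = {"size": size, "digest": hash_prefix(p, size)}
    return baseline


def check(baseline, append_only):
    """Compare current state against the baseline and return (path, finding)
    alerts. Paths in `append_only` are logs (10.5.5): growth is normal, so
    only truncation, deletion, or a change to already-recorded bytes alerts.
    Every other path is a critical/config file (11.5): any change alerts."""
    alerts = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "deleted"))
            continue
        size = os.path.getsize(path)
        if path in append_only:
            if size < rec["size"]:
                alerts.append((path, "truncated"))
            elif hash_prefix(path, rec["size"]) != rec["digest"]:
                alerts.append((path, "existing log data modified"))
            # size >= baseline and prefix unchanged: a legitimate append.
        elif size != rec["size"] or hash_prefix(path, size) != rec["digest"]:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Constructed scenario (file names and contents are made up for this
    example): one append-only log and one configuration file."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")
        cfg = os.path.join(d, "origin.conf")
        with open(log, "w") as f:
            f.write("2016-06-01T00:00:01Z GET /checkout 200\n")
        with open(cfg, "w") as f:
            f.write("origin = www-origin.example\n")
        baseline = take_baseline([log, cfg])
        append_only = {log}

        def names(alerts):
            return [(os.path.basename(p), finding) for p, finding in alerts]

        # 1. A new log line arrives: expected, no alert.
        with open(log, "a") as f:
            f.write("2016-06-01T00:00:02Z POST /checkout 302\n")
        after_append = names(check(baseline, append_only))

        # 2. The config file is rewritten: must alert.
        with open(cfg, "w") as f:
            f.write("origin = attacker-controlled.example\n")
        after_cfg_edit = names(check(baseline, append_only))

        # 3. An existing log line is edited in place (same length, so a size
        #    check alone would miss it): must alert.
        with open(log, "r+b") as f:
            f.write(b"2016-06-01T00:00:01Z GET /checkout 404")
        after_log_tamper = names(check(baseline, append_only))

        return after_append, after_cfg_edit, after_log_tamper


if __name__ == "__main__":
    for label, alerts in zip(("append", "config edit", "log tamper"), demo()):
        print(f"{label}: {alerts}")
```

Schedule the check at least weekly (11.5) and re-take the baseline only through change control after an authorized change. Keep the baseline and the checker itself off the monitored host or signed, since an intruder with root can otherwise re-baseline; the same reasoning is why 10.5.3 and 10.5.4 require logs to be copied promptly to a centralized server.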
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
X
Notes: Customers must have policies and procedures in place for monitoring and testing their correct use of Akamai services.
12.1 Establish, publish, maintain, and disseminate a security policy.
X
Notes: Customers must establish, publish, maintain, and disseminate a policy for securely using Akamai services.
12.1.1 Review the security policy at least annually and update the policy when the environment changes.
X
Notes: Customers must review their policy for secure use of Akamai services at least annually and update the policy as the environment changes.
12.2 Implement a risk-assessment process that:
- Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
- Identifies critical assets, threats, and vulnerabilities, and
- Results in a formal, documented analysis of risk.
X
Notes: Customers must implement risk-assessment processes for their own use of Akamai services.
12.3 Develop usage policies for critical technologies and define proper use of these technologies. Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage. Ensure these usage policies require the following:
X
Notes: Customers are responsible for developing usage policies for their use of Akamai services, directly or via critical technologies, covering at least the following responsibilities:
12.3.1 Explicit approval by authorized parties
X
Notes: Customers are responsible for acquiring approval of their use of Akamai services by authorized parties.
12.3.2 Authentication for use of the technology
X
Notes: Customers are responsible for maintaining up-to-date authentication information for their accounts.
12.3.3 A list of all such devices and personnel with access
X
Notes: Customers are responsible for maintaining a list of all personnel and devices with access to Akamai services, and the services in use.
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)
X
Notes: Customers are responsible for ensuring that their Luna Control Center and OPEN API accounts are clearly associated with an owner, contact information, and purpose.
12.3.5 Acceptable uses of the technology
X
Notes: Customers are responsible for defining acceptable uses of Akamai technology.
12.3.6 Acceptable network locations for the technologies
X
Notes: Customers are responsible for defining how Akamai services can be used in the context of the customer's network.
12.3.7 List of company-approved products
X
Notes: Customers are responsible for defining a list of approved Akamai services.
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
X
12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
X
Notes: No vendors or partners have access to Akamai PCI systems.
12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
X
Notes: Cardholder data is not stored on Akamai PCI systems.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
X
Notes: Customers must ensure that security policies and procedures clearly define the information security responsibilities for all personnel with access to the Luna Control Center.
12.5 Assign to an individual or team the following information security management responsibilities:
X
Notes: Customers are responsible for assigning to an individual or team the following information security management responsibilities.
12.5.1 Establish, document, and distribute security policies and procedures.
X
Notes: Customers must establish, document, and distribute security policies and procedures for the use of Akamai services.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
X
Notes: Customer is responsible for monitoring and analyzing security alerts and information from Akamai, and distributing that information to appropriate personnel.
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
X
Notes: Customer is responsible for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations.
12.5.4 Administer user accounts, including additions, deletions, and modifications.
X
Notes: Customer is responsible for administering the customer's Luna Control Center accounts, including addition, deletion, and modification.
12.5.5 Monitor and control all access to data.
X
Notes: Customer is responsible for monitoring and controlling all access to the customer's Luna Control Center data.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
X
Notes: Customer is responsible for implementing a formal security awareness program to make all personnel with access to the Luna Control Center aware of the importance of cardholder data security and how their use of Akamai services, particularly configuration options in the Luna Control Center, can impact that security.
12.6.1 Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
X
Notes: Customer is responsible for educating personnel with access to the Luna Control Center upon hire and at least annually.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
X
Notes: Customer must require personnel with access to the Luna Control Center to acknowledge at least annually that they have read and understood the security policy and procedures.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
X
Notes: Customer must screen potential personnel with access to the Luna Control Center prior to hire to minimize the risk of attacks from internal sources.
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
X
Notes: Customers are responsible to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
12.8.1 Maintain a list of service providers.
X
Notes: Customers must maintain a list of service providers, including any which receive cardholder data via the Akamai SCDN.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
X
Notes: Customers must maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
X
Notes: Customers must ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
X
Notes: Customers must maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
X
Notes: Customers must maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
X
Notes: Akamai acknowledges in writing to customers that Akamai is responsible for the security of cardholder data Akamai transmits on behalf of the customer, as long as the customer meets the customer responsibilities described in this matrix.
12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
X
Notes: Customers must implement an incident response plan and be prepared to respond immediately to a system breach which may relate to the customer's use of Akamai services.
12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands.
X
Notes: Customers are required to have an incident response plan addressing the complete 12.10.1 requirements for the event of a system breach.
12.10.2 Test the plan at least annually.
X
Notes: Customers are required to test their incident response plans, including their response to an incident related to their use of Akamai services, annually.
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
X
Notes: Customer must designate specific personnel to be available on a 24/7 basis in response to incidents related to the customer's use of Akamai PCI services, and maintain up-to-date contact information for at least those personnel on the Luna Control Center.
12.10.4 Provide appropriate training to staff with security breach response responsibilities.
X
Notes: Customer must provide appropriate training to staff with security breach response responsibilities.
12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
X
12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
X
Notes: Customer must have a process to modify and evolve their incident response plan for incidents involving Akamai services according to lessons learned and industry developments.
A.1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4:
A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS.
Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
X
Notes: Akamai is not a hosting provider.
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment.
X
Notes: Akamai is not a hosting provider.
A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only.
X
Notes: Akamai is not a hosting provider.
A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10.
X
Notes: Akamai is not a hosting provider.
A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
X
Notes: Akamai is not a hosting provider.
As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.
Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.
©2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.