Genesys Cloud PCI DSS responsibility matrix

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

The Genesys Cloud platform has achieved PCI DSS version 3.2 compliance as a Level 1 Service Provider. Genesys Cloud is a complete cloud solution with security built in, industry-leading reliability, and unlimited scalability, to connect customers and employees in new, more efficient ways. Genesys Cloud's compliance documentation can be provided to customers under a non-disclosure agreement.

Genesys Cloud does not store cardholder data. The customer is responsible for using Genesys Cloud in a PCI compliant configuration to ensure that cardholder data is not stored in Genesys Cloud.

A responsibility matrix is a useful way to see how much PCI compliance is simplified by placing your environment in a PCI DSS certified cloud. It describes the actions merchants must undertake to maintain their own PCI compliance and, for each requirement, whether responsibility lies with Genesys Cloud, with the customer, or is shared between the two. The responsibility matrix below applies to customers using the native Genesys Cloud platform; PCI DSS requirements that apply only to a given Genesys Cloud feature are noted in the matrix. For example, in the expandable matrix below, section 5 addresses responsibility for protecting all systems against malware and regularly updating anti-virus software or programs. As shown by section 5.1, Genesys Cloud deploys and regularly updates anti-virus software on Genesys Cloud controlled systems; customers still have a responsibility to deploy anti-virus software on the systems they control.

Genesys Cloud's compliance does not mean customer environments are automatically compliant. Customers must perform vulnerability scans and penetration testing against the components they are responsible for, should check with their service providers, and should maintain awareness of their PCI DSS responsibilities. It is important that both you and your service providers understand what their responsibilities are.

The requirement text referenced by the matrix is summarised below, using the numbering of PCI DSS 3.2.

2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
- 2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data.

3: Protect stored cardholder data.
- Data retention and disposal policies include: specific retention requirements for cardholder data; limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements; a process for identifying and securely deleting stored cardholder data that exceeds defined retention; secure deletion of data when no longer needed.
- PAN is rendered unreadable anywhere it is stored by one of: one-way hashes based on strong cryptography (the hash must be of the entire PAN); truncation (hashing cannot be used to replace the truncated segment of PAN); index tokens and pads (pads must be securely stored); strong cryptography with associated key-management processes and procedures.
- Service providers maintain a documented description of the cryptographic architecture, including details of all algorithms, protocols, and keys used for the protection of cardholder data (including key strength and expiry date), a description of the key usage for each key, and an inventory of any HSMs and other SCDs used for key management.
- Data-encrypting keys are stored at all times in one or more of the following forms: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key; within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device); as at least two full-length key components or key shares, in accordance with an industry-accepted method.

4: Encrypt transmission of cardholder data across open, public networks.
- Only trusted keys and certificates are accepted; the protocol in use only supports secure versions or configurations; the encryption strength is appropriate for the encryption methodology in use.

5: Protect all systems against malware and regularly update anti-virus software or programs.
- 5.1 Genesys Cloud deploys and updates anti-virus software on Genesys Cloud controlled systems. Customers remain responsible for anti-virus software on systems that they, rather than Genesys Cloud, control.

6: Develop and maintain secure systems and applications.
- Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
- Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. Code reviews ensure code is developed according to secure coding guidelines; appropriate corrections are implemented prior to release; and code-review results are reviewed and approved by management prior to release.
- 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing the applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; or installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of the applications.
- 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

7: Restrict access to system components and cardholder data to those individuals whose job requires such access (need to know).
- Define access needs for each role, including the system components and data resources that each role needs to access for their job function, and the level of privilege required (for example, user, administrator, etc.) for accessing resources.

8: Identify and authenticate access to system components.
- Authentication uses at least one of: something you know, such as a password or passphrase; something you have, such as a token device or smart card; something you are, such as a biometric.
- Passwords/passphrases require a minimum length of at least seven characters and contain both numeric and alphabetic characters.
- Authentication policies and procedures communicated to all users include: guidance on selecting strong authentication credentials; guidance for how users should protect their authentication credentials; instructions not to reuse previously used passwords; instructions to change passwords if there is any suspicion the password could be compromised.
- Generic user IDs are disabled or removed; shared user IDs do not exist for system administration and other critical functions; shared and generic user IDs are not used to administer any system components.
- Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: authentication mechanisms must be assigned to an individual account and not shared among multiple accounts; physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
- 8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: all user access to, user queries of, and user actions on databases are through programmatic methods; only database administrators have the ability to directly access or query databases; application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

9: Restrict physical access to cardholder data.
- Procedures cover identifying onsite personnel and visitors (for example, assigning badges), changes to access requirements, and revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
- 9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. The log records the visitor's name, the firm represented, and the onsite personnel authorizing physical access, and is retained for a minimum of three months unless otherwise restricted by law.
- The inventory of point-of-interaction devices records the make and model of each device, where it is located (for example, the address of the site or facility), and the device serial number or other method of unique identification.
- 9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices, including: verifying the identity of any third-party persons claiming to be repair or maintenance personnel before granting them access to modify or troubleshoot devices; not installing, replacing, or returning devices without verification; being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices); and reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

10: Track and monitor all access to network resources and cardholder data.
- Service providers respond to failures of critical security controls in a timely manner, with processes that include: restoring security functions; identifying and documenting the duration (date and time start to end) of the security failure; identifying and documenting the cause(s) of failure, including root cause, and documenting the remediation required to address the root cause; identifying and addressing any security issues that arose during the failure; performing a risk assessment to determine whether further actions are required as a result of the security failure; implementing controls to prevent the cause of failure from reoccurring; and resuming monitoring of security controls.

11: Regularly test security systems and processes.
- The penetration testing methodology is based on industry-accepted penetration testing approaches (for example, NIST SP800-115); includes coverage for the entire CDE perimeter and critical systems; includes testing from both inside and outside the network; includes testing to validate any segmentation and scope-reduction controls; defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5; defines network-layer penetration tests to include components that support network functions as well as operating systems; includes review and consideration of threats and vulnerabilities experienced in the last 12 months; and specifies retention of penetration testing results and remediation activities results.
- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network, and keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

12: Maintain a policy that addresses information security for all personnel.
- Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
- The incident response plan includes business recovery and continuity procedures.
- Service providers' executive management establishes responsibility for the protection of cardholder data and a PCI DSS compliance program, including a charter communicated to executive management; reviews at least quarterly confirm that personnel are following security policies and operational procedures, with results signed off by personnel assigned responsibility for the PCI DSS compliance program.

Other providers publish comparable material. An Azure workbook explains how that solution can be used to achieve a compliant state in each of the 262 PCI DSS 3.2 controls and how responsibility is shared between Azure, the customer and any third-party service provider. AWS customers and service providers can use AWS to establish their own PCI-compliant environments. Salesforce publishes a PCI Responsibility Matrix for Salesforce Services. Appendix D: PCI DSS Implementation Considerations suggests a starting set of questions that may ...
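The Requirement 3 note above, that hashing cannot be used to replace the truncated segment of a PAN, is easy to read as a formality. The following Python is an added example (not from the Genesys Cloud page or from PCI SSC material) that shows the practical reason: a truncated PAN (first six and last four digits, the maximum PCI DSS 3.2 lets you display) and an unkeyed hash of the full PAN, kept in the same environment, let anyone who sees both recover the PAN in at most 100,000 Luhn-valid guesses. The mitigation shown, an HMAC over the entire PAN under a secret key that is stored separately from the hashed data in the manner of the key-management items above, is this example's own choice rather than something the page prescribes, and the sample PAN is a constructed Luhn-valid test number, not a real card.

```python
"""Added example (not from the page): correlating a truncated PAN with an
unkeyed hash of the full PAN recovers the PAN; a keyed hash (HMAC) does not."""
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample input: a Luhn-valid test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"

# Luhn contribution of a digit in a "doubled" position (2*d, minus 9 if > 9).
LUHN_DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += LUHN_DOUBLED[d] if i % 2 == 1 else d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS 3.2 display limit), mask the rest."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """A bare SHA-256 of the PAN: strong cryptography in name only, as recover_pan shows."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN; the key must be stored apart from the hashed data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def complete_luhn(partial: str, idx: int) -> str:
    """Replace the placeholder at `idx` with the one digit that makes the Luhn sum 0 mod 10."""
    n = len(partial)
    total = 0
    for i, ch in enumerate(partial):
        if i == idx:
            continue
        doubled = (n - 1 - i) % 2 == 1
        total += LUHN_DOUBLED[int(ch)] if doubled else int(ch)
    need = (10 - total % 10) % 10
    doubled = (n - 1 - idx) % 2 == 1
    digit = LUHN_DOUBLED.index(need) if doubled else need
    return partial[:idx] + str(digit) + partial[idx + 1:]


def recover_pan(truncated: str, digest: str, key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: a truncated PAN plus a hash of the full PAN.

    Enumerates all hidden digits but one, lets Luhn fix the last one, and hashes each
    candidate: 10**(hidden-1) guesses, i.e. 100,000 for a 16-digit PAN. Without `key`
    the attacker assumes an unkeyed hash, so a keyed digest never matches.
    """
    hidden = truncated.count("X")
    prefix, suffix = truncated[:6], truncated[-4:]
    last_hidden = 6 + hidden - 1
    for digits in itertools.product("0123456789", repeat=hidden - 1):
        candidate = complete_luhn(prefix + "".join(digits) + "?" + suffix, last_hidden)
        guess = keyed_hash(candidate, key) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


if __name__ == "__main__":
    truncated = truncate_pan(SAMPLE_PAN)
    print("stored truncated PAN:", truncated)
    print("recovered from unkeyed hash:", recover_pan(truncated, unkeyed_hash(SAMPLE_PAN)))
    secret = b"\x00" * 32  # placeholder; a real key comes from an HSM or a separate key store
    print("recovered from keyed hash:", recover_pan(truncated, keyed_hash(SAMPLE_PAN, secret)))
```

The search space is small because the issuer prefix and the last four digits are known from the truncated value and the Luhn check digit removes a further factor of ten; salting with a per-record value stored next to the hash does not help, since the salt is visible to the same reader. Only a secret that the reader does not have, here the HMAC key, keeps the hash from being a lookup table for the truncated record.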