PCI 3DS payment card industry 3-d secure 英文版

Payment Card Industry 3-D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server Version 1.0 October 2017 Document Changes Date Version October 2017 1.0 Description Initial version PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 © 2017 PCI Security Standards Council, LLC. All Rights Reserved. October 2017 Page 2 Table of Contents Document Changes ..................................................................................................................................................................................................... 2 Introduction .................................................................................................................................................................................................................. 5 Terminology ................................................................................................................................................................................................................ 7 Roles and Responsibilities ......................................................................................................................................................................................... 8 Scope of PCI 3DS Core Security Standard .............................................................................................................................................................. 10 3DS Data .................................................................................................................................................................................................................. 10 Relationship between PCI 3DS Core Security Standard and PCI DSS ................................................................................................................... 10 Use of Third-Party Service Providers / Outsourcing .............................................................................................................................................. 11 3DS Security Requirements and Assessment Procedures ................................................................................................................................... 12 Risk-Management Approach to Requirements ........................................................................................................................................................ 12 Validating Requirements .......................................................................................................................................................................................... 12 Compensating Controls ............................................................................................................................................................................................ 13 3DS Assessment Process ........................................................................................................................................................................................ 13 Part 1: 3DS Baseline Security Requirements .......................................................................................................................................................... 14 Requirement P1-1. Maintain security policies for all personnel ............................................................................................................................... 14 Requirement P1-2. Secure network connectivity ..................................................................................................................................................... 17 Requirement P1-3. Develop and maintain secure systems ..................................................................................................................................... 19 Requirement P1-4. Vulnerability management......................................................................................................................................................... 23 Requirement P1-5. Manage access ......................................................................................................................................................................... 26 Requirement P1-6. Physical Security .............................................................................