
Akamai Technologies Inc.

Attestation of Compliance PCI DSS 3.1 June 2016


Introduction

The attached document is Akamai’s Attestation of Compliance with the Payment Card Industry (PCI) Data Security Standard version 3.1. This document serves as a declaration of our compliance status, and evidence that Akamai, as a third party service provider, has the ability to protect sensitive data including but not limited to cardholder data. It also demonstrates our commitment to our customers who rely on Akamai’s Secure Content Delivery Network (Secure CDN)¹ for their business and their own compliance initiatives.

Akamai’s global Intelligent Platform supports a variety of solutions for our customers in different industries. Only solutions that operate on the Secure CDN are included within the scope of our PCI assessment and may be associated with our customers’ cardholder data environments. While the Attestation of Compliance states that only “Internet based HTTPS content delivery” is included in Akamai’s assessment, other solutions may be configured to operate on the Secure CDN. Please consult your account team to discuss whether specific products and services may be implemented in your environment in a way that is compatible with the PCI DSS standard.

Additional Notes

• The cover page of the Attestation of Compliance is dated “April 2015.” This is the effective date of the PCI DSS version 3.1 standard. The effective date of Akamai’s Attestation of Compliance itself is June 29, 2016, the date it was countersigned by Akamai’s Chief Security Officer.

• In addition to the Attestation of Compliance, we have also published, at http://akamai.com/infosec, a Responsibility Matrix, which spells out the PCI DSS requirements in detail, and indicates whether Akamai or its customers are to be responsible for satisfying each requirement in order to be compliant. The Responsibility Matrix was reviewed by our PCI DSS assessors in this form, and Akamai is unable to make any modifications.

• Our customers’ account and professional service teams can offer general guidance as to how our solutions may be configured for compliance, but the ultimate determination of whether a solution is compliant with PCI DSS will be made by our customers and their qualified security assessors.

¹ The Secure CDN is sometimes also referred to as “EdgeSuite SSL,” “ESSL,” and the “SCDN.”

DocuSign Envelope ID: 64BBA3A3-43EB-4577-87AF-E4E5A4AF31DF

Payment Card Industry (PCI) Data Security Standard

Attestation of Compliance for Onsite Assessments - Service Providers

Version 3.1

April 2015

Section 1: Assessment Information

Instructions for Submission

This Attestation of Compliance must be completed as a declaration of the results of the service provider's assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.

Part 1. Service Provider and Qualified Security Assessor Information

Part 1a. Service Provider Organization Information

Company Name: Akamai
DBA (doing business as): None
Contact Name: Jo Guthrie
Title: Compliance Manager
ISA Name(s) (if applicable): (blank)
Telephone: (blank)
E-mail: (blank)
Business Address: 150 Broadway
City: Cambridge
State/Province: MA
Country: USA
Zip: 02142
URL: www.akamai.com

Part 1b. Qualified Security Assessor Company Information (if applicable)

Company Name: Cisco Systems, Inc.
Lead QSA Contact Name: Patrick Harbauer
Title: Security Team Lead
Telephone: (blank)
E-mail: (blank)
Business Address: 170 West Tasman Dr.
City: San Jose
State/Province: CA
Country: USA
Zip: 95134
URL: www.cisco.com

PCI DSS Attestation of Compliance for Onsite Assessments - Service Providers, v3.1 © 2006-2015 PCI Security Standards Council, LLC. All Rights Reserved.

Part 2. Executive Summary

Part 2a. Scope Verification

Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) assessed: Secure Content Delivery Network (SCDN)

Type of service(s) assessed:

Hosting Provider (none checked): Applications / software; Hardware; Infrastructure / Network; Physical space (co-location); Storage; Web; Security services; 3-D Secure Hosting Provider; Shared Hosting Provider; Other Hosting (specify)

Managed Services (none checked): Systems security services; IT support; Physical security; Terminal Management System; Other services (specify)

Payment Processing (none checked): POS / card present; Internet / e-commerce; MOTO / Call Center; ATM; Other processing (specify)

Other categories (none checked): Account Management; Back-Office Services; Billing Management; Clearing and Settlement; Network Provider; Fraud and Chargeback; Issuer Processing; Loyalty Programs; Merchant Services; Payment Gateway/Switch; Prepaid Services; Records Management; Tax/Government Payments

[X] Others (specify): Internet based HTTPS content delivery.

Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity's service description. If you feel these categories don't apply to your service, complete "Others."

If you're unsure whether a category could apply to your service, consult with the applicable payment brand.

Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) not assessed: Other internet and intranet services, including select Web Performance Solutions, Media Delivery Solutions, Cloud Security Solutions, Cloud Networking Solutions, and Network Operator Solutions, which, to the extent these solutions are configured to operate on the Secure Content Delivery Network, may be further configured by customers to be in scope for customers' own PCI assessments. Akamai's Prolexic solutions are out of scope for Akamai's PCI assessment as they do not have access to cardholder data, and therefore may be used by Akamai's customers without impact to PCI assessments.

Type of service(s) not assessed:

Hosting Provider (none checked): Applications / software; Hardware; Infrastructure / Network; Physical space (co-location); Storage; Web; Security services; 3-D Secure Hosting Provider; Shared Hosting Provider; Other Hosting (specify)

Managed Services (none checked): Systems security services; IT support; Physical security; Terminal Management System; Other services (specify)

Payment Processing (none checked): POS / card present; Internet / e-commerce; MOTO / Call Center; ATM; Other processing (specify)

Other categories (none checked): Account Management; Back-Office Services; Billing Management; Clearing and Settlement; Network Provider; Fraud and Chargeback; Issuer Processing; Loyalty Programs; Merchant Services; Payment Gateway/Switch; Prepaid Services; Records Management; Tax/Government Payments

[X] Others (specify): Web solutions providing optimized, personalized online customer experience, delivery of video content, protection against online threats, in-branch application acceleration and network traffic optimization.


Provide a brief explanation why any checked services were not included in the assessment:

We instruct our customers that only products running on the Secure Content Delivery Network are in-scope for PCI and that no other systems are intended or should be used for the transmission, processing, or storage of cardholder data. Nevertheless, as described above, Akamai's products and services running on the Secure Content Delivery Network may be configured to be used by customers in their cardholder data environment, and may be included in the scope of customers' PCI assessments.

Certain additional Akamai services, such as its Prolexic DDoS Mitigation services and SureRoute IP content delivery service, have no access to customers' cardholder data. Customers may contact their account teams to discuss the use of these services and configuration options that may be consistent with the customers' PCI assessments.

Part 2b. Description of Payment Card Business

Describe how and in what capacity your business stores, processes, and/or transmits cardholder data.
Akamai only proxies and re-transmits cardholder data. It never processes cardholder data or stores cardholder data on durable media.

Describe how and in what capacity your business is otherwise involved in or has the ability to impact the security of cardholder data.
None

Part 2c. Locations

List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.

Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA
Headquarters | 1 | Cambridge, MA USA
Data Center | 2 | Cambridge, MA USA; Somerville, MA USA

Part 2d. Payment Applications

Does the organization use one or more Payment Applications? [ ] Yes [X] No

Provide the following information regarding the Payment Applications your organization uses:

Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
(no payment applications listed) | | | [ ] Yes [ ] No |

Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment. For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Akamai only proxies and re-transmits cardholder data. It never processes cardholder data or stores cardholder data on durable media. The Akamai Secure Content Delivery Network (SCDN) is the only in-scope system that transmits cardholder data. The SCDN, comprised of the EdgeSuite SSL (ESSL) distributed computer system, allows Akamai's customers to extend and accelerate their online business infrastructure. An Akamai customer will use the SCDN to transmit cardholder data within individual transactions between the end user and the Akamai customer.

Does your business use network segmentation to affect the scope of your PCI DSS environment? [X] Yes [ ] No
(Refer to the "Network Segmentation" section of PCI DSS for guidance on network segmentation.)

Part 2f. Third-Party Service Providers

Does your company have a relationship with one or more third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated? [ ] Yes [X] No

If Yes:

Type of service provider | Description of services provided
(none listed) |

Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Summary of Requirements Tested

For each PCI DSS Requirement, select one of the following:

• Full - The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as "Not Tested" or "Not Applicable" in the ROC.

• Partial - One or more sub-requirements of that requirement were marked as "Not Tested" or "Not Applicable" in the ROC.

• None - All sub-requirements of that requirement were marked as "Not Tested" and/or "Not Applicable" in the ROC.

For all requirements identified as either "Partial" or "None," provide details in the "Justification for Approach" column, including:

• Details of specific sub-requirements that were marked as either "Not Tested" and/or "Not Applicable" in the ROC

• Reason why sub-requirement(s) were not tested or not applicable

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.

Name of Service Assessed: Secure Content Delivery Network (SCDN)

Details of Requirements Assessed

For each requirement the status marked on the form (Full / Partial / None) is given, followed by the Justification for Approach (required for all "Partial" and "None" responses; identifies which sub-requirements were not tested and the reason).

Requirement 1: Full

Requirement 2: Partial
2.1.1 - Not applicable to the deployed network. Systems are publicly accessible servers that do not store cardholder data. Akamai does not employ wireless networking on these networks. Not applicable for non-deployed networks. All wireless networks are firewalled off from the non-deployed networks and components.
2.2.3 - N/A: No enabled insecure services, daemons, or protocols were identified when reviewing systems with network administrators.

Requirement 3: Full
3.4 - N/A: Cardholder data is not stored on durable media on the SCDN or the SCI. To ensure this, the Personally Identifiable Information and Sensitive Information Caching and Storage Policy states that Personally Identifiable Information (PII) such as cardholder data should never be cached, should never be written to unencrypted persistent storage, should never be written to log files, and should always be transmitted over encrypted channels.
3.4.1 - N/A: Disk encryption is not in use.
3.5, 3.5.1-3.5.3, 3.6.1-3.6.8, 3.7 - N/A: Cardholder data was confirmed not to be stored on durable media on any Akamai systems; therefore there are no encryption keys in use.

Requirement 4: Partial
4.1 - N/A: SCDN supports strong cryptography and security protocols to safeguard sensitive cardholder data during transmission. It is the responsibility of Akamai customers to use only trusted keys and certificates, and to use secure configurations and strength appropriate for the encryption methodology in use.
4.1.1 - N/A: Akamai has no wireless networks transmitting cardholder data or connected to the cardholder data environment.
4.2 - N/A: No end-user messaging technologies are used to send cardholder data.
4.3 - N/A: SCDN supports strong cryptography and security protocols to safeguard sensitive cardholder data during transmission. It is the responsibility of Akamai customers to use only trusted keys and certificates, and to use secure configurations and strength appropriate for the encryption methodology in use.

Requirement 5: Full

Requirement 6: Partial
6.3.1 - N/A: Not applicable to the SCDN or the SCI. Cardholder data is not stored on durable media on the SCDN or the SCI, and there are no payment card applications with customer accounts, user IDs, or passwords within these systems.
6.4.3 - N/A: Cardholder data is not stored on durable media on the SCDN or the SCI. Neither primary account numbers nor any other cardholder data is used for testing or development. LUNA does not process credit card information. Web BU (Cloudlets, FEO and RUM) does not process or store cardholder data.
6.4.4 - N/A: Test data is never moved from the test networks back into production or source control. Cardholder data is never processed or stored on durable media by any Akamai software or application.
6.5.7 - 6.5.10, 6.6 - N/A: Akamai has no web applications that accept cardholder data.

Requirement 7: Full

Requirement 8: Partial
8.7 - N/A: Akamai has no databases in place that store cardholder data.

Requirement 9: Partial
9.4 - N/A: Akamai does not store or maintain cardholder data.
9.4.3, 9.4.4 - N/A: Akamai houses in-scope systems in co-location facilities. Each co-location facility may have its own processes and procedures for granting visitor access. Therefore, Akamai has adopted a model using secured cabinets so that even if an unauthorized user gains physical access to a co-location facility, they would still have no access to the Akamai in-scope systems.
9.5, 9.5.1, 9.6, 9.6.1, 9.6.2, 9.6.3, 9.7, 9.7.1 - N/A: Not applicable to the SCDN or SCI. Akamai does not store cardholder data on any media.
9.8, 9.8.1 - N/A: Not applicable to the SCDN or SCI. Akamai does not store cardholder data on any media. In addition, all production servers on the SCDN that could have transmitted cardholder data are destroyed according to the Akamai Sensitive Data Destruction procedure when they are deconstructed.
9.8.2 - Not applicable to the SCDN or SCI. Akamai does not store cardholder data on any media. In addition, all production servers on the SCDN that transmit cardholder data are destroyed according to the Akamai Sensitive Data Destruction procedure when they are deconstructed.
9.9, 9.9.1, 9.9.2, 9.9.3 - N/A: Akamai does not have any devices that capture payment card data.

Requirement 10: Partial
10.2.1 - N/A: Akamai in-scope systems do not store or process cardholder data.

Requirement 11: Full

Requirement 12: Partial
12.3.9 - N/A: Not applicable to the SCDN or the SCI. Only Akamai personnel are granted remote access privileges.
12.3.10 - N/A: Not applicable to the SCDN or the SCI. Cardholder data is not stored on durable media on these networks.
12.8, 12.8.1 - 12.8.5 - N/A: Akamai does not share cardholder data with any third parties.

Appendix A: Partial
Akamai is not a shared hosting provider.

Section 2: Report on Compliance

This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC).

The assessment documented in this attestation and in the ROC was completed on: 6/28/2016

Have compensating controls been used to meet any requirement in the ROC? [X] Yes [ ] No

Were any requirements in the ROC identified as being not applicable (N/A)? [X] Yes [ ] No

Were any requirements not tested? [ ] Yes [X] No

Were any requirements in the ROC unable to be met due to a legal constraint? [ ] Yes [X] No

Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

Based on the results noted in the ROC dated 6/28/2016, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of 6/28/2016: (check one):

[X] Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby Akamai has demonstrated full compliance with the PCI DSS.

[ ] Non-Compliant: Not all sections of the PCI DSS ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI DSS.

Target Date for Compliance: (blank)

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.

[ ] Compliant but with Legal exception: One or more requirements are marked "Not in Place" due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.

If checked, complete the following:

Affected Requirement | Details of how legal constraint prevents requirement being met
(none) |

Part 3a. Acknowledgement of Status

Signatory(s) confirms:

(Check all that apply)

[X] The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version 3.1, and was completed according to the instructions therein.

[X] All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects.

[ ] I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

[X] I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.

[X] If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.

Part 3a. Acknowledgement of Status (continued)

[X] No evidence of full track data¹, CAV2, CVC2, CID, or CVV2 data², or PIN data³ storage after transaction authorization was found on ANY system reviewed during this assessment.

[X] ASV scans are being completed by the PCI SSC Approved Scanning Vendor Cisco Systems, Inc.

Signature of Service Provider Executive Officer: (signed)

Service Provider Executive Officer Name: Andy Ellis
Title: CSO

Part 3c. QSA Acknowledgement (if applicable)

If a QSA was involved or assisted with this assessment, describe the role performed:

QSA assessed all PCI DSS requirements.

Signature of Duly Authorized Officer of QSA Company: (signed)
Date: 6/29/2016

Duly Authorized Officer Name: Patrick J. Harbauer
QSA Company: Cisco Systems, Inc.

Part 3d. ISA Acknowledgement (if applicable)

If an ISA was involved or assisted with this assessment, describe the role performed: (blank)

Signature of ISA: (blank)
ISA Name: (blank)
Date: (blank)
Title: (blank)

¹ Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary account number (PAN), expiration date, and cardholder name.

² The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present transactions.

³ Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.

Part 4. Action Plan for Non-Compliant Requirements

Select the appropriate response for "Compliant to PCI DSS Requirements" for each requirement. If you answer "No" to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.

Check with the applicable payment brand(s) before completing Part 4.

PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One: YES / NO) | Remediation Date and Actions (If "NO" selected for any Requirement)
1 | Install and maintain a firewall configuration to protect cardholder data | YES |
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | YES |
3 | Protect stored cardholder data | YES |
4 | Encrypt transmission of cardholder data across open, public networks | YES |
5 | Protect all systems against malware and regularly update anti-virus software or programs | YES |
6 | Develop and maintain secure systems and applications | YES |
7 | Restrict access to cardholder data by business need to know | YES |
8 | Identify and authenticate access to system components | YES |
9 | Restrict physical access to cardholder data | YES |
10 | Track and monitor all access to network resources and cardholder data | YES |
11 | Regularly test security systems and processes | YES |
12 | Maintain a policy that addresses information security for all personnel | YES |

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

© 2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.

PCI DSS 3.1 Attestation of Compliance

