PCI DSS Guide Explains Latest Changes and Compliance Strategies

I N F O R M A T I O N

S ECURITY
®

E SS E NTIAL G U I D E TO

PCI DSS
,
We’ll explain the new changes in
Version 1.2 and how the standard will
tackle emerging technologies such as
cloud computing and virtualization.

INSIDE
5 Avoiding Audit Trouble: Getting PCI Compliant
13 PCI DSS 1.2 Answers Questions and Raises Others
17 Wireless Encryption in the Wake of PCI DSS 1.2
21 Is Tokenization the Cure-all for PCI Compliance?
25 PCI, Virtualization and Cloud Computing
30 Compliance Recycling
34 PCI Issues Priority Tool for Compliance

INFOSECURITYMAG.COM

contents ESSENTIAL GUIDE

F E AT U R E S

5 Avoiding Audit Trouble: Getting PCI Compliant
PCI DSS

COMPLIANCE Having trouble with PCI compliance?
You’re not alone. Auditors and audit survivors offer
tips for how to achieve it. BY DIANA KELLEY

13 PCI DSS 1.2 Answers Questions
and Raises Others
CHANGES The latest version of the standard provides clarity
on wireless and Web application requirements. BY DIANA KELLEY

17 Wireless Encryption in
the Wake of PCI DSS 1.2
FROM WEP TO WAP Merchants using WEP networks must
transition to Wi-Fi Protected Access (WPA) security no
later than June 30, 2010. BY MIKE CHAPPLE

21 Is Tokenization the
Cure-all for PCI Compliance?
EMERGING TECHNOLOGIES The technology attempts to replace
cardholder data with a token instead of a PAN. BY ED MOYLE

25 PCI, Virtualization and Cloud Computing
ENFORCEMENT Compliance guidelines on virtualization will
likely be in a state of flux for some time. BY MICHAEL COBB

30 Compliance Recycling
BEST PRACTICES How to combine compliance efforts
to manage PCI DSS. BY DIANA KELLEY

34 PCI Issues Priority Tool for Compliance
LATEST NEWS The PCI Prioritized Approach framework creates
a series of milestones for companies working
on PCI compliance. BY ROBERT WESTERVELT

39 Advertising Index

1 I N F O R M AT I O N S E C U R I T Y • ESSENTIAL GUIDE • PCI DSS

What’s Everyone
y
Looking at on Your
File Systems?

Varonis Tells You.
Yo

Learn More about
Varonis Solutions
www.varonis.com

EDITOR’S DESK

The regulation
that keeps on giving

p
TABLE OF CONTENTS BY KELLEY DAMORE
PCI DSS HAS BEEN HAILED by many as the clearest regulation/industry standard to
EDITOR’S DESK follow. It’s prescriptive in nature and relatively straightforward. There are 12
requirements that must be adhered to and the requirements are typically associated
with a particular security technology so you know what you have to do to become
GETTING PCI compliant and secure.
COMPLIANT Or do you? Many organizations that were PCI compliant, notably Heartland
Payment Systems, announced massive data breaches this year that call into question
the security controls that PCI requires. Some organization overuse compensating
PCI DSS 1.2 controls or outline the compensating control but never get back to fixing the issues.
The sad truth is it comes down to this: on that particular day when the Qualified
Assessor signed off on the audit, organization X was compliant.
WIRELESS To make matters worse, because this is a standard not a regulation set into law, it
REQUIREMENTS
is far more fluid. Changes can and will occur with the standard. It really isn’t ever
done. For example late last year the PCI Council weighed in on securing wireless
communications and Web applications. These are new additions to the standard
TOKENIZATION
that companies must adhere to even if they met all the other requirements previ-
ously. And if the organization is a large merchant they need to be assessed by an
outside QSA every year. Smaller companies need to do self-assessments.
PCI AND
VIRTUALIZATION But it is not all doom and gloom. On the bright side the PCI Council is a living
and breathing entity, and they request feedback on the standard and areas of ambi-
guity. For instance they are pulling together experts and a working group to talk
INTEGRATING PCI about how to secure some of the emerging technologies in the market including
INTO COMPLIANCE virtualization and cloud computing. Their executives answer questions and listen
PROGRAMS
to feedback. And because of the fines associated with PCI, this standard is taken
seriously and can be a strong argument for budget in difficult and tight times.
A NEW PRIORITY
In this Essential Guide to PCI, we aim to outline what you need to know right
TOOL FOR PCI now. We drill down into the new requirements with PCI DSS 1.2, offer suggestions
on how to pass an audit and what to consider when it comes to PCI and securing
virtualized machines and cloud services.
SPONSOR We hope this Essential Guide to PCI is prescriptive and straightforward and we
RESOURCES
promise we won’t be changing it or issuing any fines.w

Kelley Damore is the Editorial Director of Information Security and TechTarget’s Security
Media Group. Send your comments on this column to feedback@infosecuritymag.com.


Three Platforms.
One Provider.
Complete Privileged Access Control.

Introducing the new BeyondTrust.
A security strategy is only effective if it grows with your company. As enterprises deploy more Linux®,
UNIX®, and Windows® in heterogeneous IT environments, managing sensitive data in these multi-platform
infrastructures can be difficult, complex, and costly.

Meet the new BeyondTrust, a leading provider of Privileged Access Lifecycle Management solutions for
heterogeneous environments. Our leading products protect sensitive and confidential data through an
effective combination of privilege delegation, strict user access control, privileged password management,
and secure audit trails. With solutions that prevent data breaches and achieve regulatory compliance,
hundreds of Forbes 2000 companies rely on us to maximize their security while reducing complexity
and administrative costs.

Try it free for 30 days at www.beyondtrust.com/pci

When it comes to managing risk, we have the key.
Copyright© 2009 BeyondTrust Software International, Inc. All rights reserved. BeyondTrust is a trademark
of BeyondTrust Software International, Inc. UNIX is a registered trademark of The Open Group.
Linux is a registered trademark of Linus Torvalds. Windows is a registered trademark of Microsoft Corporation.
All trademarks are registered in the United States and/or other countries.
1-800-234-9072

COMPLIANCE

TABLE OF CONTENTS

Having trouble with
EDITOR’S DESK
PCI compliance?
You’re not alone.
GETTING PCI
COMPLIANT Auditors and audit
survivors offer tips
PCI DSS 1.2
for how to achieve it.
WIRELESS
REQUIREMENTS
AVOIDING AUDIT TROUBLE:
Getting PCI
TOKENIZATION

PCI AND
VIRTUALIZATION

INTEGRATING PCI
INTO COMPLIANCE
PROGRAMS Compliant BY D IANA KE LLEY

A NEW PRIORITY
TOOL FOR PCI BY ALL ACCOUNTS, compliance with the Payment Card Industry Data Security Standard
(PCI DSS) is on the upswing. And media reports indicate the standard is gaining ground
in the European Union, where many countries—the U.K. in particular—are stepping up
SPONSOR compliance efforts.
RESOURCES Yet successful PCI Report on Compliance (RoC) completion remains a confusing
venture and elusive to many. Some of the confusion stems from the convoluted path of
accountability. Although the PCI DSS is often touted as a one-stop standard, each of the
five major card brands continues to maintain separate compliance programs. Some
brands have announced heavy noncompliance fees in the form of penalties and higher
transactions rates, but it is the acquiring banks that decide when and how to pass on these


fees to their retail and merchant customers. And despite the prescriptive nature of
PCI, the standard changes when updates are issued, and Qualified Security Assessors
(QSAs) have room to interpret the standard. It’s not uncommon for a QSA’s inter-
pretation of the standard to differ from that of the company under review.
Still, while PCI DSS compliance may not always be easy, it’s definitely achievable.

KNOW WHO’S WHO
TABLE OF CONTENTS
The first step to tackling PCI DSS compliance is to understand who’s who in the
PCI accountability chain; an organization may be surprised to learn who actually
does what. The five card brands that constitute the payment card industry are
EDITOR’S DESK American Express, Discover Financial Services, JCB International, MasterCard
Worldwide and Visa. Each brand had its compliance program before PCI DSS, and
each continues to maintain those programs and exert final decision control over
GETTING PCI compliance. However, all of the PCI brands have agreed to use the PCI DSS as a
COMPLIANT
baseline for compliance evaluation to simplify the process for members.
In December 2004, the card brands issued the first version (1.0) of the Data
Security Standard. The standard is not intended to replace the individual brand
PCI DSS 1.2
compliance programs; rather, it is meant to be a single set of guidelines for entities
that store, process or transact credit card data. The assumption is that if an organi-
zation receives a successful PCI DSS RoC, it’s compliant with any of the card brand
WIRELESS programs.
REQUIREMENTS

TOKENIZATION PA DSS

PCI AND
App Lockdown
VIRTUALIZATION NEW STANDARD FOCUSES ON COMMERCIAL PAYMENT APPLICATIONS.

RELEASED IN APRIL 2008, the first version of the Payment Application Data Security Standard outlines
requirements that payment applications, such as point-of-sale systems, must adhere to. For those familiar
INTEGRATING PCI
INTO COMPLIANCE with Visa’s Payment Application Best Practices (PABP) program, which provides guidance on how to create
PROGRAMS payment applications that protect cardholder data in accordance with the PCI DSS, there won’t be many
surprises in the PA DSS.
The majority of changes were renumbering and wording clarifications. However, some notable
A NEW PRIORITY enhancements have been added such as listing code-analysis tools as an alternative option for testing.
TOOL FOR PCI Compliance to the PA DSS applies to COTS payment applications that are sold to more than one cus-
tomer and don’t receive significant customization. At this point, the payment card brands still hold final
determination on whether the PA DSS is mandatory for all payment applications. However, Visa has
SPONSOR announced a phased PA DSS compliance program that will require its merchants and processors to use
RESOURCES
only PABP-compliant applications.
Single customer payment applications and applications developed in-house aren’t subject to the PA DSS,
though they must meet the PCI DSS. The wealth of information in the PA DSS can help any team develop
more secure payment applications, even if those applications aren’t required to be PA DSS compliant.w
—DIANA KELLEY


ACCO U NTABI LITY

Chain Reaction
Here’s a guide for understanding who’s who in the PCI chain
of accountability. You may be surprised to learn who actually
does what. So that there would be
one central point of contact
WHO for PCI DSS matters, the five
WHAT WHY
brands formed the PCI Secu-
Card brands American Express, Individual compliance rity Standards Council (PCI
Discover, JCB, programs; service level SSC) in September 2006. The
MasterCard, Visa agreements with council is led by a five-member
TABLE OF CONTENTS banks, retail- executive committee (one from
ers/merchants and
each brand) and owns the offi-
processors; brand rep-
utation cial document repository for all
EDITOR’S DESK PCI Security Independent organiza- things PCI DSS. This includes
Standards Council tion led by the card Maintain the PCI DSS, the standard, as well as collateral
brands with participa- PCI PED (PIN Entry such as the self-assessment
tion from member Device), PA DSS and questionnaire, audit proce-
GETTING PCI
COMPLIANT organizations and associated content;
dures, and since April, the
advisers oversight and gover-
nance of QSA and Payment Application Data
ASV training and Security Standard (PA DSS)
PCI DSS 1.2 approval process (see “App Lockdown,” p. 6).
Issuing banks Banks that issue credit The council also maintains
cards to consumers Issuing consumer governance over training and
credit cards
WIRELESS approval for QSAs and Approved
REQUIREMENTS Acquiring banks Banks that enable
merchants, retailers Governance to ensure Scanning Vendors (ASVs).
and processors to members are PCI Something many retailers
accept and process compliant; fees and find confusing is that the
TOKENIZATION credit card payments penalties for failure council is not responsible for
to comply compliance or decisions relating
Merchants/retailers Entities that store, to compliance. The council has
and processors process or transact Complying with the
PCI AND
credit card data PCI DSS; validating no control over fees or penalties
VIRTUALIZATION
compliance if Level 1 issued to retailers or processors,
Qualified Security Auditors that are nor does it have any involve-
Assessors approved to issue RoCs On-site assessment ment in the service-level agree-
INTEGRATING PCI of compliance to PCI ments between the card
INTO COMPLIANCE DSS; interpretation
PROGRAMS brands, the banks and their
of PCI DSS
Approved Scanning Vendors that have been members. That’s why David
Vendors approved to perform External scans; Hogan, CIO of the National
A NEW PRIORITY PCI DSS compliance issuing reports Retail Federation, was shooting
TOOL FOR PCI scanning on scan findings at the wrong target when he
asked the council for changes
in primary account number
SPONSOR (PAN) storage requirements.
RESOURCES
The PCI DSS is the standard on how to protect PANs if they’re stored, but doesn’t address
whether they need to be stored in the first place. That’s between the retailers/merchants,
acquiring banks and card brands.
Organizations that need to validate PCI DSS compliance, such as Level 1 merchants with
more than 6 million Visa or MasterCard transactions annually, work with QSAs for validation.
Prescriptive though the PCI DSS is, there’s still room for disagreement on specific controls and


their implementation. For example, one end user reports that for requirement 3.4
(render the PAN unreadable), his QSA refused to validate solutions that were not
FIPS 140-2 certified. Though this federal certification provides a much higher value
of assurance from a data protection standpoint, it is not specifically required for
compliance by the PCI DSS Security Audit Procedures.
In cases like this, it may seem that the council is a good place to turn for
answers, but it’s not. The council has QSA feedback forms that companies are
TABLE OF CONTENTS encouraged to fill out after audits, but these are used to determine if the QSA is
performing audits properly. Finding a company out of compliance for not using
FIPS 140-2 certified products is an interpreta-
EDITOR’S DESK tion issue. And sometimes even QSAs feel a
little lost when looking for guidance. William
“They’re generally very
Lynch, a manager and QSA at IT consulting reluctant to provide
GETTING PCI firm CTG, says he’s tried to go to the card
COMPLIANT brands and the council for help with interpre- specifics, and their
tation: “They’re generally very reluctant to
provide specifics, and their responses can be responses can be some-
PCI DSS 1.2 somewhat slow. If I have an interpretation
question, I usually discuss it with other QSAs
what slow. If I have an
first and contact the council as a last resort”
(see “Chain Reaction,” p. 7).
interpretation question,
WIRELESS
REQUIREMENTS I usually discuss it with
GET TO KNOW THE QSA other QSAs first and
As the person who issues the Report on
TOKENIZATION
Compliance (RoC) to the acquiring banks and
card brands, the QSA has quite a bit of power.
contact the council as
PCI AND
Working effectively with the QSA can mean the a last resort.”
VIRTUALIZATION difference between attaining compliance and
—WILLIAM LYNCH, manager and QSA, CTG
not. The first place to go when looking for a
QSA is the council’s site. For external validation, only council-approved QSAs may
INTEGRATING PCI
submit RoCs. Another option is to ask colleagues with whom they’ve worked, or ask
INTO COMPLIANCE for a QSA reference from your acquiring bank. Evaluate acquiring bank recommen-
PROGRAMS dations carefully, though. Some acquiring banks have relationships with assessor
organizations that pay referral fees—which may indicate the bank is motivated to
make the recommendation simply to receive the fee.
A NEW PRIORITY Many organizations that have successfully completed PCI audits recommend
TOOL FOR PCI
treating the QSA search like any hiring process. Include requests for references and
price quotes in the assessment criteria. And keep in mind that you’ll be working
closely with the assessment company, so it’s important to have a good comfort level
SPONSOR
RESOURCES with its methodology. Another great tip from the trenches: consider two QSA firms,
one for pre-assessment and one for the validation work.
Even if an organization does not wish to pre-assess with a QSA, it should conduct
its own pre-assessment. The PCI SSC Self-Assessment Questionnaire (SAQ) and the
PCI DSS Security Audit Procedures are excellent resources. An IT professional who
completed a PCI validation cycle for his company said, “By pre-assessing, we knew


where the holes were and could fill them before getting beat up in front of upper
management by the QSA.” Though not getting “beat up” can be a benefit of pre-
assessment, it’s important to keep in mind that most QSAs aren’t aiming for humili-
ation and failure. Pre-assessment gives organizations key knowledge regarding what
is important to QSAs during an assessment, especially with regard to documentation.
By understanding where the QSA is coming from, IT professionals can engage in a
more col- laborative relationship.
TABLE OF CONTENTS Documentation may not be exciting but reviewing documents is a cornerstone
of the QSA audit process. So be sure to include documentation review while work-
ing on a gap assessment. This is particularly important for areas where there may
EDITOR’S DESK be interpretation or where compensating controls have been implemented. If a risk
assessment process has been completed before implementing a control, be sure the
supporting documentation is there so the QSA can assess it properly. Otherwise, the
GETTING PCI QSA may fail your control.
COMPLIANT A money-based “gotcha” to watch out for when working with a QSA is when the
QSA claims a company won’t be validated as compliant if it doesn’t buy a specific
vendor product from the assessor’s reseller. The tactic can be a softer sell, recom-
PCI DSS 1.2 mending the customer make the purchase rather than demanding it, but either way
it’s all wrong. QSAs that attempt to increase profits by requiring product purchases
should be reported to the council.
WIRELESS
REQUIREMENTS

TOKENIZATION MANAG I N G LO GS

PCI AND
SIMs Stand Out
VIRTUALIZATION REQUIREMENT 10.6 PCI REQUIRES DAILY LOG REVIEWS,
SPURRING A BOOM IN SIMS SALES.

PCI COMPLIANCE IS “a process, not a product,” says Michelle Dickman, president and CEO of security
INTEGRATING PCI
INTO COMPLIANCE information management (SIM) vendor TriGeo Network Security. Yet, there’s no denying that a lot of prod-
PROGRAMS uct has been sold in the name of PCI.
Many of these purchases were a result of shoring up security controls in areas where they did not
exist. For example, most companies have firewalls (Requirement 1) in their data centers, but many did
A NEW PRIORITY not have one at every retail site. Now, thanks to PCI, many do.
TOOL FOR PCI One product category, however, does stand out as particularly helpful, according to those who have
undergone PCI DSS audits: SIMs and log management tools. Requirement 10 calls for monitoring and test-
ing of networks, and 10.6 specifies: “Review logs for all system components at least daily.” For a major
SPONSOR retailer with thousands of components in the cardholder data environment, meeting those requirements
RESOURCES just wasn’t feasible without a log aggregation solution.
But simply centralizing all logs and alerts isn’t the end of the story, warns William Lynch, a manager
and Qualified Security Assessor at IT consulting firm CTG. “Make sure the review process, accountable
parties and documentation are in place to ensure that the review happens,” he says.w
—DIANA KELLEY


KEEP IT SIMPLE
An important step for a successful PCI assessment is to simplify the process by
narrowing the scope of the audit with zoning, experts say. Allan Carey, senior vice
president of research at IANS, which has advised a number of companies on PCI,
stresses that “one of the most important things an entity can do is to reduce scope
with proper network segmentation, including VLANs, air gaps and physical separa-
tion.” When data must travel over public networks, such as the Internet and wireless
TABLE OF CONTENTS
LANs, Carey advises companies to secure the transmission using encryption proto-
cols such as SSL.
Segmentation was a key part of the National Aquarium in Baltimore’s strategy.
EDITOR’S DESK As part of its PCI pre-assessment work, the aquarium reviewed two merchant func-
tions that were operationally outsourced to third parties—the aquarium gift store
and food services—and decided to physically separate the outsourced merchant
GETTING PCI networks from the aquarium. This resulted in a
COMPLIANT
significant reduction in audit scope during the
aquarium’s PCI validation work.
An important step for a
PCI DSS 1.2
Another tip on the simplification front— successful PCI assessment
one we’ve all heard—is don’t store what you
don’t need. But as Hogan’s plea to the PCI SSC is to simplify the process
illustrated, many retailers—due to their service
WIRELESS
REQUIREMENTS
level agreements—are required to store PANs by narrowing the scope
in a retrievable format for up to 18 months.
Companies that don’t have that requirement
of the audit with zoning,
TOKENIZATION
have simplified their PCI compliance by elimi- experts say.
nating PAN storage. Others don’t have to hang
on to the PAN for months but hold it for hours during authorization. Brady Deck-
er, network engineer at the aquarium, suggests that banks and card brands “take
PCI AND
VIRTUALIZATION the merchants out of the security loop” by not having them store the PAN, even
during the authorization phase. If a company must hold on to PANs for any length
of time, Carey recommends “leveraging native database encryption capabilities to
INTEGRATING PCI
meet [requirement] 3.4 before layering on a third-party solution that may degrade
INTO COMPLIANCE performance or increase management complexity.”
PROGRAMS In addition, make sure to really know what’s in your environment. Stories
abound of large organizations that found untracked spreadsheets with thousands
of credit card numbers when beginning their PCI assessment work. “Map the
A NEW PRIORITY credit card data flow” for the entire lifecycle of the data’s existence in your organi-
TOOL FOR PCI
zation, says Michael Gavin, security strategist for application security company
Security Innovation. That means answering these questions: Where does the
information come in? Where is it being stored? Who has access along the way?
SPONSOR
RESOURCES
THINK GLOBALLY
Although PCI DSS is an internationally applicable standard, most of the PCI DSS
noise has been coming out of the U.S. That’s no longer the case. Since late last year,
there has been a significant increase in PCI awareness in the U.K. and parts of
Europe. Some European countries still believe that the standard doesn’t apply or


is less important because of the use
of a smart chip and PIN (personal
identification number) in European Resources
credit cards. Chip and PIN does
change the threat model, but not PCI Security Standards Council
the PCI DSS requirement. Whether Provides information on standards, QSAs and more.
the PAN was read from a magnetic www.pcisecuritystandards.org
TABLE OF CONTENTS stripe, off of a smart chip, or typed
into a Web form, the PAN protec- PCI Knowledge Base
tion requirements are the same. Offers tips from research community.
Bob Russo, general manager of www.knowpci.com
EDITOR’S DESK
the PCI council, notes that organi-
zations in some countries, like Visa
Japan, have spent a lot of time com- Includes list of validated payment applications.
GETTING PCI
COMPLIANT plying with security frameworks— http://usa.visa.com/merchants/risk_management/cisp.html
such as the Information Security
Management Systems (ISMS)
PCI DSS 1.2 approach of ISO 27001 and 27002—and don’t want to spend time complying with
an additional standard. The card brands, along with the council, are working to
raise awareness that DSS is not optional and not replaceable by any other certifica-
WIRELESS tion work.
REQUIREMENTS If an organization has been concentrating only on U.S. operations, it’s time for it
to start thinking globally and assessing all sites where card information is transacted.
And if you are using a compliance framework, consider mapping the controls and
TOKENIZATION documentation in place to those needed for the PCI assessment. Many companies
report that “careful compliance recycling” can reduce overhead when certifying to
new and emerging standards.
PCI AND PCI compliance may not be a simple art, but there are ways—like leveraging
VIRTUALIZATION
compliance frameworks—to make it simpler. There are a lot of rules and require-
ments for PCI, but the core goal is simple: protect credit cards on those digital
“mean streets.”w
INTEGRATING PCI
INTO COMPLIANCE
PROGRAMS Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly
served as vice president and service director with research firm Burton Group. She has extensive
experience creating secure network architectures and business solutions for large corporations and
delivering strategic, competitive knowledge to security software vendors.
A NEW PRIORITY
TOOL FOR PCI

SPONSOR
RESOURCES


Which
came
first?
cyber
criminals
or Data
breaches

We don’t have to tell you that enterprise security and compliance is serious business.
From external and internal threats to compliance violations, the risks associated with the
continuity of IT infrastructure and the usage of sensitive data and applications are huge.
And the constantly shifting cyber threat landscape only makes it more difficult to protect your
business.

The ArcSight SIEM Platform mitigates operational risk by providing scalable security,
comprehensive real-time monitoring, and intelligent event analysis. With ArcSight, you’ll get
the big picture so you can avoid the big problem. After all, keeping a business running is the
only way to run a business.

Visit us at www.arcsight.com.

ArcSight Headquarters: 1-888-415-ARST
© 2009 ArcSight. All rights reserved.

CHANGES

PCI DSS 1.2
Answers
TABLE OF CONTENTS
Questions
EDITOR’S DESK and Raises
GETTING PCI
COMPLIANT Others
PCI DSS 1.2
The latest version of the standard provides clarity
WIRELESS
on wireless and Web application requirements.
REQUIREMENTS BY DIANA KELLEY

i
TOKENIZATION
IN OCTOBER 2008 the PCI Security Standards Council, stewards of the PCI Data
Security Standard, released version 1.2. PCI DSS version 1.2 is not a sweeping
PCI AND rewrite of version 1.1. Most of the changes listed in the summary document are
VIRTUALIZATION clarifications of wording and terminology. Bob Russo, general manager of the
PCI Security Standards Council, said of the group’s goal was “eliminating as many
questions as possible.”
INTEGRATING PCI Some welcomed the changes, since some terms were poorly defined in the last
INTO COMPLIANCE
PROGRAMS iteration, making them confusing and difficult to interpret. For example, Require-
ment 6.6 of version 1.1 called for an “application-layer firewall.” Retailers and PCI
assessors (QSAs) alike wondered whether an application-layer-aware firewall, like
A NEW PRIORITY the Cisco Systems Inc. PIX or ASA firewall, would suffice, or if it called for a Web
TOOL FOR PCI application firewall like Barracuda Networks Inc.’s Web Site. Although the summary
changes continue to reference “application-layer firewall,” the Council issued specific
guidance on the terminology in February regarding product type intended. Troy
SPONSOR Leach, technical director of the PCI Security Standards Council, said that the testing
RESOURCES procedures for Requirement 6.6 in version 1.2 make it clear that the Council is
referring to Web application firewalls.
Other terms that received clarification and usage consistency makeovers are
primary account numbers (PANs) and “strong cryptography.” In version 1.1,
“strong cryptography” is not defined, however, the audit/assessment procedures
used by QSAs did list “Triple-DES 128-bit and AES 256-bit” as examples.


Another tricky one: Does the PCI DSS apply to electronic media exclusively or
is paper included? According to version 1.2, it applies to both electronic and paper
media that contains cardholder data. This will create additional work for those
organizations that had misinterpreted version 1.1 and kept paper media out of
scope during DSS compliance work.

Compensating controls
TABLE OF CONTENTS
When enterprises are not able to meet the exact letter of the standard, they look
to controls that will provide the same level of protection. Perhaps the most well-
known example of this is PCI Requirement 3.4, which requires that if PANs are
EDITOR’S DESK stored, they must be either rendered unreadable (by one-way hashing or truncation)
or encrypted (using strong cryptography).

GETTING PCI
When many organizations found neither of
these options was feasible, Appendix B of PCI
When enterprises are not
COMPLIANT
DSS version 1.1 provided a list of acceptable able to meet the exact
compensating controls that could be used in
PCI DSS 1.2
place of those listed in the requirement. letter of the standard,
Version 1.2 provides additional information
about compensating controls and flexibility
they look to controls
WIRELESS
options for other requirements. In the updated
standard, Requirement 1 eases the timeline for
that will provide the
REQUIREMENTS
reviewing firewall rules from quarterly to every same level of protection.
six months. And the 30-day patch cycle, from
the often-dreaded Requirement 6, now has “added flexibility…by specifying that
TOKENIZATION
a risk-based approach may be used to prioritize patch installation.” Under version
1.1, many retailers scrambled to install patches within 30 days, often short-circuiting
their standard patch life cycle testing in an effort to meet the strict timeline. A
PCI AND
VIRTUALIZATION thorough approach to patching, however, requires testing, prioritization, and a
robust pre-production process, which can take longer than 30 days. The change
allows for risk-based approaches that may require more time.
INTEGRATING PCI
Another welcome change concerns physical security. PCI DSS Requirement 9
INTO COMPLIANCE called for cameras to monitor “sensitive areas,” but was an area like a restaurant
PROGRAMS dining room—where credit cards are handed to staff—considered sensitive enough
to require a camera? How about a point-of-sale (PoS) cash register at a food court
kiosk? Under version 1.2, organizations now have more flexibility to select other
A NEW PRIORITY access control mechanisms when appropriate.
TOOL FOR PCI

More requirements
SPONSOR While the clarification and compensating control changes are welcome, there are
RESOURCES some additional requirements in version 1.2. For example: “Wireless must now
be implemented according to industry best practices (e.g., IEEE 802.11x) using
strong encryption for authentication and transmission.” For those of you who
thought perhaps the Council meant 802.1X, you’re not alone; I thought that at
first, too, because 802.11x is a placeholder for upcoming standards and not an
IEEE standard.


Leach said 802.11x was used to indicate that upcoming versions of the DSS
may include recommendations for using emerging 802.11 standards, such as
802.11i. So for more specifics, we’ll all have to stay tuned. On the plus side, version
1.2 will continue to allow SSL/TLS and IPsec for protection of data transmissions
over both wired and wireless networks.
Some potential heartburn may come from this change regarding wireless net-
work encryption: “New implementations of WEP are not allowed after March 31,
TABLE OF CONTENTS
2009…Current implementations must discontinue use of WEP after June 30,
2010.” Wired Equivalent Privacy (WEP) has been broken for many years, so it
makes sense for the Council to call for an end to its use in cardholder data environ-
EDITOR’S DESK
ments, but many “out of the box” point-of-sale packages still commonly rely on
WEP for proper operation. The two-year timeline for complete replacement of
these systems may be too aggressive for retailers. If so, the Council will need to
GETTING PCI amend the timeline.
COMPLIANT
Finally, the antimalware requirement has been updated to include “all operating
system types.” Antimalware for Mac platforms and Unix/Linux are available, but
options are limited. As for mainframes (like System z), there just aren’t options.
PCI DSS 1.2
For platforms like mainframe and some flavors of UNIX, organizations can consider
layering anti-malware protection by using gateways or other compensating controls.w
WIRELESS Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She
REQUIREMENTS
formerly served as vice president and service director with research firm Burton Group. She
has extensive experience creating secure network architectures and business solutions for large
corporations and delivering strategic, competitive knowledge to security software vendors.
TOKENIZATION

PCI AND
VIRTUALIZATION

INTEGRATING PCI
INTO COMPLIANCE
PROGRAMS

A NEW PRIORITY
TOOL FOR PCI

SPONSOR
RESOURCES


Get in Control.
Stay in Control.
you face tremendous pressure to secure your
endpoints and servers from unauthorized
applications and to comply with multiple
security policies, operating procedures, and
regulations such as the Payment Card Data
Security Standard (PCi DSS) requirements.

look to Mcafee, the recommended choice
of retailers and security assessors.

Download the Mcafee® application
Control solution brief here. Find out
how the world’s largest dedicated
security technology company can
help you get in control and stay
in control.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com.
McAfee is a registered trademark of McAfee, Inc.,and/or its affiliates in the US and/or other
countries. McAfee Red in connection with security is distinctive of McAfee brand products.
© 2009 McAfee, Inc. All rights reserved.

FROM WEP TO WPA

Wireless Encryption
in the Wake
of PCI DSS 1.2
TABLE OF CONTENTS

EDITOR’S DESK

GETTING PCI
COMPLIANT

Merchants using WEP networks must
PCI DSS 1.2 transition to Wi-Fi Protected Access (WPA)
WIRELESS
security no later than June 30, 2010.
REQUIREMENTS BY MIKE CHAPPLE

t
TOKENIZATION

THE PCI SECURITY STANDARDS COUNCIL recently announced the imminent release of the
PCI AND Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision
VIRTUALIZATION includes a number of changes, updates and clarifications that affect anyone involved in
the storage, processing or transmission of credit card information. One of the major areas
of change, however, involves the use of wireless networks to transmit cardholder data.
INTEGRATING PCI In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council
INTO COMPLIANCE
PROGRAMS announced several adjustments to the wireless network security requirements:
• Wireless must be implemented using strong encryption for authentication and
transmission. The Council cites IEEE 802.11i as an appropriate example.
A NEW PRIORITY
• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy
TOOL FOR PCI (WEP) networks.
• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA)
security no later than June 30, 2010.
SPONSOR
RESOURCES Using WEP encryption to “protect” a wireless network is a bad idea, and that fact should-
n’t be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of
WEP encryption was also responsible for the well-known TJX Companies Inc. breach, one of
the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the
use of WEP encryption with the presence of compensating controls, including quarterly key
rotation, MAC-based host restrictions, and the use of supplemental encryption.


For smaller networks, WPA-secured networks and 802.1x, authentication may
be a fairly trivial task to implement. In some cases, however, the work may require
significant infrastructure and/or payment system upgrades.

Converting to WPA
WPA has been standard technology on all wireless equipment manufactured since
September 2003. For those using such equipment, converting to WPA may be as simple
TABLE OF CONTENTS
as changing a setting on the wireless access points and reconfiguring networked
devices to access the new WPA network. However, for those using obsolete or
specialized hardware, this change may not be so simple; you may need to get
EDITOR’S DESK the manufacturer involved.
The good news is that everybody’s in the
same boat. Manufacturers that wish to support Manufacturers that wish
GETTING PCI
COMPLIANT
payment card applications must also support
WPA encryption if they intend to continue
to support payment card
serving the payment card industry. The bad
news is that nobody requires vendors to retrofit
applications must also
PCI DSS 1.2
existing equipment to accommodate the support WPA encryption
upgrade. Companies may find themselves
sitting on a lot of expensive but obsolete if they intend to continue
WIRELESS
REQUIREMENTS
hardware, with no option other than
upgrading it or ripping it out piece by piece.
serving the payment card
industry.
TOKENIZATION Going “enterprise”
The second task is a bit more subtle and tends to be ignored in the initial analysis of
PCI DSS 1.2. The summary states: “Wireless must now be implemented according to
PCI AND industry best practices (e.g., IEEE 802.11i) using strong encryption for authentica-
VIRTUALIZATION tion and transmission.” But what does PCI DSS 1.2’s reference and recommendation
“industry best practices” for authentication mean for enterprise security managers?
From my perspective, it means that the use of a pre-shared key is not permissible
INTEGRATING PCI in all but the smallest and most well-controlled environments. Rather than using the
INTO COMPLIANCE authentication method of the simpler WPA-Personal mode, where every device on
PROGRAMS
the network uses a single shared secret key, individual machine-based or user-based
authentication should be put in place to protect network access. The use of WPA-
Enterprise technology allows individual users or devices to be provisioned and
A NEW PRIORITY
TOOL FOR PCI de-provisioned without reconfiguring the entire network. It’s clearly a good security
practice, but it can be difficult to implement for those who don’t have experience
with it.
SPONSOR Enterprises that are already running a RADIUS and Active Directory environ-
RESOURCES ment may be able to simply tie it in to the wireless infrastructure using 802.1x.
Essentially, WPA-Enterprise allows you to avoid the security problems associated
with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses
802.1x to access an external authentication server to validate access requests using
the credentials of individual users. Those that don’t have this technology in place will
need to think about the best way to deploy WPA-Enterprise in their environments.


For example, you’ll probably want to first ensure that both your wireless infra-
structure (access points, controllers, etc.) support WPA-Enterprise and then ensure
that your wireless devices (laptops, PDAs, etc.) are also compatible. You’ll then need
to decide the appropriate authentication back end for your environment. In most
Microsoft shops, you’ll want to configure RADIUS to authenticate against an existing
Active Directory. Otherwise, you’ll need to find another source of user authentication
data and integrate it with your RADIUS server.
TABLE OF CONTENTS Finally, you’ll need to devise a rollout strategy. One common approach is to stand
up the WPA-Enterprise network alongside your existing wireless networks and allow
users a transition period of several weeks before shutting off the legacy network. For
EDITOR’S DESK more practical advice on deploying WPA-Enterprise, read Controlling WLAN access
on a tight budget.

GETTING PCI Summing up
COMPLIANT The new wireless requirements imposed by PCI DSS 1.2 aren’t a surprise to payment
card security professionals. We’ve been expecting them ever since the first release of
PCI DSS 1.0, and they represent best practices in wireless security. The time has now
PCI DSS 1.2 come to comply, and the council has set a clear deadline: June 2010. That might
sound far away, but the best advice I can offer you is to start planning now. If the
changes are simple, you’ll finish way ahead of the deadline and have plenty of time
WIRELESS to relax. However, if your infrastructure requires major changes, you’ll have the
REQUIREMENTS
necessary opportunity to plan and deploy those changes properly.w

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame.
TOKENIZATION He previously served as an information security researcher with the National Security Agency
and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for
Information Security magazine and the author of several information security titles, including
PCI AND the CISSP Prep Guide and Information Security Illuminated. He also answers your questions
VIRTUALIZATION on network security.

INTEGRATING PCI
INTO COMPLIANCE
PROGRAMS

A NEW PRIORITY
TOOL FOR PCI

SPONSOR
RESOURCES


PCI DSS Guide Explains Latest Changes and Compliance Strategies

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to PCI DSS Guide Explains Latest Changes and Compliance Strategies

Similar to PCI DSS Guide Explains Latest Changes and Compliance Strategies (20)

More from Kim Jensen

More from Kim Jensen (20)

Recently uploaded

Recently uploaded (20)

PCI DSS Guide Explains Latest Changes and Compliance Strategies