firm CSC, says, “The council is very careful not to provide definitive guidance on compliance. They’re generally very reluctant to provide definitive guidance on compliance.”

KNOW THE RULES

So in summary:

1) Understand that each card brand maintains its own compliance program, though all use the PCI DSS as a baseline.
2) The PCI SSC owns the PCI standards and provides training and approval for QSAs and ASVs, but does not determine compliance
PCI DSS Guide Explains Latest Changes and Compliance Strategies
INFORMATION SECURITY® ESSENTIAL GUIDE TO PCI DSS
We’ll explain the new changes in Version 1.2 and how the standard will tackle emerging technologies such as cloud computing and virtualization.

INSIDE
5 Avoiding Audit Trouble: Getting PCI Compliant
13 PCI DSS 1.2 Answers Questions and Raises Others
17 Wireless Encryption in the Wake of PCI DSS 1.2
21 Is Tokenization the Cure-all for PCI Compliance?
25 PCI, Virtualization and Cloud Computing
30 Compliance Recycling
34 PCI Issues Priority Tool for Compliance

INFOSECURITYMAG.COM
CONTENTS: ESSENTIAL GUIDE

FEATURES

5 Avoiding Audit Trouble: Getting PCI Compliant
PCI DSS COMPLIANCE: Having trouble with PCI compliance? You’re not alone. Auditors and audit survivors offer tips for how to achieve it. BY DIANA KELLEY

13 PCI DSS 1.2 Answers Questions and Raises Others
CHANGES: The latest version of the standard provides clarity on wireless and Web application requirements. BY DIANA KELLEY

17 Wireless Encryption in the Wake of PCI DSS 1.2
FROM WEP TO WPA: Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010. BY MIKE CHAPPLE

21 Is Tokenization the Cure-all for PCI Compliance?
EMERGING TECHNOLOGIES: The technology attempts to replace cardholder data with a token instead of a PAN. BY ED MOYLE

25 PCI, Virtualization and Cloud Computing
ENFORCEMENT: Compliance guidelines on virtualization will likely be in a state of flux for some time. BY MICHAEL COBB

30 Compliance Recycling
BEST PRACTICES: How to combine compliance efforts to manage PCI DSS. BY DIANA KELLEY

34 PCI Issues Priority Tool for Compliance
LATEST NEWS: The PCI Prioritized Approach framework creates a series of milestones for companies working on PCI compliance. BY ROBERT WESTERVELT

39 Advertising Index

1 INFORMATION SECURITY • ESSENTIAL GUIDE • PCI DSS
EDITOR’S DESK

The regulation that keeps on giving
BY KELLEY DAMORE

PCI DSS HAS BEEN HAILED by many as the clearest regulation/industry standard to follow. It’s prescriptive in nature and relatively straightforward. There are 12 requirements that must be adhered to, and the requirements are typically associated with a particular security technology, so you know what you have to do to become compliant and secure.

Or do you? Many organizations that were PCI compliant, notably Heartland Payment Systems, announced massive data breaches this year that call into question the security controls that PCI requires. Some organizations overuse compensating controls or outline the compensating control but never get back to fixing the issues. The sad truth is it comes down to this: on that particular day when the Qualified Assessor signed off on the audit, organization X was compliant.

To make matters worse, because this is a standard, not a regulation set into law, it is far more fluid. Changes can and will occur with the standard. It really isn’t ever done. For example, late last year the PCI Council weighed in on securing wireless communications and Web applications. These are new additions to the standard that companies must adhere to even if they met all the other requirements previously. And if the organization is a large merchant, it needs to be assessed by an outside QSA every year. Smaller companies need to do self-assessments.

But it is not all doom and gloom. On the bright side, the PCI Council is a living and breathing entity, and they request feedback on the standard and areas of ambiguity. For instance, they are pulling together experts and a working group to talk about how to secure some of the emerging technologies in the market, including virtualization and cloud computing. Their executives answer questions and listen to feedback. And because of the fines associated with PCI, this standard is taken seriously and can be a strong argument for budget in difficult and tight times.

In this Essential Guide to PCI, we aim to outline what you need to know right now. We drill down into the new requirements with PCI DSS 1.2, offer suggestions on how to pass an audit and what to consider when it comes to PCI and securing virtualized machines and cloud services.

We hope this Essential Guide to PCI is prescriptive and straightforward, and we promise we won’t be changing it or issuing any fines.

Kelley Damore is the Editorial Director of Information Security and TechTarget’s Security Media Group. Send your comments on this column to feedback@infosecuritymag.com.
COMPLIANCE

AVOIDING AUDIT TROUBLE: Getting PCI Compliant
Having trouble with PCI compliance? You’re not alone. Auditors and audit survivors offer tips for how to achieve it.
BY DIANA KELLEY

BY ALL ACCOUNTS, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is on the upswing. And media reports indicate the standard is gaining ground in the European Union, where many countries—the U.K. in particular—are stepping up compliance efforts.

Yet successful PCI Report on Compliance (RoC) completion remains a confusing venture and elusive to many. Some of the confusion stems from the convoluted path of accountability. Although the PCI DSS is often touted as a one-stop standard, each of the five major card brands continues to maintain separate compliance programs. Some brands have announced heavy noncompliance fees in the form of penalties and higher transaction rates, but it is the acquiring banks that decide when and how to pass on these fees to their retail and merchant customers. And despite the prescriptive nature of PCI, the standard changes when updates are issued, and Qualified Security Assessors (QSAs) have room to interpret the standard. It’s not uncommon for a QSA’s interpretation of the standard to differ from that of the company under review.

Still, while PCI DSS compliance may not always be easy, it’s definitely achievable.
KNOW WHO’S WHO

The first step to tackling PCI DSS compliance is to understand who’s who in the PCI accountability chain; an organization may be surprised to learn who actually does what. The five card brands that constitute the payment card industry are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. Each brand had its compliance program before PCI DSS, and each continues to maintain those programs and exert final decision control over compliance. However, all of the PCI brands have agreed to use the PCI DSS as a baseline for compliance evaluation to simplify the process for members.

In December 2004, the card brands issued the first version (1.0) of the Data Security Standard. The standard is not intended to replace the individual brand compliance programs; rather, it is meant to be a single set of guidelines for entities that store, process or transact credit card data. The assumption is that if an organization receives a successful PCI DSS RoC, it’s compliant with any of the card brand programs.
PA DSS
App Lockdown
NEW STANDARD FOCUSES ON COMMERCIAL PAYMENT APPLICATIONS.

RELEASED IN APRIL 2008, the first version of the Payment Application Data Security Standard outlines requirements that payment applications, such as point-of-sale systems, must adhere to. For those familiar with Visa’s Payment Application Best Practices (PABP) program, which provides guidance on how to create payment applications that protect cardholder data in accordance with the PCI DSS, there won’t be many surprises in the PA DSS.

The majority of changes were renumbering and wording clarifications. However, some notable enhancements have been added, such as listing code-analysis tools as an alternative option for testing. Compliance to the PA DSS applies to COTS payment applications that are sold to more than one customer and don’t receive significant customization. At this point, the payment card brands still hold final determination on whether the PA DSS is mandatory for all payment applications. However, Visa has announced a phased PA DSS compliance program that will require its merchants and processors to use only PABP-compliant applications.

Single-customer payment applications and applications developed in-house aren’t subject to the PA DSS, though they must meet the PCI DSS. The wealth of information in the PA DSS can help any team develop more secure payment applications, even if those applications aren’t required to be PA DSS compliant.
—DIANA KELLEY
ACCOUNTABILITY
Chain Reaction
Here’s a guide for understanding who’s who in the PCI chain of accountability. You may be surprised to learn who actually does what.

WHO: Card brands
WHAT: American Express, Discover, JCB, MasterCard, Visa
WHY: Individual compliance programs; service level agreements with banks, retailers/merchants and processors; brand reputation

WHO: PCI Security Standards Council
WHAT: Independent organization led by the card brands with participation from member organizations and advisers
WHY: Maintain the PCI DSS, PCI PED (PIN Entry Device), PA DSS and associated content; oversight and governance of QSA and ASV training and approval process

WHO: Issuing banks
WHAT: Banks that issue credit cards to consumers
WHY: Issuing consumer credit cards

WHO: Acquiring banks
WHAT: Banks that enable merchants, retailers and processors to accept and process credit card payments
WHY: Governance to ensure members are PCI compliant; fees and penalties for failure to comply

WHO: Merchants/retailers and processors
WHAT: Entities that store, process or transact credit card data
WHY: Complying with the PCI DSS; validating compliance if Level 1

WHO: Qualified Security Assessors
WHAT: Auditors that are approved to issue RoCs of compliance to PCI DSS
WHY: On-site assessment; interpretation of PCI DSS

WHO: Approved Scanning Vendors
WHAT: Vendors that have been approved to perform PCI DSS compliance scanning
WHY: External scans; issuing reports on scan findings

So that there would be one central point of contact for PCI DSS matters, the five brands formed the PCI Security Standards Council (PCI SSC) in September 2006. The council is led by a five-member executive committee (one from each brand) and owns the official document repository for all things PCI DSS. This includes the standard, as well as collateral such as the self-assessment questionnaire, audit procedures, and since April, the Payment Application Data Security Standard (PA DSS) (see “App Lockdown,” p. 6). The council also maintains governance over training and approval for QSAs and Approved Scanning Vendors (ASVs).

Something many retailers find confusing is that the council is not responsible for compliance or decisions relating to compliance. The council has no control over fees or penalties issued to retailers or processors, nor does it have any involvement in the service-level agreements between the card brands, the banks and their members. That’s why David Hogan, CIO of the National Retail Federation, was shooting at the wrong target when he asked the council for changes in primary account number (PAN) storage requirements. The PCI DSS is the standard on how to protect PANs if they’re stored, but doesn’t address whether they need to be stored in the first place. That’s between the retailers/merchants, acquiring banks and card brands.

Organizations that need to validate PCI DSS compliance, such as Level 1 merchants with more than 6 million Visa or MasterCard transactions annually, work with QSAs for validation. Prescriptive though the PCI DSS is, there’s still room for disagreement on specific controls and
their implementation. For example, one end user reports that for requirement 3.4 (render the PAN unreadable), his QSA refused to validate solutions that were not FIPS 140-2 certified. Though this federal certification provides a much higher level of assurance from a data protection standpoint, it is not specifically required for compliance by the PCI DSS Security Audit Procedures.

In cases like this, it may seem that the council is a good place to turn for answers, but it’s not. The council has QSA feedback forms that companies are encouraged to fill out after audits, but these are used to determine if the QSA is performing audits properly. Finding a company out of compliance for not using FIPS 140-2 certified products is an interpretation issue. And sometimes even QSAs feel a little lost when looking for guidance. William Lynch, a manager and QSA at IT consulting firm CTG, says he’s tried to go to the card brands and the council for help with interpretation: “They’re generally very reluctant to provide specifics, and their responses can be somewhat slow. If I have an interpretation question, I usually discuss it with other QSAs first and contact the council as a last resort” (see “Chain Reaction,” p. 7).

GET TO KNOW THE QSA

As the person who issues the Report on Compliance (RoC) to the acquiring banks and card brands, the QSA has quite a bit of power. Working effectively with the QSA can mean the difference between attaining compliance and not. The first place to go when looking for a QSA is the council’s site. For external validation, only council-approved QSAs may submit RoCs. Another option is to ask colleagues which QSAs they’ve worked with, or ask for a QSA reference from your acquiring bank. Evaluate acquiring bank recommendations carefully, though. Some acquiring banks have relationships with assessor organizations that pay referral fees—which may indicate the bank is motivated to make the recommendation simply to receive the fee.

Many organizations that have successfully completed PCI audits recommend treating the QSA search like any hiring process. Include requests for references and price quotes in the assessment criteria. And keep in mind that you’ll be working closely with the assessment company, so it’s important to have a good comfort level with its methodology. Another great tip from the trenches: consider two QSA firms, one for pre-assessment and one for the validation work.

Even if an organization does not wish to pre-assess with a QSA, it should conduct its own pre-assessment. The PCI SSC Self-Assessment Questionnaire (SAQ) and the PCI DSS Security Audit Procedures are excellent resources. An IT professional who completed a PCI validation cycle for his company said, “By pre-assessing, we knew
where the holes were and could fill them before getting beat up in front of upper management by the QSA.” Though not getting “beat up” can be a benefit of pre-assessment, it’s important to keep in mind that most QSAs aren’t aiming for humiliation and failure. Pre-assessment gives organizations key knowledge regarding what is important to QSAs during an assessment, especially with regard to documentation. By understanding where the QSA is coming from, IT professionals can engage in a more collaborative relationship.

Documentation may not be exciting, but reviewing documents is a cornerstone of the QSA audit process. So be sure to include documentation review while working on a gap assessment. This is particularly important for areas where there may be interpretation or where compensating controls have been implemented. If a risk assessment process has been completed before implementing a control, be sure the supporting documentation is there so the QSA can assess it properly. Otherwise, the QSA may fail your control.

A money-based “gotcha” to watch out for when working with a QSA is when the QSA claims a company won’t be validated as compliant if it doesn’t buy a specific vendor product from the assessor’s reseller. The tactic can be a softer sell, recommending the customer make the purchase rather than demanding it, but either way it’s all wrong. QSAs that attempt to increase profits by requiring product purchases should be reported to the council.
MANAGING LOGS
SIMs Stand Out
REQUIREMENT 10.6
PCI REQUIRES DAILY LOG REVIEWS, SPURRING A BOOM IN SIM SALES.

PCI COMPLIANCE IS “a process, not a product,” says Michelle Dickman, president and CEO of security information management (SIM) vendor TriGeo Network Security. Yet, there’s no denying that a lot of product has been sold in the name of PCI.

Many of these purchases were a result of shoring up security controls in areas where they did not exist. For example, most companies have firewalls (Requirement 1) in their data centers, but many did not have one at every retail site. Now, thanks to PCI, many do.

One product category, however, does stand out as particularly helpful, according to those who have undergone PCI DSS audits: SIMs and log management tools. Requirement 10 calls for monitoring and testing of networks, and 10.6 specifies: “Review logs for all system components at least daily.” For a major retailer with thousands of components in the cardholder data environment, meeting those requirements just wasn’t feasible without a log aggregation solution.

But simply centralizing all logs and alerts isn’t the end of the story, warns William Lynch, a manager and Qualified Security Assessor at IT consulting firm CTG. “Make sure the review process, accountable parties and documentation are in place to ensure that the review happens,” he says.
—DIANA KELLEY
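As an added illustration of the point Lynch makes (this is not code from the article, TriGeo or CTG), the script below turns “review logs for all system components at least daily” into something checkable: given an inventory of in-scope components and a day’s worth of constructed log lines, it reports which components produced no events in the review window (a collection gap, which means those components were not actually reviewed), counts the messages a reviewer is expected to act on, and emits a review record naming the reviewer and the time, which is the documentation a QSA will ask for. The log line format, the host names, the inventory, the review patterns and the review time are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed in-scope component inventory for a small cardholder data environment.
IN_SCOPE = ["fw-store-01", "pos-01", "pos-02", "pos-03", "pos-07", "db-card-01"]

# Constructed sample log lines in the form "<ISO timestamp> <host> <message>".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2009-03-02T08:01:10 fw-store-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=23
2009-03-02T08:05:44 pos-01 posapp: transaction approved ref=10001
2009-03-02T08:06:02 pos-02 posapp: transaction approved ref=10002
2009-03-02T09:15:22 db-card-01 sshd[1234]: Failed password for admin from 192.0.2.55 port 51022
2009-03-02T09:15:25 db-card-01 sshd[1234]: Failed password for admin from 192.0.2.55 port 51022
2009-03-02T09:16:40 db-card-01 sshd[1234]: Accepted publickey for dba from 192.0.2.20 port 51100
2009-03-01T07:59:00 pos-07 posapp: transaction approved ref=9990
"""

# Message fragments the daily reviewer is expected to look at (constructed list).
REVIEW_PATTERNS = ("Failed password", "DROP IN=")

# Constructed time at which the daily review is performed.
REVIEW_TIME = datetime(2009, 3, 2, 10, 0, 0)


def parse_line(line: str):
    """Split one log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def last_seen(text: str) -> dict:
    """Most recent event timestamp observed per host."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _ = parse_line(line)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_components(inventory, text, now, window=timedelta(hours=24)) -> list:
    """In-scope components with no event inside the window. A silent component
    is a collection gap: it was not reviewed, whatever the SIM dashboard says."""
    seen = last_seen(text)
    return sorted(h for h in inventory if h not in seen or now - seen[h] > window)


def findings(text: str) -> dict:
    """Count of review-pattern hits per host for the reviewer to follow up."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _, host, msg = parse_line(line)
        if any(p in msg for p in REVIEW_PATTERNS):
            counts[host] += 1
    return dict(counts)


def daily_review(inventory, text, reviewer: str, now: datetime) -> dict:
    """The record that proves the review happened: who, when, what was in
    scope, what was missing from the logs and what was flagged."""
    return {
        "reviewer": reviewer,
        "reviewed_at": now.isoformat(),
        "components_in_scope": len(inventory),
        "silent_components": silent_components(inventory, text, now),
        "findings": findings(text),
    }


if __name__ == "__main__":
    review = daily_review(IN_SCOPE, SAMPLE_LOGS, "sec-analyst-1", REVIEW_TIME)
    for key, value in review.items():
        print(f"{key}: {value}")
```

On the sample data, pos-03 never logged at all and pos-07’s last event is more than 24 hours old, so both are reported as silent even though the aggregator holds plenty of events overall; that is the gap a centralized-logs-only approach hides.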
KEEP IT SIMPLE

An important step for a successful PCI assessment is to simplify the process by narrowing the scope of the audit with zoning, experts say. Allan Carey, senior vice president of research at IANS, which has advised a number of companies on PCI, stresses that “one of the most important things an entity can do is to reduce scope with proper network segmentation, including VLANs, air gaps and physical separation.” When data must travel over public networks, such as the Internet and wireless LANs, Carey advises companies to secure the transmission using encryption protocols such as SSL.

Segmentation was a key part of the National Aquarium in Baltimore’s strategy. As part of its PCI pre-assessment work, the aquarium reviewed two merchant functions that were operationally outsourced to third parties—the aquarium gift store and food services—and decided to physically separate the outsourced merchant networks from the aquarium. This resulted in a significant reduction in audit scope during the aquarium’s PCI validation work.

Another tip on the simplification front—one we’ve all heard—is don’t store what you don’t need. But as Hogan’s plea to the PCI SSC illustrated, many retailers—due to their service level agreements—are required to store PANs in a retrievable format for up to 18 months. Companies that don’t have that requirement have simplified their PCI compliance by eliminating PAN storage. Others don’t have to hang on to the PAN for months but hold it for hours during authorization. Brady Decker, network engineer at the aquarium, suggests that banks and card brands “take the merchants out of the security loop” by not having them store the PAN, even during the authorization phase. If a company must hold on to PANs for any length of time, Carey recommends “leveraging native database encryption capabilities to meet [requirement] 3.4 before layering on a third-party solution that may degrade performance or increase management complexity.”

In addition, make sure to really know what’s in your environment. Stories abound of large organizations that found untracked spreadsheets with thousands of credit card numbers when beginning their PCI assessment work. “Map the credit card data flow” for the entire lifecycle of the data’s existence in your organization, says Michael Gavin, security strategist for application security company Security Innovation. That means answering these questions: Where does the information come in? Where is it being stored? Who has access along the way?
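The “untracked spreadsheets” problem above is one that a scripted scan catches early in pre-assessment work, before the QSA does. The following is an added example, not code from the article or from any company it mentions, of such a scan: it pulls 13- to 19-digit candidates out of a constructed CSV export, keeps only those that pass the Luhn check-digit test every PAN satisfies (which removes most order numbers and phone numbers), and reports hits masked to the last four digits so the scan report does not itself become a new store of card numbers. The sample file, its column names and the masking choice are my assumptions; the card numbers in it are the widely published test numbers that pass the Luhn check, not real accounts.

```python
import re

# Constructed sample: an export of the kind of "untracked spreadsheet" the
# article describes. The card numbers are published test numbers, not real accounts;
# line 5 fails the Luhn check and line 6 holds no number at all.
SAMPLE_EXPORT = """\
order_id,customer,card_number,amount
10001,A. Buyer,4111 1111 1111 1111,42.00
10002,B. Buyer,5500-0000-0000-0004,19.95
10003,C. Buyer,378282246310005,120.00
10004,D. Buyer,4111111111111112,7.50
10005,E. Buyer,REDACTED,33.10
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every valid PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report is not PAN storage."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Digit-only form of every Luhn-valid candidate found in text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_lines(text: str) -> list:
    """(line number, masked PAN) for each hit; line numbers start at 1."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_EXPORT):
        print(f"line {lineno}: {masked}")
```

Run against real file shares the same logic is applied file by file; the output (file, line, masked value) is what feeds the data-flow map Gavin describes, and the masked form means the inventory itself stays out of PCI scope.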
THINK GLOBALLY

Although PCI DSS is an internationally applicable standard, most of the PCI DSS noise has been coming out of the U.S. That’s no longer the case. Since late last year, there has been a significant increase in PCI awareness in the U.K. and parts of Europe. Some European countries still believe that the standard doesn’t apply or is less important because of the use of a smart chip and PIN (personal identification number) in European credit cards. Chip and PIN does change the threat model, but not the PCI DSS requirement. Whether the PAN was read from a magnetic stripe, off of a smart chip, or typed into a Web form, the PAN protection requirements are the same.

Bob Russo, general manager of the PCI council, notes that organizations in some countries, like Japan, have spent a lot of time complying with security frameworks—such as the Information Security Management Systems (ISMS) approach of ISO 27001 and 27002—and don’t want to spend time complying with an additional standard. The card brands, along with the council, are working to raise awareness that DSS is not optional and not replaceable by any other certification work.

If an organization has been concentrating only on U.S. operations, it’s time for it to start thinking globally and assessing all sites where card information is transacted. And if you are using a compliance framework, consider mapping the controls and documentation in place to those needed for the PCI assessment. Many companies report that “careful compliance recycling” can reduce overhead when certifying to new and emerging standards.

PCI compliance may not be a simple art, but there are ways—like leveraging compliance frameworks—to make it simpler. There are a lot of rules and requirements for PCI, but the core goal is simple: protect credit cards on those digital “mean streets.”

Resources

PCI Security Standards Council
Provides information on standards, QSAs and more.
www.pcisecuritystandards.org

PCI Knowledge Base
Offers tips from research community.
www.knowpci.com

Visa
Includes list of validated payment applications.
http://usa.visa.com/merchants/risk_management/cisp.html

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
CHANGES

PCI DSS 1.2 Answers Questions and Raises Others
The latest version of the standard provides clarity on wireless and Web application requirements.
BY DIANA KELLEY

IN OCTOBER 2008 the PCI Security Standards Council, stewards of the PCI Data Security Standard, released version 1.2. PCI DSS version 1.2 is not a sweeping rewrite of version 1.1. Most of the changes listed in the summary document are clarifications of wording and terminology. Bob Russo, general manager of the PCI Security Standards Council, said the group’s goal was “eliminating as many questions as possible.”

Some welcomed the changes, since some terms were poorly defined in the last iteration, making them confusing and difficult to interpret. For example, Requirement 6.6 of version 1.1 called for an “application-layer firewall.” Retailers and PCI assessors (QSAs) alike wondered whether an application-layer-aware firewall, like the Cisco Systems Inc. PIX or ASA firewall, would suffice, or if it called for a Web application firewall like Barracuda Networks Inc.’s Web Site. Although the summary changes continue to reference “application-layer firewall,” the Council issued specific guidance on the terminology in February regarding the product type intended. Troy Leach, technical director of the PCI Security Standards Council, said that the testing procedures for Requirement 6.6 in version 1.2 make it clear that the Council is referring to Web application firewalls.

Other terms that received clarification and usage consistency makeovers are primary account numbers (PANs) and “strong cryptography.” In version 1.1, “strong cryptography” is not defined; however, the audit/assessment procedures used by QSAs did list “Triple-DES 128-bit and AES 256-bit” as examples.
Another tricky one: Does the PCI DSS apply to electronic media exclusively or is paper included? According to version 1.2, it applies to both electronic and paper media that contain cardholder data. This will create additional work for those organizations that had misinterpreted version 1.1 and kept paper media out of scope during DSS compliance work.

Compensating controls

When enterprises are not able to meet the exact letter of the standard, they look to controls that will provide the same level of protection. Perhaps the most well-known example of this is PCI Requirement 3.4, which requires that if PANs are stored, they must be either rendered unreadable (by one-way hashing or truncation) or encrypted (using strong cryptography). When many organizations found neither of these options was feasible, Appendix B of PCI DSS version 1.1 provided a list of acceptable compensating controls that could be used in place of those listed in the requirement.
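To make the two “rendered unreadable” options of Requirement 3.4 concrete, here is an added example (my code, not from the article or the PCI SSC): truncation that keeps only the last four digits and discards the rest, and a one-way hash. The requirement text above says only “one-way hashing”, so the choice of a keyed hash (HMAC-SHA256) is mine; the plain, unkeyed digest is shown beside it as the form to avoid, because when the issuer prefix and the last four are known, few digits remain to guess against an unkeyed digest. The demo key, the function names and the stored record layout are assumptions.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key comes from a key manager
# or HSM and is rotated; it is never a literal in application code.
DEMO_KEY = b"demo-only-key-obtained-from-key-management"


def normalize_pan(pan: str) -> str:
    """Strip the spaces and hyphens people type and check the length is PAN-like."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits. The rest is discarded, not hidden,
    so nothing stored can be turned back into the PAN."""
    return normalize_pan(pan)[-4:]


def weak_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and unkeyed, so anyone holding the
    digest can test candidate PANs against it. Shown only as the form to avoid."""
    return hashlib.sha256(normalize_pan(pan).encode()).hexdigest()


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). Without the key, candidate PANs cannot
    be tested against the token; with it, the same PAN always yields the same
    token, so records can still be matched (returning customer, chargeback)."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def make_record(pan: str, key: bytes) -> dict:
    """What gets stored in place of the PAN: last four plus the keyed token."""
    return {"last4": truncate_pan(pan), "pan_token": pan_token(pan, key)}


def record_matches(pan: str, record: dict, key: bytes) -> bool:
    """Compare a freshly presented PAN against a stored record in constant time."""
    return hmac.compare_digest(pan_token(pan, key), record["pan_token"])


if __name__ == "__main__":
    record = make_record("4111 1111 1111 1111", DEMO_KEY)
    print(record)
    print(record_matches("4111-1111-1111-1111", record, DEMO_KEY))
```

Neither function stores the full PAN anywhere, which is the whole point of 3.4; if the business case genuinely needs the PAN back (the 18-month retrievable-storage obligation some retailers describe elsewhere in this guide), truncation and hashing do not apply and the encryption option, with its key management, is the one to assess.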
Version 1.2 provides additional information about compensating controls and flexibility options for other requirements. In the updated standard, Requirement 1 eases the timeline for reviewing firewall rules from quarterly to every six months. And the 30-day patch cycle, from the often-dreaded Requirement 6, now has “added flexibility…by specifying that a risk-based approach may be used to prioritize patch installation.” Under version 1.1, many retailers scrambled to install patches within 30 days, often short-circuiting their standard patch life cycle testing in an effort to meet the strict timeline. A thorough approach to patching, however, requires testing, prioritization and a robust pre-production process, which can take longer than 30 days. The change allows for risk-based approaches that may require more time.

Another welcome change concerns physical security. PCI DSS Requirement 9 called for cameras to monitor “sensitive areas,” but was an area like a restaurant dining room—where credit cards are handed to staff—considered sensitive enough to require a camera? How about a point-of-sale (PoS) cash register at a food court kiosk? Under version 1.2, organizations now have more flexibility to select other access control mechanisms when appropriate.

More requirements

While the clarification and compensating control changes are welcome, there are some additional requirements in version 1.2. For example: “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission.” For those of you who thought perhaps the Council meant 802.1X, you’re not alone; I thought that at first, too, because 802.11x is a placeholder for upcoming standards and not an IEEE standard.
16. Leach said 802.11x was used to indicate that upcoming versions of the DSS
may include recommendations for using emerging 802.11 standards, such as
802.11i. So for more specifics, we’ll all have to stay tuned. On the plus side, version
1.2 will continue to allow SSL/TLS and IPsec for protection of data transmissions
over both wired and wireless networks.
Some potential heartburn may come from this change regarding wireless net-
work encryption: “New implementations of WEP are not allowed after March 31,
TABLE OF CONTENTS
2009…Current implementations must discontinue use of WEP after June 30,
2010.” Wired Equivalent Privacy (WEP) has been broken for many years, so it
makes sense for the Council to call for an end to its use in cardholder data environ-
EDITOR’S DESK
ments, but many “out of the box” point-of-sale packages still commonly rely on
WEP for proper operation. The two-year timeline for complete replacement of
these systems may be too aggressive for retailers. If so, the Council will need to
GETTING PCI amend the timeline.
COMPLIANT
Finally, the antimalware requirement has been updated to include “all operating
system types.” Antimalware for Mac platforms and Unix/Linux is available, but
options are limited. As for mainframes (like System z), there just aren’t options.
For platforms like mainframe and some flavors of UNIX, organizations can consider
layering anti-malware protection by using gateways or other compensating controls.
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She
formerly served as vice president and service director with research firm Burton Group. She
has extensive experience creating secure network architectures and business solutions for large
corporations and delivering strategic, competitive knowledge to security software vendors.
FROM WEP TO WPA

Wireless Encryption in the Wake of PCI DSS 1.2

Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA)
security no later than June 30, 2010.

BY MIKE CHAPPLE
THE PCI SECURITY STANDARDS COUNCIL recently announced the imminent release of the
Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision
includes a number of changes, updates and clarifications that affect anyone involved in
the storage, processing or transmission of credit card information. One of the major areas
of change, however, involves the use of wireless networks to transmit cardholder data.
In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council
announced several adjustments to the wireless network security requirements:
• Wireless must be implemented using strong encryption for authentication and
transmission. The Council cites IEEE 802.11i as an appropriate example.
• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy
(WEP) networks.
• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA)
security no later than June 30, 2010.
Using WEP encryption to “protect” a wireless network is a bad idea, and that fact shouldn’t
be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of
WEP encryption also played a central role in the well-known TJX Companies Inc. breach, one of
the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the
use of WEP encryption with the presence of compensating controls, including quarterly key
rotation, MAC-based host restrictions, and the use of supplemental encryption.
For smaller networks, WPA security and 802.1X authentication may be fairly trivial
to implement. In some cases, however, the work may require significant infrastructure
and/or payment system upgrades.
Converting to WPA
WPA has been standard technology on all wireless equipment manufactured since
September 2003. For those using such equipment, converting to WPA may be as simple
as changing a setting on the wireless access points and reconfiguring networked
devices to access the new WPA network. However, for those using obsolete or
specialized hardware, this change may not be so simple; you may need to get
the manufacturer involved.
The good news is that everybody’s in the same boat. Manufacturers that wish to support
payment card applications must also support WPA encryption if they intend to continue
serving the payment card industry. The bad news is that nobody requires vendors to retrofit
existing equipment to accommodate the upgrade. Companies may find themselves
sitting on a lot of expensive but obsolete hardware, with no option other than
upgrading it or ripping it out piece by piece.
Going “enterprise”
The second task is a bit more subtle and tends to be ignored in the initial analysis of
PCI DSS 1.2. The summary states: “Wireless must now be implemented according to
industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication
and transmission.” But what does PCI DSS 1.2’s reference to “industry best practices”
for authentication mean for enterprise security managers?
From my perspective, it means that the use of a pre-shared key is not acceptable
in all but the smallest and most well-controlled environments. Rather than using the
authentication method of the simpler WPA-Personal mode, where every device on
the network uses a single shared secret key, individual machine-based or user-based
authentication should be put in place to protect network access. The use of WPA-
Enterprise technology allows individual users or devices to be provisioned and
de-provisioned without reconfiguring the entire network. It’s clearly a good security
practice, but it can be difficult to implement for those who don’t have experience
with it.
Enterprises that are already running a RADIUS and Active Directory environment
may be able to simply tie it in to the wireless infrastructure using 802.1X.
Essentially, WPA-Enterprise allows you to avoid the security problems associated
with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses
802.1X to access an external authentication server to validate access requests using
the credentials of individual users. Those that don’t have this technology in place will
need to think about the best way to deploy WPA-Enterprise in their environments.
For example, you’ll probably want to first ensure that both your wireless infrastructure
(access points, controllers, etc.) and your wireless devices (laptops, PDAs, etc.)
support WPA-Enterprise. You’ll then need to decide the appropriate authentication
back end for your environment. In most Microsoft shops, you’ll want to configure
RADIUS to authenticate against an existing Active Directory. Otherwise, you’ll need
to find another source of user authentication data and integrate it with your RADIUS server.
Finally, you’ll need to devise a rollout strategy. One common approach is to stand
up the WPA-Enterprise network alongside your existing wireless networks and allow
users a transition period of several weeks before shutting off the legacy network. For
more practical advice on deploying WPA-Enterprise, read Controlling WLAN access
on a tight budget.
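Before any of that planning, you need an inventory of what is actually on the air in the cardholder data environment. The following Python audit is an added example, not code from the article or from any vendor named in it: it parses scan output in the style of `iwlist <iface> scan`, sorts each network into open, WEP, WPA-Personal or WPA-Enterprise from the information elements it advertises, and maps that to the PCI DSS 1.2 wireless points above (no new WEP after March 31, 2009; no WEP at all after June 30, 2010). The scan text is constructed, the exact iwlist line formats and the PASS/WARN/FAIL rules are assumptions, and the WPA-Personal warning reflects the author's guidance on pre-shared keys rather than a literal requirement of the standard:

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample in the style of `iwlist <iface> scan` output; not a real capture.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:01
                    ESSID:"POS-LEGACY"
                    Encryption key:on
                    Quality=60/70  Signal level=-50 dBm
          Cell 02 - Address: 00:11:22:AA:BB:02
                    ESSID:"POS-WPA2"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : 802.1x
          Cell 03 - Address: 00:11:22:AA:BB:03
                    ESSID:"BACKOFFICE"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
          Cell 04 - Address: 00:11:22:AA:BB:04
                    ESSID:"GUEST"
                    Encryption key:off
"""

WEP_SUNSET = date(2010, 6, 30)   # PCI DSS 1.2: existing WEP must be gone after this date


@dataclass
class Network:
    bssid: str
    essid: str = ""
    encryption: bool = False                      # "Encryption key:on/off"
    wpa_ies: list = field(default_factory=list)   # "WPA" and/or "WPA2" (RSN) elements seen
    ciphers: set = field(default_factory=set)     # TKIP, CCMP, ...
    auth: set = field(default_factory=set)        # "PSK" or "802.1x"


def parse_iwlist(text):
    """Turn iwlist-style scan text into Network records (assumed line formats)."""
    nets, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", s)
        if m:
            cur = Network(bssid=m.group(1))
            nets.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("ESSID:"):
            cur.essid = s[len("ESSID:"):].strip('"')
        elif s.startswith("Encryption key:"):
            cur.encryption = s.endswith("on")
        elif s.startswith("IE: IEEE 802.11i/WPA2"):
            cur.wpa_ies.append("WPA2")
        elif s.startswith("IE: WPA Version"):
            cur.wpa_ies.append("WPA")
        elif s.startswith(("Group Cipher", "Pairwise Ciphers")):
            cur.ciphers.update(s.split(":", 1)[1].split())
        elif s.startswith("Authentication Suites"):
            cur.auth.update(s.split(":", 1)[1].split())
    return nets


def classify(net):
    """One of: open, WEP, WPA-Personal, WPA-Enterprise."""
    if not net.encryption:
        return "open"
    if not net.wpa_ies:
        return "WEP"                 # encryption on but no WPA/RSN element: legacy WEP
    if "802.1x" in net.auth:
        return "WPA-Enterprise"
    return "WPA-Personal"


def assess(net, today):
    """Map a network's security mode to a (mode, status, reason) finding."""
    mode = classify(net)
    if mode == "open":
        return mode, "FAIL", "no encryption for authentication or transmission"
    if mode == "WEP":
        status = "FAIL" if today > WEP_SUNSET else "WARN"
        return mode, status, "WEP; must be replaced by " + WEP_SUNSET.isoformat()
    if mode == "WPA-Personal":
        return mode, "WARN", "pre-shared key; acceptable only in small, tightly controlled environments"
    if "TKIP" in net.ciphers and "CCMP" not in net.ciphers:
        return mode, "WARN", "802.1X but TKIP only; prefer CCMP (802.11i)"
    return mode, "PASS", "802.1X authentication with 802.11i encryption"


def audit(text, today=None):
    """Findings keyed by ESSID; `today` may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    return {n.essid: assess(n, today) for n in parse_iwlist(text)}


if __name__ == "__main__":
    for essid, (mode, status, why) in audit(SAMPLE_SCAN).items():
        print(f"{status:4} {essid:12} {mode:15} {why}")
```

Run it against real `iwlist` output by replacing SAMPLE_SCAN with the captured text; anything reported as WEP is the hardware the article warns about, and the date-dependent status is what turns a WARN into a FAIL once the deadline passes.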
Summing up
The new wireless requirements imposed by PCI DSS 1.2 aren’t a surprise to payment
card security professionals. We’ve been expecting them ever since the first release of
PCI DSS 1.0, and they represent best practices in wireless security. The time has now
come to comply, and the council has set a clear deadline: June 30, 2010. That might
sound far away, but the best advice I can offer you is to start planning now. If the
changes are simple, you’ll finish way ahead of the deadline and have plenty of time
to relax. However, if your infrastructure requires major changes, you’ll have the
necessary opportunity to plan and deploy those changes properly.
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame.
He previously served as an information security researcher with the National Security Agency
and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for
Information Security magazine and the author of several information security titles, including
the CISSP Prep Guide and Information Security Illuminated. He also answers your questions
on network security.
SECURING PANs

Is Tokenization the Cure-all for PCI Compliance?

The technology attempts to replace cardholder data with a token instead of a PAN.

BY ED MOYLE

STOP FOR A MOMENT and imagine what it would be like if
all of the sensitive data in your company suddenly went
away. It wasn’t stolen; your company just found a way to
operate without needing to keep that sensitive data on
hand. Sounds pretty sweet, right?
For everyone in the payment lifecycle, the sensitive
data our firms need to do business is like a giant albatross around our necks. We need to
protect it, constantly monitor who has access to it, and we live in constant fear of it getting
stolen. Financial-services firms such as card issuers and acquirers have it worst of all: we
have a vested interest in making sure our merchants are protecting the data, but we often
don’t have direct control over whether or not they do.
So it’s no wonder a technology hitting the scene that promises to make all these
headaches go away would get a lot of attention. While we’re all struggling to get and stay
compliant with the PCI Data Security Standard, the idea that we could install some technology
that reduces the stress of protecting sensitive data has quite an appeal. And this is exactly
what tokenization promises to do.
What is tokenization?
To see how tokenization works and why it’s useful, it helps to compare how a typical payment
transaction currently works versus the ideal of a fully tokenized scenario. When a customer
goes to a company and hands off his or her card for authorization, the default scenario is that
the merchant needs to keep the cardholder data on file to perform a variety of functions. For
example, the merchant needs to keep a record of the account to settle transactions, process
recurring payments (like at a gym), modify or update the transaction amount based on
instructions from the customer (such as when a customer wants to add a tip to a restaurant
bill), or issue refunds.
In this case, the cardholder data is necessary for a company to do business. But while it’s
necessary, it also carries a serious compliance burden: much of the PCI DSS speaks directly
to the requirements related to that data storage.
By contrast, tokenization attempts to minimize the amount of data the business
needs to keep on hand; in this case, by replacing the cardholder data with a “token,”
a randomly generated value the merchant can use instead of the primary account
number (PAN). Since the token is not a PAN, and can’t be used outside the context
of that unique transaction with the merchant, it doesn’t have the same high level of
sensitivity that a PAN carries.
In a tokenization scenario, the organization outsources their payment processing
to a service provider that provides a “tokenization option,” such as Shift4 Corp.,
Electronic Payment Exchange, Merchant Link or Braintree Payment Solutions. The
service provider handles the issuance of the token value and also handles the heavy
lifting of keeping the cardholder data locked down. Alternatively, a more in-house
approach might leverage a product like nuBridges Inc.’s Protect to bring the service-provider
functionality on premises.
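To make the token-versus-PAN distinction concrete, here is an added Python example; it is not code from the article or from any of the providers named above. The TokenVault class is a hypothetical stand-in for the provider-side vault that is the only place a PAN is ever stored, while the merchant keeps just the token the vault hands back. The token format (same length as the PAN, last four digits preserved for receipts, remaining digits random, and the Luhn check deliberately failing so a token can never be mistaken for a live card number) and the test card number are assumptions of the example:

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_plausible_pan(s: str) -> bool:
    """13 to 19 digits and Luhn-valid; the vault refuses anything else."""
    return re.fullmatch(r"\d{13,19}", s) is not None and luhn_valid(s)


class TokenVault:
    """Hypothetical in-memory stand-in for the service provider's vault.

    Only this object ever sees a PAN. The merchant keeps the tokens it hands
    back, which is what takes PAN storage out of the merchant's PCI scope."""

    def __init__(self, rng=secrets):
        self._token_to_pan = {}
        self._pan_to_token = {}     # same card -> same token, so recurring billing works
        self._rng = rng

    def _new_token(self, pan: str) -> str:
        # Keep the PAN's length and last four digits (receipts, customer lookups),
        # randomize the rest, and force the result to FAIL Luhn so a token can never
        # be mistaken for a live PAN or accidentally sent for authorization.
        while True:
            body = "".join(str(self._rng.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        if not is_plausible_pan(pan):
            raise ValueError("not a plausible PAN")
        if pan not in self._pan_to_token:
            token = self._new_token(pan)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """Provider-side only: resolves a token for settlement, refunds or tips."""
        return self._token_to_pan[token]    # KeyError for an unknown token


def mask_pan(value: str) -> str:
    """Display masking in the PCI DSS Req. 3.3 style: at most first six and last four."""
    return value[:6] + "*" * (len(value) - 10) + value[-4:]


def merchant_sale(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant retains after a tokenized sale: token and masked form, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_pan(token), "amount": amount}


# Constructed test card number (the common Visa test PAN), not a real account.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    sale = merchant_sale(vault, TEST_PAN, 42.50)
    print("merchant record:", sale)
    # A later tip adjustment references only the token; the provider resolves it.
    print("provider resolves to:", mask_pan(vault.detokenize(sale["token"])))
```

The point the article makes about scope is visible in the merchant_sale record: the PAN crosses the merchant's systems on the way into tokenize(), which is why the in-transit requirements still apply, but nothing the merchant stores afterwards is a PAN.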
Pros and cons of tokenization
The relative benefits of a tokenization scenario should probably be pretty clear for folks
who’ve been worried about complying with the PCI DSS. Requirements like 3.4 (“Render
PAN, at minimum, unreadable anywhere it is stored…”) go from being an “Oh my gosh”
to a “Who cares.” Why? Because the token isn’t a PAN; once you make the switch, you’re
no longer storing PANs, so that requirement, as well as numerous others in the PCI DSS
that target data storage, ceases to apply.
From an integration standpoint, companies offering these services are heavily incented
to keep complexity down because it enables them to sell to smaller merchants and retailers
with limited in-house technical expertise. This is good news for larger organizations as well.
Now, no integration is ever truly “seamless,” but since the majority of changes are on the
backend (service provider) side, changes to the merchant environment should be relatively few.
Given that, if you’re like many organizations, deploying a tokenization solution
can be a more cost-effective way to meet PCI requirements than implementing a
host of technical security controls around data storage. While there are fees associated
with the implementation of a tokenization solution, the reduced scope of compliance
and the reduced need for storage-related technical controls is likely to wind up a net
gain.
But just as there’s no such thing as a free lunch, there’s also no panacea, at least
not in information security. In most scenarios, it’s the merchant who supplies the
cardholder data to the service provider in order for the tokenization to occur. This
means the merchant does have a role in the transaction flow. And because the PCI
DSS applies to everyone who stores, processes or transmits the data, they still have
compliance obligations. While it’s certainly true that those compliance requirements
are less when dealing with tokens versus live PANs, organizations still need to make
sure they comply with the requirements designed to protect data in transit, at least
for the machines and processes involved in the transaction before tokenization
occurs.
Ed Moyle is a manager with CTG’s Information Security Solutions practice and a founding
partner of consulting firm SecurityCurve. He is co-author of “Cryptographic Libraries for
Developers” and a frequent contributor to the information security industry as an author,
public speaker, and analyst.
EMERGING TECHNOLOGIES

PCI, Virtualization and Cloud Computing

BY MICHAEL COBB

Compliance guidelines on virtualization will likely be in a state of flux for some time.
IMAGINE THIS SCENARIO: You’ve successfully migrated all the company’s non-critical
applications, the internal infrastructure and the development center on to virtual
servers. Management is happy because you’ve lowered both capital and operating
costs, increased energy efficiencies, as well as improved business continuity.
But like every business at the moment, your managers need you to reduce
costs even further. They’re pushing for you to consolidate and run the mission-critical
applications, including the Internet-facing e-commerce ones, on virtualized
servers, too. But can you remain compliant with the Payment Card Industry Data
Security Standard (PCI DSS) while fully leveraging the business benefits of virtualization?
What PCI has to say about virtualization
This is a problem many IT managers face, and there’s a distinct lack of guidance on virtualization
from the PCI Security Standards Council. Version 1.2 of the standard, released
in October 2008, did clarify a number of issues, but it didn’t address virtualized environments.
To benefit from virtualization, virtual servers will typically have multiple functions
running on a single physical server. Requirement 2.2.1 of the PCI DSS, however, states that a
server should perform only one primary function. So, according to the standard, Web
servers and database servers should each be implemented on a separate machine. For a
company that needs to be PCI compliant, those restrictions make the task of virtualizing
an infrastructure a difficult one.
The PCI Data Security Standard does not yet address virtualized servers or related
audit requirements, meaning that qualified security assessors (QSAs) must use their own
judgment to determine whether organizations that implement virtualized servers meet
the PCI mandates. This less-than-ideal situation is compounded when you consider that
IT and security professionals themselves are still unsure of how virtualization changes
the risk profile of a system, especially when the technology has been described as one
that keeps “all the eggs in one basket,” due to the fact that a compromise of the VM host