Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.

1. White Paper
Best Practices to Protect the Cardholder Data
Environment and Achieve PCI Compliance

2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Best Practices to Protect the Cardholder Data Environment and
Achieve PCI Compliance
Executive Overview
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and
financial information. With over 127 million records exposed in 2007 in the US alone, attacks have become more
sophisticated, involving not only attacks at both the network layer and the application layer but also other attack
vectors such as social manipulation, breakdown in internal security processes and trusted insider abuse. The cost to
businesses, in lost revenue and customer loss, can be staggering. TJX estimates that it spent over $20M related to
its late 2006 breach, including settling lawsuits and addressing data security issues.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations
secure cardholder processing environments. Formed in 2004 by Visa, MasterCard, American Express, Discover, and
JCB, in response to the emerging threat to cardholder information, the PCI Standard Security Council (PCI SSC)
provides 12 requirements that must be met for compliance with the standard; failure to do so may result in steep
fines that can reach in the hundreds of thousands of dollars. PCI DSS V1.2, the latest update, was released in
October 2008; the complete document, as well as what is new with V1.2 can be found at the PCI Security Standards
Council website.
Best practices to effectively secure the cardholder environment and achieve compliance with the standard start
with a properly documented, executive management endorsed, information security policy that must be broadly
communicated, tested and enforced. These best practices also include understanding the organization’s cardholder
data environment (where the data is located and stored and how it moves between applications), regular monitoring
of network for potential vulnerabilities, on-going reporting of network activity, and regular inside and third-party
penetration testing.
Data Breach Profile
Targeted, financially motivated attacks via the Internet continue to be on the rise, fueled even further by current
economic factors. Internally originated threats are still considered to be a primary cause of security breaches, but
external attacks are still a very serious threat. When asked at a recent e-Crime Survey who caused more damage,
internal or external attacks, the distribution was fairly even, at 34% vs. 37%, respectively
. Acquiring unsecured financial information is the primary objective of hackers and organized crime in order to fuel
a thriving black market for stolen credit card numbers, bank accounts, passwords, personal identification numbers
and other data. With dramatically reduced budgets, the associated layoffs and fierce competition for revenues,
industrial espionage is also likely to pose an increased threat. These attacks not only target online retailers but also,
increasingly, higher education, government, manufacturing and bio-medical organizations. Furthermore, breaches
now also occur on point-of-sale, back office, and wireless technology systems. Recent reported vulnerabilities, also
on the rise (Figure 1), include SQL injections, poor/default server configuration, and Cross Site Scripting.

3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
The Business Threat
According to the Identity Theft Resource Center (ITRC), in 2007 the total number of records containing sensitive
personal information involved in security breaches was 127,726,343, involving companies that span all industries –
retail, education, financial, government, telecommunications, healthcare, publishing, manufacturing, bio-med – no
industry was immune. All companies handle personal information of some type, which subjects them to attack.
Recently, the most successful attacks have been sophisticated, targeting particular organizations and designed for
financial gain. Attacks have become more complex and involve other factors such as social engineering, insider
abuse, and process breakdown in addition to technology weaknesses.
While the impact of the loss of personal information can be traumatic for consumers, who must go through the
anxiety and remediation steps of potential or real identity theft, the cost to businesses can be staggering. Fines,
loss of revenue, loss of customer loyalty, irreparable damage to brand or image, have all been experienced by
organizations that have been hit by a data breach.
Figure 1 – Based on US Computer Emergency Readiness Team (CERT) Vulnerability Remediation Statistics; (total # of
vulnerabilities cataloged based on public sources or directly submitted to CERT)
*2008 estimated based on actual information through 3Q2008

4. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Payment Card Industry Data Security Standard (PCI DSS)
To combat data theft, the major credit card companies created a Data Security Standard that requires merchants,
web-based retailers, and service providers that accept or process credit cards to comply with well-defined security
directives. According to the standard, all members, merchants, and service providers that store, process, or
transmit cardholder data must meet specific security requirements, which necessitate building a secure network
and maintaining a vulnerability management program (see Table 1). To demonstrate compliance, most merchants
and service providers must provide security assessments and perform quarterly network scans to locate and fix
vulnerabilities to mitigate the risk of intrusion. Those organizations found not to be in compliance can face hefty
penalties, in the hundreds of millions of dollars, if data breaches are discovered.
Merchant Validation Requirements1
Level/Tier Merchant Criteria
(Annual Transactions)
Validation Requirements
1 Over 6 million Annual Report on Compliance (ROC) by Qualified Security
Assessor (QSA)
Quarterly network scan by Approved Scan Vendor (ASV)
2 1 to 6 million (all
channels)
Annual Self-Assessment Questionnaire (SAQ)
Attestation of Compliance Form
3 20K to 1 million Annual SAQ
Quarterly network scan by ASV
Attestation of Compliance Form
4 Less than 20K
e-commerce and
all other merchants
processing up to 1
million
Annual SAQ recommended
Quarterly network scan by ASV if applicable
Compliance validation requirement set by acquirer
Table 1: Merchant Validation Requirements
PCI DSS is designed to facilitate global adoption of consistent data security measures to eliminate the loss of
cardholder information, and clearly defines the steps needed to secure a networked environment. The scope of
these requirements is broad but straightforward, giving direction to the service providers and merchants on what
technologies, policies and procedures are needed to achieve compliance. PCI DSS incorporates best practices for
perimeter security, data privacy, and application security.
Lacking any other guide to network security, the PCI DSS has been used by many network security professionals to
develop a network security plan. But more specifically, the PCI DSS is a framework of best practice requirements
for those companies that handle sensitive credit card data to ensure that they properly protect that information.
By banding together and supporting the PCI DSS, the major credit card companies have developed momentum for
standard adoption.

5. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Even though merchant compliance is up significantly (by end of 2007, 77% of large merchants vs. 12% in March 2006,
and 62% of midsize merchants vs. 15% in 2006, according to a report issued by Visa in early 2008), a recent Gartner
report1
indicates that “newly released statistics show Visa making strong progress in driving Payment Card Industry
security compliance…but other card brands’ compliance efforts, and PCI Security Council communications, still
need improvement.” Merchants that fail to meet the standards risk stiff penalties imposed for non-compliance.
According to Visa, penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements
or even losing the ability to process credit card transactions. And these new regulations are holding all merchants,
regardless of size, to much higher standards of performance when it comes to protecting the financial and personal
information of their customers.
What is PCI Compliance?
The PCI DSS requires any merchant, processor, point-of-sale vendors, financial institutions and payment companies
to implement processes, procedures and technology to protect credit card information. There are twelve PCI DSS-
required controls that cover access management, network security, incident response, network monitoring and
testing and information security policies:
Build and Maintain a Secure Network (*) Install and maintain a firewall configuration to protect
cardholder data
Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect Cardholder Data Protect stored cardholder data
Encrypt transmission of cardholder data across open, public
networks
Maintain a Vulnerability Management Program Use and regularly update antivirus software
Develop and maintain secure systems and applications
Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Regularly Monitor and Test Networks (*) Track and monitor all access to network resources and
cardholder data
Regularly test security systems and processes
Maintain an Information Security Policy Maintain a policy that addresses information security
* PCI DSS also provides guidelines to prevent breaches involving wireless networks used in environments that contain
credit card data:
1. Firewall segmentation between wireless networks and POS networks
2. Use of a wireless analyzer to detect unauthorized wireless devices and attacks
1 Gartner Research Report “PCI Compliance Grows but Major Industry Problems Remain,” by Avivah Lilan, January 2008

6. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
As stated in Table 1, the process to become PCI DSS compliant requires that many organizations complete a detailed
self-assessment questionnaire and receive quarterly network vulnerability scans for all Internet facing systems from
an independent scanning vendor. PCI SSC New Self-Assessment Questionnaire (SAQ) Summary V1.2 is designed to help
organizations determine which SAQ is appropriate for their company. For merchants that execute 6 million or more
transactions annually, the regulations require a detailed onsite assessment. In addition, merchants who experience
an incident will automatically be treated as a level 1 merchant, and are therefore required to employ a Qualified
Security Assessor to audit the cardholder environment, at the discretion of the PCI Security Council in conjunction
with Visa/MC. Regardless of transaction rate or company size, failure to comply can lead to steep penalties and
unwanted publicity. News of a security breach taints brand image, reduces consumer trust and results in serious fines
and class action lawsuits from consumers or banks that have to reissue new credit cards.
Best Practices to Enable PCI Compliance
Policies, processes and training are as important to PCI compliance as the technologies that are implemented.
Network and security administrators must be guided by policies that embed the security standard’s requirements into
ongoing operational activities. Developing security best practices will help organizations put the controls in place to
achieve and maintain PCI compliance. These best practices must include:
• A formal Information Security Policy supported by executive management
• Broad communication, training, testing and enforcement of policies and processes
• Constant and accurate knowledge of location and movement of cardholder data
• Implementation of an enterprise level vulnerability assessment program, including regular monitoring of
network for potential vulnerabilities
• Reporting of network activity and log entries to quickly react to attacks and to validate effectiveness of
policies and technologies
• Validation of third-party as well as custom applications in the cardholder environment
• Regular third-party testing
Define Security Policies
An organization entrusted with cardholder information must develop an information security policy focused on
protecting this sensitive data from unauthorized access and from the risk of identity theft. The security policy is
a formal definition of what is allowed and what is not allowed, including acceptable use of systems, applications
and data for all categories of users, including the administrators. This policy must have executive management
support, must be fully documented and should be reviewed at minimum annually, allowing for new requirements and
updates as identified by audits and feedback. Roles and responsibilities need to be defined and employees need to
understand how he or she contributes to the security of the organization.
Implementing industry defined security policies from Microsoft, NSA, the Center for Internet Security (CIS) and
National Institute of Standards and Technology (NIST) is a good first step in ensuring that networks are properly
secured.

7. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Communication, Training, Testing & Enforcement
Once an information security policy has been defined, it must be communicated throughout the organization. Proper
communication must include a required training process whereby users learn policy procedures as well as their roles
and responsibilities; they also learn about the implications of not complying with the organization’s policies. A
comprehensive test should be administered to validate successful completion of this important training. To maximize
the effectiveness of the policies, it is imperative that organizations strictly enforce them.
It is important to note that training must also include external users that have access to the data infrastructure. For
example, for simplicity many merchants unfortunately use generic usernames and passwords to access point-of-sale
systems; since a critical aspect of the security policy must ensure knowledge of who is accessing what information
and from where, these merchants must be trained to use specific names and passwords, and to change them
according to the organization’s password policy.
A clear goal of training an organization about the information security policy is to address the growing problem of
Social Engineering. Social engineering is a term that describes the non-technical intrusion into an organization’s
data environment that relies on human interaction, often involving tricking people in order to break normal security
policies. Similar to traditional “con games” where one person is duped because they are naturally trusting, social
engineers will use any technique to gain unauthorized information. Social engineering techniques include everything
from phone calls with urgent requests to people with administrative privileges to viruses lurking behind email
messages that attempt to lure the user into opening the attachments.
Most people have a tendency to trust others. The naïve insider who falls for a phishing scam or takes a phone call
from someone who needs ‘inside’ information occurs frequently in the workplace. Employees need to be trained on
social engineering tricks, on what constitutes sensitive information, and how revealing seemingly unimportant data
can result in unauthorized access. Training should include security policies and procedures on credit card acceptance
and incident response.
Some organizations periodically test for social engineering exposure by calling individuals from a phone number
without caller id and asking some simple questions to try to learn about the business from the employee on the
phone. It is considered a best practice to integrate ‘audit response validation’ around the manipulation of the human
element.
Where is the Data?
PCI DSS V1.2 illustrates the different types of requirements that apply to cardholder data and sensitive
authentication data -- whether or not storage of the data is permitted and whether the data must be protected:
Data Element Storage
Permitted
Protection
Required
PCI DSS
Cardholder Data
Primary Account Number
(PAN)
Yes Yes Yes
Cardholder Name Yes Yes No
Service Code Yes Yes No
Expiration Date Yes Yes No
Sensitive Authentication Data* Full Magnetic Stripe Data No N/A N/A
CAV2/CVC2/CVV2/CID No N/A N/A
PIN/PIN Block No N/A N/A
Table 2 * Must not be stored after authentication (even if encrypted)

8. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Unfortunately, it is common practice for employees to duplicate data in spreadsheets, documents and other
unsecured files to share with others and simplify business processes, unknowingly exposing the company to violations.
Unnecessarily storing credit card data and failing to isolate the data from traveling across less secure parts of the
network compounds the problem. Encryption is often inconsistent across a company’s computer system and credit
card data may be protected in some instances, but not others. Organizations are often not aware of systems that
have retained cardholder data such as data warehouses, staging servers, backup systems, desktops or other systems
that for some reason received a copy of a transaction. Understanding where cardholder data is stored and where it
moves through the network and whether it is encrypted is a critical step in beginning to put together a PCI strategy
designed to protect it. Only when the location of the data is known can it be protected from unauthorized access.
As stated above, retaining full magnetic stripe or CVV2 data is in violation of the PCI DSS requirements. The PCI
standard only allows the account number, expiration date and name to be retained and cardholder data must never
be stored on a server connected to the Internet. When asking for a CVV2 code, it must not be documented or
recorded on any database after transaction authorization.
PCI compliance is more easily achieved by reducing the amount of cardholder data that is stored, and reducing the
number of systems that touch it. Organizations may need to restructure their network to consolidate all systems
that handle credit card transactions into a single network segment. By doing so, the risk of compromise is reduced,
the management and execution of the compliance process is simplified, and the scope of PCI compliance validation
efforts is contained. In addition, steps can be taken to mitigate risk via IT procedural policies. For example, IT
organizations can conduct regular scans of public/private networks to expose sensitive cardholder information
vulnerabilities and take the necessary remediation steps.
Organizations using wireless networks to connect remote locations to the central database for data consolidation
either need to provide strong encryption for the data for transfer or may want to consider moving to a more secure
medium such as secure point-to-point virtual private network connections.
Vulnerability Program – Monitoring of Network for Potential Vulnerabilities
The networked environment is not static – new systems are introduced, laptops come in an out of the network,
new software and upgrades get installed regularly. Regularly scanning the network environment for software
vulnerabilities and abnormal activity is paramount to network security and is an important PCI objective (#3), which
requires quarterly network scans; it ensures that network administrators keep track of activity that could introduce
new exposures. Scanning often uncovers new exposures introduced by updates, new systems, new software or other
changes to the environment. As noted earlier in the paper, vulnerabilities continue to be on the rise and constitute a
serious security exposure.
Organizations with online e-commerce application should protect against SQL injection attacks caused by insecure
shopping carts. The credit card companies have created lists of validated applications that should be considered for
use. Even if a proven shopping cart is used, in many organizations Internet facing systems must be scanned quarterly
for vulnerabilities that could compromise the online business.
Reporting – Required for Compliance, to Monitor Effectiveness, to Respond to Attacks
PCI compliance requires detailed documentation and reporting; PCI DSS V1.2 includes a template to be used for
creating the Report on Compliance. This template outlines the need to document, “the four most recent quarterly
scan results;” detailed report descriptions and findings on each requirement and sub-requirement; details on
specific devices, vulnerabilities and transmission; and processing of cardholder data, including authorization,
capture, settlement, charge-back and other flows as applicable, among other things. To support the requirements
of the report, organizations must document how the security policy is implemented to protect cardholder data. A

9. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
frequently updated document that proves that security policies, practices and tools are in place to maintain the
confidentiality of cardholder data will also come in extremely handy if the network is breached and data is stolen.
To ensure that the necessary information is properly documented to prove compliance as required by PCI DSS,
organizations must ensure that every security technology implemented comes with strong reporting capabilities. The
reports delivered help security staff understand the effectiveness of security programs and whether policies need
to be updated or modified. Robust reporting can help identify instances when malicious hackers or anyone without
authorization tries to access cardholder data, and thus take the necessary steps to respond. Installing products that
centrally manage the IT assets and push out software patches and antivirus updates to the systems ensures all remote
sites are up to date with security software. Being able to log and audit all transactions involving cardholder data is
required by PCI.
Selecting Validated Payment Applications
Any software vendor that develops applications for processing credit card payment should have the software
validated by a third-party, Visa-accredited assessor as part of their development process. The card associations have
developed a set of voluntary application best practices, the Payment Application Data Security Standard (PA-DSS), for
software providers that ensure an acceptable level of security and reduce the scope and costs of compliance.
These best practices also pertain to custom applications developed specifically for an organization:
Do not retain full magnetic strip or CVV2 data – Cardholder data must not be recorded in any file or database
including logs, diagnostic files, audit trails, transaction history, and images. If cardholder information must be stored,
it should never be stored on a server connected to the Internet.
• Protect stored data – Any displayed cardholder data used to populate forms must be masked.
• Provide secure passwords features – Unique usernames and complex passwords for all administrative access
and access to cardholder data must be used.
• Log application activity – Records and audit trails of anyone who accesses cardholder data must be retained.
• Develop secure applications – System development practices, secure coding practices, code reviews and
security testing must be implemented; non-essential application accounts, usernames, and passwords,
unnecessary and insecure services and protocols must be removed before applications go live.
• Protect wireless transmissions – Strongly encrypted wireless connections deployed outside firewalls must be
in place.
• Test applications to address vulnerabilities – All applications, especially those running on Internet facing
systems must be scanned, before they are deployed and regularly thereafter to ensure no exposures were
introduced via upgrades or bug fixes.
• Facilitate secure network implementation – Remote access to the network needs to be secured via firewalls,
VPNs, and two-factor authentication (username/password plus token). If the application transmits cardholder
data, it much be encrypted, especially over public networks. All non-console administrative access must also
be encrypted.

10. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Third Party Assistance
Much assistance is available to organizations striving to protect the cardholder environment and achieve PCI
compliance. DSS trains and certifies third-parties to help with the process. For some organizations, third-party
involvement is required to validate compliance but for all organizations it is required to perform quarterly network
scans. The largest (Level 1) merchants are required to have annual on-site assessments by Qualified Security
Assessors (QSA’s); other merchants may choose to use these expensive QSA’s to help validate compliance but for Level
2 – 4 merchants the Self-Assessment Questionnaire (SAQ) is all that is mandated. Many merchants are required to use
Approved Scan Vendors (ASV’s) for their mandatory quarterly scans.
Using security consultants that are experienced in holistically testing organizations’ security is highly recommended.
These consultants understand the threat and vulnerability landscape and know what needs to be tested to validate
effective policies and practices. They are also skilled at training organizations on best practices that must be
adopted to fully deploy security policies.
Achieving PCI DSS Compliance
Achieving PCI DSS compliance is no longer an option but a mandatory business requirement for any business that
wants to maintain customer relationships. Effective security policies that continuously assess and remediate
enterprise systems keep businesses compliant. By ensuring a continuous state of compliance, organizations
can proactively eliminate threats which exploit the ever changing network landscape, protect their cardholder
environment and ensure ongoing compliance.
PCI DSS has been put in place to provide valuable guidance and direction to organizations that must protect the
cardholder environment; it includes requirements that organizations must follow. Information security best practices
will help organizations achieve and maintain PCI compliance.
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and
penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable
defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats
relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and
government agencies in more than 65 countries, while the Company’s free products are downloaded more than one
million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7
has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work”
by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by
Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.
com.
PCI BP 1208
(Footnotes)
1 Visa November 10, 2008 Press Release: “Visa Sets Global DSS Deadlines”