Brian Herman of StillSecure presented on PCI Compliance Fundamentals for The Circuit. He covered what it is, why it is important, and suggestions for implementing it.
2. What is PCI Compliance?
• PCI Security Standards are technical and operational requirements set by
the PCI Security Standards Council (PCI SSC) to protect cardholder data.
– (American Express, Discover, JCB International, MasterCard, and Visa)
• Security Management and Monitoring
• Policies & Procedures
• Network Architecture
• Software design
• If you accept payment cards, you are required to be compliant with the PCI
Data Security Standard.
• PCI – The Gold Standard
– Compared to other standards the requirements are clearly defined
4. Why Is Compliance with PCI DSS Important?
• A security breach and subsequent compromise of payment card data has
far-reaching consequences for affected organizations, including:
– Regulatory notification requirements,
– Loss of reputation,
– Loss of customers,
– Potential financial liabilities (for example, regulatory and other fees and fines), and
– Litigation
5. Economics of a Credit Card Breach – Source: Coalfire
A hypothetical merchant has 10,000 card numbers and account holder information compromised.
What is the potential financial impact to the merchant?
Notify clients and provide privacy guard: $30 x 10,000 = $300,000
Fines and penalties from card brands and acquiring banks: $50,000 to $500,000
Increased PCI audits and requirements for new controls: $50,000 x 3 years = $150,000
Potential costs to re-issue credit cards: 10,000 accounts x $20 = $200,000
Reputation loss: PRICELESS!
Estimates are based on actual incidents examined by Coalfire’s forensic team. Fees and services required vary by incident.
For more information on potential costs and risk from credit card compromise, contact Coalfire (www.coalfiresystems.com)
6. Why Is Compliance with PCI DSS Important?
• Investigations after compromises consistently show common PCI DSS
violations, including but not limited to:
– Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised
entities are unaware that their systems are storing this data.
– Inadequate access controls due to improperly installed merchant POS systems, allowing malicious
users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
– Default system settings and passwords not changed when system was set up (Requirement 2.1)
– Unnecessary and insecure services not removed or secured when system was set up (Requirements
2.2.2 and 2.2.4)
– Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to
the database storing cardholder data directly from the web site (Requirement 6.5)
– Missing and outdated security patches (Requirement 6.1)
– Lack of logging (Requirement 10)
– Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file
integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
– Poorly implemented network segmentation resulting in the cardholder data environment being
unknowingly exposed to weaknesses in other parts of the network that have not been secured
according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities
introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
8. Self-Assessment Questionnaire
SAQ A: Requirement Areas 9 & 12 (13 questions / requirements)
SAQ B: Requirement Areas 3, 4, 7, 9 & 12 (29 questions / requirements)
SAQ C-VT: Requirement Areas 1-7, 9 & 12 (51 questions / requirements)
SAQ C: Requirement Areas 1-9, 11 & 12 (80 questions / requirements)
SAQ D: Requirement Areas 1-12 (286 questions / requirements)
Does your company store any cardholder data in electronic format?
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
9. Policies and Procedures
PCI requirement: Policies/procedures
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data: Configuration standards, Change control approval and testing process, Firewall placement, Maintain current network diagram, Description of roles & responsibilities, Documentation and business justification of all ports, protocols and services, Firewall and router review.
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters: Pre-production modifications, Develop configuration hardening standards, Removing/disabling insecure/unnecessary services, protocols and functionality, One function per server, Encrypting all non-console access.
Requirement 3 – Protect stored cardholder data: Limit duration of data retention, Secure deletion, Data types retained, Display masking, Safe storage, Encryption key management.
Requirement 4 – Encrypt transmission of cardholder data across open, public networks: Minimum encryption standards, Wireless standards.
Requirement 5 – Use and regularly update anti-virus software or programs: Antivirus validation (current, actively running and generating logs).
Requirement 6 – Develop and maintain secure systems and applications: Vulnerability identification, ranking and management, Patching and patch validation, Secure application development and deployment, Change control, Code reviews.
Requirement 7 – Restrict access to cardholder data by business need to know: Data control need-to-know requirements, Role-based access.
Requirement 8 – Assign a unique ID to each person with computer access: Authentication and password management policies and procedures, Unique ID, User verification for password resets, Employee termination, Remove inactive users, Vendor access, Password length, duration and strength.
Requirement 9 – Restrict physical access to cardholder data: Access control, Badge assignment, Visitors, Media access, distribution and destruction.
Requirement 10 – Track and monitor all access to network resources and cardholder data: Daily log review, Exception handling, Log retention and availability.
Requirement 11 – Regularly test security systems and processes: Detect and identify wireless access points, Alerting, Incident handling and response, IDS/IPS configuration and updates, Change control.
Requirement 12 – Maintain a policy that addresses information security for employees and contractors: Information security policy, Risk assessment, Daily operational procedures, Usage policy, Personnel roles and responsibilities, Monitoring & analysis, Incident response and escalation plan, Security awareness program.
10. Technologies
PCI requirement: Technologies
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data: Firewall (network and personal), Routers and switches, File Integrity Monitoring.
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters: Vulnerability scanning / management, VPN.
Requirement 3 – Protect stored cardholder data: Encryption, Backup / data retention.
Requirement 4 – Encrypt transmission of cardholder data across open, public networks: Encryption, VPN, Firewall, WAF, IDS/IPS.
Requirement 5 – Use and regularly update anti-virus software or programs: Antivirus, File Integrity Monitoring, Log management.
Requirement 6 – Develop and maintain secure systems and applications: Vulnerability scanning / management, Patch management, WAF.
Requirement 7 – Restrict access to cardholder data by business need to know: Firewall, VPN, Authentication, Application-level access control.
Requirement 8 – Assign a unique ID to each person with computer access: Multi-factor authentication, Application-level access control, Firewall, VPN.
Requirement 9 – Restrict physical access to cardholder data: PCI-certified data centers.
Requirement 10 – Track and monitor all access to network resources and cardholder data: Log management, SIM, SEIM, File Integrity Monitoring, NTP service.
Requirement 11 – Regularly test security systems and processes: Vulnerability scanning, IDS/IPS, File Integrity Monitoring, Log management.
Requirement 12 – Maintain a policy that addresses information security for employees and contractors: Log management, SIM, SEIM, IDS/IPS.
11. Ten Common Myths of PCI DSS
Myth 1 – One vendor and product will make us compliant
Myth 2 – Outsourcing card processing makes us compliant
Myth 3 – PCI compliance is an IT project
Myth 4 – PCI will make us secure
Myth 5 – PCI is unreasonable; it requires too much
Myth 6 – PCI requires us to hire a Qualified Security Assessor
Myth 7 – We don’t take enough credit cards to be compliant
Myth 8 – We completed a SAQ so we’re compliant
Myth 9 – PCI makes us store cardholder data
Myth 10 – PCI is too hard
*Source: PCI Security Standards Council
12. Proven PCI management practices
• Limit the Scope of the PCI environment
• PCI embedded in an overall security program
• PCI compliant policies, procedures, and training
• Monitoring and Reporting
• Due diligence of your service providers and vendors
• Work with a QSA
• PCI DSS General Tips and Strategies to Prepare for Compliance Validation
1. Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks):
   – NEVER STORE THIS DATA
2. Ask your POS vendor about the security of your system
3. Cardholder data – if you don’t need it, don’t store it!
   – Payment brand rules allow for the storage of the Primary Account Number (PAN), expiration date, cardholder name, and service code.
4. Cardholder data – if you do need it, consolidate and isolate it.
5. Compensating Controls
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
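Two points the deck keeps returning to, the magnetic-stripe data that compromised entities did not know they were storing (Requirement 3.2, slide 6) and the rule that PAN may be kept only if protected and masked on display while track data and verification codes are never stored (slides 9 and 12), can be turned into a check you run over your own logs and exports. The following is an added Python example, not code from the presentation or from StillSecure; the regular expressions, the sample records and the test card numbers are constructed assumptions.

```python
import re

# Constructed sample records (log / DB export); card numbers are Luhn-valid test numbers, not real.
SAMPLE_RECORDS = [
    "2024-01-05 order=1001 pan=4111111111111111 exp=1227 name=JANE DOE",
    "2024-01-05 swipe raw=%B4111111111111111^DOE/JANE^12271011000000000000?",
    "2024-01-05 swipe raw=;4111111111111111=12271011000000000000?",
    "2024-01-05 order=1002 pan=5555555555554444 cvv=123",
    "2024-01-05 order=1003 ref=ORD-20240105-000123",
]

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")        # candidate PAN: 13-19 digit run
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]*\^\d{4}")    # track 1: %B<PAN>^<NAME>^YYMM...
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")              # track 2: ;<PAN>=YYMM...
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*=\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn check, so order ids and timestamps are not reported as PANs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

def classify(record):
    """'pan' may be stored if protected; track1/track2/cvv are SAD (Req 3.2): never store."""
    findings = set()
    if TRACK1_RE.search(record): findings.add("track1")
    if TRACK2_RE.search(record): findings.add("track2")
    if CVV_RE.search(record): findings.add("cvv")
    if any(luhn_ok(d) for d in PAN_RE.findall(record)): findings.add("pan")
    return findings

def mask_pan(pan):
    """Display masking (Req 3.3): show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact(record):
    """Mask every Luhn-valid PAN in a record; SAD must be deleted outright, not masked."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0), record)

def scan(records):
    """(line number, sorted findings, holds_sad) for every record that contains card data."""
    hits = []
    for lineno, record in enumerate(records, 1):
        findings = classify(record)
        if findings:
            hits.append((lineno, sorted(findings), bool(findings - {"pan"})))
    return hits
```

Records flagged with holds_sad are the Requirement 3.2 case from slide 6: the fix is to stop the POS or application from writing them and to securely delete what exists, whereas records holding only a PAN are candidates for the consolidation, encryption and display masking the deck lists under Requirement 3.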