PCI Data Security Standard 3.0 Fully Explained

  Security

Video: PCI DSS 3.0 Fully Explained (1:01:56)

Acronyms

  • ACL: Access Control List
  • ASV: Approved Scanning Vendor, e.g.:
    • Alert Logic
    • ControlCase
  • CDE: Cardholder Data Environment
  • CVV2: Card Verification Value 2 (the 3-digit code printed on the card; counts as sensitive authentication data)
  • DSS: Data Security Standard
  • FIPS: Federal Information Processing Standards
  • IVR: Interactive Voice Response
  • PA-DSS: Payment Application Data Security Standard
  • PCI: Payment Card Industry
  • PFI: PCI Forensic Investigator (the investigator the card brands require you to engage after a breach)
  • QSA: Qualified Security Assessor
  • ROC: Report On Compliance
  • SAQ: Self Assessment Questionnaire

PCI DSS at a high level

  • Build a secure network
    • Install and maintain a firewall
    • Do not use vendor supplied defaults
      • e.g. change the default password ‘cisco’ before the device goes into service
  • Protect Cardholder Data
    • If possible, don’t store this data!
    • Protect stored data
    • Encrypt data in transit.
      • Required wherever cardholder data crosses an open, public network (the Internet, wireless, cellular, etc.), which in practice means any link to a 3rd party and any wireless segment that touches the CDE.
      • Not required on an isolated internal network that you control.
  • Maintain a vulnerability management program
    • Use and regularly update antivirus software
    • Develop and maintain secure systems and apps
      • One of the larger pieces of PCI DSS, with lots of moving parts
  • Strong access control
    • Restrict access on a need-to-know basis
    • Unique IDs for access
      • No sharing of usernames and passwords.
    • Restrict physical access to the data.
      • This includes physical data…
        • CC receipts that might contain the full CC number (Old carbon copy systems)
        • Now must be shredded
  • Monitor and test
    • Track and monitor access
    • Test security systems and processes
  • Information Security Policy
    • Maintain a policy that addresses information security for all personnel.
      • One of the hardest to meet
      • Includes Risk Analysis
        • Where do threats come from
        • What systems might be at risk
          • How can they be protected
          • How can this be done cost effectively

PCI Is Not Law

  • It is often required by your processing bank, investors, and other 3rd party organizations.
  • If you are found to be out of compliance, you could lose your ability to process credit cards

How this works

  • Card Brand (Visa, MC, AmEx, etc.) tells banks, “We won’t let you issue our cards unless you’re PCI compliant”
    • Start with banks
    • Move down the line
  • Banks tell merchants “We won’t process your payments anymore until you’re PCI compliant, or we will levy huge fines against you.”
    • Start with big merchants
    • Move down the line.
  • Net result: If you accept or handle payment card data in your business, you will need to comply.

Is PCI DSS the same for everyone?

  • Compliance applies to any of the scope items you fall into
    • If you do not store card data, you do not fall under the scope of storing card data.
    • This is part of what the self assessment questionnaires are for.
  • Some compliance issues do change based on the volume of transactions.
    • Do you need to engage a QSA (Qualified Security Assessor) to complete an official Report On Compliance (ROC)?
      • Usually only very large merchants, service providers or those with troubled history.
      • Your processor may demand this.
  • Which Self Assessment Questionnaire must you complete
    • Do you store card holder data
    • Do you just have stand-alone dial-out terminals?
    • Do you outsource all card holder functions?

How do you know what to do?

  • What is your processor telling you to do and when?
  • What do you need to provide in order to attest that you are compliant (ROC/SAQ, Quarterly external ASV scans)?
  • What is in scope?
    • Any systems that store, process, or transmit card holder data (even if only for a moment)
    • Systems that logically connect to them (this is the problem)
  • For systems in scope, what would need to be done in order to answer in the affirmative to all the objectives on the assessment instrument?

What is Logically Connected?

  • Generally systems that reside on the same host, network segment, etc. with little to no restrictions between the different parts.
    • Same network subnet
      • If there are ACLs that prevent communication, then possibly not.
    • Applications on the same server
    • Direct communications between each other
  • Separate VLANs?
    • If there are no restrictions on hopping from one to the next, then they are probably logically connected.
  • Virtualization?
    • Need to protect the hypervisor and its subsystems.
    • Protect it as you would a physical system.
    • Keep PCI-scoped and non-PCI-scoped workloads on separate hardware.

PCI Requirement 0: Scope Management

  • PCI DSS only applies to the cardholder data environment (CDE) and the systems logically connected to it.
  • The smaller the CDE, the lower the PCI burden
    • It is easier to secure a small environment vs a large, complex one!
  • Can you make pieces someone else’s problem?
    • Outsource!
  • Controlling the scope is the single most important thing you can do in your PCI compliance project.
    • Logical Connections can lead to extreme complexity.
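As an added example (mine, not from the talk or these notes), the Python script below estimates scope the way the “logically connected” rule above implies: starting from the CDE hosts, it follows every permitted network path in either direction and collects everything it can reach. The host inventory, addresses and the two firewall rulesets are constructed for illustration; on a real network you would feed it the actual rulebase and confirm the model with a reachability test from a host in each segment.

```python
"""Added example, not from the original notes: estimate PCI scope as the transitive
closure of network reachability from the CDE. Hosts, addresses and rules are made up."""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical names and addresses): host -> IP.
HOSTS = {
    "pos-terminal-1": "10.10.0.11",
    "payment-gw":     "10.10.0.20",
    "db-cards":       "10.10.0.30",
    "hr-laptop":      "10.20.0.15",
    "file-server":    "10.20.0.40",
    "guest-wifi-ap":  "10.30.0.5",
}
CDE = {"pos-terminal-1", "payment-gw", "db-cards"}

# Firewall rules between subnets as (src_net, dst_net, action); first match wins.
# Hypothetical ruleset 1: a flat network where only guest wifi is isolated.
FLAT_RULES = [
    (ip_network("10.30.0.0/24"), ip_network("0.0.0.0/0"), "deny"),
    (ip_network("0.0.0.0/0"), ip_network("10.30.0.0/24"), "deny"),
]
# Hypothetical ruleset 2: the same, plus the CDE subnet fenced off in both directions.
SEGMENTED_RULES = FLAT_RULES + [
    (ip_network("0.0.0.0/0"), ip_network("10.10.0.0/24"), "deny"),
    (ip_network("10.10.0.0/24"), ip_network("0.0.0.0/0"), "deny"),
]


def allowed(src_ip, dst_ip, rules, default="allow"):
    """True if traffic from src to dst is permitted by the model.

    Hosts in the same /24 talk directly with no firewall in the path (the
    'same subnet' case in the notes). Cross-subnet traffic is matched against
    the rules; unmatched traffic gets the default policy.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if ip_network(f"{src}/24", strict=False) == ip_network(f"{dst}/24", strict=False):
        return True
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return default == "allow"


def in_scope(cde, rules, hosts=HOSTS, default="allow"):
    """Worst-case scope: every host that can talk to an in-scope host in either
    direction is treated as logically connected, and the search continues from it."""
    scope = set(cde)
    queue = deque(cde)
    while queue:
        h = queue.popleft()
        for other, ip in hosts.items():
            if other in scope:
                continue
            if allowed(ip, hosts[h], rules, default) or allowed(hosts[h], ip, rules, default):
                scope.add(other)
                queue.append(other)
    return scope


if __name__ == "__main__":
    for name, rules in (("flat network", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name}: in scope = {sorted(in_scope(CDE, rules))}")
```

Running it shows the scope creep the notes warn about: on the flat network the HR laptop and the file server are in scope merely because nothing stops them talking to the payment gateway; fence the CDE subnet off and scope collapses to the three CDE hosts. The same reasoning applies inside a host or a hypervisor: if there is no control between two parts, treat them as one.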

PCI Approach Tool

Self Assessment Questionnaires

  • The talk covers four flavors: A, B, C, D
    • PCI DSS 3.0 actually splits these further (A-EP, B-IP, C-VT, P2PE and two D variants); your processor tells you which one applies.
  • Harder as you progress.
    • Roughly, B contains all of A
    • C contains all of B
    • D contains all of C

Common pitfalls

  • Cryptography
    • The algorithm is not the hard part
      • Use standard, validated algorithms and implementations (e.g. FIPS 140 validated modules)
    • Key management is the hard part!
      • Generation, storage, rotation, split knowledge/dual control, and retiring compromised keys are what assessors ask about
    • Unable to encrypt 3rd party apps, recorded phone calls, etc.
    • Failing to encrypt archived/legacy data
  • Where does the data live?
    • Logs, backups, spreadsheets, e-mail, test databases and debugging output are the usual surprises.
  • Unintentionally incurring obligations
    • Sell/license a payment app to others? Welcome to the PA-DSS
    • Handle payment data for others? You’re a service provider!
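Two of the pitfalls above, finding where PAN data actually lives and understanding that the algorithm is not the hard part, are illustrated by this added Python example (mine, not from the talk). It scans constructed log lines for card numbers (a digit regex plus a Luhn check to drop false positives), shows the first-six/last-four mask that PCI DSS 3.0 permits for display, and then shows why an unsalted hash of a PAN stored beside its masked form is not protection: with only six digits unknown the hash is brute-forced in a fraction of a second, the situation Requirement 3.4 explicitly warns about. The function names, the log lines and the card numbers (the standard test PANs 4111111111111111 and 5555555555554444) are all constructed for the example.

```python
"""Added example, not from the original notes: find PANs leaked into logs, mask them,
and show why an unsalted hash next to a masked PAN is no protection. All log lines
and card numbers below are constructed test data (standard test PANs)."""
import hashlib
import itertools
import re

_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)  # digit doubled, then its digits summed


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; removes most false positives from a digit regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        total += _DOUBLE[d] if i % 2 else d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate PAN found in text, digits only, in order."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four digits: the most PCI DSS 3.0 allows to be displayed (Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Unsalted SHA-256 of the PAN, as naive 'tokenization' often does. The anti-pattern."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(masked: str, digest: str):
    """Brute-force the hidden middle digits from the mask and the unsalted hash.
    For a 16-digit PAN only 6 digits are hidden, and Luhn discards 90% of the
    candidates before hashing, so this finishes in a fraction of a second."""
    first, last = masked[:6], masked[-4:]
    for mid in itertools.product("0123456789", repeat=masked.count("*")):
        candidate = first + "".join(mid) + last
        if luhn_ok(candidate) and hash_pan(candidate) == digest:
            return candidate
    return None


# Constructed sample log lines. The DEBUG line also leaks a CVV2, which must never be
# stored after authorization; a PAN scanner will not flag it, so fix logging at the source.
LOGS = """\
2014-03-02 10:15:01 INFO  order 84213 paid, card=4111 1111 1111 1111 exp=09/16
2014-03-02 10:15:02 DEBUG auth request {"pan":"5555555555554444","cvv2":"123"}
2014-03-02 10:15:03 INFO  shipment tracking 1Z99999999999999 created
2014-03-02 10:15:04 INFO  customer phone 555-0100 updated
"""


if __name__ == "__main__":
    for pan in find_pans(LOGS):
        print("leaked PAN found, keep only:", mask_pan(pan))
    pan = "4111111111111111"
    print("recovered from mask + hash:", recover_pan(mask_pan(pan), hash_pan(pan)))
```

The tracking number on the third line matches the regex but fails Luhn, which is why the check matters when scanning file shares and log archives at volume. The last step is the key-management lesson in miniature: hashing is a fine algorithm, but without a secret (a keyed HMAC or a properly managed encryption key) and without keeping the masked and hashed forms apart, the “protected” column is recoverable by anyone who can read the table.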

Challenging Environments

  • Call Centers
    • Shared systems, ephemeral staffing
    • Service provider status
    • Call recording, IVR apps (cannot record CVV2 values)
      • CVV2 values, and other sensitive authentication data such as full track data and PIN blocks, must not be stored after authorization at all, not even encrypted! Recordings and IVR prompts must be designed so they never capture them.
  • Universities
    • Multiple mini IT departments, no central control
      • bookstore
    • Multiple merchants and accounts.
  • Distributed retail networks
    • Multiple cardholder environments
    • Maintaining control over the autonomous sites
  • Custom built applications
    • Many developers are unaware of PCI requirements for custom software
    • Payment card data in the core system (SAP/CRM, etc.)

Footnotes on vulnerability scanning

  • Scans need to be passing
    • Each scan is pass or fail
    • You must fix failures and rescan until you have a passing scan.
    • Must be done quarterly.
      • A QSA can fail you for a missed quarter, and you cannot go back and produce a scan for a quarter that has already passed.
  • Scans can be hard to read / understand
  • Get outside help to make sense of findings and prioritize large volumes of fixes.

What if you’re not compliant?

  • Bank might adjust your per-transaction rate
  • Fines
    • Might be small
    • Might be huge! (5+ figures)
  • If you have a security incident, things get really bad.
    • Fines
    • Enhanced security
    • Fees associated with the breach
    • Engaging a PFI (Not cheap)
    • Possible Lawsuits
    • Business Folds.

Compensating Controls

  • Temporary Fixes
  • Usually harder and more costly than base requirement
  • Must:
    • Meet the intent and rigor of the original PCI DSS requirement
    • Provide a similar level of defense
    • Go ‘above and beyond’ the other requirements
    • Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
  • In short, avoid this.

What can a 3rd party do

  • Gap analysis
    • Identify the needs and propose solutions to become compliant
  • Technology acquisition
    • Help you purchase the products required:
      • Firewalls
      • Log management
      • IDS
      • Anti-virus
      • etc.
  • Engineering Services
    • network redesign and implementation
    • Managed services
  • Testing
    • Internal and external quarterly vulnerability scans
      • These are not the official ASV scans; the quarterly external scan must come from a PCI SSC-approved scanning vendor.
    • Penetration testing
    • Code review
