{"id":2250,"date":"2019-07-30T13:35:24","date_gmt":"2019-07-30T13:35:24","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=2250"},"modified":"2019-07-30T14:43:08","modified_gmt":"2019-07-30T14:43:08","slug":"pci-data-security-standard-3-0-fully-explained","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=2250","title":{"rendered":"PCI Data Security Standard 3.0 Fully Explained"},"content":{"rendered":"<p><a href=\"https:\/\/www.youtube.com\/watch?v=ubeiOkXbWr4\" target=\"_blank\" rel=\"noopener\">Video: PCI DSS 3.0 Fully Explained<\/a><\/p>\n<p>1:01:56<\/p>\n<h2>Acronyms<\/h2>\n<ul>\n<li>ACL: Access Control List<\/li>\n<li>ASV: Approved Scanning Vendor, for example:\n<ul>\n<li>Alert Logic<\/li>\n<li>ControlCase<\/li>\n<\/ul>\n<\/li>\n<li>CDE: Cardholder Data Environment<\/li>\n<li>DSS: Data Security Standard<\/li>\n<li>FIPS: Federal Information Processing Standards<\/li>\n<li>PCI: Payment Card Industry<\/li>\n<li>PFI: PCI Forensic Investigator (engaged after a breach)<\/li>\n<li>QSA: Qualified Security Assessor<\/li>\n<li>ROC: Report On Compliance<\/li>\n<li>SAQ: Self Assessment Questionnaire<\/li>\n<\/ul>\n<h2>PCI DSS at a high level<\/h2>\n<ul>\n<li>Build and maintain a secure network\n<ul>\n<li>Install and maintain a firewall<\/li>\n<li>Do not use vendor-supplied defaults\n<ul>\n<li>e.g. change the default password &#8216;cisco&#8217;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Protect cardholder data\n<ul>\n<li>If possible, don&#8217;t store this data at all!<\/li>\n<li>Protect stored data<\/li>\n<li>Encrypt data in transit.\n<ul>\n<li>Required across open, public networks (Internet, wireless, cellular); not required for traffic that stays on a wired internal network you control.<\/li>\n<li>In practice this means traffic to your processor or any other 3rd party.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Maintain a vulnerability management program\n<ul>\n<li>Use and regularly update antivirus software<\/li>\n<li>Develop and maintain secure systems and apps\n<ul>\n<li>One of the larger pieces of PCI DSS &#8211; lots of moving parts<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Strong access control\n<ul>\n<li>Restrict 
access to a need-to-know basis<\/li>\n<li>Unique IDs for each user\n<ul>\n<li>No sharing of usernames and passwords.<\/li>\n<\/ul>\n<\/li>\n<li>Restrict physical access to the data.\n<ul>\n<li>This includes data on paper&#8230;\n<ul>\n<li>Card receipts that may contain the full card number (old carbon-copy imprint systems)<\/li>\n<li>These must now be shredded<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Monitor and test\n<ul>\n<li>Track and monitor all access to network resources and cardholder data<\/li>\n<li>Regularly test security systems and processes<\/li>\n<\/ul>\n<\/li>\n<li>Information security policy\n<ul>\n<li>Maintain a policy that addresses information security for all personnel.\n<ul>\n<li>One of the hardest requirements to meet<\/li>\n<li>Includes a risk analysis\n<ul>\n<li>Where do threats come from?<\/li>\n<li>What systems might be at risk?\n<ul>\n<li>How can they be protected?<\/li>\n<li>How can this be done cost-effectively?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>PCI Is Not Law<\/h2>\n<ul>\n<li>It is a contractual requirement, imposed by your processing bank and often by investors and other 3rd-party organizations.<\/li>\n<li>If you are found to be out of compliance, you could lose your ability to process credit cards.<\/li>\n<\/ul>\n<h2>How this works<\/h2>\n<ul>\n<li>Card Brand (Visa, MC, AmEx, etc.) 
tells banks, &#8220;We won&#8217;t let you issue our cards unless you&#8217;re PCI compliant&#8221;\n<ul>\n<li>Start with the banks<\/li>\n<li>Move down the line<\/li>\n<\/ul>\n<\/li>\n<li>Banks tell merchants &#8220;We won&#8217;t process your payments anymore until you&#8217;re PCI compliant, or we will levy huge fines against you.&#8221;\n<ul>\n<li>Start with the big merchants<\/li>\n<li>Move down the line<\/li>\n<\/ul>\n<\/li>\n<li>Net result: if you accept or handle payment card data in your business, you will need to comply.<\/li>\n<\/ul>\n<h2>Is PCI DSS the same for everyone?<\/h2>\n<ul>\n<li>Only the requirements whose scope you fall into apply to you\n<ul>\n<li>If you do not store card data, the requirements for stored card data do not apply to you.<\/li>\n<li>This is part of what the Self Assessment Questionnaires (SAQs) are for.<\/li>\n<\/ul>\n<\/li>\n<li>Some validation requirements do change based on transaction volume (your merchant level).\n<ul>\n<li>Do you need to engage a QSA (Qualified Security Assessor) to complete an official Report On Compliance (ROC)?\n<ul>\n<li>Usually only very large merchants, service providers or those with a troubled history (e.g. a prior breach).<\/li>\n<li>Your processor may demand this.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Which Self Assessment Questionnaire must you complete?\n<ul>\n<li>Do you store cardholder data?<\/li>\n<li>Do you only have stand-alone dial-out terminals?<\/li>\n<li>Do you outsource all cardholder data functions?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>How do you know what to do?<\/h2>\n<ul>\n<li>What is your processor telling you to do, and by when?<\/li>\n<li>What do you need to provide in order to attest that you are compliant (ROC or SAQ, quarterly external ASV scans)?<\/li>\n<li>What is in scope?\n<ul>\n<li>Any system that stores, processes, or transmits cardholder data (even if only for a moment)<\/li>\n<li>Any system logically connected to those systems (this is where the problem lies)<\/li>\n<\/ul>\n<\/li>\n<li>For systems in scope, what would need to be done in order to answer in the 
affirmative to all the objectives on the assessment instrument?<\/li>\n<\/ul>\n<h2>What is Logically Connected?<\/h2>\n<ul>\n<li>Generally, systems that reside on the same host, network segment, etc. with little to no restrictions between them.\n<ul>\n<li>Same network subnet\n<ul>\n<li>If there are ACLs that block communication between them, then possibly not.<\/li>\n<\/ul>\n<\/li>\n<li>Applications on the same server<\/li>\n<li>Systems that communicate directly with each other<\/li>\n<\/ul>\n<\/li>\n<li>Separate VLANs?\n<ul>\n<li>If nothing restricts traffic hopping from one VLAN to the next, they are probably still logically connected. A VLAN tag alone is not segmentation; the ACL or firewall rule between the VLANs is.<\/li>\n<\/ul>\n<\/li>\n<li>Virtualization?\n<ul>\n<li>The hypervisor and its subsystems need to be protected.<\/li>\n<li>Protect the hypervisor as you would a physical system in scope.<\/li>\n<li>Keep PCI-scoped and non-PCI workloads on separate hardware: a hypervisor that hosts any in-scope VM is itself in scope.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>PCI Requirement 0: Scope Management<\/h2>\n<ul>\n<li>PCI DSS applies only to the cardholder data environment (CDE), which includes any system logically connected to it.<\/li>\n<li>The smaller the CDE, the lower the PCI burden\n<ul>\n<li>It is easier to secure a small environment than a large, complex one!<\/li>\n<\/ul>\n<\/li>\n<li>Can you make pieces someone else&#8217;s problem?\n<ul>\n<li>Outsource!<\/li>\n<\/ul>\n<\/li>\n<li><strong>Controlling the scope is the single most important thing you can do in your PCI compliance project.<\/strong>\n<ul>\n<li>Logical connections can lead to extreme complexity.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>PCI Prioritized Approach Tool<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.pcisecuritystandards.org\/security\/prioritized.php\" target=\"_blank\" rel=\"noopener\">https:\/\/www.pcisecuritystandards.org\/security\/prioritized.php<\/a><\/li>\n<\/ul>\n<h2>Self Assessment Questionnaires<\/h2>\n<ul>\n<li>Four base flavors: A, B, C, D (3.0 adds channel-specific variants such as A-EP, B-IP, C-VT and P2PE-HW)<\/li>\n<li>Harder as you progress.\n<ul>\n<li>B broadly contains all of A<\/li>\n<li>C broadly contains all of B<\/li>\n<li>D contains everything (the full standard)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Common 
pitfalls<\/h2>\n<ul>\n<li>Cryptography\n<ul>\n<li>The algorithm is not the hard part\n<ul>\n<li>Use standard, tested algorithms in validated implementations (e.g. FIPS 140 validated modules)<\/li>\n<\/ul>\n<\/li>\n<li>Key management is the hard part! (generation, storage, rotation, split knowledge and dual control for manual key operations)<\/li>\n<li>Data you are unable to encrypt: inside 3rd-party apps, recorded phone calls, etc.<\/li>\n<li>Failing to encrypt archived or legacy data<\/li>\n<\/ul>\n<\/li>\n<li>Where does the data live? Find every copy (backups, logs, exports) before you draw the scope.<\/li>\n<li>Unintentionally incurring obligations\n<ul>\n<li>Sell or license a payment app to others? Welcome to PA-DSS (the Payment Application DSS)<\/li>\n<li>Handle payment data for others?\u00a0 You&#8217;re a service provider!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Challenging Environments<\/h2>\n<ul>\n<li>Call centers\n<ul>\n<li>Shared systems, high staff turnover<\/li>\n<li>Service provider status<\/li>\n<li>Call recording, IVR apps (cannot record CVV2 values)\n<ul>\n<li>CVV2 values cannot be stored at all after authorization!\u00a0 Not even encrypted!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Universities\n<ul>\n<li>Multiple mini IT departments, no central control\n<ul>\n<li>e.g. the bookstore<\/li>\n<\/ul>\n<\/li>\n<li>Multiple merchants and accounts.<\/li>\n<\/ul>\n<\/li>\n<li>Distributed retail networks\n<ul>\n<li>Multiple cardholder data environments<\/li>\n<li>Maintaining control over the autonomous sites<\/li>\n<\/ul>\n<\/li>\n<li>Custom-built applications\n<ul>\n<li>Many developers are unaware of the PCI requirements for custom software<\/li>\n<li>Payment card data in the core system (SAP, CRM, etc.)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Footnotes on vulnerability scanning<\/h2>\n<ul>\n<li>Scans need to pass\n<ul>\n<li>Each scan is pass or fail<\/li>\n<li>You must fix failures and rescan until you get a passing scan.<\/li>\n<li>Must be done quarterly.\n<ul>\n<li>A QSA can fail you for missing a quarter, and a missed scan cannot be run retroactively.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Scan reports can be hard to read and understand<\/li>\n<li>Get outside help to make sense of the findings and prioritize large volumes of fixes.<\/li>\n<\/ul>\n<h2>What if you&#8217;re not compliant?<\/h2>\n<ul>\n<li>Bank might 
adjust your per-transaction rate<\/li>\n<li>Fines\n<ul>\n<li>Might be small<\/li>\n<li>Might be huge! (5+ figures)<\/li>\n<\/ul>\n<\/li>\n<li>If you have a security incident, things get really bad.\n<ul>\n<li>Fines<\/li>\n<li>Enhanced security requirements imposed on you<\/li>\n<li>Fees associated with the breach<\/li>\n<li>Engaging a PFI (PCI Forensic Investigator) &#8211; not cheap<\/li>\n<li>Possible lawsuits<\/li>\n<li>The business may fold.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Compensating Controls<\/h2>\n<ul>\n<li>Intended as temporary fixes; they must be documented and re-validated at every assessment<\/li>\n<li>Usually harder and more costly than the base requirement<\/li>\n<li>Must:\n<ul>\n<li>Meet the intent and rigor of the original PCI DSS requirement<\/li>\n<li>Provide a similar level of defense<\/li>\n<li>Go &#8216;above and beyond&#8217; the other requirements<\/li>\n<li>Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.<\/li>\n<\/ul>\n<\/li>\n<li>In short, avoid this.<\/li>\n<\/ul>\n<h2>What can a 3rd party do?<\/h2>\n<ul>\n<li>Gap analysis\n<ul>\n<li>Identify what is missing and propose solutions to become compliant<\/li>\n<\/ul>\n<\/li>\n<li>Technology acquisition\n<ul>\n<li>Help you purchase the products required:\n<ul>\n<li>Firewalls<\/li>\n<li>Log management<\/li>\n<li>IDS<\/li>\n<li>Anti-virus<\/li>\n<li>etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Engineering services\n<ul>\n<li>Network redesign and implementation (segmentation)<\/li>\n<li>Managed services<\/li>\n<\/ul>\n<\/li>\n<li>Testing\n<ul>\n<li>Internal and external quarterly vulnerability scans\n<ul>\n<li>These are not the ASV scans; the quarterly external scan must still come from an Approved Scanning Vendor<\/li>\n<\/ul>\n<\/li>\n<li>Penetration testing<\/li>\n<li>Code review<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Video: PCI DSS 3.0 Fully Explained 1:01:56 Acronyms ACL: Access Control List ASV: Approved Scanning Vendor Alert Logic ControlCase CDE: Cardholder Data Environment. DSS: Data Security Standard FIPS: Federal Information Processing Standards PCI: Payment Card Industry PFI: PCI Forensic Investigator 
QSA: Qualified Security Assessor ROC: Report On Compliance SAQ: Self Assessment Questionnaire PCI DSS at ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=2250\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[],"class_list":["post-2250","post","type-post","status-publish","format-standard","hentry","category-security-2"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2250"}],"version-history":[{"count":3,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2250\/revisions"}],"predecessor-version":[{"id":2253,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2250\/revisions\/2253"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
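The scoping rules in the notes above (anything that stores, processes or transmits cardholder data is in scope, anything logically connected to it is in scope, and an ACL that blocks traffic is what breaks a logical connection) can be checked mechanically. The Python script below is an added example and is not code from the page or the video. It models network segments, an ordered first-match ACL policy, and a deliberately conservative rule that a segment is in scope if traffic is permitted in either direction between it and an already in-scope segment, treated transitively. It then compares a flat network with two segmented designs. The segment names, the rules, and the "reachable means in scope" simplification are illustrative assumptions; a real assessment also pulls in systems that can affect the security of the CDE without a network path (for example a directory server that authenticates CDE admins).

```python
"""Conservative PCI scope estimate from network segments and ACL rules.

Added example. The segments and rules below are constructed for illustration,
not taken from the page or from any real environment.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL entry; 'any' matches every segment. First matching rule wins."""
    src: str
    dst: str
    action: str  # "allow" or "deny"


def permitted(rules, default, src, dst):
    """Is traffic from src to dst allowed? The first matching rule decides;
    otherwise the policy default applies ("allow" models a flat network)."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action == "allow"
    return default == "allow"


def in_scope_segments(segments, cde, rules, default="deny"):
    """Return every segment that is in PCI scope.

    A segment is in scope if it is part of the CDE or if traffic is permitted
    in either direction between it and an in-scope segment. Connectivity is
    treated as transitive (assumption, conservative): a jump host that can
    reach the CDE drags whatever can reach the jump host into scope as well.
    """
    scope = set(cde)
    queue = deque(cde)
    while queue:
        current = queue.popleft()
        for other in segments:
            if other in scope:
                continue
            if permitted(rules, default, other, current) or permitted(rules, default, current, other):
                scope.add(other)
                queue.append(other)
    return scope


def scope_report(segments, cde, rules, default="deny"):
    """(in-scope segments, out-of-scope segments), both sorted."""
    scope = in_scope_segments(segments, cde, rules, default)
    return sorted(scope), sorted(set(segments) - scope)


# Constructed sample network (assumption).
SEGMENTS = ["pos", "cde-db", "jump", "corp-lan", "guest-wifi"]
CDE = {"pos", "cde-db"}  # terminals and the DB that store/process/transmit CHD

# Flat network: no ACLs at all, everything can talk to everything.
FLAT_RULES = []

# Segmented network: default deny, only the listed flows are opened.
SEGMENTED_RULES = [
    Rule("pos", "cde-db", "allow"),     # terminals talk to the payment DB
    Rule("jump", "cde-db", "allow"),    # admins reach the DB via a jump host
    Rule("corp-lan", "jump", "allow"),  # ...and the jump host from the corp LAN
]

# Same design, but the jump host is only reachable from a dedicated admin VLAN.
ADMIN_VLAN_RULES = [
    Rule("pos", "cde-db", "allow"),
    Rule("jump", "cde-db", "allow"),
    Rule("admin-vlan", "jump", "allow"),
]

if __name__ == "__main__":
    print("flat      :", scope_report(SEGMENTS, CDE, FLAT_RULES, "allow"))
    print("segmented :", scope_report(SEGMENTS, CDE, SEGMENTED_RULES))
    print("admin vlan:", scope_report(SEGMENTS + ["admin-vlan"], CDE, ADMIN_VLAN_RULES))
```

Running it shows the point the notes make: with no ACLs every segment, guest Wi-Fi included, is in scope; with a default-deny policy the guest network drops out, but the entire corporate LAN is still pulled in through the jump host it is allowed to reach. Moving jump-host access to a small admin VLAN shrinks the scope to the CDE, the jump host and that VLAN.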
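The "Where does the data live?" pitfall, the archived/legacy data point and the rule that CVV2 must never be recorded all come down to the same task: finding cardholder data that nobody knew was there. The Python script below is an added example (not from the page or the video) of the simplest form of that check. It scans text such as application logs for 13- to 19-digit sequences, keeps only those that pass the Luhn check, reports them masked to first six and last four digits (the most PCI DSS allows to be displayed), and separately flags fields that look like sensitive authentication data. The log lines are constructed for the example and use the public 4111... and 5500... test card numbers; the field-name pattern for CVV/CVC values is an assumption about how such a value would be labelled in a log.

```python
"""Find cardholder data at rest: Luhn-validated PANs and CVV/CVC fields in text.

Added example. The sample log is constructed and uses public test card numbers.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes, and not embedded in a
# longer digit run (so timestamps and long IDs cannot partially match).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed labels for sensitive authentication data in logs (cvv=123, CVC2: 456).
# Such values may never be stored after authorization, not even encrypted.
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?)\s*[=:]\s*\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out order numbers and other digit runs that
    merely happen to be PAN-length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return findings as dicts with the line number, the kind ('PAN' or 'SAD')
    and a safe value. Full PANs are never returned, only the masked form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "kind": "PAN", "value": mask_pan(digits)})
        for m in SAD_FIELD.finditer(line):
            findings.append({"line": lineno, "kind": "SAD", "value": m.group(1).upper()})
    return findings


# Constructed sample log (not real data). 4111... and 5500... are public test
# PANs; 1234567890123456 is PAN-length but fails Luhn and must not be reported.
SAMPLE_LOG = """\
2019-07-30 13:35:24 INFO order=1234567890123456 status=approved
2019-07-30 13:35:25 DEBUG auth request pan=4111111111111111 exp=12/21 cvv2=123
2019-07-30 13:35:26 INFO agent note: caller +1 555 0100 read card 5500 0000 0000 0004
2019-07-30 13:35:27 INFO session id 9f8e7d6c5b4a closed
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

On the sample log the scanner reports the masked PAN and the CVV2 field on line 2 and the space-separated PAN in the agent's free-text note on line 3, while the order number on line 1 is ignored. The free-text hit is the case the notes warn about in call centers: the data lands wherever staff can type, not only in the payment tables you already know about.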