PCI Compliance: Is Your Campus at Risk?
Kris Herrin, CSO, Heartland Payment Systems
NACCU – March 10, 2009

   Introduction / Goals / Objectives
   Drivers: The 'Carding' Market
   Important Roles and Terms
   Myths of PCI Data Security Standard
   PCI DSS Compliance in 5 Easy Steps
        Step 1: No Prohibited Data
        Step 2: Scope, Scope, Scope
        Step 3: Payment Application (PA-DSS)
        Step 4: The DSS Requirements
        Step 5: Compensating Controls
   What's New in PCI DSS v1.2
   Tips and Tricks
   Q&A
• IANAL – I Am Not A Lawyer
• IANAQSA – I Am Not A Qualified Security Assessor
Drivers: The 'Carding' Market

[Figure: attacker motivation versus skill chart. Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest. Skill axis: Script-kiddy, Hobbyist, Expert, Specialist. Actor labels: Vandal, Author, Thief, Spy; the "Thief" region is marked "growing".]
Source: Steve Riley, http://blogs.technet.com/steriley
Drivers: Real-World Breaches

   The stats:
        Card Present vs. Card Not Present
        Level 4 vs. Levels 1-3
        Universities as % Compromised
        Compromised Merchants Storing Full Track
        Merchant Issue vs. Third-Party Issue

   All numbers available from Trustwave Global Compromise Statistics:
  Important Roles and Terms

   PCI Security Standards Council (www.pcisecuritystandards.org)
        Independent body
        Eliminates competing and overlapping brand-specific requirements
        Defines PCI DSS and other general security guidelines
        Certifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and maintains certification lists

   Participating Brands / Payment Card Organizations – ENFORCE
        Members include American Express, Discover Financial Services, JCB, MasterCard Worldwide, Visa Int'l
        Defines enforcement; issues "mandates" that specify scope, phases, dates, fines
        Issues fines for non-compliance and storage of prohibited data

   Acquirers / Processors
        Banks that process bank card transactions
        Interface between merchant and card brands
        Reports merchant compliance
        Required to pass fines to merchants

   QSAs / ASVs – AUDIT
        Assess and validate compliance
        Listed on the council Web site

   Merchants, Service Providers – IMPLEMENT
        Any organization that stores, processes, or transmits cardholder data (accept credit/debit card payments)
        Merchant or Service Provider Categorization: Levels 1–4 for Merchants and 1–3 for Service Providers
        Varying levels of audits, scans, and assessments based on level status

John Cebulski, Check Point
  Myths of PCI DSS

 1. You can buy PCI compliance in a box

 2. Outsourcing processing makes you compliant

 3. PCI is an IT problem

 4. PCI Compliance = Security

 5. PCI compliance is impossible to obtain

 6. PCI requires an army of Qualified Security Assessors

 7. PCI is only for the big companies

 8. Filling out a SAQ makes you compliant

 9. PCI requires storing more data

 10. PCI is your processor’s responsibility

Adapted from PCI SSC document PCI DSS Myths
Compliance Step #1: No Prohibited Data

   Thou Shall Not Store Full Magnetic Stripe Data, CAV2/CVV2/CVC2, or PIN/PIN
    Block After Authorization

   So … are you storing this data?? How would you know?

   Tip #1: It is your responsibility to make sure your payment application is PABP /
    PA-DSS compliant, preferably listed on Visa's list of Validated Payment
    Applications (http://www.visa.com/cisp).

   Tip #2: If your payment application was simply upgraded to a 'compliant'
    version, chances are good that old data still exists.

   Tip #3: The only way to know for sure is to search for it. Commercial Data Loss
    Prevention (DLP) tools or open source search are required.
Compliance Step #2: Scope, Scope, Scope

   Definition #1: PCI applies to all system components that “store, process, or
    transmit cardholder data”

   Definition #2: “System components” are defined as network component, server,
    or application included in or connected to the cardholder data environment

   Definition #3: “Network components” include firewalls, switches, routers,
    wireless access points, network appliances, and other security appliances

   Definition #4: “Server” types include web application, database, authentication,
    mail, proxy, network time protocol, and domain name server

    Basically … any system that touches cardholder data AND anything that
    can touch those systems

   Definition #5: “Applications” include all purchased and custom applications,
    including internal and external (internet) applications
Compliance Step #2: Scope, Scope, Scope

   Cardholder Data is defined as the full card number (aka Primary Account
    Number or PAN)

   To comply with PCI … don't store, transmit, or process Cardholder Data

   Failing that, limiting the data and segmenting the systems can dramatically
    reduce scope and, consequently, compliance cost

   To put it another way: you should try really, really hard not to store data
  Compliance Step #2: Scope, Scope, Scope

      Network Segmentation 101

      [Figure 1: flat network. The POS System holds the PAN 5466 1601 1234 1234; Admissions and Library sit on the same network as the POS. Caption: "Flat network – All systems in scope".]

      [Figure 2: segmented network, labelled "2 Cardholder". The POS System and Admissions both hold the full PAN 5466 1601 1234 1234; Library is outside the cardholder segment.]

      [Figure 3: segmented network, labelled "1 Cardholder". Only the POS System holds the full PAN; Admissions receives the masked value 5466 16xx xxxx 1234. Callout: "Called a '6/4 mask' and must be done before it gets to this machine to".]

Adapted from Visa's PCI DSS Seminar for
Acquirers, Merchants and Agents
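The search that Tip #3 of Step 1 calls for, together with the 6/4 mask shown in the segmentation figures, as an added example (this is not code from the presentation, from Heartland, or from Visa): a small Python scanner that finds Luhn-valid card numbers, magnetic-stripe track data and stored card verification values in text, and reports every hit with the PAN already reduced to first-six/last-four so the findings file does not itself become a new store of cardholder data. The regular expressions, the sample export log and the file-walking helper are constructed assumptions; the slide's own sample number 5466 1601 1234 1234 is included because it fails the Luhn check, which shows why the check matters for cutting false positives.

```python
"""Prohibited-data search with 6/4 masking (added example, not from the presentation).

Scans text for candidate card numbers, keeps only those that pass the Luhn
check, flags track data and CVV-style fields, and reports each hit with the
PAN reduced to a 6/4 mask (first six and last four digits visible).
All sample data below is constructed; the regexes are a starting point, not a
substitute for a commercial DLP tool.
"""
import os
import re
from collections import Counter

# 13 to 19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 starts with %B<PAN>^<name>^<YYMM...>; Track 2 starts with ;<PAN>=<YYMM...>
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Card verification values stored next to a label such as cvv2=123
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out phone numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """6/4 mask from the slide: first six and last four digits kept, the rest replaced by x."""
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return every Luhn-valid 13-19 digit number in a line, separators removed."""
    pans = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_text(text: str, source: str = "<text>") -> list:
    """Scan text line by line; each finding carries only a masked PAN or a pattern name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append({"source": source, "line": line_no, "type": "PAN", "detail": mask_pan(pan)})
        if TRACK1_RE.search(line):
            findings.append({"source": source, "line": line_no, "type": "TRACK", "detail": "track 1 data"})
        if TRACK2_RE.search(line):
            findings.append({"source": source, "line": line_no, "type": "TRACK", "detail": "track 2 data"})
        if CVV_RE.search(line):
            findings.append({"source": source, "line": line_no, "type": "CVV", "detail": "card verification value"})
    return findings


def scan_directory(root: str) -> list:
    """Walk a directory tree and scan every readable file as text (binary content decoded leniently)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(scan_text(fh.read().decode("utf-8", "ignore"), path))
            except OSError:
                continue
    return findings


def summarize(findings: list) -> dict:
    """Count findings by type so results can be reported without listing any card data."""
    return dict(Counter(f["type"] for f in findings))


# Constructed sample export log containing several kinds of prohibited data.
SAMPLE = "\n".join([
    "order 1001 card=4111 1111 1111 1111 exp=12/25",
    "note: the slide's example 5466 1601 1234 1234 fails Luhn and is ignored",
    "%B5555555555554444^DOE/JANE^2512101?",
    ";378282246310005=2512101?",
    "cvv2: 123 captured from web form",
    "phone 555-123-4567 ref 20090310",
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.log"):
        print(finding)
    print(summarize(scan_text(SAMPLE)))
```

Run it as a script to see the findings for the constructed sample, or call scan_directory() on a mount point to walk real exports and log archives; the summary counts are what you hand to management, the masked per-line findings are what you use to locate and purge the data.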
Compliance Step #3: Payment Application (PA-DSS)

   Time for another acronym … Payment Application Data Security Standard

   PA-DSS, originally Visa's PABP program, is targeted at payment app vendors
   PA-DSS applies to the payment application software/hardware only

   PCI DSS applies to merchant networks

   [Figure: POS System]
Compliance Step #3: Payment Application (PA-DSS)

   What do you need to know??

1. Call your vendor or acquirer to make sure your specific application (down to the
   version number) is NOT on Visa's known vulnerable list – this is the bad list

2. Check your specific application on Visa's Validated Payment Application List
   (http://www.visa.com/cisp) – this is the certified good list

3. What if your app is on neither list?? Ask your application vendor and/or acquirer
   for attestation that the application is PA-DSS compliant

4. Last, keep in mind that just because the application is compliant does not mean
   your systems are compliant
Compliance Step #4: The DSS Requirements

Build and Maintain a Secure Network
   1. Install and maintain a firewall configuration to protect data
   2. Do not use vendor supplied defaults for system passwords and other security parameters
Protect Cardholder Data
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public
Maintain a Vulnerability Management Program
   5. Use and regularly update antivirus software
   6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
   7. Restrict access to data by business need-to-know
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
Maintain an Information Security Policy
   12. Maintain a policy that addresses information security
Compliance Step #5: Compensating Controls

   Raise your hand if you think this stuff is complicated, complex, impossible to
    meet, and that most companies cannot be compliant with this standard.

   Now for the truth … PCI compliant != 100% adherence to the standard

   Compensating controls exist when “an entity cannot meet a requirement
    explicitly as stated, due to legitimate technical or documented business

   Compensating controls are a legitimate way to become compliant and they are
    used by most companies
Compliance Step #5: Compensating Controls

   Here are some important things you should know about compensating controls

1. You can use compensating controls for any requirement except requirement
   3.2 (prohibited data storage)

2. There are some requirements for compensating controls
    1. Must meet the “intent and rigor” of the original requirement
    2. Must provide a “similar level of defense” as the original requirement
    3. Must be “above and beyond” other requirements
    4. Must be “commensurate with the additional risk imposed”

3. Who decides all this?? Your assessor, your acquirer, and ultimately the card

4. Compensating controls must be revalidated annually
  Compliance Step #5: Compensating Controls

    Requirement Number: 8.1—Are all users identified with a unique user name before allowing them to access system components or cardholder data?

    1. Constraints
       Information required: List constraints precluding compliance with the original requirement.
       Explanation: Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each

    2. Objective
       Information required: Define the objective of the original control; identify the objective met by the compensating control.
       Explanation: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

    3. Identified Risk
       Information required: Identify any additional risk posed by the lack of the original control.
       Explanation: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.

    4. Definition of Compensating Controls
       Information required: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
       Explanation: Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the “root” account and perform actions under the “root” account but is able to be logged in the SU-log directory. In this way, each user’s actions can be tracked through the SU account.

    5. Validation of Compensating Controls
       Information required: Define how the compensating controls were validated and tested.
       Explanation: Company XYZ demonstrates to the assessor that the SU command is being executed and that those individuals utilizing the command are logged, to identify that the individual is performing actions under root privileges

    6. Maintenance
       Information required: Define process and controls in place to maintain compensating controls.
       Explanation: Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually tracked or

PCI DSS v1.2 October 2008
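The worksheet's "Validation" and "Maintenance" rows both come down to one question an assessor will ask: can you show, from the logs, which individual was behind each root session, and can you show that nobody is getting root some other way? As an added example (not from the presentation or from the PCI DSS worksheet), the Python below parses syslog-style su and sshd lines, counts root sessions per named user, records failed su attempts, and flags direct root logins over SSH that would bypass the su trail and so undermine the compensating control. The log format and the sample lines are constructed assumptions; adapt the two regular expressions to whatever your su and SSH daemons actually write.

```python
"""Root-access accountability from su logs (added example, not from the presentation).

Parses syslog-style su and sshd lines (format assumed; sample lines constructed),
counts root sessions per individual user, records failed su attempts, and flags
direct root logins over SSH, which leave no per-user trail.
"""
import re
from collections import Counter

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
# e.g. "Mar 10 09:14:02 pos1 su: (to root) alice on pts/0"
#  or  "Mar 10 09:40:09 pos1 su: FAILED SU (to root) carol on pts/2"
SU_RE = re.compile(
    TS + r" (?P<host>\S+) su(?:\[\d+\])?: (?P<failed>FAILED SU )?"
         r"\(to (?P<target>\w+)\) (?P<user>\w+) on (?P<tty>\S+)"
)
# e.g. "Mar 10 10:20:11 pos1 sshd[2211]: Accepted password for root from 10.0.0.5 port 51000 ssh2"
SSH_ROOT_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for root from (?P<src>\S+)"
)


def parse_su_log(lines):
    """Turn raw log lines into event dicts; unrelated lines (pam session messages etc.) are skipped."""
    events = []
    for line in lines:
        m = SU_RE.match(line)
        if m:
            events.append({
                "kind": "su_fail" if m.group("failed") else "su_ok",
                "ts": m.group("ts"), "host": m.group("host"),
                "user": m.group("user"), "target": m.group("target"), "tty": m.group("tty"),
            })
            continue
        m = SSH_ROOT_RE.match(line)
        if m:
            events.append({"kind": "direct_root", "ts": m.group("ts"),
                           "host": m.group("host"), "src": m.group("src")})
    return events


def accountability_report(events):
    """Per-user root session counts, failed attempts, and root logins with no individual trail."""
    return {
        "root_sessions_by_user": dict(Counter(
            e["user"] for e in events if e["kind"] == "su_ok" and e["target"] == "root")),
        "failed_su_by_user": dict(Counter(
            e["user"] for e in events if e["kind"] == "su_fail")),
        "untracked_root_logins": [e for e in events if e["kind"] == "direct_root"],
    }


# Constructed sample: one day of su activity on a stand-alone server, plus one direct root SSH login.
SAMPLE_LOG = """\
Mar 10 09:14:02 pos1 su: (to root) alice on pts/0
Mar 10 09:14:02 pos1 su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 10 09:31:45 pos1 su: (to root) bob on pts/1
Mar 10 09:40:09 pos1 su: FAILED SU (to root) carol on pts/2
Mar 10 10:02:33 pos1 su: (to root) alice on pts/0
Mar 10 10:20:11 pos1 sshd[2211]: Accepted password for root from 10.0.0.5 port 51000 ssh2
"""

if __name__ == "__main__":
    report = accountability_report(parse_su_log(SAMPLE_LOG.splitlines()))
    for key, value in report.items():
        print(key, value)
```

Any entry under untracked_root_logins is evidence for the Maintenance row that the control has drifted (root login over SSH should be disabled if su is the only sanctioned path), and the per-user counts are the artefact the Validation row asks you to show the assessor.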
What’s New in PCI DSS v1.2

   PCI DSS v1.2 was released in October 2008 and became effective immediately

   If you started your assessment before Dec 31, 2008, you can still use v1.1;
    otherwise you must use v1.2

   New Self Assessment Questionnaires were just uploaded

   Some new stuff, some not-so-new stuff:
      Mostly clarifications (i.e. words people argued over)
      Combined some requirements
      New sunset dates for old wireless technologies (e.g. WEP)
      Removed a magic 500K number from scoping (bad for service providers)
      Generalized some things like intrusion detection
Tips and Tricks

   Tip #1: If you have a QSA, work with them. Don't withhold information.

   Tip #2: If you need help, engage a QSA as a consultant.

   Tip #3: Nobody said you have to test once at the end of your year! Get an
    interim ROC done.

   Tip #4: Ping your acquirer if you are having problems.

   Tip #5: Don't bury your head in the sand!! Be proactive.
