PCI DSS Essential Guide

Essential Guide to PCI DSS by Information Security, September 2009
INFORMATION SECURITY® ESSENTIAL GUIDE TO PCI DSS

We'll explain the new changes in Version 1.2 and how the standard will tackle emerging technologies such as cloud computing and virtualization.

INSIDE
5  Avoiding Audit Trouble: Getting PCI Compliant
13 PCI DSS 1.2 Answers Questions and Raises Others
17 Wireless Encryption in the Wake of PCI DSS 1.2
21 Is Tokenization the Cure-all for PCI Compliance?
25 PCI, Virtualization and Cloud Computing
30 Compliance Recycling
34 PCI Issues Priority Tool for Compliance

INFOSECURITYMAG.COM
CONTENTS

FEATURES

5  Avoiding Audit Trouble: Getting PCI Compliant
   PCI DSS COMPLIANCE. Having trouble with PCI compliance? You're not alone. Auditors and audit survivors offer tips for how to achieve it. BY DIANA KELLEY

13 PCI DSS 1.2 Answers Questions and Raises Others
   CHANGES. The latest version of the standard provides clarity on wireless and Web application requirements. BY DIANA KELLEY

17 Wireless Encryption in the Wake of PCI DSS 1.2
   FROM WEP TO WAP. Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010. BY MIKE CHAPPLE

21 Is Tokenization the Cure-all for PCI Compliance?
   EMERGING TECHNOLOGIES. The technology attempts to replace cardholder data with a token instead of a PAN. BY ED MOYLE

25 PCI, Virtualization and Cloud Computing
   ENFORCEMENT. Compliance guidelines on virtualization will likely be in a state of flux for some time. BY MICHAEL COBB

30 Compliance Recycling
   BEST PRACTICES. How to combine compliance efforts to manage PCI DSS. BY DIANA KELLEY

34 PCI Issues Priority Tool for Compliance
   LATEST NEWS. The PCI Prioritized Approach framework creates a series of milestones for companies working on PCI compliance. BY ROBERT WESTERVELT

39 Advertising Index
EDITOR'S DESK
The regulation that keeps on giving
BY KELLEY DAMORE

PCI DSS HAS BEEN HAILED by many as the clearest regulation/industry standard to follow. It's prescriptive in nature and relatively straightforward. There are 12 requirements that must be adhered to, and the requirements are typically associated with a particular security technology, so you know what you have to do to become PCI compliant and secure.

Or do you? Many organizations that were PCI compliant, notably Heartland Payment Systems, announced massive data breaches this year that call into question the security controls that PCI requires. Some organizations overuse compensating controls, or outline the compensating control but never get back to fixing the issues. The sad truth is it comes down to this: on that particular day when the Qualified Assessor signed off on the audit, organization X was compliant.

To make matters worse, because this is a standard, not a regulation set into law, it is far more fluid. Changes can and will occur with the standard. It really isn't ever done. For example, late last year the PCI Council weighed in on securing wireless communications and Web applications. These are new additions to the standard that companies must adhere to even if they met all the other requirements previously. And if the organization is a large merchant, it needs to be assessed by an outside QSA every year. Smaller companies need to do self-assessments.

But it is not all doom and gloom. On the bright side, the PCI Council is a living and breathing entity, and it requests feedback on the standard and areas of ambiguity. For instance, it is pulling together experts and a working group to talk about how to secure some of the emerging technologies in the market, including virtualization and cloud computing. Its executives answer questions and listen to feedback. And because of the fines associated with PCI, this standard is taken seriously and can be a strong argument for budget in difficult and tight times.

In this Essential Guide to PCI, we aim to outline what you need to know right now. We drill down into the new requirements in PCI DSS 1.2, offer suggestions on how to pass an audit, and cover what to consider when it comes to PCI and securing virtualized machines and cloud services.

We hope this Essential Guide to PCI is prescriptive and straightforward, and we promise we won't be changing it or issuing any fines.

Kelley Damore is the Editorial Director of Information Security and TechTarget's Security Media Group. Send your comments on this column to feedback@infosecuritymag.com.
COMPLIANCE
AVOIDING AUDIT TROUBLE: Getting PCI Compliant
Having trouble with PCI compliance? You're not alone. Auditors and audit survivors offer tips for how to achieve it.
BY DIANA KELLEY

BY ALL ACCOUNTS, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is on the upswing. And media reports indicate the standard is gaining ground in the European Union, where many countries—the U.K. in particular—are stepping up compliance efforts.

Yet successful PCI Report on Compliance (RoC) completion remains a confusing venture and elusive to many. Some of the confusion stems from the convoluted path of accountability. Although the PCI DSS is often touted as a one-stop standard, each of the five major card brands continues to maintain separate compliance programs. Some brands have announced heavy noncompliance fees in the form of penalties and higher transaction rates, but it is the acquiring banks that decide when and how to pass on these fees to their retail and merchant customers. And despite the prescriptive nature of PCI, the standard changes when updates are issued, and Qualified Security Assessors (QSAs) have room to interpret the standard. It's not uncommon for a QSA's interpretation of the standard to differ from that of the company under review. Still, while PCI DSS compliance may not always be easy, it's definitely achievable.

KNOW WHO'S WHO
The first step to tackling PCI DSS compliance is to understand who's who in the PCI accountability chain; an organization may be surprised to learn who actually does what. The five card brands that constitute the payment card industry are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. Each brand had its compliance program before PCI DSS, and each continues to maintain those programs and exert final decision control over compliance. However, all of the PCI brands have agreed to use the PCI DSS as a baseline for compliance evaluation to simplify the process for members.

In December 2004, the card brands issued the first version (1.0) of the Data Security Standard. The standard is not intended to replace the individual brand compliance programs; rather, it is meant to be a single set of guidelines for entities that store, process or transact credit card data. The assumption is that if an organization receives a successful PCI DSS RoC, it's compliant with any of the card brand programs.

PA DSS
App Lockdown
NEW STANDARD FOCUSES ON COMMERCIAL PAYMENT APPLICATIONS.

RELEASED IN APRIL 2008, the first version of the Payment Application Data Security Standard outlines requirements that payment applications, such as point-of-sale systems, must adhere to. For those familiar with Visa's Payment Application Best Practices (PABP) program, which provides guidance on how to create payment applications that protect cardholder data in accordance with the PCI DSS, there won't be many surprises in the PA DSS. The majority of changes were renumbering and wording clarifications. However, some notable enhancements have been added, such as listing code-analysis tools as an alternative option for testing.

Compliance to the PA DSS applies to COTS payment applications that are sold to more than one customer and don't receive significant customization. At this point, the payment card brands still hold final determination on whether the PA DSS is mandatory for all payment applications. However, Visa has announced a phased PA DSS compliance program that will require its merchants and processors to use only PABP-compliant applications. Single-customer payment applications and applications developed in-house aren't subject to the PA DSS, though they must meet the PCI DSS. The wealth of information in the PA DSS can help any team develop more secure payment applications, even if those applications aren't required to be PA DSS compliant. —DIANA KELLEY
ACCOUNTABILITY
Chain Reaction
Here's a guide for understanding who's who in the PCI chain of accountability. You may be surprised to learn who actually does what.

Card brands
  What: American Express, Discover, JCB, MasterCard, Visa
  Why: Individual compliance programs; service level agreements with banks, retailers/merchants and processors; brand reputation

PCI Security Standards Council
  What: Independent organization led by the card brands with participation from member organizations and advisers
  Why: Maintain the PCI DSS, PCI PED (PIN Entry Device), PA DSS and associated content; oversight and governance of QSA and ASV training and approval process

Issuing banks
  What: Banks that issue credit cards to consumers
  Why: Issuing consumer credit cards

Acquiring banks
  What: Banks that enable merchants, retailers and processors to accept and process credit card payments
  Why: Governance to ensure members are PCI compliant; fees and penalties for failure to comply

Merchants/retailers and processors
  What: Entities that store, process or transact credit card data
  Why: Complying with the PCI DSS; validating compliance if Level 1

Qualified Security Assessors
  What: Auditors that are approved to issue RoCs of compliance to PCI DSS
  Why: On-site assessment; interpretation of PCI DSS

Approved Scanning Vendors
  What: Vendors that have been approved to perform PCI DSS compliance scanning
  Why: External scans; issuing reports on scan findings

So that there would be one central point of contact for PCI DSS matters, the five brands formed the PCI Security Standards Council (PCI SSC) in September 2006. The council is led by a five-member executive committee (one from each brand) and owns the official document repository for all things PCI DSS. This includes the standard, as well as collateral such as the self-assessment questionnaire, audit procedures, and, since April, the Payment Application Data Security Standard (PA DSS) (see "App Lockdown," p. 6). The council also maintains governance over training and approval for QSAs and Approved Scanning Vendors (ASVs).

Something many retailers find confusing is that the council is not responsible for compliance or decisions relating to compliance. The council has no control over fees or penalties issued to retailers or processors, nor does it have any involvement in the service-level agreements between the card brands, the banks and their members. That's why David Hogan, CIO of the National Retail Federation, was shooting at the wrong target when he asked the council for changes in primary account number (PAN) storage requirements. The PCI DSS is the standard on how to protect PANs if they're stored, but doesn't address whether they need to be stored in the first place. That's between the retailers/merchants, acquiring banks and card brands.

Organizations that need to validate PCI DSS compliance, such as Level 1 merchants with more than 6 million Visa or MasterCard transactions annually, work with QSAs for validation. Prescriptive though the PCI DSS is, there's still room for disagreement on specific controls and
their implementation. For example, one end user reports that for requirement 3.4 (render the PAN unreadable), his QSA refused to validate solutions that were not FIPS 140-2 certified. Though this federal certification provides a much higher level of assurance from a data protection standpoint, it is not specifically required for compliance by the PCI DSS Security Audit Procedures.

In cases like this, it may seem that the council is a good place to turn for answers, but it's not. The council has QSA feedback forms that companies are encouraged to fill out after audits, but these are used to determine if the QSA is performing audits properly. Finding a company out of compliance for not using FIPS 140-2 certified products is an interpretation issue.

And sometimes even QSAs feel a little lost when looking for guidance. William Lynch, a manager and QSA at IT consulting firm CTG, says he's tried to go to the card brands and the council for help with interpretation: "They're generally very reluctant to provide specifics, and their responses can be somewhat slow. If I have an interpretation question, I usually discuss it with other QSAs first and contact the council as a last resort" (see "Chain Reaction," p. 7).

GET TO KNOW THE QSA
As the person who issues the Report on Compliance (RoC) to the acquiring banks and card brands, the QSA has quite a bit of power. Working effectively with the QSA can mean the difference between attaining compliance and not. The first place to go when looking for a QSA is the council's site. For external validation, only council-approved QSAs may submit RoCs. Another option is to ask colleagues which QSAs they've worked with, or ask for a QSA reference from your acquiring bank. Evaluate acquiring bank recommendations carefully, though. Some acquiring banks have relationships with assessor organizations that pay referral fees—which may indicate the bank is motivated to make the recommendation simply to receive the fee.

Many organizations that have successfully completed PCI audits recommend treating the QSA search like any hiring process. Include requests for references and price quotes in the assessment criteria. And keep in mind that you'll be working closely with the assessment company, so it's important to have a good comfort level with its methodology. Another great tip from the trenches: consider two QSA firms, one for pre-assessment and one for the validation work.

Even if an organization does not wish to pre-assess with a QSA, it should conduct its own pre-assessment. The PCI SSC Self-Assessment Questionnaire (SAQ) and the PCI DSS Security Audit Procedures are excellent resources. An IT professional who completed a PCI validation cycle for his company said, "By pre-assessing, we knew
where the holes were and could fill them before getting beat up in front of upper management by the QSA." Though not getting "beat up" can be a benefit of pre-assessment, it's important to keep in mind that most QSAs aren't aiming for humiliation and failure. Pre-assessment gives organizations key knowledge regarding what is important to QSAs during an assessment, especially with regard to documentation. By understanding where the QSA is coming from, IT professionals can engage in a more collaborative relationship.

Documentation may not be exciting, but reviewing documents is a cornerstone of the QSA audit process. So be sure to include documentation review while working on a gap assessment. This is particularly important for areas where there may be interpretation or where compensating controls have been implemented. If a risk assessment process has been completed before implementing a control, be sure the supporting documentation is there so the QSA can assess it properly. Otherwise, the QSA may fail your control.

A money-based "gotcha" to watch out for when working with a QSA is when the QSA claims a company won't be validated as compliant if it doesn't buy a specific vendor product from the assessor's reseller. The tactic can be a softer sell, recommending the customer make the purchase rather than demanding it, but either way it's all wrong. QSAs that attempt to increase profits by requiring product purchases should be reported to the council.

MANAGING LOGS
SIMs Stand Out
REQUIREMENT 10.6 OF PCI REQUIRES DAILY LOG REVIEWS, SPURRING A BOOM IN SIM SALES.

PCI COMPLIANCE IS "a process, not a product," says Michelle Dickman, president and CEO of security information management (SIM) vendor TriGeo Network Security. Yet, there's no denying that a lot of product has been sold in the name of PCI. Many of these purchases were a result of shoring up security controls in areas where they did not exist. For example, most companies have firewalls (Requirement 1) in their data centers, but many did not have one at every retail site. Now, thanks to PCI, many do.

One product category, however, does stand out as particularly helpful, according to those who have undergone PCI DSS audits: SIMs and log management tools. Requirement 10 calls for monitoring and testing of networks, and 10.6 specifies: "Review logs for all system components at least daily." For a major retailer with thousands of components in the cardholder data environment, meeting those requirements just wasn't feasible without a log aggregation solution. But simply centralizing all logs and alerts isn't the end of the story, warns William Lynch, a manager and Qualified Security Assessor at IT consulting firm CTG. "Make sure the review process, accountable parties and documentation are in place to ensure that the review happens," he says. —DIANA KELLEY
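Lynch's point in the sidebar is that aggregation alone does not satisfy Requirement 10.6: something has to actually review each component's logs every day and leave a record of what it found. The following added example (not from the magazine or any vendor product) shows the minimal shape of such a review. It takes a constructed inventory of cardholder-environment components and a few constructed syslog-style lines, counts events per component for the calendar day under review, and raises two kinds of findings: a component that sent no logs at all (a silent log source is a gap in the review, not a quiet day) and a component with repeated failed logins. The hostnames, the three-failure threshold and the log format are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of in-scope system components (hypothetical hostnames).
CDE_COMPONENTS = ["pos-01", "pos-02", "db-cardholder", "fw-store"]

# Constructed syslog-style sample lines for the example; not real log data.
SAMPLE_LOGS = """\
2009-09-14T08:01:10 pos-01 sshd: Accepted password for clerk from 10.0.1.20
2009-09-14T08:03:44 pos-01 sshd: Failed password for root from 10.0.9.9
2009-09-14T08:03:49 pos-01 sshd: Failed password for root from 10.0.9.9
2009-09-14T08:03:55 pos-01 sshd: Failed password for root from 10.0.9.9
2009-09-14T09:15:02 db-cardholder postgres: user dba logged in from 10.0.2.7
2009-09-14T09:20:00 fw-store kernel: DROP IN=eth0 SRC=10.0.9.9 DST=10.0.2.5
2009-09-13T23:59:59 pos-02 sshd: Accepted password for clerk from 10.0.1.21
this line is not in the expected format
"""

# timestamp host program: message
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")


def parse_line(line):
    """Return (timestamp, host, program, message), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def daily_review(log_text, components, review_day, failed_auth_threshold=3):
    """Summarise one calendar day of logs per component and list what the reviewer must act on.

    review_day is an ISO date string such as "2009-09-14". A component with no lines
    in the window is reported (its logs may not be reaching the collector, so it was
    not really reviewed), as is any component with repeated failed logins.
    """
    window_start = datetime.strptime(review_day, "%Y-%m-%d")
    window_end = window_start + timedelta(days=1)
    events = defaultdict(int)
    failed = defaultdict(int)
    unparsed = 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            unparsed += 1  # unparseable lines are counted, never silently dropped
            continue
        ts, host, _program, message = parsed
        if not window_start <= ts < window_end:
            continue  # outside the day under review
        events[host] += 1
        if "Failed password" in message:
            failed[host] += 1
    findings = []
    for host in components:
        if events.get(host, 0) == 0:
            findings.append((host, "no log entries in review window; check log forwarding"))
        if failed.get(host, 0) >= failed_auth_threshold:
            findings.append((host, f"{failed[host]} failed logins; investigate"))
    return {
        "day": review_day,
        "events": dict(events),
        "unparsed_lines": unparsed,
        "findings": findings,
    }


if __name__ == "__main__":
    report = daily_review(SAMPLE_LOGS, CDE_COMPONENTS, "2009-09-14")
    for host, note in report["findings"]:
        print(f"{host}: {note}")
```

The returned dictionary is the artifact to keep: dated, listing every component checked and every finding, it is the evidence a QSA will ask for that the daily review took place and who was accountable for the follow-up.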
KEEP IT SIMPLE
An important step for a successful PCI assessment is to simplify the process by narrowing the scope of the audit with zoning, experts say. Allan Carey, senior vice president of research at IANS, which has advised a number of companies on PCI, stresses that "one of the most important things an entity can do is to reduce scope with proper network segmentation, including VLANs, air gaps and physical separation." When data must travel over public networks, such as the Internet and wireless LANs, Carey advises companies to secure the transmission using encryption protocols such as SSL.

Segmentation was a key part of the National Aquarium in Baltimore's strategy. As part of its PCI pre-assessment work, the aquarium reviewed two merchant functions that were operationally outsourced to third parties—the aquarium gift store and food services—and decided to physically separate the outsourced merchant networks from the aquarium. This resulted in a significant reduction in audit scope during the aquarium's PCI validation work.

Another tip on the simplification front—one we've all heard—is don't store what you don't need. But as Hogan's plea to the PCI SSC illustrated, many retailers—due to their service level agreements—are required to store PANs in a retrievable format for up to 18 months. Companies that don't have that requirement have simplified their PCI compliance by eliminating PAN storage. Others don't have to hang on to the PAN for months but hold it for hours during authorization. Brady Decker, network engineer at the aquarium, suggests that banks and card brands "take the merchants out of the security loop" by not having them store the PAN, even during the authorization phase. If a company must hold on to PANs for any length of time, Carey recommends "leveraging native database encryption capabilities to meet [requirement] 3.4 before layering on a third-party solution that may degrade performance or increase management complexity."

In addition, make sure to really know what's in your environment. Stories abound of large organizations that found untracked spreadsheets with thousands of credit card numbers when beginning their PCI assessment work. "Map the credit card data flow" for the entire lifecycle of the data's existence in your organization, says Michael Gavin, security strategist for application security company Security Innovation. That means answering these questions: Where does the information come in? Where is it being stored? Who has access along the way?

THINK GLOBALLY
Although PCI DSS is an internationally applicable standard, most of the PCI DSS noise has been coming out of the U.S. That's no longer the case. Since late last year, there has been a significant increase in PCI awareness in the U.K. and parts of Europe. Some European countries still believe that the standard doesn't apply or
is less important because of the use of a smart chip and PIN (personal identification number) in European credit cards. Chip and PIN does change the threat model, but not the PCI DSS requirement. Whether the PAN was read from a magnetic stripe, off of a smart chip, or typed into a Web form, the PAN protection requirements are the same.

Bob Russo, general manager of the PCI council, notes that organizations in some countries, like Japan, have spent a lot of time complying with security frameworks—such as the Information Security Management Systems (ISMS) approach of ISO 27001 and 27002—and don't want to spend time complying with an additional standard. The card brands, along with the council, are working to raise awareness that DSS is not optional and not replaceable by any other certification work.

If an organization has been concentrating only on U.S. operations, it's time for it to start thinking globally and assessing all sites where card information is transacted. And if you are using a compliance framework, consider mapping the controls and documentation in place to those needed for the PCI assessment. Many companies report that "careful compliance recycling" can reduce overhead when certifying to new and emerging standards.

PCI compliance may not be a simple art, but there are ways—like leveraging compliance frameworks—to make it simpler. There are a lot of rules and requirements for PCI, but the core goal is simple: protect credit cards on those digital "mean streets."

Resources
PCI Security Standards Council
  Provides information on standards, QSAs and more.
  www.pcisecuritystandards.org
PCI Knowledge Base
  Offers tips from research community.
  www.knowpci.com
Visa
  Includes list of validated payment applications.
  http://usa.visa.com/merchants/risk_management/cisp.html

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
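The article's advice to map the card data flow, and its warning about untracked spreadsheets full of card numbers, both come down to being able to find PANs where nobody expected them. The following added example, which is not from the magazine or any product it mentions, is the core of such a discovery check: it pulls 13- to 19-digit runs out of every cell of a CSV export, keeps only those that pass the Luhn checksum (so order numbers and phone numbers are not reported), and records the file, row and column together with just the last four digits, so the discovery report does not itself become one more place where full PANs are stored. The spreadsheet contents are constructed and use the publicly known test card numbers, not real cardholder data.

```python
import csv
import io
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed spreadsheet export for the example; the card numbers are the usual
# publicly known test numbers, not real cardholder data.
SAMPLE_CSV = """\
order_id,customer,card,notes
1234567890123,Alice,4111111111111111,paid in store
1234567890124,Bob,411111******1111,callback on 555-0100
1234567890125,Carol,n/a,customer read out 5500 0000 0000 0004 over the phone
"""


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects order ids, phone numbers, etc."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the last four digits of every Luhn-valid candidate found in text.

    Only the last four are returned so the discovery output is not itself a PAN store.
    """
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits[-4:])
    return hits


def scan_csv(filename, csv_text):
    """Scan every cell of a CSV export and report the location of each PAN found."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            for last4 in find_pans(cell):
                findings.append({"file": filename, "row": row_no, "col": col_no, "last4": last4})
    return findings


if __name__ == "__main__":
    for f in scan_csv("orders.csv", SAMPLE_CSV):
        print(f"{f['file']} row {f['row']} col {f['col']}: PAN ending {f['last4']}")
```

Note what the sample deliberately includes: an already-truncated value (411111******1111) is not reported, because the truncated form is exactly what Requirement 3.4 permits, while a PAN typed into a free-text notes column with spaces is still caught. In practice the same `find_pans` routine would be run over database dumps, mail archives and file shares, and the findings fed into the data-flow map the article asks for.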
CHANGES
PCI DSS 1.2 Answers Questions and Raises Others
The latest version of the standard provides clarity on wireless and Web application requirements.
BY DIANA KELLEY

IN OCTOBER 2008 the PCI Security Standards Council, stewards of the PCI Data Security Standard, released version 1.2. PCI DSS version 1.2 is not a sweeping rewrite of version 1.1. Most of the changes listed in the summary document are clarifications of wording and terminology. Bob Russo, general manager of the PCI Security Standards Council, said the group's goal was "eliminating as many questions as possible."

Some welcomed the changes, since some terms were poorly defined in the last iteration, making them confusing and difficult to interpret. For example, Requirement 6.6 of version 1.1 called for an "application-layer firewall." Retailers and PCI assessors (QSAs) alike wondered whether an application-layer-aware firewall, like the Cisco Systems Inc. PIX or ASA firewall, would suffice, or if it called for a Web application firewall like Barracuda Networks Inc.'s Web Site. Although the summary of changes continues to reference "application-layer firewall," the Council issued specific guidance on the terminology in February regarding the product type intended. Troy Leach, technical director of the PCI Security Standards Council, said that the testing procedures for Requirement 6.6 in version 1.2 make it clear that the Council is referring to Web application firewalls.

Other terms that received clarification and usage consistency makeovers are primary account numbers (PANs) and "strong cryptography." In version 1.1, "strong cryptography" is not defined; however, the audit/assessment procedures used by QSAs did list "Triple-DES 128-bit and AES 256-bit" as examples.
    • Another tricky one: Does the PCI DSS apply to electronic media exclusively or is paper included? According to version 1.2, it applies to both electronic and paper media that contains cardholder data. This will create additional work for those organizations that had misinterpreted version 1.1 and kept paper media out of scope during DSS compliance work. Compensating controls TABLE OF CONTENTS When enterprises are not able to meet the exact letter of the standard, they look to controls that will provide the same level of protection. Perhaps the most well- known example of this is PCI Requirement 3.4, which requires that if PANs are EDITOR’S DESK stored, they must be either rendered unreadable (by one-way hashing or truncation) or encrypted (using strong cryptography). GETTING PCI When many organizations found neither of these options was feasible, Appendix B of PCI When enterprises are not COMPLIANT DSS version 1.1 provided a list of acceptable able to meet the exact compensating controls that could be used in PCI DSS 1.2 place of those listed in the requirement. letter of the standard, Version 1.2 provides additional information about compensating controls and flexibility they look to controls WIRELESS options for other requirements. In the updated standard, Requirement 1 eases the timeline for that will provide the REQUIREMENTS reviewing firewall rules from quarterly to every same level of protection. six months. And the 30-day patch cycle, from the often-dreaded Requirement 6, now has “added flexibility…by specifying that TOKENIZATION a risk-based approach may be used to prioritize patch installation.” Under version 1.1, many retailers scrambled to install patches within 30 days, often short-circuiting their standard patch life cycle testing in an effort to meet the strict timeline. A PCI AND VIRTUALIZATION thorough approach to patching, however, requires testing, prioritization, and a robust pre-production process, which can take longer than 30 days. 
The change allows for risk-based approaches that may require more time.

Another welcome change concerns physical security. PCI DSS Requirement 9 called for cameras to monitor “sensitive areas,” but was an area like a restaurant dining room—where credit cards are handed to staff—considered sensitive enough to require a camera? How about a point-of-sale (PoS) cash register at a food court kiosk? Under version 1.2, organizations now have more flexibility to select other access control mechanisms when appropriate.

More requirements

While the clarification and compensating control changes are welcome, there are some additional requirements in version 1.2. For example: “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission.” For those of you who thought perhaps the Council meant 802.1X, you’re not alone; I thought that at first, too, because 802.11x is a placeholder for upcoming standards and not an IEEE standard.
Leach said 802.11x was used to indicate that upcoming versions of the DSS may include recommendations for using emerging 802.11 standards, such as 802.11i. So for more specifics, we’ll all have to stay tuned. On the plus side, version 1.2 will continue to allow SSL/TLS and IPsec for protection of data transmissions over both wired and wireless networks.

Some potential heartburn may come from this change regarding wireless network encryption: “New implementations of WEP are not allowed after March 31, 2009…Current implementations must discontinue use of WEP after June 30, 2010.” Wired Equivalent Privacy (WEP) has been broken for many years, so it makes sense for the Council to call for an end to its use in cardholder data environments, but many “out of the box” point-of-sale packages still commonly rely on WEP for proper operation. The two-year timeline for complete replacement of these systems may be too aggressive for retailers. If so, the Council will need to amend the timeline.

Finally, the antimalware requirement has been updated to include “all operating system types.” Antimalware for Mac platforms and Unix/Linux are available, but options are limited. As for mainframes (like System z), there just aren’t options. For platforms like mainframe and some flavors of UNIX, organizations can consider layering anti-malware protection by using gateways or other compensating controls.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
FROM WEP TO WPA

Wireless Encryption in the Wake of PCI DSS 1.2

Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

BY MIKE CHAPPLE

THE PCI SECURITY STANDARDS COUNCIL recently announced the imminent release of the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision includes a number of changes, updates and clarifications that affect anyone involved in the storage, processing or transmission of credit card information. One of the major areas of change, however, involves the use of wireless networks to transmit cardholder data.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

• Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Using WEP encryption to “protect” a wireless network is a bad idea, and that fact shouldn’t be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of WEP encryption was also responsible for the well-known TJX Companies Inc. breach, one of the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the use of WEP encryption with the presence of compensating controls, including quarterly key rotation, MAC-based host restrictions, and the use of supplemental encryption.
For smaller networks, WPA-secured networks and 802.1x authentication may be a fairly trivial task to implement. In some cases, however, the work may require significant infrastructure and/or payment system upgrades.

Converting to WPA

WPA has been standard technology on all wireless equipment manufactured since September 2003. For those using such equipment, converting to WPA may be as simple as changing a setting on the wireless access points and reconfiguring networked devices to access the new WPA network. However, for those using obsolete or specialized hardware, this change may not be so simple; you may need to get the manufacturer involved. The good news is that everybody’s in the same boat. Manufacturers that wish to support payment card applications must also support WPA encryption if they intend to continue serving the payment card industry. The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade. Companies may find themselves sitting on a lot of expensive but obsolete hardware, with no option other than upgrading it or ripping it out piece by piece.

Going “enterprise”

The second task is a bit more subtle and tends to be ignored in the initial analysis of PCI DSS 1.2. The summary states: “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission.” But what does PCI DSS 1.2’s recommendation of “industry best practices” for authentication mean for enterprise security managers?
From my perspective, it means that the use of a pre-shared key is not permissible in all but the smallest and most well-controlled environments. Rather than using the authentication method of the simpler WPA-Personal mode, where every device on the network uses a single shared secret key, individual machine-based or user-based authentication should be put in place to protect network access. The use of WPA-Enterprise technology allows individual users or devices to be provisioned and de-provisioned without reconfiguring the entire network. It’s clearly a good security practice, but it can be difficult to implement for those who don’t have experience with it.

Enterprises that are already running a RADIUS and Active Directory environment may be able to simply tie it in to the wireless infrastructure using 802.1x. Essentially, WPA-Enterprise allows you to avoid the security problems associated with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses 802.1x to access an external authentication server to validate access requests using the credentials of individual users. Those that don’t have this technology in place will need to think about the best way to deploy WPA-Enterprise in their environments.
For example, you’ll probably want to first ensure that both your wireless infrastructure (access points, controllers, etc.) support WPA-Enterprise and then ensure that your wireless devices (laptops, PDAs, etc.) are also compatible. You’ll then need to decide the appropriate authentication back end for your environment. In most Microsoft shops, you’ll want to configure RADIUS to authenticate against an existing Active Directory. Otherwise, you’ll need to find another source of user authentication data and integrate it with your RADIUS server.

Finally, you’ll need to devise a rollout strategy. One common approach is to stand up the WPA-Enterprise network alongside your existing wireless networks and allow users a transition period of several weeks before shutting off the legacy network. For more practical advice on deploying WPA-Enterprise, read Controlling WLAN access on a tight budget.

Summing up

The new wireless requirements imposed by PCI DSS 1.2 aren’t a surprise to payment card security professionals. We’ve been expecting them ever since the first release of PCI DSS 1.0, and they represent best practices in wireless security. The time has now come to comply, and the council has set a clear deadline: June 2010. That might sound far away, but the best advice I can offer you is to start planning now. If the changes are simple, you’ll finish way ahead of the deadline and have plenty of time to relax. However, if your infrastructure requires major changes, you’ll have the necessary opportunity to plan and deploy those changes properly.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
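The wireless requirements laid out in the article above (no new WEP after March 31, 2009, no WEP at all after June 30, 2010, strong encryption per IEEE 802.11i, and individual 802.1X/RADIUS authentication rather than a pre-shared key) can be checked mechanically against an access point's configuration. The following is an added example, not code from the article: a checker for hostapd-style `key=value` configurations. The three configurations inside it are constructed samples using real hostapd keys with made-up values (the RADIUS address is from the TEST-NET range); the checker itself and its dates are the only page-derived content.

```python
"""Checks a hostapd access-point configuration against the PCI DSS 1.2
wireless requirements: no WEP (none new after March 31, 2009, none at all
after June 30, 2010), strong encryption per IEEE 802.11i, and 802.1X/RADIUS
authentication rather than a pre-shared key. Added example, not code from the
article; the configurations below are constructed samples."""
from datetime import date

WEP_BAN_NEW = date(2009, 3, 31)   # no new WEP deployments after this date
WEP_BAN_ALL = date(2010, 6, 30)   # existing WEP must be gone after this date

# Constructed hostapd.conf fragments (real hostapd keys, made-up values).
WEP_CONFIG = """
interface=wlan0
ssid=POS-LEGACY
wep_default_key=0
wep_key0=0123456789
"""

PSK_CONFIG = """
interface=wlan0
ssid=POS-WPA
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-shared-secret
rsn_pairwise=CCMP
"""

ENTERPRISE_CONFIG = """
interface=wlan0
ssid=POS-SECURE
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=EXAMPLE-RADIUS-SECRET
"""


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def assess_wireless(conf: dict, as_of: str, new_deployment: bool = False) -> list:
    """Return the findings for this AP as of the ISO date `as_of`; an empty
    list means the configuration meets the requirements."""
    findings = []
    today = date.fromisoformat(as_of)

    if any(k.startswith("wep_") for k in conf):
        if new_deployment and today > WEP_BAN_NEW:
            findings.append("WEP: new WEP implementations not allowed after March 31, 2009")
        elif today > WEP_BAN_ALL:
            findings.append("WEP: use of WEP not allowed after June 30, 2010")
        else:
            findings.append("WEP: must migrate to WPA before June 30, 2010")
        return findings                      # nothing else worth assessing on WEP

    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("no WPA: transmissions are unencrypted")
        return findings
    if wpa == "1":
        findings.append("WPA (pre-802.11i) only: enable WPA2/RSN (wpa=2)")

    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: use CCMP (AES) only")

    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt:
        findings.append("pre-shared key (WPA-Personal): use WPA-Enterprise (WPA-EAP) "
                        "so users and devices are authenticated individually")
    if "WPA-EAP" in key_mgmt:
        if conf.get("ieee8021x") != "1":
            findings.append("WPA-EAP without ieee8021x=1: 802.1X not enabled")
        if "auth_server_addr" not in conf:
            findings.append("WPA-EAP without auth_server_addr: no RADIUS server configured")
    if not key_mgmt:
        findings.append("wpa_key_mgmt missing: no authentication method configured")
    return findings


def is_pci_ready(text: str, as_of: str, new_deployment: bool = False) -> bool:
    """Convenience wrapper: True when the configuration text has no findings."""
    return not assess_wireless(parse_hostapd(text), as_of, new_deployment)


if __name__ == "__main__":
    for name, cfg in (("WEP", WEP_CONFIG), ("PSK", PSK_CONFIG), ("Enterprise", ENTERPRISE_CONFIG)):
        print(name, assess_wireless(parse_hostapd(cfg), "2009-09-01") or "OK")
```

Run against an exported configuration from each access point during the rollout the article describes, the checker gives a per-AP list of what still stands between the network and the June 2010 deadline.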
SECURING PANs

Is Tokenization the Cure-all for PCI Compliance?

The technology attempts to replace cardholder data with a token instead of a PAN.

BY ED MOYLE

STOP FOR A MOMENT and imagine what it would be like if all of the sensitive data in your company suddenly went away. It wasn’t stolen; your company just found a way to operate without needing to keep that sensitive data on hand. Sounds pretty sweet, right? For everyone in the payment lifecycle, the sensitive data our firms need to do business is like a giant albatross around our necks. We need to protect it, constantly monitor who has access to it, and we live in constant fear of it getting stolen. Financial-services firms such as card issuers and acquirers have it worst of all—we have a vested interest in making sure our merchants are protecting the data, but we often don’t have direct control over whether or not they do.

So it’s no wonder a technology hitting the scene that promises to make all these headaches go away would get a lot of attention. While we’re all struggling to get and stay compliant with the PCI Data Security Standard, the idea that we could install some technology that reduces the stress of protecting sensitive data has quite an appeal. And this is exactly what tokenization promises to do.

What is tokenization?

To see how tokenization works and why it’s useful, it helps to compare how a typical payment transaction currently works versus the ideal of a fully tokenized scenario. When a customer goes to a company and hands off his or her card for authorization, the default scenario is that the merchant needs to keep the cardholder data on file to perform a variety of functions.
For example, the merchant needs to keep a record of the account to settle transactions, process recurring payments (like at a gym), modify or update the transaction amount based on instructions from the customer (such as when a customer wants to add a tip to a restaurant bill), or issue refunds. In this case, the cardholder data is necessary for a company to do business. But while it’s necessary, it also carries a serious compliance burden: much of the PCI DSS speaks directly to the requirements related to that data storage.
By contrast, tokenization attempts to minimize the amount of data the business needs to keep on hand; in this case, by replacing the cardholder data with a “token”—a randomly-generated value the merchant can use instead of the primary account number (PAN). Since the token is not a PAN, and can’t be used outside the context of that unique transaction with the merchant, it doesn’t have the same high level of sensitivity that a PAN carries.

In a tokenization scenario, the organization outsources their payment processing to a service provider that provides a “tokenization option,” such as Shift4 Corp., Electronic Payment Exchange, Merchant Link or Braintree Payment Solutions. The service provider handles the issuance of the token value and also handles the heavy lifting of keeping the cardholder data locked down. Alternatively, a more in-house approach might leverage a product like nuBridges Inc.’s Protect to bring the service-provider functionality on premises.

Pros and cons of tokenization

The relative benefits of a tokenization scenario should probably be pretty clear for folks who’ve been worried about complying with the PCI DSS. Requirements like 3.4 (“Render PAN, at minimum, unreadable anywhere it is stored…”) go from being an “Oh my gosh” to a “Who cares.” Why? Because the token isn’t a PAN, and once you make the switch you’re no longer processing PANs, that requirement, as well as numerous others in the PCI DSS that target data storage, ceases to apply.
From an integration standpoint, companies offering these services are heavily incented to keep complexity down because it enables them to sell to smaller merchants and retailers with limited in-house technical expertise. This is good news for larger organizations as well. Now, no integration is ever truly “seamless,” but since the majority of changes are on the backend (service provider) side, changes to the merchant environment should be relatively few. Given that, if you’re like many organizations, deploying a tokenization solution can be a more cost-effective way to meet PCI requirements than implementing a host of technical security controls around data storage. While there are fees associated with the implementation of a tokenization solution, the reduced scope of compliance and the reduced need for storage-related technical controls is likely to wind up a net gain.

But just as there’s no such thing as a free lunch, there’s also no panacea—at least not in information security. In most scenarios, it’s the merchant who supplies the cardholder data to the service provider in order for the tokenization to occur. This means the merchant does have a role in the transaction flow. And because the PCI DSS applies to everyone who stores, processes or transmits the data, they still have compliance obligations. While it’s certainly true that those compliance requirements are less when dealing with tokens versus live PANs, organizations still need to make sure they comply with the requirements designed to protect data in transit, at least for the machines and processes involved in the transaction before tokenization occurs.

Ed Moyle is a manager with CTG’s Information Security Solutions practice and a founding partner of consulting firm SecurityCurve. He is co-author of “Cryptographic Libraries for Developers” and a frequent contributor to the information security industry as an author, public speaker, and analyst.
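The flow the article describes, with the merchant handing the PAN to a provider once, storing only a random token, and later adjusting the amount (the restaurant-tip case) using that token alone, as an added example that is not the code of any provider named above. The in-memory vault stands in for the provider's protected store, the merchant identifiers and PAN are constructed test values, and the `charge` call is where a real provider would forward the PAN to the card network. It also makes the article's caveat concrete: the PAN still passes through the merchant's `checkout` on its way to the provider, which is the part of the merchant environment that stays in scope for data in transit.

```python
"""A minimal tokenization flow: the merchant hands the PAN to a provider once,
receives a random token, and from then on stores and uses only the token.
Added example, not the code of any provider named in the article; the
in-memory vault stands in for the provider's protected store and the PAN is
a constructed test number."""
import secrets
from dataclasses import dataclass

SAMPLE_PAN = "4111111111111111"   # constructed: a well-known test number


@dataclass
class Receipt:
    token: str
    amount: float
    last4: str           # the most a merchant ever gets back about the card


class TokenizationProvider:
    """Service-provider side: issues tokens and holds the only copy of the PAN."""

    def __init__(self):
        self._vault = {}                 # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # A random token carries no information about the PAN, and the vault
        # binds it to the merchant that received it.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._vault:   # guard against a (very unlikely) collision
                break
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount: float) -> Receipt:
        """Settle, adjust or refund on the merchant's behalf. The PAN is
        resolved here, inside the provider, and never returned."""
        owner, pan = self._vault.get(token, (None, None))
        if owner != merchant_id:
            raise PermissionError("token is not valid for this merchant")
        # A real provider forwards the PAN to the card network at this point.
        return Receipt(token=token, amount=amount, last4=pan[-4:])


class Merchant:
    """Merchant side: persists tokens only. The PAN still passes through
    checkout() in memory on its way to the provider, which is why the merchant
    keeps data-in-transit obligations up to that point."""

    def __init__(self, merchant_id: str, provider: TokenizationProvider):
        self.merchant_id = merchant_id
        self.provider = provider
        self.records = []                # what the merchant persists

    def checkout(self, pan: str, amount: float) -> str:
        token = self.provider.tokenize(self.merchant_id, pan)   # PAN leaves here
        self.records.append({"token": token, "amount": amount})
        return token

    def add_tip(self, token: str, tip: float) -> Receipt:
        """The restaurant-tip case: adjust the amount later using the token alone."""
        record = next(r for r in self.records if r["token"] == token)
        record["amount"] += tip
        return self.provider.charge(self.merchant_id, token, record["amount"])


def stored_data_contains(records: list, needle: str) -> bool:
    """Scan what the merchant persisted for a clear-text value."""
    return any(needle in str(v) for r in records for v in r.values())


def token_usable_by(provider: TokenizationProvider, merchant_id: str, token: str) -> bool:
    """Whether a given merchant can transact with a token it did not receive."""
    try:
        provider.charge(merchant_id, token, 1.0)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    provider = TokenizationProvider()
    diner = Merchant("diner-42", provider)
    tok = diner.checkout(SAMPLE_PAN, 40.00)
    print("merchant stored the PAN?", stored_data_contains(diner.records, SAMPLE_PAN))
    print(diner.add_tip(tok, 8.00))
    print("another merchant can use the token?", token_usable_by(provider, "kiosk-7", tok))
```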
EMERGING TECHNOLOGIES

PCI, VIRTUALIZATION AND CLOUD COMPUTING

BY MICHAEL COBB

Compliance guidelines on virtualization will likely be in a state of flux for some time.

IMAGINE THIS SCENARIO: You’ve successfully migrated all the company’s non-critical applications, the internal infrastructure and the development center on to virtual servers. Management is happy because you’ve lowered both capital and operating costs, increased energy efficiencies, as well as improved business continuity. But like every business at the moment, your managers need you to reduce costs even further. They’re pushing for you to consolidate and run the mission-critical applications, including the Internet-facing e-commerce ones, on virtualized servers, too. But can you remain compliant with the Payment Card Industry Data Security Standard (PCI DSS) while fully leveraging the business benefits of virtualization?

What PCI has to say about virtualization

This is a problem many IT managers face, and there’s a distinct lack of guidance on virtualization from the PCI Security Standards Council. Version 1.2 of the standard, released in October, did clarify a number of issues, but it didn’t address virtualized environments. To benefit from virtualization, virtual servers will typically have multiple functions running on a single physical server. Section 2.2.1 of the PCI DSS, however, states that a server should perform only one primary function. So, according to the standard, Web servers and database servers should each be implemented on a separate machine. For a company that needs to be PCI compliant, those restrictions make the task of virtualizing an infrastructure a difficult one.
The PCI Data Security Standard does not yet address virtualized servers or related audit requirements, meaning that qualified security assessors (QSAs) must use their own judgment to determine whether organizations that implement virtualized servers meet the PCI mandates. This less-than-ideal situation is compounded when you consider that IT and security professionals themselves are still unsure of how virtualization changes the risk profile of a system, especially when the technology has been described as one that keeps “all the eggs in one basket,” due to the fact that a compromise of the VM host compromises all the virtual servers running on it.

PCI virtualization specifications on the way

Thankfully, this is a short-term situation, as a PCI Security Standards Council special interest group (SIG) for virtualization is currently taking shape. Its aim will be to address the challenges and issues associated with virtualization and PCI compliance, providing much-needed explanation in the same way the clarification document regarding Web application firewalls and code reviews had done in early 2008. The virtualization SIG will solicit feedback from not only participating organizations, such as VMware Inc., Microsoft and other industry stakeholders, but also the security assessors that currently perform assessments. They will no doubt focus on the security of host servers. Any VM containing credit card-related data means its host server is also in-scope. Other issues to be addressed include access control, monitoring and the security of remote console sessions to the VMs. Adequate security for clones and copies of virtualized servers, such as those used for disaster recovery and business continuity, should be covered as well.

The decision that will have the biggest effect on merchants will be whether virtualization provides adequate zoning and separation of functions. That choice will specify if virtual servers are acceptable as long as they are only performing a single function. For example, will a merchant be able to run in-scope and out-of-scope virtual servers on the same hardware? In such a situation, there would certainly need to be a firewall in place to separate the virtual servers into zones.
One approach may be for a single hypervisor to only allow the compliant systems handling data covered by PCI, which would avoid the non-compliant state of having multiple classifications of data residing on the one storage medium. A current best practice is to not use virtual machines that run across multiple secure zones on the same host. In the upcoming clarification document, it will also be important to monitor not just the VM workloads, but also the hypervisors, using products such as those from Tripwire Inc. Comprehensive monitoring offers reporting ability, which will certainly help towards demonstrating compliance.

It will be some time before the virtualization SIG is able to quantify the risks posed by a virtualized environment and establish auditing standards to assess host servers and guest virtual machines. QSAs are used to auditing and assessing risk in highly segmented and layered architectures where duties and responsibilities are largely separated and well-defined. The opposite is true in virtualized architectures, which means another auditing approach is necessary. My view is that the most conservative approach would be to delay implementing virtualization and wait for the findings and recommendations of the SIG in order to ensure your chosen product doesn’t fail any upcoming revisions to requirements. When the PCI requirements for security in virtual environments are announced, it will have some fairly broad implications for the whole cloud computing community.

For those who are more bullish on virtualization, when researching some of the virtualization security products coming onto the market today, I would recommend paying particular attention to their management control features. For example, to what degree can an organization limit the scope of permissions to specific objects or parts of the infrastructure and grant the correct access rights to the right people, without violating the principle of “least privilege?” Separation of duties between hosts and VMs will be critical to achieve compliance. To that end, administrators looking to get a head-start should be aware that VMware, one of the major virtualization vendors, has launched the VMware Compliance Center website: an initiative to help merchants understand how to achieve, maintain and demonstrate compliance of various industry standards in virtual environments. I also recommend reading the case studies of companies that have successfully passed compliance audits in their VMware environments. Good documentation to prove there are sufficient controls in the virtualized environment seems to be a common component of setups that have passed an audit. It’s also important to choose an assessor who understands security controls in a virtual environment and has experience in how they should be deployed.

The bottom line is that virtualization is a complex and evolving technology, and those looking to implement virtualized systems in the near-term—regardless of the business drivers, such as cost reduction, availability and resiliency—should be aware that PCI compliance guidelines will likely be in a state of flux for some time.
That means implementations may be forced to evolve as well.

Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
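The scoping rules the virtualization article above spells out (a host is in scope as soon as one guest on it holds cardholder data, because a host compromise exposes every guest; in-scope and out-of-scope guests should not share a host; Requirement 2.2.1 wants one primary function per server; DR clones carry the data and therefore the scope) can be applied to a VM inventory before an assessor does. The block below is an added example, not code from the article; the inventory is constructed, with host and VM names made up for illustration.

```python
"""Scope and zoning checks over a VM inventory: a host is in scope once any
guest on it holds cardholder data, mixed in-scope/out-of-scope hosts pull
their other guests toward scope, and guests with more than one primary
function breach Requirement 2.2.1. Added example, not code from the article;
the inventory is constructed."""

# Constructed inventory: host -> list of guest VMs.
INVENTORY = {
    "esx-01": [
        {"name": "web-store", "functions": ["web"], "cardholder_data": True},
        {"name": "db-orders", "functions": ["database"], "cardholder_data": True},
    ],
    "esx-02": [
        {"name": "intranet", "functions": ["web"], "cardholder_data": False},
        {"name": "build-srv", "functions": ["web", "database"], "cardholder_data": False},
    ],
    "esx-03": [
        # A DR clone of the orders database: clones carry the data, so they
        # carry the scope.
        {"name": "db-orders-dr", "functions": ["database"], "cardholder_data": True},
        {"name": "hr-wiki", "functions": ["web"], "cardholder_data": False},
    ],
}


def in_scope_hosts(inventory: dict) -> list:
    """Hosts running at least one guest that holds cardholder data."""
    return sorted(host for host, vms in inventory.items()
                  if any(vm["cardholder_data"] for vm in vms))


def mixed_zone_hosts(inventory: dict) -> list:
    """Hosts that mix in-scope and out-of-scope guests, i.e. the zoning a
    firewall or separate hardware should be providing instead."""
    mixed = []
    for host, vms in inventory.items():
        if {vm["cardholder_data"] for vm in vms} == {True, False}:
            mixed.append(host)
    return sorted(mixed)


def vms_pulled_into_scope(inventory: dict) -> list:
    """Out-of-scope guests that share a host with in-scope ones and so
    inherit the host's exposure."""
    return sorted(vm["name"]
                  for host in mixed_zone_hosts(inventory)
                  for vm in inventory[host]
                  if not vm["cardholder_data"])


def multi_function_vms(inventory: dict) -> list:
    """Guests with more than one primary function (Requirement 2.2.1)."""
    return sorted(vm["name"]
                  for vms in inventory.values()
                  for vm in vms
                  if len(vm["functions"]) > 1)


def scope_report(inventory: dict) -> dict:
    """All four checks in one structure, ready to hand to an assessor."""
    return {
        "in_scope_hosts": in_scope_hosts(inventory),
        "mixed_zone_hosts": mixed_zone_hosts(inventory),
        "vms_pulled_into_scope": vms_pulled_into_scope(inventory),
        "multi_function_vms": multi_function_vms(inventory),
    }


if __name__ == "__main__":
    for key, value in scope_report(INVENTORY).items():
        print(f"{key}: {value}")
```

The useful output is the "pulled into scope" list: every name on it is a guest the merchant thought was out of scope but which an assessor, reasoning from the host-compromise argument, is entitled to examine.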
Q & A

Cloud and Virtualized Servers Pose Challenges for PCI Compliance

IN THE Q&A TROY LEACH, TECHNICAL DIRECTOR FOR THE PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL, EXPLAINS HOW A SIG HOPES TO ADDRESS THE CONFUSION.

BY ROBERT WESTERVELT

Troy Leach, technical director for the Payment Card Industry Security Standards Council, recognizes a gap in the standard when it comes to addressing the security of payment card data in cloud computing and virtualized environments. In an interview Leach said he hopes a newly-formed special interest group (SIG) and an emerging technologies study will recommend ways the standard can address securing payment data in the cloud. The council needs a better understanding of the rules and responsibilities within a virtualized server and whether or not virtual segmentation in a network is appropriate segmentation, Leach said. In addition, the PCI SSC announced an expansion of its PIN Entry Device (PED) Security Requirements addressing unattended payment terminals and hardware security modules. The devices will now undergo thorough security testing, Leach said.

The PCI SSC has a special interest group (SIG) around virtualization security. What will its ultimate goal be, and what are some of the issues the group will be looking at?

TROY LEACH: Just to take one step back, we have a wireless special interest group that has submitted a new wireless implementation guide. It’s a phenomenal document and I can’t wait to put this in the marketplace. It provides a guide for any merchant that either has wireless in their environment and is making changes, or is implementing wireless. It’s a robust guide, and we hope to see the same from the virtualization SIG.

I would assume the [virtualization group] will be tackling issues such as the chain of custody and the rules and responsibilities within a virtualized server.
They’ll probably discuss cloud computing. They’ll probably discuss virtual local area networks (VLANs) and whether or not virtual segmentation in a network is appropriate segmentation. It’s similar to another SIG we launched last month on scoping. So there may be some overlap when it comes to virtualization.

Is the SIG on scoping related to just virtualization issues or all network segmentation issues?

LEACH: It’s going to include all scoping issues. This is going to be determined by the merchants and participating organizations and how they want to cover the topic. They have a very broad interest in different aspects of segmentation and reducing a PCI assessment.

If someone walks up to you and says they’re doing cloud computing, is there anything in the standards as they are right now that you can point them to for guidance?

LEACH: It’s a tough question. We have an emerging technologies request for proposal (RFP) that will explore some of these issues, and we’re going to see how virtualization applies. We try to stay technology agnostic, but we recognize that there are times when you have to call out certain types.
    • Q & A We do have certain requirements that are a challenge. I think the one that most folks look to is ‘one primary function per server’ and whether or not virtualization creates TABLE OF CONTENTS enough separation within those operating systems to have that one function per server. That’s a challenge for a lot of organizations. We’re seeing some new work with hypervisors being able to hop from one operating system to another and whether or not antivirus at EDITOR’S DESK that level is appropriate. There are a lot of challenges with that technology, and we’re hoping to have a position paper presented to us from the emerging technologies RFP by the end of the summer. GETTING PCI COMPLIANT What are some of the challenges around network segmentation? LEACH: I think the first challenge many merchants face when they are segmenting is that they don’t know where their cardholder data is. The discovery phase of finding cardholder PCI DSS 1.2 information, especially if you’re new to that type of discovery, can be quite a challenge. As a former chief technology officer, I can say that sometimes I didn’t know if a marketing team somehow collected information or a business group collected information unbeknownst to system administrators and database administrators. We’re getting there. Many organizations WIRELESS REQUIREMENTS are now very cognizant of security and that it needs to be an ongoing practice, not just a once a year validation. The PIN Entry Device (PED) Security Program is expanding to include UPTs and HSMs. What are TOKENIZATION these two new standards? LEACH: The PED standard is now plural, and we have multiple standards for those devices that actually record PIN transactions. The part of the program related to unattended pay- PCI AND ment terminals (UPT) focuses on additional security requirements for those types of VIRTUALIZATION devices, like fuel pumps and movie ticket kiosks. 
These are transactions that are done with- out a cashier, and we recognize that there are additional physical and logical security con- trols that need to be in place for those types of devices. INTEGRATING PCI INTO COMPLIANCE In addition, the hardware security module (HSM) is within the device itself. It manages PROGRAMS how that PIN is being handled by the device. For example, it encrypts the PIN from the point that it is taken from the device onto the processor and onto the acquiring bank. A NEW PRIORITY If I’m a merchant and I already have some of these devices installed, what happens to these TOOL FOR PCI devices? LEACH: These requirements are going to be similar to the PED requirements, in that it will be the responsibility of the manufacturer of those devices to go through and become vali- SPONSOR dated against these requirements. Many of these manufacturers are very aware of these RESOURCES standards. They’ve helped to vet the requirements themselves. So we anticipate that many of these manufacturers will have the products go through the process with the laboratories real soon.w Robert Westervelt is the news editor for SearchSecurity.com. 29 I N F O R M AT I O N S E C U R I T Y • ESSENTIAL GUIDE • PCI DSS
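Leach's point that merchants often do not know where their cardholder data is comes down to discovery before scoping. The scanner below is an added example, not code from the guide or from the PCI SSC: it finds candidate primary account numbers in text, keeps only those that pass the Luhn check to cut false positives, and reports each hit in masked form (first six and last four digits) so that the scan report does not itself become another store of cardholder data. The file contents, the regular expression and the 13-to-19-digit length window are constructed for the demonstration and should be tuned to the card brands in scope.

```python
"""Cardholder-data discovery scanner (added example, not from the guide).

Locates Luhn-valid candidate PANs in text so that systems holding card data
can be found and brought into scope (or segmented away). Only a masked
rendering is ever reported, so the findings file holds no full PANs.
"""
import re
from dataclasses import dataclass

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit string. Constructed pattern: tune to the
# card brands and formats actually in scope.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN as first six and last four, the display form PCI permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    masked: str


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one text body and return masked findings with their line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample files: a marketing export and an application log.
# The card numbers are well-known test numbers, not real accounts; the
# 1234... value and the order id are Luhn-invalid and must not be reported.
SAMPLE_FILES = {
    "marketing_export.csv": (
        "name,email,card\n"
        "A. Example,a@example.com,4111 1111 1111 1111\n"
        "B. Example,b@example.com,order-20090914-00123\n"
    ),
    "app.log": (
        "2009-09-14 10:02:11 INFO checkout ok pan=5555555555554444 amt=19.99\n"
        "2009-09-14 10:02:12 INFO checkout ok pan=1234567812345678 amt=5.00\n"
    ),
}


def scan_files(files: dict = SAMPLE_FILES) -> list[Finding]:
    """Scan a mapping of file name to contents; real use would read from disk."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_files():
        print(f"{f.source}:{f.line_no}: {f.masked}")
```

The timestamp and the order id in the sample are rejected by the length window and the Luhn check respectively; that combination is what keeps a scan over logs and exports usable, since bare digit-run matching drowns the real hits in invoice numbers and dates.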
BEST PRACTICES

Compliance Recycling

How to combine compliance efforts to manage PCI DSS.

BY DIANA KELLEY

GOING "GREEN" is becoming a way of life for many of us. The "reduce, reuse and recycle" approach can help save materials and decrease impact on the environment. In compliance work, the concepts of reducing work and "reusing" existing controls can also be applied. Many organizations have invested time and effort to implement ISO 27002 controls and certify against 27001 Information Security Management System (ISMS) processes. Others have adopted the IT management techniques from the UK Office of Government Commerce (OGC), known as ITIL. And many organizations have made significant investments to create a standardized compliance framework for use across business units and divisions.

Although compliance with the Payment Card Industry Data Security Standard (PCI DSS) cannot be accomplished by using another framework or methodology exclusively, organizations have found that they can leverage valuable mappings between existing frameworks. Additionally, some of the policies and tools implemented for PCI DSS may provide unexpected compliance benefits for other initiatives.

David Howell, senior manager of compliance solutions at RSA, the security division of EMC Corp., said he's observed a desire for compliance normalization. Companies are looking for a "common framework that can be used to eviscerate the walls between disparate compliance programs," Howell said, "defining commonalities so that pieces can be leveraged."

Reuse can work bidirectionally. Controls implemented for PCI DSS can be used for other initiatives in the organization, and controls implemented before or independently of PCI DSS may be reusable as part of PCI DSS validation work.

Examples of PCI DSS controls that can be reused are policies and procedures related to protection of sensitive data. PCI mandates that sensitive authentication data cannot be stored after the authorization phase, but primary account numbers (PANs) can. Requirement 3.4 of the PCI DSS provides specific details on how PANs must be stored in order to achieve compliance. Implementing these specifics can be a challenge, involving the use of native encryption on databases, or a cryptographic gateway or library to encrypt the data before passing it to the database for storage. Such encryption requires key management, and PCI DSS also details rules regarding proper key storage, aging and control. With sophisticated storage protection in place, a number of companies have found that the techniques in Requirement 3.4 can be applied to other sensitive data in the organization.

Michelle Stewart, manager of data security for AirTran Airways, discovered some unexpected benefits from using PCI DSS controls. Monitoring systems that were put in place for PCI DSS became valuable tools for the operations and audit teams. Information from network and host scans was used to identify "devices that weren't in compliance with company policy," Stewart said. The increased visibility provided by the tools helped AirTran enforce policy management for non-PCI DSS-related initiatives like ensuring that no unwanted applications, such as streaming radio, were running on the corporate network. Stewart said savvy companies can leverage IT spending intended for PCI DSS compliance for work beyond PCI DSS and card data protection.

The relationship between ISO 27001/27002 and PCI DSS is a little more complex, but worth investigating, especially for organizations that are ISO 27001 certified. ISO 27001 is a methodology for managing a security program using the Plan-Do-Check-Act (PDCA) quality control cycle. Organizations that build security programs can use ISO 27001 to certify their ISMS approach to the standard. ISO 27002, on the other hand, is a list of controls. The PCI DSS is something of a mix of the two: it both specifies technical controls and defines management techniques and approaches. While a company could be fully ISO 27001 certified, that is no assurance that it is also PCI DSS compliant. Since controls in ISO 27001 are adopted based on an organization's risk assessment determination, the final decision regarding which controls to implement rests with the organization itself. PCI DSS is not that flexible; controls listed in the standard are mandatory for compliance.

However, if a company is ISO 27001 certified, it is likely that the organization has already implemented many of the controls that PCI DSS requires. Though the two aren't aligned, an organization could perform a gap assessment of existing controls, such as those implemented from ISO 27002, against the mandatory PCI DSS controls. Sections A.10, A.11 and A.12 of the ISO standard focus on more technical controls, and this is where the majority of the overlaps occur. The end result would be a delta highlighting additional controls required for PCI, potentially streamlining compliance and assessment work. Another benefit for ISO 27001 certified organizations is that extensive documentation is required. Insufficient documentation is a core reason that companies fail PCI DSS compliance, so having it in place for ISO will make the PCI compliance work easier.

Finally, the Unified Compliance Framework (UCF) is an interesting approach to compliance. Developed by Dorian Cougias and Marcelo Halpern, UCF attempts to help companies streamline compliance work by mapping normalized controls and management approaches. In February 2008, the group behind UCF published a "harmonization" that integrates the PCI DSS Self-Assessment Questionnaire (SAQ) v1.1 and PCI DSS requirements into the UCF. Companies using the UCF as a meta-compliance framework may find the integration document helpful for normalization and mapping between the two. The document is available to all PCI Qualified Security Assessors (QSAs) as well as UCF subscribers.

Compliance is a cornerstone of a healthy IT environment. Consider "going green" when it comes to compliance. In other words, rather than throwing out previous compliance work when new regulations come along, look for areas where controls and policies can be mapped and "recycled" for applicability to the new mandates.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
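The Requirement 3.4 storage rules and the key-management rules for "storage, aging and control" mentioned in the article can be made concrete with a small example. This is added code, not from the article, from SecurityCurve or from the PCI standard, and it uses only the Python standard library. Two of the methods Requirement 3.4 accepts for rendering a stored PAN unreadable are shown, truncation and a one-way hash built on strong cryptography; the hash is keyed (HMAC-SHA256) because a PAN has little entropy once the issuer's BIN is known, so an unkeyed digest could be matched by enumerating the remaining digits. Keys carry a version number so they can be aged and rotated without losing the ability to match older records. The in-memory key table stands in for a real key-management system or HSM (an assumption of the demonstration), and the card number used is a well-known test number, not a real account.

```python
"""Rendering stored PANs unreadable per PCI DSS Requirement 3.4 (added example).

Shows truncation and a keyed one-way hash, plus the bookkeeping that key
aging requires: every stored digest records the key version that produced
it, new records use the current key, old records stay matchable until they
are re-keyed, and a key can then be retired. Because the hash is one-way,
re-keying needs the PAN itself, so it happens at the record's next use.
The in-memory key table is a stand-in for a key-management system or HSM.
"""
import hashlib
import hmac
import secrets


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits; the rest is discarded."""
    return pan[-4:]


class PanHasher:
    """Keyed one-way hashing of PANs with versioned, rotatable keys."""

    def __init__(self) -> None:
        self._keys: dict[int, bytes] = {}
        self.current_version = 0
        self.rotate()

    def rotate(self) -> int:
        """Generate a fresh 256-bit key; earlier versions stay for matching."""
        self.current_version += 1
        self._keys[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def retire(self, version: int) -> None:
        """Destroy a key once every record made with it has been re-keyed."""
        if version == self.current_version:
            raise ValueError("cannot retire the current key")
        del self._keys[version]

    def _digest(self, key: bytes, pan: str) -> str:
        return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

    def protect(self, pan: str) -> tuple[int, str]:
        """Return (key_version, hex digest) to store instead of the PAN."""
        return self.current_version, self._digest(self._keys[self.current_version], pan)

    def matches(self, pan: str, stored: tuple[int, str]) -> bool:
        """Check a presented PAN against a stored (version, digest) pair."""
        version, digest = stored
        key = self._keys.get(version)
        if key is None:            # key already retired: record is unusable
            return False
        return hmac.compare_digest(self._digest(key, pan), digest)

    def rekey(self, pan: str, stored: tuple[int, str]) -> tuple[int, str]:
        """Re-protect a record under the current key when the PAN is presented."""
        if not self.matches(pan, stored):
            raise ValueError("PAN does not match the stored record")
        return self.protect(pan)


def store_card(hasher: PanHasher, pan: str) -> dict:
    """Build the record a card-on-file table would hold: no full PAN in it."""
    version, digest = hasher.protect(pan)
    return {"last4": truncate_pan(pan), "key_version": version, "pan_hmac": digest}


if __name__ == "__main__":
    h = PanHasher()
    rec = store_card(h, "4111111111111111")   # well-known test number
    print(rec)
    h.rotate()
    stored = (rec["key_version"], rec["pan_hmac"])
    print("matches after rotation:", h.matches("4111111111111111", stored))
```

Note that a record protected with a one-way hash cannot be migrated to a new key in the background the way an encrypted column can; the `rekey` step only works when the customer presents the card again, which is why the old key must stay available until the migration is complete and only then be retired.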
LATEST NEWS

PCI Council Issues Priority Tool for Compliance

The PCI Prioritized Approach framework creates a series of milestones for organizations working on PCI compliance.

BY ROBERT WESTERVELT

THE PCI SECURITY STANDARDS COUNCIL has issued a new tool designed to walk companies through the compliance process by setting a series of six milestones companies must meet before being signed off as compliant by a security assessor.

The milestones were set by weighing certain risk factors and threats to credit card data that often lead to a breach. The PCI Prioritized Approach framework is meant to be used as a roadmap to give merchants a prioritized check-off list, said Bob Russo, general manager of the PCI Council. Russo said the tool could help improve communication on compliance progress between merchants, qualified security assessors (QSAs) and acquiring banks.

"It will keep track of how close to being compliant you are so when your acquirer asks if you're doing something with this you can actually show some progress and let them know how close you are to being compliant," Russo said.

Heartland breach highlights PCI limitations: The benefits of complete PCI and the necessity of full compliance are now being widely questioned, says Eric Ogren, principal analyst, The Ogren Group. PCI is about eliminating data, not securing it. Former QSA turned Forrester analyst John Kindervag calls PCI a "communicable disease." Anything introduced to the network is in PCI scope if credit card systems aren't segmented.

The PCI Council issued version 1.2 of PCI DSS in October. The standards were updated to address wireless security, antivirus use and the review of firewall rules. Russo said he doesn't anticipate another update (version 2.0) until 2010. Ultimately, the council hopes the PCI Prioritized Approach framework helps acquiring banks track merchant compliance.

The new tool is available on the Council's website. It consists of a downloadable worksheet that allows merchants to sort through specific PCI DSS requirements by a priority list of milestones. The priority list starts by listing steps merchants must take to ensure credit card data isn't stored, followed by ensuring technologies are in place to secure the perimeter, payment applications and other software that may contain credit card data, and the monitoring of and access to systems. If merchants determine that credit card data must be stored, the fifth milestone offers a checklist for protecting the information. It covers the protection and storage of cryptographic keys and the proper maintenance of inventory logs. The final milestone deals with conducting application penetration tests and reviewing controls and procedures.

"There are many merchants out there that know how important PCI DSS is, but they need a little help," said Lib de Veyra, vice president, emerging technologies at JCB International Co., and chairperson of the PCI Standards Council. "This is a good way to approach it by dealing with the highest risks first."

While PCI DSS should be pretty clear to IT pros and compliance executives, the new tool should prove valuable to companies trying to prioritize compliance initiatives based on risk factors, said Jack Santos, an executive strategist with the Burton Group who has had experience with PCI projects. Santos said compliance initiatives are continuing at many firms despite the down economy.

"Security is one area in this down economy that is holding its own," Santos said. "In fact there may be even a slight increase in security spending because people are more worried than ever about data leakage and breaches."

Robert Westervelt is the news editor for SearchSecurity.com.
TECHTARGET SECURITY MEDIA GROUP

INFORMATION SECURITY

SR. VICE PRESIDENT AND GROUP PUBLISHER Andrew Briney
PUBLISHER Josh Garland
EDITORIAL DIRECTOR Kelley Damore
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
EDITOR Michael S. Mimoso
DIRECTOR OF MARKETING Kristin Hadley
SENIOR TECHNOLOGY EDITOR Neil Roiter
SALES MANAGER, EAST Zemira DelVecchio
FEATURES EDITOR Marcia Savage
SALES MANAGER, WEST Dara Such
ART & DESIGN CREATIVE DIRECTOR Maureen Joyce
CIRCULATION MANAGER Kate Sullivan
COLUMNISTS Jay G. Heiser, Marcus Ranum, Bruce Schneier
ASSOCIATE PROJECT MANAGER Suzanne Jackson
CONTRIBUTING EDITORS Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder
PRODUCT MANAGEMENT & MARKETING Corey Strader, Jennifer Labelle, Andrew McHugh
TECHNICAL EDITORS Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman
SALES REPRESENTATIVES Eric Belcher ebelcher@techtarget.com; Neil Dhanowa ndhanowa@techtarget.com; Patrick Eichmann peichmann@techtarget.com; Jason Olson jolson@techtarget.com; Jeff Tonello jtonello@techtarget.com; Nikki Wise nwise@techtarget.com
USER ADVISORY BOARD Edward Amoroso, AT&T; Anish Bhimani, JPMorgan Chase; Larry L. Brock, DuPont; Dave Dittrich; Ernie Hayden, Seattle City Light; Patrick Heim, Kaiser Permanente; Dan Houser, Cardinal Health; Patricia Myers, Williams-Sonoma; Ron Woerner, TD Ameritrade

TECHTARGET INC.

CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Eric Sockol

SEARCHSECURITY.COM

SENIOR SITE EDITOR Eric Parizo
NEWS EDITOR Robert Westervelt
ASSOCIATE EDITOR William Hurley
ASSISTANT EDITOR Maggie Wright
ASSISTANT EDITOR Carolyn Gibney

INFORMATION SECURITY DECISIONS

GENERAL MANAGER OF EVENTS Amy Cleary
EDITORIAL EVENTS MANAGER Karen Bagley

EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk
LIST RENTAL SERVICES Kelly Weinhold, Phone 781-657-1691, Fax 781-657-1100
REPRINTS FosteReprints, Rhonda Brown, Phone 866-879-9144 x194, rbrown@fostereprints.com

INFORMATION SECURITY (ISSN 1096-8903) is published monthly with a combined July/Aug., Dec./Jan. issue by TechTarget, 117 Kendrick St., Suite 800, Needham, MA 02494 U.S.A.; Phone 781-657-1000; Fax 781-657-1100. All rights reserved. Entire contents, Copyright © 2009 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.