PCI DSS Essential Guide

Essential Guide to PCI DSS by Information Security, September 2009
INFORMATION SECURITY ESSENTIAL GUIDE TO PCI DSS

We'll explain the new changes in Version 1.2 and how the standard will tackle emerging technologies such as cloud computing and virtualization.

INSIDE
 5  Avoiding Audit Trouble: Getting PCI Compliant
13  PCI DSS 1.2 Answers Questions and Raises Others
17  Wireless Encryption in the Wake of PCI DSS 1.2
21  Is Tokenization the Cure-all for PCI Compliance?
25  PCI, Virtualization and Cloud Computing
30  Compliance Recycling
34  PCI Issues Priority Tool for Compliance

INFOSECURITYMAG.COM
CONTENTS

FEATURES

 5  Avoiding Audit Trouble: Getting PCI Compliant
    PCI DSS COMPLIANCE. Having trouble with PCI compliance? You're not alone. Auditors and audit survivors offer tips for how to achieve it. BY DIANA KELLEY

13  PCI DSS 1.2 Answers Questions and Raises Others
    CHANGES. The latest version of the standard provides clarity on wireless and Web application requirements. BY DIANA KELLEY

17  Wireless Encryption in the Wake of PCI DSS 1.2
    FROM WEP TO WPA. Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010. BY MIKE CHAPPLE

21  Is Tokenization the Cure-all for PCI Compliance?
    EMERGING TECHNOLOGIES. The technology replaces stored cardholder data with a token that stands in for the PAN. BY ED MOYLE

25  PCI, Virtualization and Cloud Computing
    ENFORCEMENT. Compliance guidelines on virtualization will likely be in a state of flux for some time. BY MICHAEL COBB

30  Compliance Recycling
    BEST PRACTICES. How to combine compliance efforts to manage PCI DSS. BY DIANA KELLEY

34  PCI Issues Priority Tool for Compliance
    LATEST NEWS. The PCI Prioritized Approach framework creates a series of milestones for companies working on PCI compliance. BY ROBERT WESTERVELT

39  Advertising Index

INFORMATION SECURITY • ESSENTIAL GUIDE • PCI DSS
EDITOR'S DESK

The regulation that keeps on giving

BY KELLEY DAMORE

PCI DSS HAS BEEN HAILED by many as the clearest regulation/industry standard to follow. It's prescriptive in nature and relatively straightforward. There are 12 requirements that must be adhered to, and each is typically associated with a particular security technology, so you know what you have to do to become compliant and secure.

Or do you? Several organizations that were PCI compliant, notably Heartland Payment Systems, announced massive data breaches this year that call into question the security controls PCI requires. Some organizations overuse compensating controls, or document a compensating control but never get back to fixing the underlying issue. The sad truth comes down to this: on the particular day the Qualified Security Assessor signed off on the audit, organization X was compliant.

To make matters worse, because this is an industry standard and not a regulation set into law, it is far more fluid. Changes can and will occur. It really isn't ever done. For example, late last year the PCI Council weighed in on securing wireless communications and Web applications. These are new additions to the standard that companies must adhere to even if they previously met all the other requirements. And if the organization is a large merchant, it needs to be assessed by an outside QSA every year; smaller companies must complete self-assessments.

But it is not all doom and gloom. On the bright side, the PCI Council is a living and breathing entity, and it requests feedback on the standard and on areas of ambiguity. For instance, it is pulling together experts and a working group to discuss how to secure some of the emerging technologies in the market, including virtualization and cloud computing. Its executives answer questions and listen to feedback. And because of the fines associated with PCI, this standard is taken seriously and can be a strong argument for budget in difficult and tight times.

In this Essential Guide to PCI, we aim to outline what you need to know right now. We drill down into the new requirements in PCI DSS 1.2, offer suggestions on how to pass an audit, and lay out what to consider when it comes to PCI and securing virtual machines and cloud services.

We hope this Essential Guide to PCI is prescriptive and straightforward, and we promise we won't be changing it or issuing any fines.

Kelley Damore is the Editorial Director of Information Security and TechTarget's Security Media Group. Send your comments on this column to feedback@infosecuritymag.com.
COMPLIANCE

AVOIDING AUDIT TROUBLE: Getting PCI Compliant

Having trouble with PCI compliance? You're not alone. Auditors and audit survivors offer tips for how to achieve it.

BY DIANA KELLEY

BY ALL ACCOUNTS, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is on the upswing. And media reports indicate the standard is gaining ground in the European Union, where many countries, the U.K. in particular, are stepping up compliance efforts.

Yet successful completion of a PCI Report on Compliance (RoC) remains a confusing venture and elusive to many. Some of the confusion stems from the convoluted path of accountability. Although the PCI DSS is often touted as a one-stop standard, each of the five major card brands continues to maintain a separate compliance program. Some brands have announced heavy noncompliance fees in the form of penalties and higher transaction rates, but it is the acquiring banks that decide when and how to pass those fees on to their retail and merchant customers. And despite the prescriptive nature of PCI, the standard changes when updates are issued, and Qualified Security Assessors (QSAs) have room to interpret it. It's not uncommon for a QSA's interpretation of the standard to differ from that of the company under review.

Still, while PCI DSS compliance may not always be easy, it's definitely achievable.

KNOW WHO'S WHO

The first step to tackling PCI DSS compliance is to understand who's who in the PCI accountability chain; an organization may be surprised to learn who actually does what. The five card brands that constitute the payment card industry are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. Each brand had its own compliance program before PCI DSS, and each continues to maintain that program and exert final decision control over compliance. However, all of the brands have agreed to use the PCI DSS as a baseline for compliance evaluation to simplify the process for members.

In December 2004, the card brands issued the first version (1.0) of the Data Security Standard. The standard is not intended to replace the individual brand compliance programs; rather, it is meant to be a single set of guidelines for entities that store, process or transmit credit card data. The assumption is that if an organization receives a successful PCI DSS RoC, it's compliant with any of the card brand programs.

PA DSS

App Lockdown

NEW STANDARD FOCUSES ON COMMERCIAL PAYMENT APPLICATIONS.

RELEASED IN APRIL 2008, the first version of the Payment Application Data Security Standard (PA DSS) outlines requirements that payment applications, such as point-of-sale systems, must adhere to. For those familiar with Visa's Payment Application Best Practices (PABP) program, which provides guidance on how to create payment applications that protect cardholder data in accordance with the PCI DSS, there won't be many surprises in the PA DSS. The majority of changes were renumbering and wording clarifications. However, some notable enhancements have been added, such as listing code-analysis tools as an alternative option for testing.

The PA DSS applies to commercial off-the-shelf (COTS) payment applications that are sold to more than one customer and don't receive significant customization. At this point, the payment card brands still hold final determination on whether the PA DSS is mandatory for all payment applications. However, Visa has announced a phased PA DSS compliance program that will require its merchants and processors to use only PABP-compliant applications. Single-customer payment applications and applications developed in-house aren't subject to the PA DSS, though they must meet the PCI DSS. The wealth of information in the PA DSS can help any team develop more secure payment applications, even if those applications aren't required to be PA DSS compliant. —DIANA KELLEY

ACCOUNTABILITY

Chain Reaction

Here's a guide for understanding who's who in the PCI chain of accountability. You may be surprised to learn who actually does what.

So that there would be one central point of contact for PCI DSS matters, the five brands formed the PCI Security Standards Council (PCI SSC) in September 2006. The council is led by a five-member executive committee (one from each brand) and owns the official document repository for all things PCI DSS. This includes the standard, as well as collateral such as the self-assessment questionnaire, audit procedures and, since April, the Payment Application Data Security Standard (PA DSS) (see "App Lockdown," p. 6). The council also maintains governance over training and approval for QSAs and Approved Scanning Vendors (ASVs).

Something many retailers find confusing is that the council is not responsible for compliance or for decisions relating to compliance. The council has no control over fees or penalties issued to retailers or processors, nor does it have any involvement in the service-level agreements between the card brands, the banks and their members. That's why David Hogan, CIO of the National Retail Federation, was shooting at the wrong target when he asked the council for changes in primary account number (PAN) storage requirements. The PCI DSS is the standard on how to protect PANs if they're stored, but it doesn't address whether they need to be stored in the first place. That's between the retailers/merchants, acquiring banks and card brands.

WHO: Card brands
WHAT: American Express, Discover, JCB, MasterCard, Visa
WHY: Individual compliance programs; service level agreements with banks, retailers/merchants and processors; brand reputation

WHO: PCI Security Standards Council
WHAT: Independent organization led by the card brands with participation from member organizations and advisers
WHY: Maintain the PCI DSS, PCI PED (PIN Entry Device), PA DSS and associated content; oversight and governance of the QSA and ASV training and approval process

WHO: Issuing banks
WHAT: Banks that issue credit cards to consumers
WHY: Issuing consumer credit cards

WHO: Acquiring banks
WHAT: Banks that enable merchants, retailers and processors to accept and process credit card payments
WHY: Governance to ensure members are PCI compliant; fees and penalties for failure to comply

WHO: Merchants/retailers and processors
WHAT: Entities that store, process or transmit credit card data
WHY: Complying with the PCI DSS; validating compliance if Level 1

WHO: Qualified Security Assessors
WHAT: Auditors approved to issue RoCs attesting compliance with the PCI DSS
WHY: On-site assessment; interpretation of the PCI DSS

WHO: Approved Scanning Vendors
WHAT: Vendors approved to perform PCI DSS compliance scanning
WHY: External scans; issuing reports on scan findings

Organizations that need to validate PCI DSS compliance, such as Level 1 merchants with more than 6 million Visa or MasterCard transactions annually, work with QSAs for validation. Prescriptive though the PCI DSS is, there's still room for disagreement on specific controls and their implementation. For example, one end user reports that for Requirement 3.4 (render the PAN unreadable), his QSA refused to validate solutions that were not FIPS 140-2 certified. Though this federal certification provides a much higher level of assurance from a data protection standpoint, it is not specifically required for compliance by the PCI DSS Security Audit Procedures.

In cases like this, it may seem that the council is a good place to turn for answers, but it's not. The council has QSA feedback forms that companies are encouraged to fill out after audits, but these are used to determine whether the QSA is performing audits properly. Finding a company out of compliance for not using FIPS 140-2 certified products is an interpretation issue. And sometimes even QSAs feel a little lost when looking for guidance. William Lynch, a manager and QSA at IT consulting firm CTG, says he's tried to go to the card brands and the council for help with interpretation: "They're generally very reluctant to provide specifics, and their responses can be somewhat slow. If I have an interpretation question, I usually discuss it with other QSAs first and contact the council as a last resort" (see "Chain Reaction," p. 7).

GET TO KNOW THE QSA

As the person who issues the Report on Compliance (RoC) to the acquiring banks and card brands, the QSA has quite a bit of power. Working effectively with the QSA can mean the difference between attaining compliance and not. The first place to go when looking for a QSA is the council's site. For external validation, only council-approved QSAs may submit RoCs. Another option is to ask colleagues which assessors they've worked with, or to ask for a QSA reference from your acquiring bank. Evaluate acquiring bank recommendations carefully, though. Some acquiring banks have relationships with assessor organizations that pay referral fees, which may mean the bank is motivated to make the recommendation simply to receive the fee.

Many organizations that have successfully completed PCI audits recommend treating the QSA search like any hiring process. Include requests for references and price quotes in the assessment criteria. And keep in mind that you'll be working closely with the assessment company, so it's important to have a good comfort level with its methodology. Another great tip from the trenches: consider two QSA firms, one for pre-assessment and one for the validation work.

Even if an organization does not wish to pre-assess with a QSA, it should conduct its own pre-assessment. The PCI SSC Self-Assessment Questionnaire (SAQ) and the PCI DSS Security Audit Procedures are excellent resources. An IT professional who completed a PCI validation cycle for his company said, "By pre-assessing, we knew where the holes were and could fill them before getting beat up in front of upper management by the QSA." Though not getting "beat up" can be a benefit of pre-assessment, it's important to keep in mind that most QSAs aren't aiming for humiliation and failure. Pre-assessment gives organizations key knowledge about what is important to QSAs during an assessment, especially with regard to documentation. By understanding where the QSA is coming from, IT professionals can engage in a more collaborative relationship.

Documentation may not be exciting, but reviewing documents is a cornerstone of the QSA audit process. So be sure to include documentation review while working on a gap assessment. This is particularly important for areas where there may be interpretation or where compensating controls have been implemented. If a risk assessment process was completed before implementing a control, make sure the supporting documentation is there so the QSA can assess it properly. Otherwise, the QSA may fail your control.

A money-based "gotcha" to watch out for when working with a QSA is a claim that the company won't be validated as compliant unless it buys a specific vendor product from the assessor's reseller. The tactic can be a softer sell, recommending the customer make the purchase rather than demanding it, but either way it's all wrong. QSAs that attempt to increase profits by requiring product purchases should be reported to the council.

MANAGING LOGS

SIMs Stand Out

REQUIREMENT 10.6 OF PCI DSS REQUIRES DAILY LOG REVIEWS, SPURRING A BOOM IN SIM SALES.

PCI COMPLIANCE IS "a process, not a product," says Michelle Dickman, president and CEO of security information management (SIM) vendor TriGeo Network Security. Yet there's no denying that a lot of product has been sold in the name of PCI. Many of these purchases were a result of shoring up security controls in areas where they did not exist. For example, most companies have firewalls (Requirement 1) in their data centers, but many did not have one at every retail site. Now, thanks to PCI, many do.

One product category, however, does stand out as particularly helpful, according to those who have undergone PCI DSS audits: SIMs and log management tools. Requirement 10 calls for tracking and monitoring all access to network resources and cardholder data, and 10.6 specifies: "Review logs for all system components at least daily." For a major retailer with thousands of components in the cardholder data environment, meeting that requirement just wasn't feasible without a log aggregation solution. But simply centralizing all logs and alerts isn't the end of the story, warns William Lynch, a manager and Qualified Security Assessor at IT consulting firm CTG. "Make sure the review process, accountable parties and documentation are in place to ensure that the review happens," he says. —DIANA KELLEY
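The sidebar above quotes Requirement 10.6 and Lynch's warning that collecting logs is not the same as reviewing them. The Python script below is an added example written for this guide, not code from the article or from any vendor it mentions. It runs three simple review rules over a handful of constructed syslog lines and produces the record an assessor asks to see: who reviewed which hosts on which day, and what was found. The host names, the addresses (taken from the RFC 5737 documentation ranges), the rules and the three-failure threshold are all assumptions made for the example; the reference to Requirement 10.2.2 (log all actions taken by anyone with root or administrative privileges) is from PCI DSS 1.2 itself.

```python
import re
from collections import Counter

# Constructed sample syslog lines for the example (not real data): two point-of-sale
# hosts and one database host assumed to sit inside the cardholder data environment.
SAMPLE_LOG = """\
Jan 12 03:14:07 pos-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan 12 03:14:09 pos-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jan 12 03:14:12 pos-01 sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jan 12 03:14:15 pos-01 sshd[2201]: Accepted password for root from 203.0.113.9 port 51025 ssh2
Jan 12 08:02:41 db-01 sshd[981]: Accepted publickey for dba from 10.10.5.4 port 40101 ssh2
Jan 12 08:03:02 db-01 sudo:   dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/bin/cat /var/log/audit/audit.log
Jan 12 09:15:00 pos-02 sshd[4410]: Failed password for clerk from 10.10.7.21 port 3390 ssh2
"""

# One BSD-style syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: *(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)")


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review(log_text, failure_threshold=3):
    """Apply the daily review rules and return a list of findings.

    Rules (assumed for the example): a burst of failed logins from one source
    address against one host; any interactive root login; any command run as root
    through sudo. The last two are the events Requirement 10.2.2 says must be logged,
    which is why a daily review should look at them first.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    failures = Counter()
    for ev in events:
        msg = ev["msg"]
        m = FAILED_RE.search(msg)
        if m:
            failures[(ev["host"], m["ip"])] += 1
            continue
        m = ACCEPTED_RE.search(msg)
        if m and m["user"] == "root":
            findings.append({"rule": "root-login", "host": ev["host"],
                             "detail": f"root login from {m['ip']}"})
            continue
        m = SUDO_RE.search(msg)
        if m and ev["proc"] == "sudo":
            findings.append({"rule": "privileged-command", "host": ev["host"],
                             "detail": f"{m['user']} ran as {m['target']}: {m['cmd']}"})
    for (host, ip), n in failures.items():
        if n >= failure_threshold:
            findings.append({"rule": "auth-failure-burst", "host": host,
                             "detail": f"{n} failed logins from {ip}"})
    return findings


def review_record(log_text, reviewer, day):
    """The evidence of review: who looked at which hosts on what day, and what they found."""
    hosts = sorted({e["host"] for e in (parse_line(l) for l in log_text.splitlines()) if e})
    findings = review(log_text)
    return {
        "date": day,                      # ISO date string, e.g. "2009-01-12"
        "reviewer": reviewer,
        "hosts_reviewed": hosts,
        "finding_count": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    record = review_record(SAMPLE_LOG, "j.smith", "2009-01-12")
    for f in record["findings"]:
        print(f"{f['host']:7} {f['rule']:20} {f['detail']}")
    print(f"{record['finding_count']} findings on {len(record['hosts_reviewed'])} hosts, "
          f"reviewed by {record['reviewer']} on {record['date']}")
```

The rules are deliberately small; what matters for the assessor is the review record at the end, which ties a named person and a date to every host whose logs were examined. Whatever SIM produces the findings, keep that record where it can be shown a year later.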
KEEP IT SIMPLE

An important step for a successful PCI assessment is to simplify the process by narrowing the scope of the audit with zoning, experts say. Allan Carey, senior vice president of research at IANS, which has advised a number of companies on PCI, stresses that "one of the most important things an entity can do is to reduce scope with proper network segmentation, including VLANs, air gaps and physical separation." When data must travel over public networks, such as the Internet and wireless LANs, Carey advises companies to secure the transmission using encryption protocols such as SSL/TLS.

Segmentation was a key part of the National Aquarium in Baltimore's strategy. As part of its PCI pre-assessment work, the aquarium reviewed two merchant functions that were operationally outsourced to third parties, the aquarium gift store and food services, and decided to physically separate the outsourced merchant networks from the aquarium's own network. This resulted in a significant reduction in audit scope during the aquarium's PCI validation work.

Another tip on the simplification front, one we've all heard, is don't store what you don't need. But as Hogan's plea to the PCI SSC illustrated, many retailers are required by their service level agreements to store PANs in a retrievable format for up to 18 months. Companies that don't have that requirement have simplified their PCI compliance by eliminating PAN storage. Others don't have to hang on to the PAN for months but hold it for hours during authorization. Brady Decker, network engineer at the aquarium, suggests that banks and card brands "take the merchants out of the security loop" by not having them store the PAN, even during the authorization phase. If a company must hold on to PANs for any length of time, Carey recommends "leveraging native database encryption capabilities to meet [Requirement] 3.4 before layering on a third-party solution that may degrade performance or increase management complexity."

In addition, make sure you really know what's in your environment. Stories abound of large organizations that found untracked spreadsheets with thousands of credit card numbers when beginning their PCI assessment work. "Map the credit card data flow" for the entire lifecycle of the data's existence in your organization, says Michael Gavin, security strategist for application security company Security Innovation. That means answering these questions: Where does the information come in? Where is it being stored? Who has access along the way?

THINK GLOBALLY

Although PCI DSS is an internationally applicable standard, most of the PCI DSS noise has been coming out of the U.S. That's no longer the case. Since late last year, there has been a significant increase in PCI awareness in the U.K. and parts of Europe. Some European countries still believe that the standard doesn't apply, or is less important, because of the use of a smart chip and PIN (personal identification number) in European credit cards. Chip and PIN does change the threat model, but not the PCI DSS requirement. Whether the PAN was read from a magnetic stripe, off a smart chip or typed into a Web form, the PAN protection requirements are the same.

Bob Russo, general manager of the PCI council, notes that organizations in some countries, like Japan, have spent a lot of time complying with security frameworks, such as the Information Security Management Systems (ISMS) approach of ISO 27001 and 27002, and don't want to spend time complying with an additional standard. The card brands, along with the council, are working to raise awareness that the DSS is not optional and not replaceable by any other certification work.

If an organization has been concentrating only on U.S. operations, it's time for it to start thinking globally and assessing all sites where card information is transacted. And if you are using a compliance framework, consider mapping the controls and documentation in place to those needed for the PCI assessment. Many companies report that "careful compliance recycling" can reduce overhead when certifying to new and emerging standards.

PCI compliance may not be a simple art, but there are ways, like leveraging compliance frameworks, to make it simpler. There are a lot of rules and requirements for PCI, but the core goal is simple: protect credit cards on those digital "mean streets."

Resources

PCI Security Standards Council
Provides information on standards, QSAs and more.
www.pcisecuritystandards.org

PCI Knowledge Base
Offers tips from the research community.
www.knowpci.com

Visa
Includes a list of validated payment applications.
http://usa.visa.com/merchants/risk_management/cisp.html

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
CHANGES

PCI DSS 1.2 Answers Questions and Raises Others

The latest version of the standard provides clarity on wireless and Web application requirements.

BY DIANA KELLEY

IN OCTOBER 2008 the PCI Security Standards Council, steward of the PCI Data Security Standard, released version 1.2. PCI DSS version 1.2 is not a sweeping rewrite of version 1.1. Most of the changes listed in the summary document are clarifications of wording and terminology. Bob Russo, general manager of the PCI Security Standards Council, said the group's goal was "eliminating as many questions as possible."

Some welcomed the changes, since some terms were poorly defined in the last iteration, making them confusing and difficult to interpret. For example, Requirement 6.6 of version 1.1 called for an "application-layer firewall." Retailers and PCI assessors (QSAs) alike wondered whether an application-layer-aware firewall, like the Cisco Systems Inc. PIX or ASA, would suffice, or whether the requirement called for a Web application firewall like Barracuda Networks Inc.'s Web Site Firewall. Although the summary of changes continues to reference "application-layer firewall," the Council issued specific guidance in February on the product type intended. Troy Leach, technical director of the PCI Security Standards Council, said that the testing procedures for Requirement 6.6 in version 1.2 make it clear that the Council is referring to Web application firewalls.

Other terms that received clarification and usage consistency makeovers are primary account number (PAN) and "strong cryptography." In version 1.1, "strong cryptography" was not defined; however, the audit/assessment procedures used by QSAs did list "Triple-DES 128-bit and AES 256-bit" as examples.

Another tricky one: Does the PCI DSS apply to electronic media exclusively, or is paper included? According to version 1.2, it applies to both electronic and paper media that contain cardholder data. This will create additional work for organizations that misinterpreted version 1.1 and kept paper media out of scope during DSS compliance work.

Compensating controls

When enterprises are not able to meet the exact letter of the standard, they look to controls that will provide the same level of protection. Perhaps the best-known example of this is PCI Requirement 3.4, which requires that if PANs are stored, they must be rendered unreadable, by one-way hashing or truncation, or encrypted using strong cryptography. When many organizations found neither of these options feasible, Appendix B of PCI DSS version 1.1 provided a list of acceptable compensating controls that could be used in place of those listed in the requirement.

Version 1.2 provides additional information about compensating controls and flexibility options for other requirements. In the updated standard, Requirement 1 eases the timeline for reviewing firewall rules from quarterly to every six months. And the 30-day patch cycle, from the often-dreaded Requirement 6, now has "added flexibility...by specifying that a risk-based approach may be used to prioritize patch installation." Under version 1.1, many retailers scrambled to install patches within 30 days, often short-circuiting their standard patch lifecycle testing in an effort to meet the strict timeline. A thorough approach to patching, however, requires testing, prioritization and a robust pre-production process, which can take longer than 30 days. The change allows for risk-based approaches that may require more time.

Another welcome change concerns physical security. PCI DSS Requirement 9 called for cameras to monitor "sensitive areas," but was an area like a restaurant dining room, where credit cards are handed to staff, considered sensitive enough to require a camera? How about a point-of-sale (POS) cash register at a food court kiosk? Under version 1.2, organizations now have more flexibility to select other access control mechanisms when appropriate.

More requirements

While the clarification and compensating control changes are welcome, there are some additional requirements in version 1.2. For example: "Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission." For those of you who thought perhaps the Council meant 802.1X, you're not alone; I thought that at first, too, because 802.11x is a placeholder for upcoming standards and not an IEEE standard. Leach said 802.11x was used to indicate that upcoming versions of the DSS may include recommendations for using emerging 802.11 standards, such as 802.11i. So for more specifics, we'll all have to stay tuned. On the plus side, version 1.2 will continue to allow SSL/TLS and IPsec for protection of data transmissions over both wired and wireless networks.

Some potential heartburn may come from this change regarding wireless network encryption: "New implementations of WEP are not allowed after March 31, 2009...Current implementations must discontinue use of WEP after June 30, 2010." Wired Equivalent Privacy (WEP) has been broken for many years, so it makes sense for the Council to call for an end to its use in cardholder data environments, but many "out of the box" point-of-sale packages still rely on WEP for proper operation. The timeline, less than two years for complete replacement of these systems, may be too aggressive for retailers. If so, the Council will need to amend it.

Finally, the antimalware requirement has been updated to include "all operating system types." Antimalware products for Mac platforms and Unix/Linux are available, but options are limited. As for mainframes (like System z), there just aren't options. For platforms like mainframes and some flavors of UNIX, organizations can consider layering antimalware protection by using gateways or other compensating controls.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
TOKENIZATION PCI AND VIRTUALIZATION INTEGRATING PCI INTO COMPLIANCE PROGRAMS A NEW PRIORITY TOOL FOR PCI SPONSOR RESOURCES 15 I N F O R M AT I O N S E C U R I T Y • ESSENTIAL GUIDE • PCI DSS
FROM WEP TO WPA

Wireless Encryption in the Wake of PCI DSS 1.2

Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

BY MIKE CHAPPLE

THE PCI SECURITY STANDARDS COUNCIL recently announced the imminent release of the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision includes a number of changes, updates and clarifications that affect anyone involved in the storage, processing or transmission of credit card information. One of the major areas of change, however, involves the use of wireless networks to transmit cardholder data.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

• Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Using WEP encryption to "protect" a wireless network is a bad idea, and that fact shouldn't be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of WEP encryption was also responsible for the well-known TJX Companies Inc. breach, one of the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the use of WEP encryption with the presence of compensating controls, including quarterly key rotation, MAC-based host restrictions, and the use of supplemental encryption.

For smaller networks, WPA-secured networks and 802.1x authentication may be a fairly trivial task to implement. In some cases, however, the work may require significant infrastructure and/or payment system upgrades.

Converting to WPA

WPA has been standard technology on all wireless equipment manufactured since September 2003. For those using such equipment, converting to WPA may be as simple as changing a setting on the wireless access points and reconfiguring networked devices to access the new WPA network. However, for those using obsolete or specialized hardware, this change may not be so simple; you may need to get the manufacturer involved.

The good news is that everybody's in the same boat. Manufacturers that wish to support payment card applications must also support WPA encryption if they intend to continue serving the payment card industry. The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade. Companies may find themselves sitting on a lot of expensive but obsolete hardware, with no option other than upgrading it or ripping it out piece by piece.

Going "enterprise"

The second task is a bit more subtle and tends to be ignored in the initial analysis of PCI DSS 1.2. The summary states: "Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission." But what does PCI DSS 1.2's recommendation of "industry best practices" for authentication mean for enterprise security managers?

From my perspective, it means that the use of a pre-shared key is not permissible in all but the smallest and most well-controlled environments. Rather than using the authentication method of the simpler WPA-Personal mode, where every device on the network uses a single shared secret key, individual machine-based or user-based authentication should be put in place to protect network access. The use of WPA-Enterprise technology allows individual users or devices to be provisioned and de-provisioned without reconfiguring the entire network. It's clearly a good security practice, but it can be difficult to implement for those who don't have experience with it.

Enterprises that are already running a RADIUS and Active Directory environment may be able to simply tie it in to the wireless infrastructure using 802.1x. Essentially, WPA-Enterprise allows you to avoid the security problems associated with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses 802.1x to access an external authentication server to validate access requests using the credentials of individual users. Those that don't have this technology in place will need to think about the best way to deploy WPA-Enterprise in their environments.

For example, you'll probably want to first ensure that your wireless infrastructure (access points, controllers, etc.) supports WPA-Enterprise and then ensure that your wireless devices (laptops, PDAs, etc.) are also compatible. You'll then need to decide the appropriate authentication back end for your environment. In most Microsoft shops, you'll want to configure RADIUS to authenticate against an existing Active Directory. Otherwise, you'll need to find another source of user authentication data and integrate it with your RADIUS server.

Finally, you'll need to devise a rollout strategy. One common approach is to stand up the WPA-Enterprise network alongside your existing wireless networks and allow users a transition period of several weeks before shutting off the legacy network. For more practical advice on deploying WPA-Enterprise, read Controlling WLAN access on a tight budget.

Summing up

The new wireless requirements imposed by PCI DSS 1.2 aren't a surprise to payment card security professionals. We've been expecting them ever since the first release of PCI DSS 1.0, and they represent best practices in wireless security. The time has now come to comply, and the council has set a clear deadline: June 2010. That might sound far away, but the best advice I can offer you is to start planning now. If the changes are simple, you'll finish way ahead of the deadline and have plenty of time to relax. However, if your infrastructure requires major changes, you'll have the necessary opportunity to plan and deploy those changes properly.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
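An added check, not code from the article or any vendor's tool, that classifies an access point's settings against the three 1.2 wireless rules discussed above (no WEP, strong encryption, WPA-Enterprise rather than a pre-shared key); it assumes hostapd-style key=value configuration as the input format and uses a constructed legacy WEP sample beside the same network rebuilt as WPA2-Enterprise with 802.1X and RADIUS.

```python
"""Check access-point settings against the PCI DSS 1.2 wireless rules.

Added example, not code from the article. Input is hostapd-style key=value
configuration (an assumption; the checks map onto any vendor's settings).
"""

# Constructed samples: the legacy WEP point-of-sale network the article
# describes, and the same network rebuilt as WPA2-Enterprise (802.1X/RADIUS).
LEGACY_WEP_CONF = """\
ssid=POS-STORE-12
wep_default_key=0
wep_key0=000102030405060708090a0b0c
"""

WPA2_ENTERPRISE_CONF = """\
ssid=POS-STORE-12
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=RADIUS-SECRET-PLACEHOLDER
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_ap(text: str) -> tuple:
    """Return (mode, findings); an empty findings list means the network
    meets the 1.2 wireless rules as the article reads them."""
    conf = parse_conf(text)
    findings = []
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP: no new deployments after 2009-03-31, none at all after 2010-06-30")
        return "WEP", findings
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("no WPA: strong encryption for authentication and transmission is required")
        return "open", findings
    gen = "WPA2" if wpa == "2" else "WPA"
    mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    if "WPA-EAP" in mgmt:
        mode = gen + "-Enterprise"
        # WPA-Enterprise means 802.1X to an external RADIUS server; both the
        # port-based authentication switch and the server address must be set.
        if conf.get("ieee8021x") != "1" or "auth_server_addr" not in conf:
            findings.append("WPA-EAP without 802.1X/RADIUS server settings")
    else:
        mode = gen + "-Personal"
        findings.append("pre-shared key: one secret for every device, no per-user provisioning")
    if wpa != "2":
        findings.append("pre-802.11i WPA enabled: use WPA2 (RSN) only")
    # Anything other than CCMP alone (TKIP, or the cipher left unset) is flagged.
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if ciphers != {"CCMP"}:
        findings.append("pairwise cipher is not CCMP (AES), the 802.11i cipher")
    return mode, findings
```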
SECURING PANs

Is Tokenization the Cure-all for PCI Compliance?

The technology attempts to replace cardholder data with a token instead of a PAN.

BY ED MOYLE

STOP FOR A MOMENT and imagine what it would be like if all of the sensitive data in your company suddenly went away. It wasn't stolen; your company just found a way to operate without needing to keep that sensitive data on hand. Sounds pretty sweet, right?

For everyone in the payment lifecycle, the sensitive data our firms need to do business is like a giant albatross around our necks. We need to protect it, constantly monitor who has access to it, and we live in constant fear of it getting stolen. Financial-services firms such as card issuers and acquirers have it worst of all—we have a vested interest in making sure our merchants are protecting the data, but we often don't have direct control over whether or not they do.

So it's no wonder a technology hitting the scene that promises to make all these headaches go away would get a lot of attention. While we're all struggling to get and stay compliant with the PCI Data Security Standard, the idea that we could install some technology that reduces the stress of protecting sensitive data has quite an appeal. And this is exactly what tokenization promises to do.

What is tokenization?

To see how tokenization works and why it's useful, it helps to compare how a typical payment transaction currently works versus the ideal of a fully tokenized scenario. When a customer goes to a company and hands off his or her card for authorization, the default scenario is that the merchant needs to keep the cardholder data on file to perform a variety of functions. For example, the merchant needs to keep a record of the account to settle transactions, process recurring payments (like at a gym), modify or update the transaction amount based on instructions from the customer (such as when a customer wants to add a tip to a restaurant bill), or issue refunds. In this case, the cardholder data is necessary for a company to do business. But while it's necessary, it also carries a serious compliance burden: much of the PCI DSS speaks directly to the requirements related to that data storage.

By contrast, tokenization attempts to minimize the amount of data the business needs to keep on hand; in this case, by replacing the cardholder data with a "token"—a randomly-generated value the merchant can use instead of the primary account number (PAN). Since the token is not a PAN, and can't be used outside the context of that unique transaction with the merchant, it doesn't have the same high level of sensitivity that a PAN carries.

In a tokenization scenario, the organization outsources its payment processing to a service provider that provides a "tokenization option," such as Shift4 Corp., Electronic Payment Exchange, Merchant Link or Braintree Payment Solutions. The service provider handles the issuance of the token value and also handles the heavy lifting of keeping the cardholder data locked down. Alternatively, a more in-house approach might leverage a product like nuBridges Inc.'s Protect to bring the service-provider functionality on premises.

Pros and cons of tokenization

The relative benefits of a tokenization scenario should probably be pretty clear for folks who've been worried about complying with the PCI DSS. Requirements like 3.4 ("Render PAN, at minimum, unreadable anywhere it is stored…") go from being an "Oh my gosh" to a "Who cares." Why? Because the token isn't a PAN, once you make the switch you're no longer processing PANs, and that requirement, as well as numerous others in the PCI DSS that target data storage, ceases to apply.

From an integration standpoint, companies offering these services are heavily incented to keep complexity down because it enables them to sell to smaller merchants and retailers with limited in-house technical expertise. This is good news for larger organizations as well. Now, no integration is ever truly "seamless," but since the majority of changes are on the backend (service provider) side, changes to the merchant environment should be relatively few.

Given that, if you're like many organizations, deploying a tokenization solution can be a more cost-effective way to meet PCI requirements than implementing a host of technical security controls around data storage. While there are fees associated with the implementation of a tokenization solution, the reduced scope of compliance and the reduced need for storage-related technical controls is likely to wind up a net gain.

But just as there's no such thing as a free lunch, there's also no panacea—at least not in information security. In most scenarios, it's the merchant who supplies the cardholder data to the service provider in order for the tokenization to occur. This means the merchant does have a role in the transaction flow. And because the PCI DSS applies to everyone who stores, processes or transmits the data, they still have compliance obligations. While it's certainly true that those compliance requirements are less when dealing with tokens versus live PANs, organizations still need to make sure they comply with the requirements designed to protect data in transit, at least for the machines and processes involved in the transaction before tokenization occurs.

Ed Moyle is a manager with CTG's Information Security Solutions practice and a founding partner of consulting firm SecurityCurve. He is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the information security industry as an author, public speaker, and analyst.
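An added example serving both the tokenization flow just described and the Requirement 3.4 options (truncation or one-way hashing of a stored PAN) discussed earlier in the guide; it is not code from the article or from any provider named in it, the TokenProvider class is a constructed stand-in for a service provider's vault, and the PAN, key and amounts are constructed test values. The final scan shows the scope-reduction argument concretely: after tokenization the merchant's own records hold no Luhn-valid PAN, while the path that hands the PAN to the provider still does.

```python
"""Tokenization flow between a merchant and a token service provider, plus the
Requirement 3.4 forms (truncation, keyed one-way hash) for any PAN the merchant
still keeps. Added example; the provider class is a constructed stand-in, not
the API of any vendor named in the article.
"""
import hashlib
import hmac
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check: a 13-19 digit run that passes is treated as a live PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """3.4 truncation: first six and last four survive, the rest is dropped."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 one-way hash. The PAN space is tiny once BIN and last four are known,
    so an unkeyed hash is brute-forceable; HMAC under a protected key is used."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenProvider:
    """Constructed stand-in for the service provider that issues tokens."""

    def __init__(self) -> None:
        self._vault = {}  # token -> PAN, the provider's problem to lock down

    def tokenize(self, pan: str) -> str:
        # Random, no mathematical relation to the PAN; hyphenated groups of
        # four hex chars so the token can never read as a digit run itself.
        token = "tok-" + "-".join(secrets.token_hex(2) for _ in range(4))
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        """Settlement, tip adjustment or refund, referencing the token only."""
        return token in self._vault and cents != 0


class Merchant:
    """Keeps the token and a truncated PAN for receipts; never the full PAN."""

    def __init__(self, provider: TokenProvider) -> None:
        self.provider = provider
        self.records = []

    def accept_card(self, pan: str, cents: int) -> str:
        # The PAN transits here once (this path stays in PCI scope), then only
        # the token and the 3.4-truncated form are persisted.
        token = self.provider.tokenize(pan)
        self.records.append({"token": token, "display": truncate_pan(pan), "cents": cents})
        return token


PAN_RE = re.compile(r"\d{13,19}")


def stored_pans(records: list) -> list:
    """Scope check: scan persisted values for Luhn-valid 13-19 digit runs."""
    return [m.group() for rec in records for value in rec.values()
            for m in PAN_RE.finditer(str(value)) if luhn_ok(m.group())]
```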
EMERGING TECHNOLOGIES

PCI, VIRTUALIZATION AND CLOUD COMPUTING

Compliance guidelines on virtualization will likely be in a state of flux for some time.

BY MICHAEL COBB

IMAGINE THIS SCENARIO: You've successfully migrated all the company's non-critical applications, the internal infrastructure and the development center onto virtual servers. Management is happy because you've lowered both capital and operating costs, increased energy efficiencies, as well as improved business continuity. But like every business at the moment, your managers need you to reduce costs even further. They're pushing for you to consolidate and run the mission-critical applications, including the Internet-facing e-commerce ones, on virtualized servers, too. But can you remain compliant with the Payment Card Industry Data Security Standard (PCI DSS) while fully leveraging the business benefits of virtualization?

What PCI has to say about virtualization

This is a problem many IT managers face, and there's a distinct lack of guidance on virtualization from the PCI Security Standards Council. Version 1.2 of the standard, released in October, did clarify a number of issues, but it didn't address virtualized environments.

To benefit from virtualization, virtual servers will typically have multiple functions running on a single physical server. Section 2.2.1 of the PCI DSS, however, states that a server should perform only one primary function. So, according to the standard, Web servers and database servers should each be implemented on a separate machine. For a company that needs to be PCI compliant, those restrictions make the task of virtualizing an infrastructure a difficult one.

The PCI Data Security Standard does not yet address virtualized servers or related audit requirements, meaning that qualified security assessors (QSAs) must use their own judgment to determine whether organizations that implement virtualized servers meet the PCI mandates. This less-than-ideal situation is compounded when you consider that IT and security professionals themselves are still unsure of how virtualization changes the risk profile of a system, especially when the technology has been described as one that keeps "all the eggs in one basket," due to the fact that a compromise of the VM host