Frequently asked questions on the road to PCI DSS compliance
A talk about some concerns on the way to PCI DSS compliance.

  • 1. Frequently asked questions on the road to PCI Compliance
    Sergey Shustikov, Digital Security, Head of information security governance direction, CISA, PCI QSA
    March 17, 2010
  • 2. © 2002—2010, Digital Security. PCI DSS
    • Developed and promoted by the PCI Security Standards Council (PCI SSC), founded by the Visa, MasterCard, American Express, Discover and JCB payment brands
    • PCI compliance is required of every company that stores, processes or transmits cardholder data: banks, processors, merchants and service providers
    • An annual onsite QSA assessment is required of every company that processes more than 300,000 PANs per year
    • As of March 2010 only six service providers in Russia have validated their PCI compliant status
  • 3. Road to PCI Compliance
  • 4. Milestones on the Road to PCI Compliance
    • QSA pre-assessment
      • Report on Compliance (ROC)
      • Action Plan (AP): a formal table with dates only (!)
    • Development of QSA recommendations for resolving non-compliance
      • Expert report of the QSA consultant with detailed recommendations on how to treat compliance issues and reduce cardholder data security risks
    • Development of the technical project
      • Approved technical project describing all planned changes and solutions
    • Implementation of the developed solutions
      • Acceptance report
    • Performing the mandatory checks
      • Penetration testing report
      • ASV scanning report
    • Certification QSA assessment
      • Report on Compliance (ROC)
      • Certificate of Compliance
  • 5. Question 1: Scoping
    • PCI DSS requirements apply to all systems that store, process or transmit cardholder data (the cardholder data environment, CDE)
    • PCI DSS requirements also apply to all connected systems that are not separated from the cardholder data environment by a securely configured firewall
    • There is a difference between the scope of PCI applicability and the scope of PCI validation for a bank's in-house processor:
      • PCI requirements apply to all cardholder data business processes, both issuing and acquiring
      • The acquiring process is the subject of the QSA assessment
      • A payment brand can decide to require a QSA assessment of the issuing process for a particular organization (http://selfservice.talisma.com/article.aspx?article=5391&p=81)
  • 6. Question 2: Configuration standards
    • Configuration standards are required by PCI DSS Req. 2.2
    • Best practice: divide the configuration standard into two logical parts:
      • A standard that describes the base configuration of a family of devices or software (e.g. Oracle 10g DBMS, Windows XP workstation, Solaris 10 server, Cisco router, D-Link access point);
      • A passport for each device or software installation, recording the current values of the parameters of that specific entity.
    • So for each device or software installation you have the base configuration standard of its family plus the fine tuning of that specific entity documented in its passport
    • It is strongly recommended to embed this documentation in change management procedures; it also improves the manageability of the information infrastructure
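The "family standard plus per-device passport" split above lends itself to an automated drift check: build the expected configuration by applying the passport's documented overrides to the family baseline, refuse overrides the baseline does not define, and diff the result against what the device actually runs. The following Go program is an added example written for this page, not code from the presentation or from Digital Security; the parameter names, the sample baseline and the observed configuration are constructed, not vendor defaults.

```go
package main

import (
	"fmt"
	"sort"
)

// Config is a flat set of parameter -> value pairs, as a device's running
// configuration would be exported by a collection script.
type Config map[string]string

// Deviation is one parameter whose observed value differs from what the
// family standard, adjusted by the device passport, requires.
type Deviation struct {
	Param, Expected, Observed string
}

// Expected builds the required configuration for one device: the family
// baseline with the passport's documented overrides applied. A passport may
// only override parameters the baseline defines, so an undocumented setting
// cannot creep in under the name of "fine tuning".
func Expected(baseline, passport Config) (Config, error) {
	out := make(Config, len(baseline))
	for k, v := range baseline {
		out[k] = v
	}
	for k, v := range passport {
		if _, ok := baseline[k]; !ok {
			return nil, fmt.Errorf("passport sets %q, which the baseline standard does not define", k)
		}
		out[k] = v
	}
	return out, nil
}

// Check compares an observed configuration with the expected one. Parameters
// absent from the observed export are reported with an empty observed value.
// Results are sorted by parameter name so reports are stable.
func Check(expected, observed Config) []Deviation {
	var devs []Deviation
	for k, want := range expected {
		got, ok := observed[k]
		if !ok || got != want {
			devs = append(devs, Deviation{Param: k, Expected: want, Observed: got})
		}
	}
	sort.Slice(devs, func(i, j int) bool { return devs[i].Param < devs[j].Param })
	return devs
}

func main() {
	// Constructed sample data; parameter names are illustrative, not vendor defaults.
	baseline := Config{ // standard for the "Solaris 10 server" family
		"ssh.protocol":          "2",
		"ssh.permit_root_login": "no",
		"telnet.enabled":        "no",
		"ntp.server":            "ntp.example.internal",
		"syslog.remote":         "log.example.internal",
	}
	passport := Config{"ntp.server": "10.0.0.5"} // documented fine tuning of this host
	observed := Config{ // what the host actually runs
		"ssh.protocol":          "2",
		"ssh.permit_root_login": "yes",
		"telnet.enabled":        "no",
		"ntp.server":            "10.0.0.5",
	}
	exp, err := Expected(baseline, passport)
	if err != nil {
		fmt.Println("passport error:", err)
		return
	}
	for _, d := range Check(exp, observed) {
		fmt.Printf("%-22s expected %q, observed %q\n", d.Param, d.Expected, d.Observed)
	}
}
```

Run against the sample, the check reports the root login that drifted from "no" to "yes" and the remote syslog target that is missing entirely; the passport's NTP override is accepted because it is documented. Wiring this into change management means a passport edit and a baseline edit are both reviewed changes, and anything the check flags is either an undocumented change or a gap in the passport.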
  • 7. Question 3: Cryptography
    • Cryptography is not only encryption of stored and transmitted cardholder data; it also means implementing and using secure key management procedures
    • Key management procedures should be developed for every implemented control that uses cryptographic mechanisms
    • Common failures:
      • PANs in the DB are encrypted, but the encryption key is stored on the server's HDD in plain text
      • Physical security of cryptographic key media is forgotten during storage and transportation
    • Visa Inc. has issued best practices for Data Field Encryption: http://usa.visa.com/download/merchants/bulletin_encryption_best_practices_10052009.pdf
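The first "common failure" above, encrypted PANs with the key lying next to them on disk, is avoided by keeping the data-encrypting key (DEK) only in wrapped form and holding the key-encrypting key (KEK) elsewhere (HSM, key server, split among custodians). The Go program below is an added example for this page, not code from the presentation or Digital Security: it stores per-record wrapped DEKs beside the ciphertext, decrypts only when the KEK is supplied, and shows the key-management procedure the slide calls for in the form of a KEK rotation that re-wraps the DEK without touching the ciphertext. The key values, the record layout and the test PAN are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is the database row for one PAN: ciphertext plus the per-record
// data-encryption key (DEK) wrapped under the key-encrypting key (KEK).
// The KEK itself is never written to the database host.
type Record struct {
	Nonce, Ciphertext    []byte // AES-256-GCM over the PAN
	DEKNonce, WrappedDEK []byte // DEK sealed under the KEK
}

var dekAAD = []byte("pan-dek-v1") // ties the wrapped DEK to its purpose and version

func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	a, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, a.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, a.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, nonce, ct, aad)
}

// EncryptPAN draws a fresh 256-bit DEK per record, encrypts the PAN under it
// and wraps the DEK under the 32-byte KEK held by the key-management component.
func EncryptPAN(kek []byte, pan string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	n, ct, err := seal(dek, []byte(pan), nil)
	if err != nil {
		return Record{}, err
	}
	dn, wrapped, err := seal(kek, dek, dekAAD)
	if err != nil {
		return Record{}, err
	}
	return Record{Nonce: n, Ciphertext: ct, DEKNonce: dn, WrappedDEK: wrapped}, nil
}

// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN. Without the
// KEK the stored row is useless, which is the point of not storing the key beside the data.
func DecryptPAN(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.DEKNonce, r.WrappedDEK, dekAAD)
	if err != nil {
		return "", errors.New("cannot unwrap DEK: wrong or missing KEK")
	}
	pt, err := open(dek, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RewrapDEK rotates the KEK: the DEK is unwrapped with the old KEK and sealed
// again under the new one. The PAN ciphertext is untouched, so a KEK rotation
// never requires re-encrypting the cardholder data itself.
func RewrapDEK(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := open(oldKEK, r.DEKNonce, r.WrappedDEK, dekAAD)
	if err != nil {
		return Record{}, errors.New("cannot unwrap DEK with the old KEK")
	}
	r.DEKNonce, r.WrappedDEK, err = seal(newKEK, dek, dekAAD)
	return r, err
}

func main() {
	kek := make([]byte, 32) // constructed; in production fetched from an HSM or key server
	rand.Read(kek)
	rec, _ := EncryptPAN(kek, "4111111111111111") // well-known test PAN, not real cardholder data
	pan, _ := DecryptPAN(kek, rec)
	_, err := DecryptPAN(make([]byte, 32), rec)
	fmt.Println("decrypted:", pan, "| wrong KEK:", err)
}
```

A QSA looking at this design will still ask where the KEK lives, who the custodians are, how it is split for transport and how rotation is scheduled; the code only guarantees that a copy of the database, or of the server's disk, does not carry enough to recover a single PAN.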
  • 8. Question 4: Remote access
    • A correct implementation of remote access mechanisms and security controls can keep the remote host out of PCI DSS scope
    • Rules of a sound remote access implementation:
      • A DMZ separated by a firewall
      • Proper firewall access control lists
      • Two-factor authentication of remote users
      • Encryption of the communication channel (VPN)
      • Restriction of clipboard use and of cardholder data storage on the remote host
  • 9. Question 5: Event logging
    • Proper implementation of audit and event log management controls includes developing a process of regular event log review
    • Commonly the "paranoid" mode of logging systems is turned on, which leads to:
      • Impossibility of accurate analysis of all events
      • Disk space problems with event log storage
    • The solution follows from understanding the intent of the audit and log management requirements: collect and store only the events that help with:
      • Security incident identification
      • Tracing activity during a forensic investigation
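To make "collect only what helps identify an incident or reconstruct one" concrete, the Go program below keeps the lines that matter for that purpose (authentication successes and failures, privilege use, account changes, access to the audit logs themselves) and drops the cron, DHCP and kernel chatter that fills disks in "paranoid" mode. It is an added example for this page, not code from the presentation or from Digital Security; the rule set is an assumption of the example for common Linux syslog formats, not a PCI SSC list, and the sample log lines, host name and addresses are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one log line that passed the filter, tagged with why it was kept.
type Event struct {
	Host, Category, Raw string
}

// rules map a line to the audit category it serves; the first match wins.
// Patterns target common Linux syslog formats (sshd, sudo, shadow-utils) and
// are an assumption of this example, not a list taken from the standard.
var rules = []struct {
	Category string
	Pattern  *regexp.Regexp
}{
	{"auth-failure", regexp.MustCompile(`Failed password for (invalid user )?\S+ from \S+`)},
	{"auth-success", regexp.MustCompile(`Accepted (password|publickey) for \S+ from \S+`)},
	{"privilege-use", regexp.MustCompile(`sudo:\s+\S+ : .*COMMAND=`)},
	{"account-change", regexp.MustCompile(`(useradd|usermod|userdel|passwd)\[\d+\]:`)},
	{"audit-log-access", regexp.MustCompile(`/var/log/(auth\.log|secure|audit/)`)},
}

// Classify returns the event for a line, or false if the line is noise that
// neither identifies an incident nor helps reconstruct one afterwards.
func Classify(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 5 { // expected shape: "Mon DD HH:MM:SS host process: message"
		return Event{}, false
	}
	for _, r := range rules {
		if r.Pattern.MatchString(line) {
			return Event{Host: f[3], Category: r.Category, Raw: line}, true
		}
	}
	return Event{}, false
}

// Filter keeps only the lines worth storing and reviewing.
func Filter(lines []string) []Event {
	var out []Event
	for _, l := range lines {
		if e, ok := Classify(l); ok {
			out = append(out, e)
		}
	}
	return out
}

// Summarize counts kept events per category, the first view a daily log
// review starts from before drilling into individual lines.
func Summarize(events []Event) map[string]int {
	m := map[string]int{}
	for _, e := range events {
		m[e.Category]++
	}
	return m
}

// SampleLines are constructed for this example; host and addresses are fictional.
var SampleLines = []string{
	"Mar 17 10:01:02 cde-db01 sshd[2211]: Failed password for invalid user admin from 10.0.9.7 port 51122 ssh2",
	"Mar 17 10:01:05 cde-db01 sshd[2211]: Accepted publickey for dba from 10.0.1.20 port 51130 ssh2",
	"Mar 17 10:01:09 cde-db01 sudo:   dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/bin/cat /var/log/auth.log",
	"Mar 17 10:01:10 cde-db01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
	"Mar 17 10:01:12 cde-db01 dhclient[880]: DHCPREQUEST on eth0 to 10.0.1.1 port 67",
	"Mar 17 10:02:00 cde-db01 useradd[2410]: new user: name=svc_batch, UID=1005, GID=1005, home=/home/svc_batch",
	"Mar 17 10:02:30 cde-db01 kernel: [  123.456] eth0: link up",
}

func main() {
	events := Filter(SampleLines)
	fmt.Printf("kept %d of %d lines\n", len(events), len(SampleLines))
	for _, e := range events {
		fmt.Printf("%-16s %s\n", e.Category, e.Raw)
	}
	fmt.Println(Summarize(events))
}
```

On the sample, four of seven lines survive: the failed login from an unexpected address, the successful key login, the sudo that read the authentication log, and the new service account. Each of those answers a question a reviewer or an investigator will ask; the three dropped lines answer none. The rule list is where the organisation records its own decision about what the audit requirements mean for its environment, and that list, not the raw volume, is what the QSA will ask to see.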
  • 10. Question 6: Information security management system (ISMS)
    • Information security is a process that has a start but no end; it needs to be managed, so the effectiveness of the ISMS is no less important than the effectiveness of the controls implemented
    • The QSA wants to find a daily process, not a bale of dusty paper: "once written, never used"
    • Best practice: use the methodology described in the ISO 27001 and STO BR IBBS-1.0 standards
  • 11. Question 7: Compensating controls
    • A compensating control may be used only where there are substantiated constraints on implementing the control described in the PCI DSS requirement
    • Fulfilling another PCI DSS requirement cannot be recognized as a compensating control for the requirement being substituted
    • A compensating control should mitigate the security risk no less effectively than the PCI DSS requirement it substitutes
    • The prohibition on storing sensitive authentication data (CVV2/CVC2, track data, PIN/PIN block) after authorization cannot be substituted by any compensating control
    • A compensating control should be treated as a temporary measure, because the easiest way to mitigate the security risk is described in the requirement itself; all other ways are complicated workarounds
  • 12. Question 8: Assessment process
    • The assessor decides whether a control is in place or not based on:
      • Employee interviews
      • Analysis of documentation
      • Examination of the configuration of information infrastructure components
      • Process observation
    • The assessor collects evidence of the control's operation (records, screenshots, copies of documents)
    • Collected evidence is securely stored by the QSA company for three years from the time of the audit; the evidence, as well as the ROCs, can be requested and examined by the PCI Council during its quality assurance procedures
  • 13. Questions?
    • Answers on PCIDSSRU.COM!