Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

In this 45 minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A

Published in: News & Politics


  1. 1. PCI DSS & PA DSS By Kishor Vaswani – CEO, ControlCase
  2. 2. Agenda • About PCI DSS • Overview of changes in version 3 and beyond • Segmentation and Penetration Testing • Card Data Discovery and Memory • Q&A 1
  3. 3. About PCI DSS
  4. 4. What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC) 2
  5. 5. PCI DSS Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 3
  6. 6. PCI DSS 3.0 and 3.1 4 • PCI DSS 3.0 in place starting last year i.e. 2015 • PCI DSS 3.1 outlined that SSL and early TLS not secure • Some requirements such as SSL/TLS migration requirements are set for June 2018
  7. 7. Overview of changes in PCI 3.0
  8. 8. Overview 5 Segmentation • Adequacy of segmentation • Penetration test Third parties/Service providers • Must validate PCI DSS compliance; OR • Must participate is customers PCI DSS compliance audit
  9. 9. Overview contd… 6 PCI DSS as Business as Usual • Monitoring of security controls • Review changes to environment • Review changes to org structure • Periodic review of controls vs. during audit • Separation of duties (operational vs. security) Physical protection of POS, ATM and Kiosks • Maintain inventory • Periodic inspection for tampering • Train personnel
  10. 10. Segmentation and Penetration Testing
  11. 11. What is Network Segmentation • In the context of PCI DSS, Network Segmentation is a process where you isolate the CDE systems (Systems storing, processing & transmitting the CHD) from non-CDE systems. • Key thing to Note: Network Segmentation is not mandatory requirement. 7
  12. 12. Network Segmentation & Scoping Guidelines Store Process Transmit CDE Connected To Impact Security Provide Security Provide Segmentation People, Process and Technology 8
  13. 13. Flat Network Example Users Cardholder Servers Infrastructure servers Development Servers Since there is no segmentation done all the Systems will fall in PCI DSS scope 9
  14. 14. Segmented Network Example Other Users Cardholder Servers Infrastructure servers Development Servers Segmented Network using Firewall/Core Switch, ensure that traffic is limited to finance users and scope is reduces to only finance users, Cardholder servers and infrastructure servers Finance Users Firewall/Core Switch 10
  15. 15. • A method of evaluating the security of a computer system, network or application by simulating an attack by a malicious hacker. • Involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. • Carried out from the position of a potential attacker, and involves an active exploitation of security vulnerabilities. • Performed from outside the external perimeter or from within the internal network. What is a Penetration Test? 11
  16. 16. • To determine whether and how a malicious user can gain unauthorized access to assets and eventually sensitive data • To confirm that the applicable PCI DSS controls, such as configuration standards, vulnerability management, and segmentation are in place. Why is it important? 12
  17. 17. • Entire CDE perimeter • Any critical systems that may impact the security of the CDE • External perimeter (public-facing attack surfaces) • Segmentation and scope-reduction controls What should we include in the test? 13
  18. 18. • 11.3.4 - CDE Segmentation Verification › Applicable if segmentation is used to isolate CDE from other networks › Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in- scope systems › Must provide tester documentation of segmentation technologies › Testing against CDE systems from outside CDE › Testing against out-of-scope systems within the CDE Segmentation Verification – PCI DSS 3.1 14
  19. 19. • Based on the best practices from Open-Source Security Testing Methodology Manual (OSSTMM), Open Web Application Security Project (OWASP) and NIST SP800-115 • Includes coverage of the CDE perimeter and critical systems • Includes testing from both inside and outside the network • Includes testing from non CDE internal network to CDE internal network • Includes testing to validate any segmentation and scope-reduction controls Methodology 15
  20. 20. Example Segmentation PT Result • Segmentation Failed › If we note that firewall is configured to allow unrestricted access (any ports and services) from the store/corporate General Network into the store POS Network (CDE) • Segmentation Passed › If there is no access detected for any of the ports and services from the store General Network into the store POS Network (CDE). 16
  21. 21. Best Practices to Pass Segmentation PT • Rule-set review shall be done to verify the rules against the business requirements. • All unused rules shall be removed • All ACLs shall be configured in a way that they do not allow access from Non-CDE to CDE. • All changes in network shall be done through change management process and in line with the “Network Segmentation” policy and procedure. • If non-CDE segments have access into the CDE, either the organization needs to restrict that access or a full network-layer penetration test should be performed to characterize the access. 17
  22. 22. Card Data Discovery & Memory
  23. 23. What is Data Discovery • Ability to identify and pinpoint sensitive data across › File Shares › Servers › Databases › Email › Log files › Etc. 18
  24. 24. Why is it important • CIA focuses on confidentiality, integrity and availability • Confidentiality is always focused on “Data” • Data that is sensitive must be protected, however the first step of that is to know where the data resides • Hence, it is important to identify where sensitive data resides 19
  25. 25. Protect Stored Cardholder Data You must ensure stored data is encrypted and protected. 20
  26. 26. PCI Council Advisory… • Importance of Updating Scope for PCI DSS Assessments There have been a number of high profile data compromises in the press recently. These reports serve as a daily reminder of the damage caused by compromises and of the need to keep business environments secure. Businesses evolve and change over time, and the scope of an entity's cardholder data environment must be reviewed and verified each time a PCI DSS assessment is undertaken. As has always been the case, many compromises are the result of businesses having data they weren't aware of. Please remember that scoping an assessment includes verifying that no cardholder data exists outside of the defined cardholder data environment. By ensuring the scope of an assessment is appropriate, the risk of data compromise is greatly reduced - a benefit to everyone involved. 21
  27. 27. Methods for Data Discovery • DLP Solutions (McAfee etc.) • Card Data Discovery Solutions (ControlCase etc.) • Manual Scripts and Regular Expressions • Forensic Technology (EnCase etc.) 22
  28. 28. Data Discovery Planning Considerations • Deployment and agents › Can get expensive › Technologically complicated › Long deployment cycles › Databases are a challenge • False Positives › Luhn’s formula narrows down but is not full proof › Many schemes use Luhn’s formula to generate numbers › Separators and delimiters change 23
  29. 29. Planning Considerations contd… • Performance within production environments › Database load › Large number of records in databases › Active directory scanning › Emails storing cardholder data • Tokenization › Differentiation between tokens and real card numbers • Exclusions › Directories › Files › Extension types › Tables/Columns 24
  30. 30. PA DSS and Card Data in Memory • PA DSS has two requirements around card data storage in memory › Sensitive data (CVV, PIN) cannot be stored in memory per Requirement 1 › Coding techniques must include how PAN and sensitive data is handled in memory per requirement 5 • Test for data in memory using memory dump tools such as Winhex • Cardholder Data in volatile memory must be handled securely to avoid Memory-Scraping Attacks • POS devices are primary targets • Applications must rewrite memory with NULL once the transaction authorization is completed 25
  31. 31. To Learn More About PCI Compliance… • Visit •
  32. 32. Thank You for Your Time