Step into the intensity of the PCI Data Security Standards’ (PCI DSS) most widely-waged battlefield – the Self-Assessment Questionnaire D (SAQ D). From the civilian perspective of hospitality finance and technology professionals, navigate as a unit through the chaos with one goal in mind, to successfully complete the SAQ D. To train for this mission, the SAQ D will be discussed in great detail, covering many aspects of the 240+ questions, as well as tips and tricks to help complete the questionnaire. As in battle, attendees will work together towards success by sharing their own SAQ D stories.
Check out what else our auditors can do: https://securitymetrics.com/sm/pub/onsiteassessment
2. “All truths are easy to understand once they are discovered; the point is to discover them.”
– Galileo Galilei
3. Summary of SAQs
• SAQ A – Merchant outsources all card collection and processing
• SAQ B – Merchant uses analog phone based POS terminal or imprint method
• SAQ C – Merchant processes and transmits card data but no e-storage
• SAQ C VT – Merchant does simple manual entry on single virtual terminal
• SAQ D – Merchant stores card data electronically in the card processing network
4. What Do I Do With an SAQ?
• SAQ is a merchant’s statement of PCI compliance
• The acquiring bank, not the card brand or the PCI Council, asks a merchant for a completed SAQ
• It is the acquiring bank’s responsibility to track a merchant’s PCI compliance
• It is the merchant’s responsibility to accurately complete the SAQ
5. “To SAQ D, or Not to SAQ D”
• SAQ D classification options
1. Change your card data processes to get out of SAQ D scope
• Don’t store card data (tokenize)
2. Dig in. It’s not easy but it’s possible!
• Get some help (QSA)
6. Know The Battlefield
• Before starting, there are some things you need to gather
– Complete network diagram
– Detailed card data flow diagram/description
– Unsecured card data locations
– Written IT policies/procedures
– Internal compliance team (network, workstation/POS support, HR, help desk)
– Management support!
7. Field Research: Data Discovery
“…you really need to use some kind of methodology to find where cardholder data is on the network…” – Bob Russo, PCI SSC
• Must have a data discovery methodology for an accurate card data flow picture
• Methodology should include:
– Data discovery tool(s)
– Data flow documentation
– Periodic repetition (annual minimum)
8. Recon: Card Data & Process
• Like camouflaged ground forces, unsecured card data and processes using card data can hide in rough terrain and go unnoticed until it’s too late
• Careful tracing and documentation of all processes that deal with card data is essential
• Search even locations/processes you think are “clean”
9. Weapons for Card Discovery
• A good discovery tool has…
• Automated exhaustive search capability
– Hard drives, systems, networks, attached storage devices, etc.
– Finds unencrypted PAN and magnetic stripe data
• Generates easy-to-understand reports
• Shows count and location of payment card data found
• Low false positive rate
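As an added illustration of the discovery-tool traits listed above (example code written for this page, not from the presentation or from any of the tools named on the next slide), this Python script finds Luhn-valid PANs and Track 2 records in text, rejects look-alike numbers, and reports count and location with each PAN masked to first 6 / last 4 so the report itself does not become a new card data store. The file names and contents are constructed sample data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track 2 data: PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r"(?<![0-9])([0-9]{13,19})=[0-9]{7}[0-9]*(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; it rejects most IDs and order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 only, so the discovery report never stores a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(location: str, text: str) -> list:
    """Return (location, line, kind, masked_pan) for each Luhn-valid PAN or Track 2 record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        track_spans = []
        for m in TRACK2_RE.finditer(line):
            track_spans.append(m.span())
            if luhn_ok(m.group(1)):
                findings.append((location, lineno, "TRACK2", mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in track_spans):
                continue                     # already reported as part of a Track 2 record
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((location, lineno, "PAN", mask_pan(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of location -> text; a real tool walks drives, shares and backups."""
    return [f for loc, text in files.items() for f in scan_text(loc, text)]


# Constructed sample files; 4111...1111 and 5555...4444 are well-known test card numbers.
SAMPLE_FILES = {
    "finance/chargebacks.csv": "id,card,amount\n17,4111111111111111,25.00\n18,1234567890123456,9.99\n",
    "pos/debug.log": "swipe ok 4111111111111111=0809101543219987000\n",
    "sales/fax_notes.txt": "guest card 5555 5555 5555 4444 exp 12/30\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    print(f"{len(hits)} finding(s)")        # count first, then the location of each
    for loc, lineno, kind, masked in hits:
        print(f"{loc}:{lineno} {kind} {masked}")
```

The non-Luhn 16-digit order number in the CSV is dropped, and the Track 2 record is reported once rather than as a PAN plus a second 19-digit match on its discretionary data.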
10. Available Data Search Tools
• Payment card data search tools available to use on systems:
– PANscan®: https://securitymetrics.com/sm/PANscan/
– SENF: http://www.utexas.edu/its/products/senf/
– SPIDER: http://www.cit.cornell.edu/security/tools/
11. Where to Look?
• Obvious locations:
– Systems involved in storage, transmission, or processing of card data
– POS systems, web server, customer service workstation, etc.
– Database servers
– Decommissioned systems
– System backup locations
12. Where to Look?
• Look outside the typical cardholder data network:
– Accounting/Finance: spreadsheets from banks, stored reports, etc.
– Sales: faxed forms (printed or digital), e-mail from sales reps, etc.
– Marketing: access to transaction databases/logs for research, etc.
13. Targeting SAQ D Scope
• “The cardholder data environment (CDE) is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data” – PCI DSS
• PCI DSS applies to all system components included in or connected to the CDE
• Minimize where card data is dealt with and reduce SAQ D compliance effort and costs
14. Scoping Principles
• Find where data is using detailed flow and location analysis along with data discovery tools
• If you find it and don’t need it, get rid of it
– Remove historical data
– Secure data deletion process
– Change process to eliminate need
• Search regularly for card data
• Remember: where there is card data, there is PCI DSS scope!
15. Found it! Now What?
• Identify network segment(s) where card data is stored, processed, or transmitted
• Watch for network segments “traversed” by streams of card data on its way elsewhere
• Include any process where card data is placed on media (paper, tape, CD, etc.)
• Remember:
– Encrypted data is in scope where decryption keys are present
– Call center segments viewing full PAN data should be in scope
• Securely delete any unsecured data not needed
16. SAQ D-DAY!
• Done: research, planning, targeting, and discovery steps
• Let’s attack SAQ D in detail
17. PCI DSS SAQ D Summary
• Build and Maintain a Secure Network
– Req. 1: Install and maintain a firewall configuration to protect cardholder data
– Req. 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Req. 3: Protect cardholder data (encrypt or mask)
– Req. 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– Req. 5: Use and regularly update anti-virus software
– Req. 6: Develop and maintain secure systems and applications
18. PCI DSS SAQ D Summary
• Implement Strong Access Control Measures
– Req. 7: Restrict access to cardholder data by business need-to-know
– Req. 8: Assign unique ID to each person with computer access
– Req. 9: Restrict physical access to cardholder data
• Monitor and Test Networks
– Req. 10: Track and monitor all access to network resources and cardholder data
– Req. 11: Regularly test security systems and processes
• Maintain an Information Security Policy
– Req. 12: Maintain documented policy and procedures that address information security
19. SAQ D Requirement 1
• Document and maintain firewall configuration standards (1.1)
– Need formal process for approving and auditing firewall rules quarterly
– Document all port traffic in/out and provide justification
– Accurate network and transaction flow diagrams
• Secure network firewall architecture (1.2-1.4)
– Create DMZ and Secure Zone (2-tiered firewall architecture), prohibit direct public access to zone where data is stored, protect internal IPs
– Control and limit all inbound/outbound network traffic
– Segment cardholder network from wireless or other network segments
– Use personal firewalls on mobile/personal computers
20. SAQ D – Network Example
[Network diagram: strong edge firewall & IDS; isolated wireless; dedicated DMZ; separate office zone; 2nd firewall; dedicated secure zone. Caption: Segment the network to minimize scope!]
21. Network Scoping and Segmentation
• Card network stores/processes/transmits card data
• Most networks not designed for PCI compliance
• Card processing systems are often mixed in with back office systems (one big flat network)
• “Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.” (PCI DSS 1.1, page 2)
22. SAQ D Requirement 2
• Change or do not use vendor-supplied defaults
– Change defaults before adding system component to the cardholder network (passwords, SNMP, wireless settings)
• Develop and maintain system configuration standards
– Create system component configuration standards based on industry best practice guidelines (CIS, NIST, etc.)
– One primary function per server (or virtual server)
– Disable unnecessary services/functions
• Use encrypted non-console admin access tools
– SSH, RDP, VPN, SSL/TLS
23. SAQ D Requirement 3
• Protect stored data
– Minimize confidential information storage, define policy/procedure for removing old data
– Do not store sensitive authentication data subsequent to an authorization event (not even if encrypted)
• Track data, card identification number, PIN, PIN block
– Mask (truncate) account data when displayed (last 4 numbers are max that can be displayed)
• Don’t store masked and hashed PAN together
24. SAQ D Requirement 3
• Render PAN data unreadable anywhere it is stored
– Strong 1-way hashing functions (SHA-1)
– Truncate data (e.g. first 6, last 4)
– Use strong cryptography
• Strong algorithms (3DES, AES, RSA, etc.)
• Proper key length for the algorithm (e.g. for AES, 128 bits or more)
• Strong encryption key management processes
– Protect Data Encryption Key (DEK) from disclosure and misuse
– Secure key storage (encrypt DEK)
– Periodic key changes at end of a defined crypto period
25. What is Sensitive Auth Data?
• Track or mag stripe data
– Used to duplicate a plastic card
• Track 1: %B4111111111111111^Public John Q.^080910100876000
• Track 2: 4111111111111111=0809101543219987000
– Violation to store Track 1 or 2, even if encrypted
• Exception: some “store and forward” situations are allowed if no authorization event occurs
• Card identification number
– Violation to store even if encrypted
• Exception: can be stored encrypted prior to “authorization event”
• PIN or encrypted PIN block
26. Encryption & Key Management
• Don’t use weak or non-industry-standard encryption algorithms
• Most common problem with encryption is insecure encryption key management
• Look carefully at SAQ D sections 3.5-3.6 for correct key management practices; work with a QSA on a key management scheme
27. SAQ D Requirement 4
• Encrypt sensitive data over public networks
– Use strong cryptography to protect card data as it traverses a public network (SSL/TLS, IPSEC, etc.)
– Open (insecure) network examples: Internet, Wi-Fi, GSM, GPRS, satellite
– Use strong encryption method if sending card PAN via e-mail (be careful where e-mail is stored)
• Protect card data flowing over wireless networks
– Use WPA/WPA2 (WEP not allowed)
28. SAQ D Requirement 5
• Anti-Virus/Anti-Malware
– Deploy anti-virus software on all systems in the card environment commonly affected by malicious software
– Software must detect and clean other types of malware (spyware, adware)
– Ensure anti-virus / anti-malware software and signatures are up to date
– Ensure anti-virus / anti-malware software generates logs, and keep the logs
29. SAQ D Requirement 6
• Patch Management and Change Control
– Ensure system components and software are up to date (install relevant security patches within 30 days)
– Keep up on newly discovered vulnerabilities that may affect systems or software; assign a risk ranking to each discovered vulnerability
– Document and follow change control procedures
• Track all system and software configuration changes (e.g. network components, servers, software, etc.)
• Secure Software Processes
– Use PA-DSS validated software, install it correctly
– If you develop your own software (web or client), SAQ D 6.3, 6.5, 6.6 get very important and difficult; get help from a QSA
30. SAQ D Requirement 7
• Limit access to computing resources and cardholder information to only those with a “need-to-know”
• Ensure systems have automated access control systems implemented
• Have a traceable process for granting/denying access to cardholder network systems based on job role
31. SAQ D Requirement 8
• Protect access to the cardholder data network
– All users must have unique IDs to access cardholder network systems
– All users must authenticate to the systems using a password (or token, or biometric)
– All passwords must be stored encrypted
– Remote access into the cardholder network must be secured by 2-factor authentication
• Something you know (a password), and something you have (token or certificate)
• Examples: RADIUS, TACACS, VPN with individual certificates, key fob, etc.
32. SAQ D Requirement 8
• User and password management
– Process to control addition/deletion of users
– Verify identity before password resets, use strong initial passwords
– Revoke access of terminated users, remove inactive accounts every 90 days
– No “group” or shared user IDs or passwords
– Change passwords every 90 days, keep history
– Password strength: 7+ chars, alpha/numeric
– Lock after 6 invalid logins for at least 30 min
– Idle session timeout of 15 min (can be screen saver)
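An added Python model of the Requirement 8 rules on this slide (example code written for this page, not from the presentation): lockout after 6 invalid logins for at least 30 minutes, 15-minute idle timeout, 90-day password age with a reuse history, 7+ character alphanumeric strength, a 90-day inactivity check, and passwords held only as salted hashes. Times are plain seconds so the logic is easy to test; the user ID and passwords are constructed.

```python
import hashlib
import secrets

# Limits as summarised on the slide (SAQ D Requirement 8); all times in seconds.
MIN_LENGTH, MAX_FAILED = 7, 6
LOCKOUT, IDLE_TIMEOUT = 30 * 60, 15 * 60
NINETY_DAYS = 90 * 24 * 3600          # password age limit and inactive-account limit


def _hash(salt: bytes, password: str) -> bytes:
    # SHA-256 keeps the example dependency-free; production code should use a slow password hash.
    return hashlib.sha256(salt + password.encode()).digest()


def strong_enough(password: str) -> bool:
    """7+ characters containing both letters and digits."""
    return (len(password) >= MIN_LENGTH and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class Account:
    """One account per person (no shared IDs); passwords are stored only as salted hashes."""
    def __init__(self, user_id: str, password: str, now: int):
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.history = [_hash(self.salt, password)]   # kept so old passwords cannot be reused
        self.password_set = now
        self.failed = 0
        self.locked_until = 0
        self.last_activity = now

    def login(self, password: str, now: int) -> str:
        if now < self.locked_until:
            return "locked"
        if _hash(self.salt, password) != self.history[-1]:
            self.failed += 1
            if self.failed >= MAX_FAILED:              # lock after 6 invalid attempts
                self.locked_until = now + LOCKOUT
            return "bad-password"
        self.failed, self.locked_until = 0, 0
        self.last_activity = now
        return "change-required" if now - self.password_set > NINETY_DAYS else "ok"

    def change_password(self, new: str, now: int) -> bool:
        digest = _hash(self.salt, new)
        if not strong_enough(new) or digest in self.history:
            return False                               # too weak, or a reused password
        self.history.append(digest)
        self.password_set = now
        return True

    def session_active(self, now: int) -> bool:
        """Idle timeout of 15 minutes (a locking screen saver also satisfies this)."""
        return now - self.last_activity <= IDLE_TIMEOUT

    def inactive(self, now: int) -> bool:
        """True once the account has been unused for 90 days and should be removed."""
        return now - self.last_activity > NINETY_DAYS
```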
33. SAQ D Requirement 9
• Physical security of facilities
– Control access to physical location of cardholder network systems
– Video and/or access control mechanisms in data center; store video data at least 3 months
– Restrict access to network jacks, wireless access points, network hardware, and handheld devices
34. SAQ D Requirement 9
• Employee controls
– Must be able to distinguish employees from visitors (ID badges or other means)
– In sensitive areas: visitors must be authorized, sign log, be given physical token of visitor status that expires, and surrender token upon leaving
35. SAQ D Requirement 9
• Controls over the storage of media
– Physically secure all electronic or paper media that contains cardholder data
– Store media backups in secure location, preferably off-site
– Maintain strict control over internal/external distribution of media
• Management must approve all distribution of media
• Classify media so it can be identified as confidential
• Use secured courier or delivery mechanism that can be tracked
• Inventory all distributed media
– Destroy media when no longer in use (shred, degauss, physically destroy, etc.)
36. SAQ D Requirement 10
• Track & monitor access to systems in the
cardholder network
– Enable audit logging on all systems handling cardholder data
– Implement log monitoring and notification software (review daily)
– Track all privileged access to credit card data outside of defined payment applications
– Centralize the storage of audit logs. Include all logs (system, application, firewall, IDS, web…)
– Protect audit logs from modification
– Sync system time throughout the cardholder network to a known, protected source
37. SAQ D Requirement 11
• Regularly test security systems
– Quarterly external & internal vulnerability scans
• PCI authorized scan vendor for external testing; internal testing can be done with VA scanning tools
• Act on scan results until the scans are running clean
– Conduct external penetration testing
• Annually or after any significant infrastructure or application upgrade or modification
• Testing conducted by an experienced penetration tester who is not part of the card network admin team
• Must include both network and application layer testing
– Intrusion Detection System monitors all traffic
– File Integrity Monitoring software watching critical files
38. SAQ D Requirement 12
• Document Information Security Policy and
Procedures
– Develop, maintain, and publish infosec policies to address all PCI requirements
– Review policy and conduct risk assessment annually
– Develop daily operational security procedures to ensure continued PCI compliance (watch logs, updates, etc.)
– Develop employee acceptable use policies for employee-facing technologies (modem, network, wireless, etc.)
39. SAQ D Requirement 12
• Document Information Security Policy and
Procedures
– Define management responsibilities (policy, control access, monitor alerts, incident response, etc.)
– Develop & implement a security awareness program
– Background check potential or new employees
– 3rd parties that receive card data from you must have contractual language to follow PCI DSS
– Develop, distribute and periodically test an Incident Response Plan
40. Documentation Hurdles
• Amount of documentation and process development/rollout is a big deal for a successful SAQ D compliance effort
• Must be comprehensive and implemented across the board
• Don’t depend on “employee memory”
• Carefully document security procedures and policies, train employees periodically
• Good data security starts from the top down, not from the IT staff up!
42. Compromise: Hospitality Industry
• Network vulnerabilities found:
– Insecure remote access
– Common default passwords
– Logging not enabled, not watching logs
– Flat network design - limited or no segmentation
– No IDS/IPS in place
• Attack vectors included:
– Compromised remote access
– Installed suite of malware: processor memory dump program, parser looking for credit card data in dump files, shared folder search app that looked for passwords, credit card numbers, social security numbers, etc.
43. What Did It Cost?
• Bottom line costs:
– Cost of the forensic investigation: $32,000
– Number of cards stolen: 150,000
– Fines: $80,000
– Reimbursement for fraudulent use: $440,000
• All this from just two sites involved in the compromise
45. Tokenization
• Token representing PAN is returned from the gateway/processor, eliminating storage risk
• No storage of sensitive PAN data, which reduces PCI DSS requirements, but PAN data is still transmitted (potential reduction of validation to SAQ C)
• Biggest advantage: tokens have no value unless redeemed; can potentially store tokens outside of CDE without impacting PCI scope
• Historical PAN data must be tokenized or removed
• Many processors/gateways are beginning to support tokenization, but switching processors may be harder
• Best if integrated with Point-to-Point Encryption solution
46. Point to Point Encryption
• All card data is encrypted by the swipe device hardware; no cleartext data enters merchant POS systems
• Merchant does not have keys that can decrypt the data
• Has potential for a large reduction in scope since internal systems never see or transmit usable card data
• Could lower PCI DSS assessment scope, but new hardware and services would have to be purchased
• Format Preserving Encryption has potential for integration with legacy software (PCI SSC still “in session” on FPE issues)
47. Taking Mobile Payments
• Security issues:
– Smart phone malware potential
– Many other end user technologies potentially in use on the devices (SMS, web browsing, Wi-Fi, etc.)
– Hard to control the personal device security
• P2PE and EMV technologies help with “encrypt at swipe” card reader, but manual transaction entry is still a problem
• Long term: “sandbox” the payment app to run in a dedicated secure environment; requires new mobile hardware
• More guidelines from PCI SSC expected soon
48. Wrap Up
• PCI DSS compliance and validation is typically not a quick, easy process
– Know where the card data is!
– Take time to really understand the SAQ D requirements and your card network
– Plan on sufficient time for the effort
• Consider consulting with a QSA even if just filling out an SAQ
• Remember, compliance is often more work than just SAQ validation