SecurityMetrics

SAQ D Boot Camp
Defeat by questionnaire is not acceptable!
“All truths are easy to understand once they are discovered; the point is to discover them.” – Galileo Galilei
Summary of SAQs
• SAQ A – Merchant outsources all card
  collection and processing
• SAQ B – Merchant uses analog phone based
  POS terminal or imprint method
• SAQ C – Merchant processes and transmits
  card data but no e-storage
• SAQ C VT – Merchant does simple manual
  entry on single virtual terminal
• SAQ D – Merchant stores card data
  electronically in the card processing network
What Do I Do With an SAQ?
• SAQ is a merchant’s statement of
  PCI compliance
• Acquiring bank would ask a
  merchant for a completed
  SAQ, not card brand or PCI
  Council
• Acquiring bank’s responsibility to
  track a merchant’s PCI
  compliance
• It is a merchant’s responsibility to
  accurately complete the SAQ
“To SAQ D, or Not to SAQ D”
• SAQ D classification options
  1. Change your card data processes to
     get out of SAQ D scope
     • Don’t store card data (tokenize)
  2. Dig in. It’s not easy but it’s possible!
     • Get some help (QSA)
Know The Battlefield
• Before starting, there are some things
  you need to gather
  – Complete network diagram
  – Detailed card data flow
    diagram/description
  – Unsecured card data locations
  – Written IT policies/procedures
  – Internal compliance team (network,
    workstation/POS support, HR, help
    desk)
  – Management support!
Field Research: Data Discovery
“…you really need to use some kind of
  methodology to find where cardholder data is
  on the network…”
                  – Bob Russo, PCI SSC
• Must have a data discovery methodology for
  an accurate card data flow picture
• Methodology should include:
  – Data discovery tool(s)
  – Data flow documentation
  – Periodic repetition (annual minimum)
Recon: Card Data & Process
• Like camouflaged ground
  forces, unsecured card data and
  processes using card data can hide
  in rough terrain and go unnoticed
  until it’s too late
• Careful tracing and documentation of
  all processes that deal with card data
  is essential
• Search even locations/processes you
  think are “clean”
Weapons for Card Discovery
• A good discovery tool…
• Automated exhaustive search capability
   – Hard drives, systems, networks, attached storage
     devices, etc.
   – Finds unencrypted PAN and magnetic stripe data
• Generates easy-to-understand reports
• Shows count and location of payment card data found
• Low false positive rate
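A minimal version of such a discovery tool, added here as an example (it is not PANscan or any of the tools named on the next slide): it walks files, finds PANs and track 1/2 records, filters candidates by issuer prefix and Luhn check to keep the false positive rate down, and reports counts per location with the PAN masked so the report itself does not become cardholder data. The issuer-prefix list and the sample files are constructed assumptions.

```python
import os
import re
from collections import Counter

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track 1: %B<PAN>^<name>^<YYMM...>    Track 2: <PAN>=<YYMM><service code>...
TRACK1_RE = re.compile(r"%B([0-9]{13,19})\^[^^]{2,26}\^[0-9]{4}")
TRACK2_RE = re.compile(r"(?<![0-9])([0-9]{13,19})=[0-9]{7}[0-9]*")
# Issuer prefixes of the major brands (assumption: trim to the brands you accept);
# anything else is discarded as a false positive.
IIN_RE = re.compile(r"^(4|5[1-5]|2[2-7]|3[47]|6011|65|3[0689])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test that every issued PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_pan(digits: str) -> bool:
    """Length, issuer prefix and Luhn together keep the false positive rate low."""
    return (13 <= len(digits) <= 19
            and IIN_RE.match(digits) is not None
            and len(set(digits)) > 1      # 4444...4 style filler values
            and luhn_ok(digits))


def mask(digits: str) -> str:
    """Report first 6 and last 4 only, so the report itself is not cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan) for every PAN or track record on one line."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if is_pan(m.group(1)):
                findings.append((kind, mask(m.group(1))))
                covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # already reported as part of track data
        digits = re.sub(r"[ -]", "", m.group())
        if is_pan(digits):
            findings.append(("pan", mask(digits)))
    return findings


def scan_files(files: dict) -> list:
    """files maps a path to its text; returns one record per hit with its line number."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, masked in scan_line(line):
                hits.append({"path": path, "line": lineno, "kind": kind, "pan": masked})
    return hits


def scan_tree(root: str) -> list:
    """Exhaustive walk of a directory tree, reading every file as text."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                files[path] = fh.read()
    return scan_files(files)


def summarize(hits: list) -> dict:
    """Findings per location: the count the scoping work in the later slides needs."""
    return dict(Counter(h["path"] for h in hits))


# Constructed sample "files"; 4111... is the standard Visa test PAN, while the asset
# tag starts like a Mastercard number but fails Luhn and must not be reported.
SAMPLE_FILES = {
    "finance/settlement_2011-03.csv": "date,amount,card\n"
                                      "2011-03-02,19.99,4111 1111 1111 1111\n"
                                      "2011-03-02,5.00,order-12345678901234\n",
    "pos/debug.log": "swipe raw=%B4111111111111111^PUBLIC/JOHN Q^0809101^?"
                     ";4111111111111111=0809101543219987000?\n",
    "it/asset_list.txt": "asset tag 5551234567890123 laptop\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for h in hits:
        print(f"{h['path']}:{h['line']} {h['kind']} {h['pan']}")
    print(summarize(hits))
```

Point `scan_tree()` at a mount or share to scan a real location; the debug log in the sample is the typical "clean" place where track data turns up.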
Available Data Search Tools
• Payment card data search tools available
  to use on systems:

  – PANscan®: https://securitymetrics.com/sm/PANscan/
  – SENF: http://www.utexas.edu/its/products/senf/
  – SPIDER: http://www.cit.cornell.edu/security/tools/
Where to Look?
• Obvious locations:
  – Systems involved in
    storage, transmission, or
    processing of card data
  – POS systems, web
    server, customer service
    workstation, etc.
  – Database servers
  – Decommissioned systems
  – System backup locations
Where to Look?
• Look outside typical cardholder data
  network:
  – Accounting/Finance: spreadsheets from
    banks, stored reports, etc.
  – Sales: faxed forms (printed or digital), e-mail
    from sales reps, etc.
  – Marketing: access to transaction
    databases/logs for research, etc.
Targeting SAQ D Scope
• “The cardholder data environment (CDE) is
  comprised of people, processes and
  technology that store, process or transmit
  cardholder data or sensitive authentication
  data” –PCI DSS
• PCI DSS applies to all system components
  included in or connected to the CDE
• Minimize where card data is dealt with and
  reduce SAQ D compliance effort and costs
Scoping Principles
• Find where data is using detailed flow and
  location analysis along with data discovery
  tools
• If you find it and don’t need it, get rid of it
  – Remove historical data
  – Secure data deletion process
  – Change process to eliminate need
• Search regularly for card data
• Remember: where there is card
  data, there is PCI DSS scope!
Found it! Now What?
• Identify network segment(s) where card data is
  stored, processed, or transmitted
• Watch for network segments “traversed” by streams
  of card data on its way elsewhere
• Include any process where card data is placed on
  media (paper, tape, CD, etc.)
• Remember:
  • Encrypted data is in scope
    where decryption keys are present
  • Call center segments
    viewing full PAN data should be in scope
  • Securely delete any unsecure data not needed
SAQ D-DAY!
• Done: Research, planning, targeting, and
  discovery steps
• Let’s attack SAQ D in detail
PCI DSS SAQ D Summary
• Build and Maintain a Secure Network
  – Req. 1: Install and maintain a firewall configuration to protect
    cardholder data
  – Req. 2: Do not use vendor-supplied defaults for system
    passwords and other security parameters
• Protect Cardholder Data
  – Req. 3: Protect cardholder data (encrypt or mask)
  – Req. 4: Encrypt transmission of cardholder data across
    open, public networks
• Maintain a Vulnerability Management Program
  – Req. 5: Use and regularly update anti-virus software
  – Req. 6: Develop and maintain secure systems and
    applications
PCI DSS SAQ D Summary
• Implement Strong Access Control Measures
  – Req. 7: Restrict access to cardholder data by business need-to-know
  – Req. 8: Assign unique ID to each person with computer
    access
  – Req. 9: Restrict physical access to cardholder data
• Monitor and Test Networks
  – Req. 10: Track and monitor all access to network resources
    and cardholder data
  – Req. 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  – Req. 12: Maintain documented policy and procedures that
    address information security
SAQ D Requirement 1
• Document and maintain firewall configuration standards (1.1)
  – Need formal process for approving and auditing firewall rules
    quarterly
  – Document all port traffic in/out and provide justification
  – Accurate network and transaction flow diagrams
• Secure network firewall architecture (1.2-1.4)
  – Create DMZ and Secure Zone (2-tiered firewall
    architecture), prohibit direct public access to zone where data is
    stored, protect internal IPs
  – Control and limit all inbound/outbound network traffic
  – Segment cardholder network from wireless or other network
    segments
  – Use personal firewalls on mobile/personal
    computers
SAQ D – Network Example
[Network diagram: Strong Edge Firewall & IDS; Isolate Wireless; Dedicated DMZ; 2nd Firewall; Separate Office Zone; Dedicated Secure Zone. Segment the network to minimize scope!]
Network Scoping and Segmentation

• Card network stores/processes/transmits card
  data
• Most networks are not designed for PCI compliance.
• Card processing systems are often mixed in with
  back office systems (one big flat network)
• “Adequate network segmentation, which isolates
  systems that store, process, or transmit cardholder
  data from those that do not, may reduce the scope
  of the cardholder data environment.” (PCI DSS 1.1
  Page 2)
SAQ D Requirement 2
• Change or do not use vendor-supplied defaults
  – Change defaults before adding system component to the
    cardholder network (passwords, SNMP, wireless settings)
• Develop and maintain system configuration standards
  – Create system component configuration standards based on
    industry best practice guidelines (CIS, NIST, etc.)
  – One primary function per server (or virtual server)
  – Disable unnecessary services/functions
• Use encrypted non-console admin access tools
  – SSH, RDP, VPN, SSL/TLS
SAQ D Requirement 3
• Protect stored data
  – Minimize confidential information storage, define
    policy/procedure for removing old data
  – Do not store sensitive authentication data
    subsequent to an authorization event (not even if
    encrypted)
     • Track data, card identification number, PIN, PIN block
  – Mask (truncate) account data when displayed
    (last 4 numbers are max that can be displayed)
     • Don’t store masked and hashed PAN together
SAQ D Requirement 3
• Render PAN data unreadable anywhere it is stored
  – Strong 1-way hashing functions (SHA-1)
  – Truncate data (e.g. - first 6 last 4)
  – Use strong cryptography
     • Strong algorithms (3DES, AES, RSA, etc.)
     • Proper key length for the algorithm (e.g. for AES 128 bits or more)

• Strong encryption key management processes
  – Protect Data Encryption Key (DEK) from disclosure and misuse
  – Secure key storage (encrypt DEK)
  – Periodic key changes at end of a defined crypto period
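The rendering options above, worked as an added example that is not from the slides: display masking down to the last four, first-six/last-four truncation, and a one-way hash. The hash here is an HMAC with a secret key rather than the bare SHA-1 the slide lists, because once the truncated form is known an unkeyed hash leaves only the middle digits to enumerate, which is exactly why the slide says not to store the masked and hashed PAN together; the record check enforces that rule. The key handling is an assumption (generate and store it under the 3.5/3.6 key management process).

```python
import hashlib
import hmac
import re
import secrets


def normalize(pan: str) -> str:
    """Strip the spaces/dashes people type and insist on a plausible PAN length."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def mask_for_display(pan: str) -> str:
    """Display form: the last four digits are the most that may be shown."""
    digits = normalize(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def truncate_for_storage(pan: str) -> str:
    """Storage form from the slide: first six (issuer) and last four kept, middle gone."""
    digits = normalize(pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def new_hash_key() -> bytes:
    """256-bit secret, managed like any other key (stored apart from the data, rotated)."""
    return secrets.token_bytes(32)


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) of the normalized PAN.

    Unkeyed hashing is weak next to a truncated copy: for a 16-digit PAN with the first
    six and last four known, only 10**6 middle values exist (about 10**5 after Luhn),
    so the hash could be matched by enumeration. The secret key removes that shortcut.
    """
    return hmac.new(key, normalize(pan).encode(), hashlib.sha256).hexdigest()


def build_record(pan: str, key: bytes, keep: str = "hash") -> dict:
    """Store exactly one unreadable form next to the display mask, never both."""
    record = {"display": mask_for_display(pan)}
    if keep == "hash":
        record["pan_hash"] = hash_pan(pan, key)
    elif keep == "truncated":
        record["pan_truncated"] = truncate_for_storage(pan)
    else:
        raise ValueError("keep must be 'hash' or 'truncated'")
    return record


def record_is_compliant(record: dict) -> bool:
    """Policy check for a stored record: the slide's rule plus the display limit."""
    if "pan_hash" in record and "pan_truncated" in record:
        return False                      # together they give the PAN away
    shown = sum(ch.isdigit() for ch in record.get("display", ""))
    return shown <= 4


if __name__ == "__main__":
    key = new_hash_key()
    rec = build_record("4111 1111 1111 1111", key)
    print(rec, record_is_compliant(rec))
```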
What is Sensitive Auth Data?
• Track or mag stripe data
  – Used to duplicate a plastic card
    • Track 1: %B4111111111111111^Public John Q.^080910100876000
    • Track 2: 4111111111111111=0809101543219987000
  – Violation to store Track 1 or 2, even if encrypted
    • Exception: some “store and forward” situations are allowed if
      no authorization event occurs
• Card identification number
  – Violation to store even if encrypted
    • Exception: can be stored encrypted prior to “authorization
      event”
• PIN number or encrypted PIN block
Encryption & Key Management
• Don’t use weak, or non-industry standard encryption
  algorithms
• Most common problem with encryption is insecure
  encryption key management
• Look carefully at SAQ D sections 3.5-3.6 for correct
  key management practices, work with a QSA on a key
  management scheme
SAQ D Requirement 4
• Encrypt sensitive data over public networks
   – Use strong cryptography to protect card data as it
     traverses a public network (SSL/TLS, IPSEC, etc.)
   – Open (insecure) network examples: Internet, Wi-Fi, GSM, GPRS, satellite
   – Use strong encryption method if sending card PAN via
     e-mail (be careful where email stored)
• Protect card data flowing over wireless networks
   – Use WPA/WPA2 (WEP not allowed)
SAQ D Requirement 5
• Anti-Virus/Anti-Malware
 – Deploy anti-virus software on all systems in the
   card environment commonly affected by
   malicious software
 – Software must detect and clean other types of
   malware (spyware, adware)
 – Ensure anti-virus / anti-malware software and
   signatures are up to date
 – Ensure anti-virus / anti-malware software
   generates logs and keep the logs
SAQ D Requirement 6
• Patch Management and Change Control
 – Ensure system components and software are up to date (install relevant
   security patches within 30 days)
 – Keep up on newly discovered vulnerabilities that may affect systems
   or software; assign a risk ranking to each discovered vulnerability
 – Document and follow change control procedures
    • Track all system and software configuration changes
      (e.g. - network components, servers, software, etc.)
• Secure Software Processes
 – Use PA-DSS validated software, install it correctly
 – If you develop your own software (web or client), SAQ D 6.3, 6.5, and 6.6
   become very important and difficult; get help from a QSA
SAQ D Requirement 7
• Limit access to computing
  resources and cardholder
  information to only those with a
  “need-to-know”
• Ensure systems have
  automated access control
  systems implemented
• Have a traceable process for
  granting/denying access to
  cardholder network systems
  based on job role
SAQ D Requirement 8
• Protect access to the cardholder data network
  – All users must have unique IDs to access cardholder
    network systems
  – All users must authenticate to the systems using a
    password (or token, or biometric)
  – All passwords must be stored encrypted
  – Remote access into the cardholder network must be
    secured by 2-factor authentication
    • Something you know (a password), and something you have
      (token or certificate)
    • Examples: RADIUS, TACACS, VPN with individual
      certificates, key fob, etc.
SAQ D Requirement 8
• User and password management
 – Process to control addition/deletion of users
 – Verify identity before password resets, use strong
   initial passwords
 – Revoke access of terminated users, remove inactive
   accounts every 90 days
 – No “group” or shared user IDs or passwords
 – Change passwords every 90 days, keep history
 – Password strength: 7+ chars, alpha/numeric
 – Lock after 6 invalid logins for at least 30 min
 – Idle session timeout of 15 min (can be screen saver)
SAQ D Requirement 9
• Physical security of facilities
  – Control access to physical
    location of cardholder network
    systems
  – Video and/or access control
    mechanisms in data center, store
    video data at least 3 months
  – Restrict access to network
    jacks, wireless access
    points, network hardware, and
    handheld devices
SAQ D Requirement 9
• Employee controls
 – Must be able to distinguish
   employees from visitors (ID
   badges or other means)
 – In sensitive areas: visitors
   must be authorized, sign log,
   be given physical token of
   visitor status that expires, and
   surrender token upon leaving
SAQ D Requirement 9
• Controls over the storage of media
  – Physically secure all electronic or paper media that
    contains cardholder data
  – Store media backups in secure location, preferably off-site
  – Maintain strict control over internal/external
    distribution of media
    • Management must approve all distribution of media
    • Classify media so it can be identified as confidential
    • Use secured courier or delivery mechanism that can be tracked
    • Inventory all distributed media
  – Destroy media when no longer in use
    (shred, degauss, physically destroy, etc.)
SAQ D Requirement 10
• Track & monitor access to systems in the
  cardholder network
  – Enable audit logging on all systems handling
    cardholder data
  – Implement log monitoring and notification software
    (review daily)
  – Track all privileged access to credit card data outside
    of defined payment applications
  – Centralize the storage of audit logs. Include all logs
    (system, application, firewall, IDS, web…)
  – Protect audit logs from modification
  – Sync system time throughout the cardholder network
    to a known, protected source
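A small log review routine, added as an example (not the slides' or any product's code), that checks two of the controls above over constructed log lines: the Requirement 8 lockout after 6 invalid logins for 30 minutes, including a successful login that should have been blocked, and privileged access to the card database by anything other than the defined payment application. The log formats, host names, account names and database name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the Requirement 8 slide
LOCKOUT_THRESHOLD = 6
FAIL_WINDOW = timedelta(minutes=30)
LOCKOUT_DURATION = timedelta(minutes=30)
# Assumptions: the accounts the defined payment application uses, and the card database
PAYMENT_APP_ACCOUNTS = {"posapp"}
CARD_DATABASES = {"cards"}

# Constructed line formats: syslog-style sshd lines and an invented database audit line
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
DB_RE = re.compile(r"^(\S+) (\S+) mysqld: Access granted for user '(\S+)' to database '(\S+)'$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def review_logs(lines) -> list:
    """Apply both rules to the lines in time order and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked_until = {}               # user -> time the lockout should still be in force
    for raw in lines:
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            when, host, result, user, src = m.groups()
            ts = parse_ts(when)
            if result == "Failed":
                q = failures[user]
                q.append(ts)
                while q and ts - q[0] > FAIL_WINDOW:
                    q.popleft()           # drop failures older than the window
                if len(q) >= LOCKOUT_THRESHOLD:
                    locked_until[user] = ts + LOCKOUT_DURATION
                    q.clear()
                    alerts.append({"rule": "lockout_threshold", "user": user, "host": host,
                                   "when": when, "detail": f"{LOCKOUT_THRESHOLD} failures from {src}"})
            elif user in locked_until and ts < locked_until[user]:
                # Control check: a success inside the lockout window means the lockout did not hold
                alerts.append({"rule": "login_during_lockout", "user": user, "host": host,
                               "when": when, "detail": f"accepted from {src}"})
            continue
        m = DB_RE.match(line)
        if m:
            when, host, user, db = m.groups()
            if db in CARD_DATABASES and user not in PAYMENT_APP_ACCOUNTS:
                alerts.append({"rule": "card_db_access_outside_payment_app", "user": user,
                               "host": host, "when": when, "detail": f"database {db}"})
    return alerts


# Constructed sample log: six failures for jsmith inside 30 minutes, a success five
# minutes later, one stray failure for mlee, and two logins to the card database.
SAMPLE_LOG = """\
2011-03-02T09:58:10Z pos01 sshd: Failed password for jsmith from 10.0.5.7
2011-03-02T09:58:40Z pos01 sshd: Failed password for jsmith from 10.0.5.7
2011-03-02T09:59:05Z pos01 sshd: Failed password for jsmith from 10.0.5.7
2011-03-02T09:59:30Z pos01 sshd: Failed password for jsmith from 10.0.5.7
2011-03-02T10:00:01Z pos01 sshd: Failed password for jsmith from 10.0.5.7
2011-03-02T10:00:20Z pos01 sshd: Failed password for jsmith from 10.0.5.7
2011-03-02T10:05:00Z pos01 sshd: Accepted password for jsmith from 10.0.5.7
2011-03-02T10:15:00Z pos02 sshd: Failed password for mlee from 10.0.5.9
2011-03-02T10:30:00Z db01 mysqld: Access granted for user 'posapp' to database 'cards'
2011-03-02T10:31:00Z db01 mysqld: Access granted for user 'dba' to database 'cards'
2011-03-02T10:32:00Z db01 mysqld: Access granted for user 'dba' to database 'inventory'
"""

if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run daily over the centralized logs; the third rule-free line for `dba` shows that access to a non-card database raises nothing.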
SAQ D Requirement 11
• Regularly test security systems
  – Quarterly external & internal vulnerability scans
    • PCI authorized scan vendor for external testing, internal testing
      can be done with VA scanning tools
    • Act on scan results until the scans are running clean
  – Conduct external penetration testing
    • Annually or after any significant infrastructure or application
      upgrade or modification
    • Testing conducted by experienced penetration tester who is not
      part of the card network admin team
    • Must include both network and application layer testing
  – Intrusion Detection System monitors all traffic
  – File Integrity Monitoring software watching critical files
SAQ D Requirement 12
• Document Information Security Policy and
  Procedures
  – Develop, maintain, and publish infosec policies to
    address all PCI requirements
  – Review policy and conduct risk assessment annually
  – Develop daily operational security procedures to
    ensure continued PCI compliance (watch
    logs, updates, etc.)
  – Develop employee acceptable use policies for
    employee facing technologies
    (modem, network, wireless, etc.)
SAQ D Requirement 12
• Document Information Security Policy and
  Procedures
  – Define management responsibilities (policy, control
    access, monitor alerts, incident response, etc.)
  – Develop & implement a security awareness program
  – Background check potential or new employees
  – 3rd parties that receive card data from you must have
    contractual language to follow PCI DSS
  – Develop, distribute and periodically test an Incident
    Response Plan
Documentation Hurdles
• Amount of documentation and process
  development/rollout is a big deal for
  successful SAQ D compliance effort
• Must be comprehensive and
  implemented across the board
• Don’t depend on “employee memory”
• Carefully document security
  procedures and policies, train
  employees periodically
• Good data security starts from the top
  down, not from the IT staff up!
Why Go Through All This Work?
Compromise: Hospitality Industry
• Network vulnerabilities found:
  – Insecure remote access
  – Common default passwords
  – Logging not enabled, not watching logs
  – Flat network design - limited or no segmentation
  – No IDS/IPS in place
• Attack vectors included:
  – Compromised remote access
  – Installed suite of malware: processor memory dump program,
    parser looking for credit card data in dump files, shared folder
    search app that looked for passwords, credit card numbers,
    social security numbers, etc.
What Did It Cost?
• Bottom line costs:
  – Cost of the forensic investigation: $32,000
  – Number of cards stolen: 150,000
  – Fines: $80,000
  – Reimbursement for fraudulent use: $440,000

• All this from just two sites involved in the
  compromise
Emerging Technologies
• Tokenization
• Point to Point Encryption (P2PE)
• Mobile payment technologies
Tokenization
• Token representing PAN is returned from the
  gateway/processor, eliminates storage risk
• No storage of sensitive PAN data which reduces PCI-DSS
  requirements but PAN data is still transmitted (potential
  reduction of validation to SAQ C)
• Biggest advantage: Tokens have no value unless
  redeemed, can potentially store tokens outside of CDE
  without impacting PCI scope
• Historical PAN data must be tokenized or removed
• Many processors/gateways are beginning to support
  tokenization, but switching processors may be harder
• Best if integrated with Point-to-Point Encryption solution
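A toy token vault, added as an example (not any processor's or gateway's implementation), showing the properties the slide lists: the merchant keeps only a token, the same card always maps to the same token through a keyed lookup index, tokens preserve length and last four but deliberately fail the Luhn check so they have no value and cannot pass as a PAN, and only the vault can redeem them. The in-memory stores and the index key are assumptions; a real vault encrypts the token-to-PAN store.

```python
import hashlib
import hmac
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every issued PAN passes; tokens are built to fail it."""
    total = sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if int(c) > 4 else int(c) * 2)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0


def normalize(pan: str) -> str:
    """Strip separators and reject anything that is not a valid PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits


class TokenVault:
    """The gateway/processor side. Only this object can turn a token back into a PAN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the PAN -> token lookup index
        self._by_index = {}           # HMAC(PAN) -> token, so raw PANs are never used as keys
        self._by_token = {}           # token -> PAN (assumption: encrypted at rest in a real vault)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Format-preserving: same length, same last four for receipts and lookups,
        random body, and it must fail Luhn so it can never be mistaken for a real PAN."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = body + pan[-4:]
            if not luhn_ok(candidate) and candidate not in self._by_token:
                return candidate

    def tokenize(self, pan: str) -> str:
        """Same card -> same token, so repeat customers can still be recognised."""
        pan = normalize(pan)
        idx = self._index(pan)
        token = self._by_index.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._by_index[idx] = token
            self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Redemption, only ever performed inside the vault/processor boundary."""
        return self._by_token[token]


def merchant_checkout(vault: TokenVault, pan: str, order_id: str) -> dict:
    """What the merchant system keeps after a sale: the token, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "last4": token[-4:]}


def looks_like_live_pan(value: str) -> bool:
    """Discovery-time test for historical data: a stored value that passes Luhn is a PAN, not a token."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    order = merchant_checkout(vault, "4111 1111 1111 1111", "A100")
    print(order, looks_like_live_pan(order["card_token"]))
```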
Point to Point Encryption
• All card data is encrypted by the swipe device hardware; no
  cleartext data enters merchant POS systems
• Merchant does not have keys that can decrypt the data
• Has potential for a large reduction in scope since internal
  systems never see or transmit usable card data
• Could lower PCI-DSS assessment scope, but new hardware and
  services would have to be purchased
• Format Preserving Encryption has potential for integration
  with legacy software (PCI-SSC still “in session” on FPE issues)
Taking Mobile Payments
• Security issues:
  – Smart phone malware potential
  – Many other end user technologies potentially in use
    on the devices (SMS, web browsing, Wi-Fi, etc.)
  – Hard to control the personal device security
• P2PE and EMV technologies help with “encrypt at
  swipe” card reader, but manual transaction entry
  still a problem
• Long term: “sandbox” the payment app to run in a
  dedicated secure environment, requires new
  mobile hardware
• More guidelines from PCI SSC expected soon
Wrap Up
• PCI DSS compliance and validation is
  typically not a quick easy process
  – Know where the card data is!
  – Take time to really understand the SAQ D
    requirements and your card network
  – Plan on sufficient time for the effort
• Consider consulting with a QSA even if just
  filling out an SAQ
• Remember, compliance is often more work
  than just SAQ validation
Don’t Give Up!

How To: The PCI Self-Assessment Questionnaire (SAQ)

Recon: Card Data & Process
• Like camouflaged ground forces, unsecured card data and processes using card data can hide in rough terrain and go unnoticed until it’s too late
• Careful tracing and documentation of all processes that deal with card data is essential
• Search even locations/processes you think are “clean”

Weapons for Card Discovery
• A good discovery tool…
• Automated, exhaustive search capability
  – Hard drives, systems, networks, attached storage devices, etc.
  – Finds unencrypted PAN and magnetic stripe (track) data
• Generates easy-to-understand reports
• Shows count and location of payment card data found
• Low false positive rate

Available Data Search Tools
• Payment card data search tools available to use on systems:
  – PANscan®: https://securitymetrics.com/sm/PANscan/
  – SENF: http://www.utexas.edu/its/products/senf/
  – SPIDER: http://www.cit.cornell.edu/security/tools/

Where to Look?
• Obvious locations:
  – Systems involved in storage, transmission, or processing of card data
  – POS systems, web servers, customer service workstations, etc.
  – Database servers
  – Decommissioned systems
  – System backup locations

Where to Look?
• Look outside the typical cardholder data network:
  – Accounting/Finance: spreadsheets from banks, stored reports, etc.
  – Sales: faxed forms (printed or digital), e-mail from sales reps, etc.
  – Marketing: access to transaction databases/logs for research, etc.

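The discovery tool the last four slides describe, reduced to its core, as an added example (this is not PANscan or any other product's code, and not part of the original deck). It walks a directory tree, pulls digit runs that look like a PAN out of each file, keeps only those that pass the Luhn check and carry a plausible issuer prefix, and reports a count per file with the PAN truncated to first six / last four, so the report itself never becomes another place where full PANs are stored. The issuer-prefix table is a coarse assumption (not a real BIN list), and the files written by `demo()` are constructed sample data.

```python
"""Cardholder-data discovery scanner (added example, not from the deck)."""
import os
import re
import tempfile
from typing import Dict, List

# 13-19 digits, allowing the space/dash separators people type into spreadsheets and notes.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Coarse issuer-prefix filter (assumption: adequate for the demo, not a full BIN table).
ISSUER_PREFIX = re.compile(r"^(4|5[1-5]|2[2-7]|3[47]|6(?:011|5))")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the standard way to discard random digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """First six and last four, the most PCI DSS 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Distinct PANs in `text` after Luhn and issuer-prefix filtering."""
    found: List[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1:            # 0000.../4444... style filler, never a real card
            continue
        if ISSUER_PREFIX.match(digits) and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def scan_tree(root: str, max_bytes: int = 50_000_000) -> Dict[str, List[str]]:
    """Scan every regular file under `root`; returns {path: [truncated PANs]} for files with hits."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            # Lenient decode: PANs inside a memory dump or an odd code page still surface.
            hits = find_pans(data.decode("latin-1"))
            if hits:
                report[path] = [truncate(p) for p in hits]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a 'clean' phone list and a finance export holding two real-looking PANs."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "chargebacks.csv"), "w") as fh:
            fh.write("date,card,amount\n2024-04-02,4111 1111 1111 1111,19.99\n"
                     "2024-04-03,378282246310005,250.00\n2024-04-03,4111-1111-1111-1112,1.00\n")
        with open(os.path.join(root, "phones.txt"), "w") as fh:
            fh.write("helpdesk 555-123-4567, ticket 1234567890123\n")
        return {os.path.relpath(p, root): v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for path, pans in demo().items():
        print(f"{path}: {len(pans)} PAN(s) {pans}")
```

The third value in the constructed CSV fails the Luhn check and is dropped, and the 13-digit ticket number is dropped by the prefix filter; that is where the "low false positive rate" the slide asks for comes from. Run it against a real share only with the report going somewhere access-controlled.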
Targeting SAQ D Scope
• “The cardholder data environment (CDE) is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data” – PCI DSS
• PCI DSS applies to all system components included in or connected to the CDE
• Minimize where card data is handled to reduce SAQ D compliance effort and cost

Scoping Principles
• Find where data is using detailed flow and location analysis along with data discovery tools
• If you find it and don’t need it, get rid of it
  – Remove historical data
  – Secure data deletion process
  – Change the process to eliminate the need
• Search regularly for card data
• Remember: where there is card data, there is PCI DSS scope!

Found it! Now What?
• Identify network segment(s) where card data is stored, processed, or transmitted
• Watch for network segments “traversed” by streams of card data on their way elsewhere
• Include any process where card data is placed on media (paper, tape, CD, etc.)
• Remember:
  – Encrypted data is still in scope wherever the decryption keys are present; encryption alone does not take a system out of scope
  – Call center segments viewing full PAN data should be in scope
  – Securely delete any unsecured data that is not needed

SAQ D-DAY!
• Done: research, planning, targeting, and discovery steps
• Let’s attack SAQ D in detail

PCI DSS SAQ D Summary
• Build and Maintain a Secure Network
  – Req. 1: Install and maintain a firewall configuration to protect cardholder data
  – Req. 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – Req. 3: Protect stored cardholder data (encrypt, hash, or truncate)
  – Req. 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – Req. 5: Use and regularly update anti-virus software
  – Req. 6: Develop and maintain secure systems and applications

PCI DSS SAQ D Summary
• Implement Strong Access Control Measures
  – Req. 7: Restrict access to cardholder data by business need-to-know
  – Req. 8: Assign a unique ID to each person with computer access
  – Req. 9: Restrict physical access to cardholder data
• Monitor and Test Networks
  – Req. 10: Track and monitor all access to network resources and cardholder data
  – Req. 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  – Req. 12: Maintain documented policy and procedures that address information security

SAQ D Requirement 1
• Document and maintain firewall configuration standards (1.1)
  – Formal process for approving and testing every rule change; rule sets reviewed at least every six months (1.1.6), quarterly is good practice
  – Document every port/service allowed in or out with a business justification
  – Accurate network and card data (transaction) flow diagrams
• Secure network firewall architecture (1.2–1.4)
  – Create a DMZ and a secure zone (two-tiered firewall architecture), prohibit direct public access to the zone where data is stored, and prevent disclosure of internal IP addresses (NAT)
  – Control and limit all inbound/outbound network traffic; deny everything not explicitly allowed
  – Segment the cardholder network from wireless and other network segments
  – Use personal firewalls on mobile/employee-owned computers that connect to the cardholder network

SAQ D – Network Example
[Diagram: strong edge firewall with IDS; isolated wireless; dedicated DMZ; separate office zone; second firewall; dedicated secure zone]
• Segment the network to minimize scope!

Network Scoping and Segmentation
• The card network stores, processes, or transmits card data
• Most networks were not designed for PCI compliance
• Card processing systems are often mixed in with back-office systems (one big flat network)
• “Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.” (PCI DSS 1.1, page 2)

SAQ D Requirement 2
• Change or do not use vendor-supplied defaults
  – Change defaults before adding a system component to the cardholder network (passwords, SNMP community strings, wireless settings)
• Develop and maintain system configuration standards
  – Base system component configuration standards on industry hardening guides (CIS, NIST, etc.)
  – One primary function per server (or virtual server)
  – Disable unnecessary services/functions
• Use encrypted non-console admin access
  – SSH, RDP (with TLS), VPN, SSL/TLS; never telnet or plain HTTP for administration

SAQ D Requirement 3
• Protect stored data
  – Minimize storage of confidential information; define policy/procedure for removing old data
  – Do not store sensitive authentication data after authorization (not even if encrypted)
    • Full track data, card verification code (CVV2/CVC2/CID), PIN or PIN block
  – Mask the PAN when displayed: the first six and last four digits are the most that may be shown (3.3)
  – Don’t store truncated and hashed versions of the same PAN together; the pair makes the full PAN trivial to reconstruct

SAQ D Requirement 3
• Render PAN data unreadable anywhere it is stored
  – Strong one-way hash of the entire PAN (SHA-1 is listed here; because a PAN has little entropy, prefer a keyed hash such as HMAC-SHA-256 with a managed secret key over any unsalted hash)
  – Truncation (e.g. first 6 / last 4)
  – Strong cryptography
    • Strong algorithms (AES, three-key 3DES, RSA, etc.)
    • Proper key length for the algorithm (e.g. 128 bits or more for AES; 2048 bits or more for RSA by current guidance)
• Strong encryption key management processes
  – Protect the data encryption key (DEK) from disclosure and misuse
  – Secure key storage (encrypt the DEK under a key-encrypting key kept separately)
  – Periodic key changes at the end of a defined cryptoperiod

What is Sensitive Auth Data?
• Track or magnetic stripe data
  – Everything needed to duplicate a plastic card
  – Track 1: %B4111111111111111^Public John Q.^080910100876000
  – Track 2: 4111111111111111=0809101543219987000
  – Violation to store Track 1 or 2 after authorization, even if encrypted
    • Exception: some “store and forward” situations are allowed while no authorization event has yet occurred
• Card verification code (CVV2/CVC2/CID)
  – Violation to store after authorization, even if encrypted
    • Exception: can be stored (encrypted) prior to the “authorization event”
• PIN or encrypted PIN block

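A decoder for the two track layouts shown on the slide, as an added example (not from the deck). Track 1 is `%B<PAN>^<NAME>^<YYMM><service code><discretionary data>?` and Track 2 is `;<PAN>=<YYMM><service code><discretionary data>?` (ISO/IEC 7813); the sentinels and the trailing LRC are often missing from data that leaked into a log or a memory dump, so the patterns treat them as optional. This is what a triage of a RAM-scraper dump or a POS debug log looks for, and the output keeps the PAN truncated so the triage report is not itself a violation. The interchange table covers only the first digit of the service code, an assumption that is enough for triage; the sample input is constructed from the slide's two strings.

```python
"""Recognize and decode magnetic-stripe track data in arbitrary text (added example)."""
import re
from typing import Dict, List

TRACK1 = re.compile(r"%?B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})([^?;%\s]*)\??")
TRACK2 = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

# ISO/IEC 7813 service code, first digit (interchange designator). Assumption: this
# short table is enough for triage; the other two positions are reported raw.
INTERCHANGE = {"1": "international", "2": "international, IC (chip) preferred",
               "5": "national", "6": "national, IC (chip) preferred"}


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _record(track: int, pan: str, name: str, yymm: str, service: str, disc: str) -> Dict[str, object]:
    return {
        "track": track,
        "pan": truncate(pan),                       # never carry the full PAN into the report
        "luhn_ok": luhn_ok(pan),
        "name": name.strip(),
        "expiry": f"20{yymm[:2]}-{yymm[2:]}",       # YYMM on the stripe; 20xx century assumed
        "service_code": service,
        "interchange": INTERCHANGE.get(service[0], "other/unknown"),
        "discretionary_len": len(disc),             # CVV1/PVV live here; length only, never the value
    }


def find_track_data(text: str) -> List[Dict[str, object]]:
    """Return decoded Track 1 and Track 2 records found in `text`, with PANs already truncated."""
    records: List[Dict[str, object]] = []
    for m in TRACK1.finditer(text):
        pan, name, yymm, svc, disc = m.groups()
        if 1 <= int(yymm[2:]) <= 12:                # plausible month cuts false positives
            records.append(_record(1, pan, name, yymm, svc, disc))
    for m in TRACK2.finditer(text):
        pan, yymm, svc, disc = m.groups()
        if 1 <= int(yymm[2:]) <= 12:
            records.append(_record(2, pan, "", yymm, svc, disc))
    return records


if __name__ == "__main__":
    # Constructed input: the slide's two samples as they might sit in a POS debug log.
    sample = ("swipe ok: %B4111111111111111^Public John Q.^080910100876000?\n"
              "raw: 4111111111111111=0809101543219987000\n")
    for rec in find_track_data(sample):
        print(rec)
```

Seeing the fields decoded makes the slide's point concrete: a Track 2 string alone carries the PAN, the expiry and the service code, which is everything a card-cloning rig needs, so a single log line containing it is a stored-SAD finding regardless of whether the rest of the system is encrypted.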
Encryption & Key Management
• Don’t use weak or non-industry-standard encryption algorithms
• The most common problem with encryption is insecure encryption key management
• Look carefully at SAQ D sections 3.5–3.6 for correct key management practices; work with a QSA on a key management scheme

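Why the previous three slides say not to keep a truncated PAN next to a hash of the same PAN, and why the key management they stress is the actual control: an added example, not from the deck. A 16-digit PAN has little entropy once its truncated form is known: the first six (issuer BIN) and last four are given, six middle digits remain, and the Luhn check digit (already inside the last four) forces one of them, leaving 10^5 candidates. `recover_pan()` walks only those Luhn-valid candidates by solving the forced digit rather than testing all 10^6, and reverses an unsalted SHA-1 (SHA-256 would be no better) in well under a second. `keyed_hash()` is the fix: an HMAC under a secret that lives in the requirement 3.5/3.6 key-management scheme, so an attacker without the key has nothing to enumerate against. The PAN and the keys are constructed test values.

```python
"""Truncated + unsalted-hashed PAN recovery, and the keyed-hash mitigation (added example)."""
import hashlib
import hmac
import itertools
from typing import Callable, Optional


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """First six / last four: what a masked display or a truncated column holds."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unsalted_hash(pan: str) -> str:
    """The weak construction behind the deck's SHA-1 bullet."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed one-way function: same lookup-table usability, no offline enumeration without `key`."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, target: str,
                hash_fn: Callable[[str], str] = unsalted_hash) -> Optional[str]:
    """Given 'BBBBBB******LLLL' and hash_fn(PAN), return the PAN, or None if hash_fn is not reproducible."""
    n = len(truncated)
    first6, last4 = truncated[:6], truncated[-4:]

    def contrib(d: int, left_pos: int) -> int:
        # Luhn weight: digits at odd distance from the right are doubled (minus 9 when > 9).
        if (n - 1 - left_pos) % 2 == 1:
            return 2 * d - 9 if d > 4 else 2 * d
        return d

    known = sum(contrib(int(c), i) for i, c in enumerate(first6)) \
        + sum(contrib(int(c), n - 4 + i) for i, c in enumerate(last4))
    forced_pos = n - 5                               # the last middle digit is fixed by the check digit
    inverse = {contrib(d, forced_pos): d for d in range(10)}   # contribution -> digit is a bijection

    for mid in itertools.product("0123456789", repeat=n - 11):
        partial = known + sum(contrib(int(c), 6 + i) for i, c in enumerate(mid))
        candidate = first6 + "".join(mid) + str(inverse[(-partial) % 10]) + last4
        if hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                          # constructed test PAN
    trunc = truncate(pan)
    print("truncated:", trunc, "-> recovered:", recover_pan(trunc, unsalted_hash(pan)))
    key = b"\x01" * 32                                # assumption: issued by the key-management system
    print("keyed hash, attacker guessing the key:",
          recover_pan(trunc, keyed_hash(pan, key), lambda p: keyed_hash(p, b"guess")))
```

Note what the keyed hash does and does not buy: someone who holds the key (an insider, or an attacker who finds it next to the data) recovers the PAN just as quickly, which is why the slide points at sections 3.5 and 3.6 rather than at the hash algorithm.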
SAQ D Requirement 4
• Encrypt sensitive data over public networks
  – Use strong cryptography to protect card data as it traverses a public network (TLS, IPsec, etc.); SSL and early TLS are no longer acceptable, so use TLS 1.2 or later
  – Open (insecure) network examples: Internet, Wi-Fi, GSM, GPRS, satellite
  – Use strong encryption if a PAN must be sent via e-mail (and be careful where the e-mail is stored)
• Protect card data flowing over wireless networks
  – Use WPA2 or later (WEP is not allowed; original WPA/TKIP is also deprecated)

SAQ D Requirement 5
• Anti-Virus/Anti-Malware
  – Deploy anti-virus software on all systems in the card environment commonly affected by malicious software
  – Software must detect and clean other types of malware (spyware, adware)
  – Ensure anti-virus/anti-malware software and signatures are up to date
  – Ensure anti-virus/anti-malware software generates logs, and keep the logs

SAQ D Requirement 6
• Patch Management and Change Control
  – Keep system components and software up to date (install relevant security patches within 30 days)
  – Keep up on newly discovered vulnerabilities that may affect systems or software; assign a risk ranking to each discovered vulnerability
  – Document and follow change control procedures
    • Track all system and software configuration changes (e.g. network components, servers, software, etc.)
• Secure Software Processes
  – Use PA-DSS validated software and install it according to its implementation guide
  – If you develop your own software (web or client), SAQ D 6.3, 6.5 and 6.6 become very important and difficult; get help from a QSA

SAQ D Requirement 7
• Limit access to computing resources and cardholder information to only those with a “need-to-know”
• Ensure systems have automated access control systems implemented
• Have a traceable process for granting/denying access to cardholder network systems based on job role

SAQ D Requirement 8
• Protect access to the cardholder data network
  – All users must have unique IDs to access cardholder network systems
  – All users must authenticate to the systems using a password (or token, or biometric)
  – All passwords must be rendered unreadable in storage and transmission with strong cryptography (stored passwords: salted one-way hash)
  – Remote access into the cardholder network must be secured by two-factor authentication
    • Something you know (a password) and something you have (token or certificate)
    • Examples: RADIUS or TACACS+ with tokens, VPN with individual certificates, hardware key fob, etc.

SAQ D Requirement 8
• User and password management
  – Process to control addition/deletion of users
  – Verify identity before password resets; use strong, unique initial passwords that must be changed on first use
  – Revoke access of terminated users immediately; remove accounts inactive for 90 days
  – No “group” or shared user IDs or passwords
  – Change passwords every 90 days; keep history (none of the last four passwords may be reused)
  – Password strength: 7+ characters, both letters and numbers
  – Lock out after 6 invalid login attempts for at least 30 minutes (or until an administrator re-enables the account)
  – Idle session timeout of 15 minutes (a password-protected screen saver counts)

SAQ D Requirement 9
• Physical security of facilities
  – Control access to the physical location of cardholder network systems
  – Video and/or access control mechanisms in the data center; store video data at least 3 months
  – Restrict access to network jacks, wireless access points, network hardware, and handheld devices

SAQ D Requirement 9
• Employee controls
  – Must be able to distinguish employees from visitors (ID badges or other means)
  – In sensitive areas: visitors must be authorized, sign a log, be given a physical token of visitor status that expires, and surrender the token upon leaving

SAQ D Requirement 9
• Controls over the storage of media
  – Physically secure all electronic or paper media that contains cardholder data
  – Store media backups in a secure location, preferably off-site
  – Maintain strict control over internal/external distribution of media
    • Management must approve all distribution of media
    • Classify media so it can be identified as confidential
    • Use a secured courier or delivery mechanism that can be tracked
    • Inventory all distributed media
  – Destroy media when no longer in use (shred, degauss, physically destroy, etc.)

SAQ D Requirement 10
• Track & monitor access to systems in the cardholder network
  – Enable audit logging on all systems handling cardholder data
  – Implement log monitoring and alerting software (review logs daily)
  – Track all privileged access to credit card data outside of the defined payment applications
  – Centralize the storage of audit logs; include all logs (system, application, firewall, IDS, web…)
  – Protect audit logs from modification; retain them at least a year, with three months immediately available
  – Sync system time throughout the cardholder network to a known, protected time source

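The daily log review this slide calls for, as code rather than as a task on a checklist; an added example, not from the deck. Three detections that map to the requirement: six or more failed logins for one account inside 30 minutes (the 8.5.13 lockout threshold, watched from the log side in case a host bypasses lockout), any access to a cardholder table by an account other than the payment application's service account (privileged access outside the payment application), and an audit log being cleared or stopped (10.5: logs must not be altered without a trace). The log lines are constructed for the example and follow an rsyslog-style `timestamp host program: message` layout; the `user= host= table= action=` fields in the database audit line are an assumption about how an audit plugin is configured.

```python
"""Daily log review: three requirement-10 detections over constructed sample lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE = re.compile(r"^(\S+) (\S+) ([^:\s]+): (.*)$")
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
DB_ACCESS = re.compile(r"user=(\S+) host=(\S+) table=(\S+) action=(\S+)")
LOG_TAMPER = re.compile(r"audit log (?:cleared|stopped|disabled)", re.IGNORECASE)

Alert = Tuple[str, str, str]   # (rule, subject, detail)


def review_logs(lines: List[str], app_accounts=("payapp",), card_tables=("cards",),
                threshold: int = 6, window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerted_users = set()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts_text, host, program, msg = m.groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")

        fl = FAILED_LOGIN.search(msg)
        if fl:
            user, src = fl.groups()
            recent = [t for t in failures[user] if ts - t <= window] + [ts]   # sliding window
            failures[user] = recent
            if len(recent) >= threshold and user not in alerted_users:
                alerted_users.add(user)
                alerts.append(("brute-force", user, f"{len(recent)} failures on {host}, last from {src}"))
            continue

        db = DB_ACCESS.search(msg)
        if db:
            user, src, table, action = db.groups()
            if table in card_tables and user not in app_accounts:
                alerts.append(("direct-cde-data-access", user, f"{action} on {table} from {src} via {host}"))
            continue

        if LOG_TAMPER.search(msg):
            alerts.append(("audit-log-cleared", host, f"{program}: {msg}"))
    return alerts


# Constructed sample: one night on a small card network.
SAMPLE = [
    "2024-05-01T02:14:07Z pos-01 sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 5123 ssh2",
    "2024-05-01T02:14:09Z pos-01 sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 5124 ssh2",
    "2024-05-01T02:14:12Z pos-01 sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 5125 ssh2",
    "2024-05-01T02:14:15Z pos-01 sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 5126 ssh2",
    "2024-05-01T02:14:18Z pos-01 sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 5127 ssh2",
    "2024-05-01T02:30:40Z pos-02 sshd[884]: Failed password for bob from 10.10.5.7 port 40122 ssh2",
    "2024-05-01T02:41:02Z pos-01 sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 5128 ssh2",
    "2024-05-01T03:02:10Z db-01 mysql-audit: user=payapp host=10.10.2.3 table=cards action=SELECT",
    "2024-05-01T03:05:55Z db-01 mysql-audit: user=jsmith host=10.10.5.7 table=cards action=SELECT",
    "2024-05-01T03:05:58Z db-01 mysql-audit: user=jsmith host=10.10.5.7 table=products action=SELECT",
    "2024-05-01T03:09:00Z pos-01 auditd[412]: audit log cleared by root",
]

if __name__ == "__main__":
    for rule, subject, detail in review_logs(SAMPLE):
        print(f"ALERT {rule:24} {subject:10} {detail}")
```

The sliding window is why the sixth failure at 02:41 still fires: it is within 30 minutes of the first five, while the single failure for `bob` and the `payapp` service account's own query stay quiet. All three rules depend on the clocks of pos-01 and db-01 agreeing, which is what the time-synchronization bullet is for.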
SAQ D Requirement 11
• Regularly test security systems
  – Quarterly external & internal vulnerability scans
    • External scans by a PCI Approved Scanning Vendor (ASV); internal scans can be done with your own VA scanning tools
    • Remediate and rescan until the scans run clean
  – Conduct penetration testing (external and internal)
    • Annually and after any significant infrastructure or application upgrade or modification
    • Performed by an experienced penetration tester who is not part of the card network admin team
    • Must include both network-layer and application-layer testing
  – Intrusion detection system monitoring all traffic at the perimeter and at critical points inside the CDE
  – File integrity monitoring software watching critical system and content files (comparison at least weekly)

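The file integrity monitoring bullet in miniature, as an added example (not from the deck and not any product's implementation). `build_baseline()` records SHA-256, size and mode for a set of critical files; `compare()` reports modified, added and missing files against the baseline. The baseline itself is sealed with an HMAC so that an attacker who changes a binary cannot simply re-baseline it; the key is an assumption here and would be held off the monitored host in practice. `demo()` runs a constructed scenario in a temporary directory: baseline two files, then patch one, delete one and drop in a new one.

```python
"""File-integrity monitoring baseline with a sealed baseline file (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Iterable, List


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """{path: {sha256, size, mode}} for every path that currently exists as a regular file."""
    baseline: Dict[str, Dict[str, object]] = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            baseline[p] = {"sha256": file_digest(p), "size": st.st_size, "mode": oct(st.st_mode & 0o777)}
    return baseline


def seal(baseline: Dict[str, Dict[str, object]], key: bytes) -> str:
    """Serialize the baseline with an HMAC so edits to the baseline file itself are detected."""
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "mac": mac})


def unseal(sealed: str, key: bytes) -> Dict[str, Dict[str, object]]:
    """Raise ValueError if the stored baseline was altered or the key is wrong."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline MAC mismatch: baseline file tampered or wrong key")
    return json.loads(doc["baseline"])


def compare(baseline: Dict[str, Dict[str, object]], paths: Iterable[str]) -> Dict[str, List[str]]:
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two critical files, then tamper with one, delete one, add one."""
    key = b"\x42" * 32                            # assumption: FIM key kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        cfg, binp, new = (os.path.join(d, n) for n in ("pos.conf", "payapp.exe", "dropper.dll"))
        _write(cfg, b"merchant_id=12345\n")
        _write(binp, b"\x4d\x5a original binary")
        sealed = seal(build_baseline([cfg, binp]), key)

        _write(binp, b"\x4d\x5a patched with a memory scraper")   # modified in place
        os.remove(cfg)                                             # missing
        _write(new, b"\x4d\x5a new")                               # added
        result = compare(unseal(sealed, key), [cfg, binp, new])
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

A real deployment schedules `compare()` at least weekly (daily is better on POS hosts), feeds the result into the requirement 10 log review, and keeps the sealed baseline on the central log server rather than beside the files it protects.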
SAQ D Requirement 12
• Document Information Security Policy and Procedures
  – Develop, maintain, and publish infosec policies that address all PCI requirements
  – Review the policy and conduct a risk assessment annually
  – Develop daily operational security procedures to ensure continued PCI compliance (watch logs, updates, etc.)
  – Develop employee acceptable use policies for employee-facing technologies (modem, network, wireless, etc.)

SAQ D Requirement 12
• Document Information Security Policy and Procedures
  – Define management responsibilities (policy, control access, monitor alerts, incident response, etc.)
  – Develop & implement a security awareness program
  – Background check potential or new employees
  – Third parties that receive card data from you must have contractual language to follow PCI DSS
  – Develop, distribute and periodically test an Incident Response Plan

Documentation Hurdles
• The amount of documentation and process development/rollout is a big deal in a successful SAQ D compliance effort
• Policies must be comprehensive and implemented across the board
• Don’t depend on “employee memory”
• Carefully document security procedures and policies; train employees periodically
• Good data security starts from the top down, not from the IT staff up!

Why Go Through All This Work?

Compromise: Hospitality Industry
• Network vulnerabilities found:
  – Insecure remote access
  – Common default passwords
  – Logging not enabled; nobody watching logs
  – Flat network design, limited or no segmentation
  – No IDS/IPS in place
• Attack vectors included:
  – Compromised remote access
  – Installed suite of malware: a memory dump program targeting the payment process, a parser looking for credit card data in the dump files, and a shared-folder search app looking for passwords, credit card numbers, social security numbers, etc.

What Did It Cost?
• Bottom-line costs:
  – Cost of the forensic investigation: $32,000
  – Number of cards stolen: 150,000
  – Fines: $80,000
  – Reimbursement for fraudulent use: $440,000
• All this from just two sites involved in the compromise

Emerging Technologies
• Tokenization
• Point to Point Encryption (P2PE)
• Mobile payment technologies

Tokenization
• A token representing the PAN is returned from the gateway/processor, eliminating storage risk
• No storage of sensitive PAN data, which reduces PCI DSS requirements, but PAN data is still transmitted (potential reduction of validation to SAQ C)
• Biggest advantage: tokens have no value unless redeemed, so they can potentially be stored outside the CDE without impacting PCI scope
• Historical PAN data must be tokenized or removed
• Many processors/gateways are beginning to support tokenization, but switching processors later may be harder
• Best if integrated with a Point-to-Point Encryption solution

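Tokenization in the shape this slide describes, as an added example (not from the deck, and not any processor's implementation). `TokenVault` is the part that runs at the gateway/processor and is the only place a token can be redeemed; `Merchant` is the part that stays in the merchant's systems and stores tokens only. Three design points are visible in the code: the same PAN always maps to the same token (recurring billing and refunds work without the PAN), the token keeps the last four digits for receipts, and tokens are generated so they fail the Luhn check, which keeps a discovery scan from confusing them with real PANs. The vault here keeps PANs in a plain dict; a real vault would encrypt them under HSM-managed keys (assumption), and the PAN and index key are constructed values.

```python
"""Token vault at the processor, token-only storage at the merchant (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Runs outside the merchant's environment; the only place a token can be redeemed."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key                      # keyed hash so the PAN->token index leaks nothing
        self._token_to_pan: Dict[str, str] = {}
        self._index_to_token: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        idx = self._index(pan)
        if idx in self._index_to_token:                  # same PAN, same token: recurring billing works
            return self._index_to_token[idx]
        while True:
            # Same length and last four as the PAN, random otherwise, and never Luhn-valid.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)


class Merchant:
    """Merchant systems: store and use tokens; never hold a PAN after the swipe."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.customer_records: Dict[str, str] = {}      # customer -> token, the only thing on disk

    def enroll(self, customer: str, pan: str) -> str:
        token = self._vault.tokenize(pan)               # PAN goes to the vault; only the token is retained
        self.customer_records[customer] = token
        return token

    def stored_pans(self) -> List[str]:
        """What a discovery scan would flag in merchant storage: Luhn-valid digit strings."""
        return [v for v in self.customer_records.values() if v.isdigit() and luhn_ok(v)]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    shop = Merchant(vault)
    t = shop.enroll("cust-001", "4111111111111111")      # constructed test PAN
    print("token:", t, "redeems to last four:", vault.detokenize(t)[-4:])
    print("PANs found in merchant storage:", shop.stored_pans())
```

The scope argument on the slide is visible in `stored_pans()`: after enrollment the merchant's records contain nothing a discovery tool would flag, while the `enroll()` call still transmits the PAN to the vault, which is why the slide says validation drops toward SAQ C rather than out of PCI DSS altogether.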
Point to Point Encryption
• All card data is encrypted by the swipe device hardware; no cleartext data enters merchant POS systems
• The merchant does not have keys that can decrypt the data
• Potential for a large reduction in scope, since internal systems never see or transmit usable card data
• Could lower PCI DSS assessment scope, but new hardware and services would have to be purchased
• Format Preserving Encryption has potential for integration with legacy software (PCI SSC still “in session” on FPE issues)

Taking Mobile Payments
• Security issues:
  – Smartphone malware potential
  – Many other end-user technologies potentially in use on the devices (SMS, web browsing, Wi-Fi, etc.)
  – Hard to control the security of a personal device
• P2PE and EMV technologies help with an “encrypt at swipe” card reader, but manual transaction entry is still a problem
• Long term: “sandbox” the payment app to run in a dedicated secure environment; requires new mobile hardware
• More guidelines from PCI SSC expected soon

Wrap Up
• PCI DSS compliance and validation is typically not a quick, easy process
  – Know where the card data is!
  – Take time to really understand the SAQ D requirements and your card network
  – Plan on sufficient time for the effort
• Consider consulting with a QSA even if you are just filling out an SAQ
• Remember: compliance is often more work than just SAQ validation