How To: The PCI Self-Assessment Questionnaire (SAQ)


Step into the intensity of the PCI Data Security Standard's (PCI DSS) most widely waged battlefield: the Self-Assessment Questionnaire D (SAQ D). From the civilian perspective of hospitality finance and technology professionals, navigate as a unit through the chaos with one goal in mind: to successfully complete the SAQ D. To train for this mission, the SAQ D is discussed in great detail, covering many aspects of its 240+ questions, along with tips and tricks to help complete the questionnaire. As in battle, attendees work together towards success by sharing their own SAQ D stories.


  1. SecurityMetrics SAQ D Boot Camp: Defeat by questionnaire is not acceptable!
  2. "All truths are easy to understand once they are discovered; the point is to discover them." – Galileo Galilei
  3. Summary of SAQs
     • SAQ A – Merchant outsources all card collection and processing
     • SAQ B – Merchant uses an analog phone-based POS terminal or the imprint method
     • SAQ C – Merchant processes and transmits card data but has no electronic storage
     • SAQ C-VT – Merchant does simple manual entry on a single virtual terminal
     • SAQ D – Merchant stores card data electronically in the card processing network (and any merchant not eligible for one of the shorter SAQs)
  4. What Do I Do With an SAQ?
     • The SAQ is a merchant's statement of PCI compliance
     • The acquiring bank, not the card brand or the PCI Council, asks the merchant for a completed SAQ
     • It is the acquiring bank's responsibility to track a merchant's PCI compliance
     • It is the merchant's responsibility to complete the SAQ accurately
  5. "To SAQ D, or Not to SAQ D": classification options
     1. Change your card data processes to get out of SAQ D scope
        – Don't store card data (tokenize)
     2. Dig in. It's not easy, but it's possible!
        – Get some help (QSA)
  6. Know the Battlefield: before starting, there are some things you need to gather
     – A complete network diagram
     – A detailed card data flow diagram/description
     – Unsecured card data locations
     – Written IT policies/procedures
     – An internal compliance team (network, workstation/POS support, HR, help desk)
     – Management support!
  7. Field Research: Data Discovery
     "…you really need to use some kind of methodology to find where cardholder data is on the network…" – Bob Russo, PCI SSC
     • You must have a data discovery methodology to get an accurate card data flow picture
     • The methodology should include:
       – Data discovery tool(s)
       – Data flow documentation
       – Periodic repetition (annually at minimum)
  8. Recon: Card Data & Process
     • Like camouflaged ground forces, unsecured card data and processes that use card data can hide in rough terrain and go unnoticed until it's too late
     • Careful tracing and documentation of all processes that deal with card data is essential
     • Search even the locations/processes you think are "clean"
  9. Weapons for Card Discovery: a good discovery tool…
     • Has automated, exhaustive search capability
       – Hard drives, systems, networks, attached storage devices, etc.
       – Finds unencrypted PAN and magnetic stripe data
     • Generates easy-to-understand reports
     • Shows the count and location of payment card data found
     • Has a low false positive rate
  10. Available Data Search Tools: payment card data search tools available to use on systems
     – PANscan®
     – SENF
     – SPIDER
  11. Where to Look? Obvious locations:
     – Systems involved in storage, transmission, or processing of card data
     – POS systems, web servers, customer service workstations, etc.
     – Database servers
     – Decommissioned systems
     – System backup locations
  12. Where to Look? Look outside the typical cardholder data network:
     – Accounting/Finance: spreadsheets from banks, stored reports, etc.
     – Sales: faxed forms (printed or digital), e-mail from sales reps, etc.
     – Marketing: access to transaction databases/logs for research, etc.
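As an added example (not part of the original slides, and not code from PANscan, SENF, SPIDER or any other named tool), the following Python script shows the core of a card data discovery tool as slides 7 through 12 describe it: it finds candidate PANs by pattern, drops most false positives with a Luhn check and a coarse issuer-prefix filter, recognizes Track 1 and Track 2 data, and reports only masked values and byte offsets so that the scan report does not itself become a new store of card data. The sample file contents are constructed test data (using the well-known 4111… style test numbers); the issuer ranges and the directory-walk behaviour are assumptions for illustration.

```python
"""Card data discovery over files: PAN candidates, Luhn check, track data.

Added example, not code from the slides or from any named tool.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track 1 (format B) and Track 2 as they appear in memory dumps and logs; group 1 is the PAN.
TRACK1_RE = re.compile(rb"%B([0-9]{13,19})\^([^\^]{2,26})\^[0-9]{7}[^?%\r\n]{0,50}\??")
TRACK2_RE = re.compile(rb";?([0-9]{13,19})=[0-9]{7}[0-9]{0,30}\??")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_issuer(digits: str) -> bool:
    """Coarse IIN filter (Visa, MasterCard, Amex, Discover); an assumption to cut false positives."""
    return (
        digits[0] == "4"
        or digits[:2] in {"34", "37", "51", "52", "53", "54", "55", "65"}
        or 2221 <= int(digits[:4]) <= 2720
        or digits[:4] == "6011"
    )


def mask(digits: str) -> str:
    """First six and last four only, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    kind: str        # "pan", "track1" or "track2"
    offset: int      # byte offset in the scanned data
    masked_pan: str  # never the full PAN: the report must not become a new data store


def scan_bytes(data: bytes) -> List[Finding]:
    findings: List[Finding] = []
    covered: List[Tuple[int, int]] = []   # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(data):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append(Finding(kind, m.start(), mask(pan)))
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(data):
        if any(s <= m.start() < e for s, e in covered):
            continue                       # PAN already reported as part of track data
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and plausible_issuer(digits):
            findings.append(Finding("pan", m.start(), mask(digits)))
    return sorted(findings, key=lambda f: f.offset)


def scan_tree(root: str) -> Iterator[Tuple[str, Finding]]:
    """Walk a directory (e.g. a mounted backup or decommissioned disk) and scan every file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()       # whole file; chunk with overlap for very large files
            except OSError:
                continue
            for f in scan_bytes(data):
                yield path, f


# Constructed sample: a CSV export, a masked PAN, an invoice number, and raw track data.
SAMPLE = b"""order_id,customer,card,amount
1001,J. Public,4111 1111 1111 1111,19.99
1002,A. Nobody,4111111111111112,5.00
1003,K. Masked,411111******1111,42.00
invoice=INV-20100812-123456789012
%B378282246310005^PUBLIC/JOHN Q^1009101000000000
;5500000000000004=10091015432199870?
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, f in scan_tree(sys.argv[1]):
            print(f"{path}:{f.offset} {f.kind} {f.masked_pan}")
    else:
        for f in scan_bytes(SAMPLE):
            print(f"sample:{f.offset} {f.kind} {f.masked_pan}")
```

On the constructed sample the scan reports one PAN from the CSV line, one Track 1 record and one Track 2 record; the Luhn-invalid number, the already-masked PAN and the long invoice number are all ignored. Two practitioner notes: run the same scan over process memory dumps and backup media, not only live file systems, since slide 42 shows memory scraping as the attack that actually happened; and treat the report as confidential even though it is masked, because location and count are exactly what an attacker wants.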
  13. Targeting SAQ D Scope
     • "The cardholder data environment (CDE) is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data" – PCI DSS
     • PCI DSS applies to all system components included in or connected to the CDE
     • Minimize where card data is handled to reduce SAQ D compliance effort and cost
  14. Scoping Principles
     • Find where data is, using detailed flow and location analysis along with data discovery tools
     • If you find it and don't need it, get rid of it
       – Remove historical data
       – Use a secure data deletion process
       – Change the process to eliminate the need
     • Search regularly for card data
     • Remember: where there is card data, there is PCI DSS scope!
  15. Found it! Now What?
     • Identify the network segment(s) where card data is stored, processed, or transmitted
     • Watch for network segments "traversed" by streams of card data on its way elsewhere
     • Include any process where card data is placed on media (paper, tape, CD, etc.)
     • Remember:
       – Encrypted data is in scope wherever the decryption keys are present
       – Call center segments viewing full PAN data should be in scope
       – Securely delete any unsecured data that is not needed
  16. SAQ D-DAY!
     • Done: research, planning, targeting, and discovery steps
     • Let's attack SAQ D in detail
  17. PCI DSS SAQ D Summary
     • Build and Maintain a Secure Network
       – Req. 1: Install and maintain a firewall configuration to protect cardholder data
       – Req. 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     • Protect Cardholder Data
       – Req. 3: Protect stored cardholder data (encrypt, hash, truncate or mask)
       – Req. 4: Encrypt transmission of cardholder data across open, public networks
     • Maintain a Vulnerability Management Program
       – Req. 5: Use and regularly update anti-virus software
       – Req. 6: Develop and maintain secure systems and applications
  18. PCI DSS SAQ D Summary (continued)
     • Implement Strong Access Control Measures
       – Req. 7: Restrict access to cardholder data by business need-to-know
       – Req. 8: Assign a unique ID to each person with computer access
       – Req. 9: Restrict physical access to cardholder data
     • Monitor and Test Networks
       – Req. 10: Track and monitor all access to network resources and cardholder data
       – Req. 11: Regularly test security systems and processes
     • Maintain an Information Security Policy
       – Req. 12: Maintain documented policy and procedures that address information security
  19. SAQ D Requirement 1
     • Document and maintain firewall configuration standards (1.1)
       – Need a formal process for approving firewall rules and auditing the rule set quarterly
       – Document all port traffic in/out and provide business justification
       – Accurate network and transaction flow diagrams
     • Secure network firewall architecture (1.2–1.4)
       – Create a DMZ and a Secure Zone (two-tiered firewall architecture), prohibit direct public access to the zone where data is stored, and protect internal IP addresses
       – Control and limit all inbound/outbound network traffic
       – Segment the cardholder network from wireless and other network segments
       – Use personal firewalls on mobile/personal computers
  20. SAQ D – Network Example (diagram): strong edge firewall and IDS; isolated wireless; dedicated DMZ; separate office zone; second firewall; dedicated Secure Zone. Segment the network to minimize scope!
  21. Network Scoping and Segmentation
     • The card network stores/processes/transmits card data
     • Most networks were not designed for PCI compliance
     • Card processing systems are often mixed in with back office systems (one big flat network)
     • "Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment." (PCI DSS 1.1, page 2)
  22. SAQ D Requirement 2
     • Change or do not use vendor-supplied defaults
       – Change defaults before adding a system component to the cardholder network (passwords, SNMP community strings, wireless settings)
     • Develop and maintain system configuration standards
       – Create system component configuration standards based on industry best practice guidelines (CIS, NIST, etc.)
       – One primary function per server (or virtual server)
       – Disable unnecessary services/functions
     • Use encrypted tools for non-console administrative access
       – SSH, RDP, VPN, SSL/TLS
  23. SAQ D Requirement 3
     • Protect stored data
       – Minimize storage of confidential information; define a policy/procedure for removing old data
       – Do not store sensitive authentication data after authorization (not even if encrypted)
         • Track data, card identification number (CVV2/CVC2/CID), PIN, PIN block
       – Mask the PAN when displayed (the first six and last four digits are the maximum that may be displayed)
         • If both truncated and hashed versions of the same PAN are stored, add controls so the two cannot be correlated to reconstruct the original PAN
  24. SAQ D Requirement 3 (continued)
     • Render PAN data unreadable anywhere it is stored
       – Strong one-way hashing functions (the slide lists SHA-1; note that an unkeyed hash of a PAN is brute-forceable because the PAN space is small, so key the hash and protect the key)
       – Truncate data (e.g., first 6 and last 4)
       – Use strong cryptography
         • Strong algorithms (3DES, AES, RSA, etc.)
         • Proper key length for the algorithm (e.g., 128 bits or more for AES)
     • Strong encryption key management processes
       – Protect the Data Encryption Key (DEK) from disclosure and misuse
       – Secure key storage (encrypt the DEK with a key-encrypting key)
       – Periodic key changes at the end of a defined cryptoperiod
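Added example (not code from the slides): Python showing the Requirement 3 storage options from slides 23 and 24 and why the caveat about keeping truncated and hashed PANs together matters. With the first six and last four digits known, a 16-digit PAN has six unknown digits, and the Luhn check digit fixes one of them, so an unkeyed SHA-1 of the PAN can be searched in at most 100,000 hash operations. An HMAC under a protected key does not fall to the same search. The test PAN and key are constructed placeholders.

```python
"""PAN truncation, hashing, and the truncation + unkeyed-hash correlation attack.

Added example, not code from the slides. Test PAN and key are constructed placeholders.
"""
import hashlib
import hmac


def _luhn_contrib(d: int, pos_from_right: int) -> int:
    """Luhn contribution of digit d at a position counted from the right (0 = check digit)."""
    if pos_from_right % 2 == 0:
        return d
    d *= 2
    return d - 9 if d > 9 else d


def luhn_ok(pan: str) -> bool:
    return sum(_luhn_contrib(int(c), i) for i, c in enumerate(reversed(pan))) % 10 == 0


def truncate_pan(pan: str) -> str:
    """Storage form: first six and last four digits kept, the rest discarded (PCI DSS 3.4)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_for_display(pan: str) -> str:
    """Display form showing only the last four (PCI DSS 3.3 allows at most first six + last four)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sha1_pan(pan: str) -> str:
    """Unkeyed SHA-1 of the PAN, as the slide suggests. Weak on its own: see recover_pan()."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a protected key; without the key the search below is not possible."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str):
    """Brute-force the hidden middle digits of a truncated PAN against an unkeyed SHA-1 digest.

    Returns the PAN on a match, otherwise None. The Luhn digit is solved rather than
    enumerated, so a 16-digit PAN costs at most 10**5 hashes instead of 10**6.
    """
    first, last = truncated[:6], truncated[-4:]
    n = len(truncated)
    hidden = n - 10
    if hidden < 1:
        return None
    free = hidden - 1                    # digits we enumerate; the last hidden digit is solved
    solved_idx = 6 + free                # index from the left of the digit fixed by Luhn
    solved_pos = n - 1 - solved_idx      # its position from the right
    # contribution -> digit is a bijection at any position, so the Luhn digit is unique
    by_contrib = {_luhn_contrib(d, solved_pos): d for d in range(10)}
    for k in range(10 ** free):
        mid = f"{k:0{free}d}" if free else ""
        probe = first + mid + "0" + last          # placeholder 0 contributes nothing to Luhn
        partial = sum(_luhn_contrib(int(c), i) for i, c in enumerate(reversed(probe)))
        candidate = probe[:solved_idx] + str(by_contrib[(-partial) % 10]) + last
        if hmac.compare_digest(hashlib.sha1(candidate.encode()).hexdigest(), digest):
            return candidate
    return None


def demo():
    pan = "4111111111111111"                   # constructed, well-known test number
    key = b"replace-with-a-protected-key"      # placeholder; keep real keys in an HSM or key store
    stored_trunc = truncate_pan(pan)
    return {
        "display": mask_for_display(pan),
        "truncated": stored_trunc,
        "recovered_from_sha1": recover_pan(stored_trunc, sha1_pan(pan)),
        "recovered_from_hmac": recover_pan(stored_trunc, keyed_hash_pan(pan, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed digest gives the full PAN back in well under a second; the keyed digest yields nothing after the full search. The same weakness applies even without a stored truncation: an attacker who knows or guesses the issuer BIN faces on the order of a billion candidates per BIN, which is offline work, not a barrier. That is why the hash option on slide 24 only holds up with a secret key that is managed like the encryption keys in slide 26.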
  25. What is Sensitive Authentication Data?
     • Track or mag stripe data – used to duplicate a plastic card
       – Track 1: %B4111111111111111^Public John Q.^080910100876000
       – Track 2: 4111111111111111=0809101543219987000
       – It is a violation to store Track 1 or 2, even if encrypted
         • Exception: some "store and forward" situations are allowed if no authorization event has occurred
     • Card identification number (the 3- or 4-digit code: CVV2/CVC2/CID)
       – Violation to store even if encrypted
         • Exception: can be stored encrypted prior to the "authorization event"
     • PIN or encrypted PIN block
  26. Encryption & Key Management
     • Don't use weak or non-industry-standard encryption algorithms
     • The most common problem with encryption is insecure encryption key management
     • Look carefully at SAQ D sections 3.5–3.6 for correct key management practices, and work with a QSA on a key management scheme
  27. SAQ D Requirement 4
     • Encrypt sensitive data over public networks
       – Use strong cryptography to protect card data as it traverses a public network (SSL/TLS, IPsec, etc.)
       – Open (insecure) network examples: Internet, Wi-Fi, GSM, GPRS, satellite
       – Use a strong encryption method if sending a card PAN via e-mail (and be careful where the e-mail is stored)
     • Protect card data flowing over wireless networks
       – Use WPA/WPA2 (WEP is not allowed)
  28. SAQ D Requirement 5
     • Anti-Virus/Anti-Malware
       – Deploy anti-virus software on all systems in the card environment commonly affected by malicious software
       – Software must detect and clean other types of malware (spyware, adware)
       – Ensure anti-virus/anti-malware software and signatures are up to date
       – Ensure anti-virus/anti-malware software generates logs, and keep the logs
  29. SAQ D Requirement 6
     • Patch Management and Change Control
       – Keep system components and software up to date (install relevant security patches within 30 days)
       – Keep up on newly discovered vulnerabilities that may affect systems or software; assign a risk ranking to each discovered vulnerability
       – Document and follow change control procedures
         • Track all system and software configuration changes (e.g., network components, servers, software, etc.)
     • Secure Software Processes
       – Use PA-DSS validated software, and install it correctly
       – If you develop your own software (web or client), SAQ D 6.3, 6.5 and 6.6 become very important and difficult; get help from a QSA
  30. SAQ D Requirement 7
     • Limit access to computing resources and cardholder information to only those with a "need to know"
     • Ensure systems have automated access control systems implemented
     • Have a traceable process for granting/denying access to cardholder network systems based on job role
  31. SAQ D Requirement 8
     • Protect access to the cardholder data network
       – All users must have unique IDs to access cardholder network systems
       – All users must authenticate to the systems using a password (or token, or biometric)
       – All passwords must be stored encrypted
       – Remote access into the cardholder network must be secured by two-factor authentication
         • Something you know (a password) and something you have (a token or certificate)
         • Examples: RADIUS, TACACS, VPN with individual certificates, key fob, etc.
  32. SAQ D Requirement 8 (continued)
     • User and password management
       – Process to control addition/deletion of users
       – Verify identity before password resets; use strong initial passwords
       – Revoke access of terminated users; remove inactive accounts at least every 90 days
       – No "group" or shared user IDs or passwords
       – Change passwords every 90 days; keep a password history
       – Password strength: 7+ characters, containing both letters and numbers
       – Lock the account after 6 invalid login attempts for at least 30 minutes
       – Idle session timeout of 15 minutes (can be a screen saver)
  33. SAQ D Requirement 9
     • Physical security of facilities
       – Control access to the physical location of cardholder network systems
       – Video and/or access control mechanisms in the data center; store video data for at least 3 months
       – Restrict access to network jacks, wireless access points, network hardware, and handheld devices
  34. SAQ D Requirement 9 (continued)
     • Employee controls
       – Must be able to distinguish employees from visitors (ID badges or other means)
       – In sensitive areas: visitors must be authorized, sign a log, be given a physical token of visitor status that expires, and surrender the token upon leaving
  35. SAQ D Requirement 9 (continued)
     • Controls over the storage of media
       – Physically secure all electronic or paper media that contains cardholder data
       – Store media backups in a secure location, preferably off-site
       – Maintain strict control over internal/external distribution of media
         • Management must approve all distribution of media
         • Classify media so it can be identified as confidential
         • Use a secured courier or delivery mechanism that can be tracked
         • Inventory all distributed media
       – Destroy media when no longer in use (shred, degauss, physically destroy, etc.)
  36. SAQ D Requirement 10
     • Track and monitor access to systems in the cardholder network
       – Enable audit logging on all systems handling cardholder data
       – Implement log monitoring and notification software (review logs daily)
       – Track all privileged access to credit card data outside of the defined payment applications
       – Centralize the storage of audit logs; include all logs (system, application, firewall, IDS, web, …)
       – Protect audit logs from modification
       – Synchronize system time throughout the cardholder network to a known, protected source
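Added example (not part of the slides): a small Python log reviewer of the kind the daily log review on slide 36 calls for, run over constructed sshd-style auth log lines. It applies the Requirement 8 controls from slides 31 and 32 to what the logs show: it flags an account that exceeds the lockout threshold (six failed attempts within the 30-minute lockout window), a later success for that same account and source, and any direct login to a shared or generic ID. Host names, addresses, the list of generic IDs and the syslog year are assumptions.

```python
"""Daily log review helper for PCI DSS Req. 10 over sshd-style auth log lines.

Added example, not code from the slides. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted (?:password|publickey)) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)

LOCKOUT_THRESHOLD = 6                       # Req. 8.5.13: lock out after at most six invalid attempts
LOCKOUT_WINDOW = timedelta(minutes=30)      # Req. 8.5.14: lockout lasts at least 30 minutes
SHARED_IDS = {"root", "admin", "administrator", "pos"}   # Req. 8.5.8: no shared/generic IDs (assumed list)
LOG_YEAR = 2011                             # syslog lines carry no year; assumed for the sample

Event = Tuple[datetime, str, str, str, bool]   # (time, host, user, source, success)


def parse(lines) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                          # not an sshd authentication record
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"], m["result"].startswith("Accepted")))
    return sorted(events)


def review(lines) -> List[str]:
    """Return human-readable alerts for a log review; an empty list means nothing to chase."""
    alerts: List[str] = []
    failures: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    flagged = set()
    for ts, host, user, src, ok in parse(lines):
        key = (host, user, src)
        if ok:
            if user in SHARED_IDS:
                alerts.append(f"{host}: direct login to shared/generic ID '{user}' from {src} at {ts:%H:%M:%S}")
            if key in flagged:
                alerts.append(f"{host}: successful login for '{user}' from {src} at {ts:%H:%M:%S} "
                              f"after {LOCKOUT_THRESHOLD}+ failures; investigate")
            continue
        # sliding window of failures for this host/user/source within the lockout period
        window = [t for t in failures[key] if ts - t <= LOCKOUT_WINDOW] + [ts]
        failures[key] = window
        if len(window) >= LOCKOUT_THRESHOLD and key not in flagged:
            flagged.add(key)
            minutes = int(LOCKOUT_WINDOW.total_seconds() // 60)
            alerts.append(f"{host}: {len(window)} failed logins for '{user}' from {src} within "
                          f"{minutes} min (ending {ts:%H:%M:%S}); account should be locked")
    return alerts


# Constructed sample: a password-guessing burst that succeeds, benign noise, and a root login.
SAMPLE_LOG = """\
Aug 12 02:14:01 pos-db01 sshd[2112]: Failed password for jsmith from 203.0.113.7 port 51812 ssh2
Aug 12 02:14:09 pos-db01 sshd[2113]: Failed password for jsmith from 203.0.113.7 port 51813 ssh2
Aug 12 02:14:18 pos-db01 sshd[2114]: Failed password for jsmith from 203.0.113.7 port 51814 ssh2
Aug 12 02:14:27 pos-db01 sshd[2115]: Failed password for jsmith from 203.0.113.7 port 51815 ssh2
Aug 12 02:14:36 pos-db01 sshd[2116]: Failed password for jsmith from 203.0.113.7 port 51816 ssh2
Aug 12 02:14:45 pos-db01 sshd[2117]: Failed password for jsmith from 203.0.113.7 port 51817 ssh2
Aug 12 02:14:54 pos-db01 sshd[2118]: Failed password for jsmith from 203.0.113.7 port 51818 ssh2
Aug 12 02:16:00 pos-db01 sshd[2119]: Accepted password for jsmith from 203.0.113.7 port 51819 ssh2
Aug 12 02:20:01 pos-db01 CRON[2130]: (root) CMD (run-parts /etc/cron.hourly)
Aug 12 02:30:10 pos-app01 sshd[4410]: Failed password for invalid user oracle from 10.10.5.21 port 40022 ssh2
Aug 12 02:30:25 pos-app01 sshd[4411]: Accepted publickey for kwong from 10.10.5.21 port 40023 ssh2
Aug 12 03:05:12 pos-app01 sshd[4490]: Accepted publickey for root from 10.10.5.20 port 40100 ssh2
"""

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample this produces three alerts: the sixth failure for jsmith, the later success from the same address (which also means the lockout on slide 32 was not enforced, since an eighth attempt went through two minutes later), and the direct root login. The burst was only visible because the failures were logged centrally with synchronized clocks; with the "logging not enabled, nobody watching logs" finding from slide 42 none of this would have surfaced.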
  37. SAQ D Requirement 11
     • Regularly test security systems
       – Quarterly external and internal vulnerability scans
         • Use a PCI Approved Scanning Vendor (ASV) for external testing; internal testing can be done with VA scanning tools
         • Act on scan results until the scans are running clean
       – Conduct external penetration testing
         • Annually, or after any significant infrastructure or application upgrade or modification
         • Conducted by an experienced penetration tester who is not part of the card network admin team
         • Must include both network-layer and application-layer testing
       – Intrusion Detection System monitoring all traffic
       – File Integrity Monitoring software watching critical files
  38. SAQ D Requirement 12
     • Document Information Security Policy and Procedures
       – Develop, maintain, and publish infosec policies that address all PCI requirements
       – Review the policy and conduct a risk assessment annually
       – Develop daily operational security procedures to ensure continued PCI compliance (watch logs, updates, etc.)
       – Develop employee acceptable use policies for employee-facing technologies (modem, network, wireless, etc.)
  39. SAQ D Requirement 12 (continued)
     • Document Information Security Policy and Procedures
       – Define management responsibilities (policy, control access, monitor alerts, incident response, etc.)
       – Develop and implement a security awareness program
       – Background check potential or new employees
       – Third parties that receive card data from you must be contractually required to follow PCI DSS
       – Develop, distribute and periodically test an Incident Response Plan
  40. Documentation Hurdles
     • The amount of documentation and process development/rollout is a big deal for a successful SAQ D compliance effort
     • It must be comprehensive and implemented across the board
     • Don't depend on "employee memory"
     • Carefully document security procedures and policies, and train employees periodically
     • Good data security starts from the top down, not from the IT staff up!
  41. Why Go Through All This Work?
  42. Compromise: Hospitality Industry
     • Network vulnerabilities found:
       – Insecure remote access
       – Common default passwords
       – Logging not enabled; nobody watching logs
       – Flat network design, with limited or no segmentation
       – No IDS/IPS in place
     • Attack vectors included:
       – Compromised remote access
       – An installed suite of malware: a memory dump program, a parser looking for credit card data in the dump files, and a shared-folder search app that looked for passwords, credit card numbers, social security numbers, etc.
  43. What Did It Cost?
     • Bottom line costs:
       – Cost of the forensic investigation: $32,000
       – Number of cards stolen: 150,000
       – Fines: $80,000
       – Reimbursement for fraudulent use: $440,000
     • All this from just two sites involved in the compromise
  44. Emerging Technologies
     • Tokenization
     • Point-to-Point Encryption (P2PE)
     • Mobile payment technologies
  45. Tokenization
     • A token representing the PAN is returned from the gateway/processor, eliminating the storage risk
     • No storage of sensitive PAN data, which reduces PCI DSS requirements, but PAN data is still transmitted (potential reduction of validation to SAQ C)
     • Biggest advantage: tokens have no value unless redeemed, so they can potentially be stored outside the CDE without impacting PCI scope
     • Historical PAN data must be tokenized or removed
     • Many processors/gateways are beginning to support tokenization, but switching processors may be harder
     • Best if integrated with a Point-to-Point Encryption solution
  46. Point-to-Point Encryption
     • All card data is encrypted by the swipe device hardware; no cleartext data enters merchant POS systems
     • The merchant does not hold keys that can decrypt the data
     • Potential for a large reduction in scope, since internal systems never see or transmit usable card data
     • Could lower PCI DSS assessment scope, but new hardware and services would have to be purchased
     • Format Preserving Encryption has potential for integration with legacy software (the PCI SSC is still "in session" on FPE issues)
  47. Taking Mobile Payments
     • Security issues:
       – Smartphone malware potential
       – Many other end-user technologies potentially in use on the devices (SMS, web browsing, Wi-Fi, etc.)
       – Hard to control the security of a personal device
     • P2PE and EMV technologies help with an "encrypt at swipe" card reader, but manual transaction entry is still a problem
     • Long term: "sandbox" the payment app to run in a dedicated secure environment; requires new mobile hardware
     • More guidelines from the PCI SSC are expected soon
  48. Wrap Up
     • PCI DSS compliance and validation is typically not a quick, easy process
       – Know where the card data is!
       – Take time to really understand the SAQ D requirements and your card network
       – Plan on sufficient time for the effort
     • Consider consulting with a QSA even if you are just filling out an SAQ
     • Remember, compliance is often more work than just SAQ validation
  49. Don't Give Up!