The document discusses scoping and controls for PCI DSS compliance. It describes how applications, servers, networks, and desktops can fall within or outside the PCI DSS scope depending on whether they process, store, or transmit full payment card details. It provides examples of controls that should be implemented for in-scope systems, including password policies, encryption, logging, patching, and vulnerability scanning. Finally, it outlines steps an organization can take to accurately map their PCI DSS scope, such as using a card finder tool and analyzing where full card numbers are received and stored.
2. By Manish Mahapatra
PCI DSS and its applicability
• The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by the Payment Card Industry Security Standards Council (PCI SSC) for protecting the card ecosystem.
• The PCI SSC body was created by the payment brands (VISA, MasterCard, AMEX, JCB and Discover), and they drive the implementation of the standard across the globe.
• Any entity which processes, stores or transmits the full card number needs to comply with all the PCI DSS controls. The entity can be a small brick-and-mortar merchant, an e-commerce site or a bank, but if they process, store or transmit the full card number, then all of them need to comply with PCI DSS.
3. PCI DSS Scoping – Applications
• This slide describes how an application comes under the purview of PCI DSS.
• In scope – If the application processes, stores or transmits the full card number at any point of time, then the application falls under the PCI DSS scope.
◦ An application can receive the card number as part of transaction processing, the settlement process or as part of querying a transaction.
• Out of scope – An application is out of scope if it only receives the truncated card number.
◦ A card number is truncated if only a few of the digits are visible while the rest of the digits are masked with ‘X’ or replaced with any other character.
◦ As per the PCI DSS requirement, only the first 6 digits and last 4 digits of the card number can be displayed, while the middle six digits need to be truncated. It is fine to truncate the first 6 and last 4 digits as well, but the middle six must always be truncated.
◦ If the application receives the full 16-digit card number and then truncates it during storage, the application still comes under the PCI DSS scope.
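As an added example (not code from the original slides), the following Python implements the truncation rule described above and the scoping decision that follows from it. It generalizes slightly beyond the slide's 16-digit case to any 13- to 19-digit PAN, keeping the first 6 and last 4 digits visible; the sample values are well-known test card numbers, not real cardholder data.

```python
import re

# PCI DSS truncation rule as stated on the slide: at most the first 6 and the
# last 4 digits of a PAN may be displayed; everything in between is masked.
VISIBLE_PREFIX = 6
VISIBLE_SUFFIX = 4


def truncate_pan(pan: str, mask_char: str = "X") -> str:
    """Return the PAN with only the first 6 and last 4 digits visible.

    Works for any 13- to 19-digit PAN; for a 16-digit PAN the masked run is
    exactly the "middle six" the slide refers to.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    hidden = len(digits) - VISIBLE_PREFIX - VISIBLE_SUFFIX
    return digits[:VISIBLE_PREFIX] + mask_char * hidden + digits[-VISIBLE_SUFFIX:]


def _strip_separators(value: str) -> str:
    return value.replace(" ", "").replace("-", "")


def is_full_pan(value: str) -> bool:
    """A value made only of 13 to 19 digits (separators allowed) is a full PAN."""
    digits = _strip_separators(value)
    return digits.isdigit() and 13 <= len(digits) <= 19


def is_compliant_truncation(value: str) -> bool:
    """True if the value exposes no more than the first 6 and last 4 digits.

    Any masking character is accepted; the check is only that no digit survives
    in the masked region. A value that is all digits is a full PAN and fails.
    """
    value = _strip_separators(value)
    if not 13 <= len(value) <= 19:
        return False
    middle = value[VISIBLE_PREFIX:-VISIBLE_SUFFIX]
    return not any(ch.isdigit() for ch in middle)


def classify_application_input(values):
    """Scope decision for an application from the card data it receives.

    The application is out of scope only if every value it receives is a
    compliantly truncated PAN. A full PAN, or a mask that reveals more than
    first 6 + last 4, puts it in scope. Returns (decision, findings); findings
    never contain a full PAN, only its truncated form.
    """
    findings = []
    for v in values:
        if is_full_pan(v):
            findings.append(f"full PAN received (shown truncated): {truncate_pan(v)}")
        elif not is_compliant_truncation(v):
            findings.append(f"over-exposed value received: {v}")
    return ("in scope" if findings else "out of scope", findings)


if __name__ == "__main__":
    # Constructed inputs: a test PAN, a compliant mask, and an over-exposed mask.
    for sample in (["411111XXXXXX1111", "411111******1111"],
                   ["411111XXXXXX1111", "4111 1111 1111 1111"],
                   ["41111111XXXX1111"]):
        print(sample, "->", classify_application_input(sample))
```

The classifier deliberately treats an over-exposed mask (for example eight leading digits visible) the same as a full PAN: it is not PCI truncation, so the receiving application cannot use it to claim it is out of scope.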
4. PCI DSS Scoping – Network and Servers
• This slide describes how servers and networks fall under the PCI DSS scope –
• In scope (Servers) – If the server processes, stores or transmits the full card number, then the server falls under the PCI DSS scope.
◦ Or, if the server is deployed in the same VLAN as another server which processes, stores or transmits the full card number, then the VLAN or network segment, with all the servers deployed in it, comes under the purview of the PCI DSS scope.
◦ For example, consider VLAN 101 which has around 50 servers. If one of the 50 servers processes, transmits or stores the full card number, then all 50 servers come under the purview of the PCI DSS scope.
• In scope (Support Servers) – Any support servers like the AV server, NTP server or domain server which provide a supporting function to the PCI DSS scoped servers will also come under the purview of the PCI DSS scope.
5. PCI DSS Scoping – Network and Servers
• This slide describes the measures for reducing the PCI DSS scope –
• Scoping out – Using the following measures one can reduce the PCI DSS scope –
◦ Create a dedicated VLAN for PCI scoped servers (servers processing, transmitting or storing the card number)
◦ Deploy all the PCI scoped servers within the PCI VLAN
◦ Restrict inter-VLAN routing and deploy IP- and port-based ACLs (Access Control Lists) for all incoming and outgoing traffic
◦ Deploy a jump server with two-factor authentication for accessing it, and restrict access to the PCI scoped servers to the jump server only
◦ Create a dedicated VLAN for the following segment –
◦ Support VLAN for support servers like AV, domain, NTP, etc.
◦ Allow inbound and outbound traffic to the PCI server VLAN from these VLANs, and deny all other inbound and outbound traffic.
6. PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number –
◦ Password policy – 7-character alphanumeric password with a maximum age of 90 days, password history of 4 previous passwords, account lockout after 6 invalid login attempts with a lockout period of 30 minutes, and session timeout of 15 minutes.
◦ User access control –
◦ Zero privileges or permissions while creating a new user or role
◦ An option to grant permission for viewing the full card number; this permission should be granted to a user and not to a role
◦ User passwords need to be hashed using either the SHA-256 or SHA-512 hashing algorithm
◦ Audit trails –
◦ All successful and unsuccessful login attempts to the application
◦ All actions taken by the application administrator
◦ Any system object level changes made by the application
7. PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number –
◦ Encryption and key management –
◦ In case the application stores the card number (full 16-digit), the application should use AES-128 bit or above, 3-DES, or RSA 1024 bit or above as the encryption algorithm for encrypting the card number
◦ The application should use the controls specified in PCI DSS Requirements 3.5 and 3.6 for managing the encryption keys
◦ Secure code review –
◦ For every major change to the application, the client needs to conduct a secure code review, using the OWASP Secure Code Review Guide as a reference.
◦ In case of minor changes, conduct the secure code review on an annual basis
◦ Application penetration testing following the OWASP Testing Guide –
◦ If the application has a web interface or web-service calls, then web application penetration testing of the web interface and web services should be conducted on a bi-annual basis following the OWASP Testing Guide
8. PCI DSS Controls – Servers
• This slide describes the list of controls to be deployed on the servers –
◦ Hardening – The client needs to harden the servers based on industry best practice. Hardening should be carried out for database and web servers as well.
◦ Deploy AV – An AV solution needs to be deployed on all the PCI scoped servers and should be configured to run a full system scan on a weekly basis.
◦ Deploy a File Integrity Monitoring (FIM) solution – The FIM solution should be deployed to monitor any changes made to system configuration files and application configuration files
◦ Configure NTP – Servers should be configured for time synchronization from a central NTP server
◦ Configure the audit trails – Servers should be configured to generate all types of logs and audit trails, and to push them to a central log server
◦ Monthly patching – The client should have a process of patching the servers on a monthly basis, and it should not be restricted to just OS patches but should cover application and application library patches as well
◦ Quarterly vulnerability assessment scans – The client needs to conduct a credentialed vulnerability assessment scan using either Nessus or Qualys Guard on a quarterly basis
9. PCI DSS Controls – Infrastructure
• This slide describes the list of controls to be deployed at the infrastructure level –
◦ Create a demilitarized zone (DMZ) – Create a PCI DMZ for deploying all PCI scoped web servers
◦ Deploy an Intrusion Prevention System (IPS) – Deploy an IPS to monitor both incoming and outgoing traffic from the PCI scoped server segment
◦ Deploy a centralized log server and log monitoring process –
◦ Logs and audit trails from all applications, servers and network components need to be pushed to a central log server
◦ A log monitoring solution needs to be deployed to generate security alerts
◦ Deploy a centralized AV console and patch management system – The AV solution and patch management system need to be centralized solutions
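The audit-trail list on slide 6 (successful and failed logins, administrator actions) and the log monitoring requirement above only pay off if something turns the central log into alerts. The following Python is an added example, not part of the original slides, of the minimal detection logic a log monitoring solution would run over those events: repeated failed logins for one user (using the slide's threshold of 6 attempts within the 30-minute lockout period), every view of a full card number, and administrator actions that did not come through the jump server. The key=value log format, the event names and the jump server address are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

JUMP_HOST = "10.10.20.5"          # assumed jump server address (constructed)
FAILED_LOGIN_THRESHOLD = 6        # the slide's lockout threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=30)   # the slide's lockout period


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Run the three detections over log lines in time order; return (kind, user, ts, detail)."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    for line in lines:
        ev = parse_line(line)
        ts, user, event = ev["ts"], ev.get("user", "?"), ev.get("event")
        if event == "login_failed":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()           # drop failures older than the window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("brute_force", user, ts,
                               f"{FAILED_LOGIN_THRESHOLD} failed logins from {ev.get('src')}"))
        elif event == "login_success":
            failures[user].clear()         # a successful login resets the counter
        elif event == "view_full_pan":
            # Every full-PAN view is reviewable: the slide ties this to a per-user permission.
            alerts.append(("full_pan_view", user, ts, f"record {ev.get('record')}"))
        elif event == "admin_action" and ev.get("src") != JUMP_HOST:
            alerts.append(("admin_not_via_jump", user, ts,
                           f"{ev.get('action')} from {ev.get('src')}"))
    return alerts


# Constructed sample log: one PAN view, one brute-force burst, one admin action
# bypassing the jump server, and benign activity that must not alert.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z app=payments event=login_success user=alice src=10.10.40.11",
    "2024-05-01T09:05:00Z app=payments event=view_full_pan user=alice src=10.10.40.11 record=TXN-1042",
    "2024-05-01T09:10:00Z app=payments event=login_failed user=bob src=10.10.40.12",
    "2024-05-01T09:11:00Z app=payments event=login_failed user=bob src=10.10.40.12",
    "2024-05-01T09:12:00Z app=payments event=login_failed user=bob src=10.10.40.12",
    "2024-05-01T09:13:00Z app=payments event=login_failed user=bob src=10.10.40.12",
    "2024-05-01T09:14:00Z app=payments event=login_failed user=bob src=10.10.40.12",
    "2024-05-01T09:15:00Z app=payments event=login_failed user=bob src=10.10.40.12",
    "2024-05-01T09:20:00Z app=payments event=admin_action user=carol src=10.10.40.9 action=role_update",
    "2024-05-01T09:25:00Z app=payments event=admin_action user=dave src=10.10.20.5 action=user_disable",
    "2024-05-01T09:30:00Z app=payments event=login_failed user=eve src=10.10.40.15",
    "2024-05-01T09:31:00Z app=payments event=login_success user=eve src=10.10.40.15",
]

if __name__ == "__main__":
    for kind, user, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<20} user={user} {detail}")
```

The sliding window matters for the edge case the slide's numbers imply: failures spread out over longer than the lockout period should not accumulate into an alert, and a successful login should reset the count.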
10. PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS –
◦ Change management process for making any changes, covering –
◦ Any firewall rule change
◦ Any change to network component configuration
◦ Any change to the servers
◦ Any application level change
◦ Hardening guidelines for hardening system and network components, like –
◦ Hardening the server OS
◦ Hardening other applications deployed on the server, like the database, web server, etc.
◦ Hardening the network components
11. PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS –
◦ Incorporate security controls into the Software Development Life Cycle (SDLC) for developing internal applications
◦ Process for reviewing the user lists in the domain, applications and network components on a quarterly basis
◦ Process for conducting a risk assessment on an annual basis for all processes and environments handling the card number
◦ Process for conducting an internal information security awareness and training program on an annual basis
◦ A card finder tool should be run on a quarterly basis on all the servers to identify all the locations where card numbers are getting captured
◦ A credentialed internal vulnerability assessment should be conducted on a quarterly basis
◦ An internal pen-test should be conducted on a bi-annual basis
12. PCI DSS Controls – Desktops
• This slide describes the list of controls to be deployed for user desktops which process the card number –
◦ The user desktops cover all client personnel who will be entering or viewing the full card number (like the finance or collection department)
◦ The desktops should have a DLP solution deployed
◦ Card finder tools should be run on a quarterly basis to identify whether the card number is getting captured or not
◦ Internet access should be restricted to a few whitelisted URLs
◦ Desktops should be configured to generate audit trails / logs and to push them to a central log server
◦ Other solutions like AV, FIM and VAPT (Vulnerability Assessment and Penetration Testing) need to be deployed
◦ The user VLAN or network segment will come under the purview of the PCI DSS scope, and all PCI DSS controls like AV, VAPT, FIM and audit trails need to be configured on all the systems deployed in that VLAN or network segment.
13. Steps for confirming the PCI Scope
• This slide details the next set of steps to be taken by the client for determining the PCI DSS scope –
◦ Run a card finder tool – The client needs to run card finder tools on all the servers and desktops across the client network. The objective of running the card finder tool is to identify all the locations (maybe Excel sheets, log files, databases, etc.) where full card numbers are getting stored.
◦ Analyze to terminate or to include – Analyze each location where the full card number is getting stored and confirm the following –
◦ The source from which the location is receiving the full card number
◦ Whether the full card number is required or whether only the truncated card number will suffice
◦ Please note that in 99.99% of cases, the full card number will not be required. If any user or business function requires the full card number, then confirm the following with them –
◦ When they last used the full card number
◦ Whether they can use any other data apart from the full card number for the business function
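The card finder step above, and the quarterly card finder run on slide 11, both rely on a tool that walks files and reports where full card numbers sit. The following Python is an added example, not part of the original slides or any named product, of how such a tool works: it finds 13- to 19-digit runs, keeps only those that pass the Luhn check (which removes most order ids, timestamps and phone numbers), ignores already-truncated values, and reports each hit by file and line with the number itself truncated, so the scan report does not become one more location holding full PANs. The sample directory tree and its contents are constructed inside a temporary directory; the card numbers in it are well-known test numbers.

```python
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(digits: str) -> str:
    """Keep first 6 and last 4 digits; the report never carries a full PAN."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, location: str):
    """Return (location, line_no, truncated_pan) for every Luhn-valid candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                findings.append((location, line_no, truncate(digits)))
    return findings


def scan_files(root):
    """Walk a directory tree and scan every readable file as text."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue                    # unreadable file: skip, keep scanning
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


def run_demo():
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "finance").mkdir()
        (base / "logs").mkdir()
        # A refunds export holding a full PAN (Visa test number).
        (base / "finance" / "refunds.csv").write_text(
            "date,type,card,agent\n2024-04-02,refund,4111 1111 1111 1111,alice\n")
        # A log with a 16-digit order id (fails Luhn) and a full Amex test PAN.
        (base / "logs" / "app.log").write_text(
            "order=1234567890123456 status=ok\n"
            "settlement pan=378282246310005 amount=12.50\n")
        # A note holding only a truncated value: correctly not reported.
        (base / "notes.txt").write_text("customer card 411111XXXXXX1111 verified\n")
        return scan_files(root)


if __name__ == "__main__":
    for location, line_no, pan in run_demo():
        print(f"{location}:{line_no}: {pan}")
```

Each finding feeds the "analyze to terminate or to include" step: the location tells you where the number is received and stored, and the truncated value is enough to trace the record without copying the PAN into the scoping workbook.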
14. Steps for confirming the Scope
• This slide details the next set of steps to be taken by the client for determining the PCI DSS scope –
◦ Finalize the locations – Finalize all the locations where the full card number is required to be processed, stored or transmitted. Please note that if the full card number is received and the application only stores the truncated card number, then that system will still be in PCI DSS scope.
◦ Based on the above step, identify and finalize all the servers and user desktops within the client network which process, store or transmit the full card number.
◦ The VLAN or network segment in which these servers and user desktops are deployed will come under the PCI DSS scope, including all the servers and user desktops deployed in the scoped VLANs / network segments.
15. Thank You!
Manish M
Cyber Security Training Provider
Manish.cor@gmail.com
Contact: +91-9036350000
LinkedIn: https://www.linkedin.com/in/manishmahapatra
Join my group on https://www.linkedin.com/groups/6517220 for more updates.