Gazzang pci v1[1]

Essentials of PCI Assessment Succeeding with Gazzang Mike Frank, Director of Products, Gazzang


Essentials of PCI Assessment :Succeeding with Gazzang

Transcript of Gazzang pci v1[1]

Page 1: Gazzang pci v1[1]

Essentials of PCI Assessment
Succeeding with Gazzang
Mike Frank, Director of Products, Gazzang

Page 2: Gazzang pci v1[1]

Overview

• Benefits of the Cloud

• What to expect - preparing for an audit

• The Gazzang data security solution

• Mapping into the 12 PCI sections

• Examples/Ideas before your PCI Audit

• Q&A

04/10/2023

Page 3: Gazzang pci v1[1]

Cloud Adoption 101

Public Cloud
• Cloud servers
• f5 load balancers
• Cloud Storage
• CDN
• Firewalls

Hosted Private Cloud
• A dedicated non-shared instance

Hybrid
• Dedicated
• Cloud
• Private Network
• Single Control Panel

Dedicated
• Standard & custom dedicated servers
• Firewalls

Page 4: Gazzang pci v1[1]

PCI (Payment Card Industry)

• Created by major credit card issuers to
– Protect personal information
– Ensure security when transactions are processed

• Members of the payment card industry are
– financial institutions, credit card companies and merchants
– Required to comply with these standards

• Failure to meet compliance standards can result in
– Fines from credit card companies and banks
– Loss of the ability to process credit cards.

Page 5: Gazzang pci v1[1]

PCI

• PCI (Payment Card Industry) – DSS (Data Security Standard)

• The PCI assessment process focuses solely on the security of cardholder data
– Has a company effectively implemented information security policies and processes?
– Are there adequate security measures that comply with the requirements to protect cardholder data?

Page 6: Gazzang pci v1[1]

PCI Assessments

• Determine if you are employing payment industry best-practices

• Assessments result in
– Recommendations & Remediation to
• Processes
• Procedures
• System configurations
• Vulnerabilities

The “Fixes” needed to comply

Page 7: Gazzang pci v1[1]

What is Gazzang’s ezNcrypt for MySQL

• Installed as a Cloud Database Server
• Sits between the storage engine and file system
• Encrypts data before it hits the disk.

Page 8: Gazzang pci v1[1]

Key Storage System (KSS)

• Gazzang’s KSS “service” runs in the Cloud
– East and West currently
– Highly Available – uses F5

• Solution for
– “Where do I store my key?”

• Multiple layers of security ensure that your key is protected and available when you need it.

Page 9: Gazzang pci v1[1]

PCI Security Problems Gazzang Helps Solve

• Unauthorized attempts to read data off the database files
• Theft of the data files
• Tampering of data
• Protection of data on tapes and backups
• Data at Rest - Protecting disks
– In case physical hardware is stolen or incorrectly disposed
• Key Protection
– Automated, Zero Maintenance Key Management
• Encrypts, Protects and Secures MySQL

Page 10: Gazzang pci v1[1]

The PCI “12”

1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords. Develop configuration standards.
3. Protect stored data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Systems should be tested to ensure security is maintained over time and through changes
12. Maintain an information security policy

Page 11: Gazzang pci v1[1]

1 Install and maintain a firewall

The Auditor will inspect
• System/Firewall Configurations
• Your Network Diagram

Several options
• Can be provided by the cloud host
– Fortinet Firewall
– Cisco ASA 5510 dedicated hardware firewall

Page 12: Gazzang pci v1[1]

2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.

Gazzang
• MySQL Linux account has strong initial password
• Only local mysql root is created
• Strong Initial Password is enforced
• Configuration for MySQL is Secured
• Added Access File Protection

The Auditor will
• Interview staff, review documentation, view setup
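The slide lists what the product does about vendor defaults; the statements below are an added example (not Gazzang's code and not from the deck) of the same Requirement 2 clean-up done by hand on a MySQL 8.0 server: anonymous accounts and the sample database removed, root confined to localhost, the installer password replaced, and a password policy enforced for every account created afterwards. The password value is a placeholder; the final query is the check an assessor can re-run.

```sql
-- Added example (not Gazzang's or the deck's own code): removing vendor-supplied
-- defaults from a fresh MySQL 8.0 server. Password values are placeholders.

-- 1. Anonymous accounts and the sample database ship with some packages; drop them.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
DROP DATABASE IF EXISTS test;

-- 2. root may only connect locally (the slide: "only local mysql root is created").
--    Any root@<remote-host> row is an installer default; list them, then drop each.
SELECT user, host FROM mysql.user WHERE user = 'root' AND host <> 'localhost';
-- e.g. for a row returned above:
-- DROP USER 'root'@'%';

-- 3. Replace the initial root password set by the installer (placeholder value).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

-- 4. Enforce a password policy for every account created from now on
--    (validate_password component, MySQL 8.0; SET PERSIST survives restarts).
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = STRONG;
SET PERSIST validate_password.length = 16;

-- 5. A configuration default worth turning off on a cardholder-data server:
--    LOAD DATA LOCAL lets a client push arbitrary local files to the server.
SET PERSIST local_infile = OFF;

-- Check: any row returned here is still a default that needs attention.
SELECT user, host, plugin, password_expired
FROM mysql.user
WHERE user = '' OR (user = 'root' AND host <> 'localhost');
```

Keep the output of the final query with the audit evidence; an empty result is the state the "Only local mysql root is created" bullet describes.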

Page 13: Gazzang pci v1[1]

3 Protect stored data

Gazzang allows you to:
• Encrypt the entire database
• Encrypt individual tables
• Encrypt related files (log files)
• Control who can decrypt the data, beyond normal database and file system protections.
• Manage and secure keys

Page 14: Gazzang pci v1[1]

3 Protect stored data

The Auditor will
• Look at the entire data lifecycle related to Card Data, Authentication Data, Key Management Protecting Data, Verification Codes and much more.

You
• Will need to document, explain and show that process to the auditor.
– For Req 3, Sections 4, 5, and 6 are often the trickiest

Page 15: Gazzang pci v1[1]

3 Protect stored data

Gazzang ezNcrypt helps:
• Manage access control
– Only authorized users running authorized applications can decrypt cardholder data.
– 3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms

Page 16: Gazzang pci v1[1]

3 Protect stored data

Gazzang ezNcrypt helps:
• Secure key management procedures
– PCI 3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:
– PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
– 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys using ezNcrypt

Page 17: Gazzang pci v1[1]

4 Encrypt transmission of cardholder data across public networks

• You
– Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks
– Require SSL Connections in MySQL Access Control Settings for any “remote” User
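The second bullet, "Require SSL Connections in MySQL Access Control Settings for any remote User", is a concrete setting. The block below is an added example (not from the deck or Gazzang) of how that is expressed in MySQL 8.0: per-account TLS requirements, a server-wide backstop, and the two checks that show the requirement is actually in force. Account names, the host patterns, the certificate subject and the passwords are placeholders.

```sql
-- Added example (not from the deck or Gazzang): requiring TLS for every remote
-- MySQL account. MySQL 8.0 syntax; names, subnets and passwords are placeholders.

-- Application account: only from the app subnet, and only over TLS.
CREATE USER 'app_rw'@'10.20.30.%' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
  REQUIRE SSL;

-- Stronger: the client must present a certificate issued by the CA the server
-- trusts (mutual TLS). REQUIRE SUBJECT pins a specific client DN (hypothetical value).
CREATE USER 'batch_ro'@'10.20.40.%' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
  REQUIRE X509;
ALTER USER 'batch_ro'@'10.20.40.%'
  REQUIRE SUBJECT '/CN=batch.example.internal/O=ExampleCo';

-- Tighten an existing account without re-creating it.
ALTER USER 'legacy_app'@'10.20.30.%' REQUIRE SSL;

-- Server-wide backstop (MySQL 5.7.8+): refuse any TCP client that does not
-- negotiate TLS, whatever the per-account setting. Unix-socket connections are
-- local and unaffected.
SET PERSIST require_secure_transport = ON;

-- Check 1: remote accounts that still carry no TLS requirement.
-- ssl_type is '' (none), 'ANY' (REQUIRE SSL), 'X509' or 'SPECIFIED'.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
  AND ssl_type = '';

-- Check 2: from a client session, confirm the connection itself is encrypted.
-- An empty Ssl_cipher value means the session is plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Check 1 is the account-level evidence for this requirement; Check 2 run from each application host is the proof that the client libraries were configured to use TLS rather than silently falling back.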

Page 18: Gazzang pci v1[1]

4 Encrypt transmission of cardholder data across public networks

• Gazzang
– Cloud data storage in cloud systems sends data across the network to storage
– With ezNcrypt your critical data is encrypted before it moves into the physical file system
• All data from ezNcrypt is encrypted across the network or through other devices that could be monitored or tapped.

Page 19: Gazzang pci v1[1]

5 Use and regularly update anti-virus software

The Auditor will
• Verify that all OS types commonly affected by malicious software have anti-virus software implemented.

You
• Make sure AV is set up and deployed properly

Page 20: Gazzang pci v1[1]

6 Develop and maintain secure systems and applications

Gazzang
• Adding a new layer of security
• As-is the system is more secure
• You will be downloading the latest MySQL Version
• We will secure the configuration and protect the data and logs

Page 21: Gazzang pci v1[1]

7 Restrict access to data by business need-to-know

Gazzang
• Helps meet this by restricting access using encryption, key control, and application-only access controls
• Linux users can’t read the data – only MySQL

You
• Ensure that the cloud host allows customers to manage local server credentials themselves

Page 22: Gazzang pci v1[1]

8 Assign a unique ID to each person with computer access

You
• Need to manage your users
• Create a unique login for each user with access to the server
• Create unique accounts within MySQL and Linux
• Limit access to only what the account requires

The Auditor will
• Want reports on each of the systems
• Want to know who and what authentication methods
• Verify documentation on processes and procedures

Page 23: Gazzang pci v1[1]

8 Assign a unique ID to each person with computer access

8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.

You
• Ensure your cloud host provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs
– Two-factor - Requiring user/password and certificate
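Requirements 7 and 8 on the preceding slides come down to one named account per person, privileges granted by job function, and a report the auditor can read. The block below is an added example (not the deck's or Gazzang's code) of that pattern in MySQL 8.0 using roles: the schema, table, role and account names, the host patterns and the passwords are placeholders, and the two closing queries are the "reports on each of the systems" the slide says the auditor will want.

```sql
-- Added example (not the deck's or Gazzang's code): one account per person,
-- least-privilege roles, admin access pinned to localhost. MySQL 8.0; names,
-- hosts and passwords are placeholders.

-- Privilege bundles as roles, one per job function (Requirement 7).
CREATE ROLE 'r_card_app', 'r_report_ro', 'r_dba';
GRANT SELECT, INSERT, UPDATE ON payments.transactions TO 'r_card_app';
GRANT SELECT ON payments.daily_totals TO 'r_report_ro';   -- an aggregate view, not the card table
GRANT ALL PRIVILEGES ON payments.* TO 'r_dba';

-- One named account per human (Requirement 8); no shared "dba" login.
-- Expiry and lockout clauses need MySQL 8.0.19 or later.
CREATE USER 'jdoe'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
GRANT 'r_dba' TO 'jdoe'@'localhost';
SET DEFAULT ROLE 'r_dba' TO 'jdoe'@'localhost';

CREATE USER 'asmith'@'10.20.50.%' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
  REQUIRE SSL;
GRANT 'r_report_ro' TO 'asmith'@'10.20.50.%';
SET DEFAULT ROLE 'r_report_ro' TO 'asmith'@'10.20.50.%';

-- The application's own identity: the only account that reaches the card table.
CREATE USER 'card_app'@'10.20.30.%' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
  REQUIRE SSL;
GRANT 'r_card_app' TO 'card_app'@'10.20.30.%';
SET DEFAULT ROLE 'r_card_app' TO 'card_app'@'10.20.30.%';

-- Off-boarding is one statement; the grants leave with the account.
-- DROP USER 'jdoe'@'localhost';

-- Report 1: every account, how it authenticates, and which roles it holds.
SELECT u.user, u.host, u.plugin, u.ssl_type, u.password_expired,
       GROUP_CONCAT(CONCAT(re.from_user, '@', re.from_host)) AS roles
FROM mysql.user u
LEFT JOIN mysql.role_edges re
       ON re.to_user = u.user AND re.to_host = u.host
GROUP BY u.user, u.host, u.plugin, u.ssl_type, u.password_expired;

-- Report 2: accounts holding global privileges that no card-data role needs.
SELECT user, host
FROM mysql.user
WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';
```

Report 2 should list only the local administrative accounts; a service account or a reporting user appearing there is the finding an assessor writes up under Requirement 7.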

Page 24: Gazzang pci v1[1]

9 Restrict physical access to cardholder data

The 3 Gs – Guards, Guns, and Gates
• Access to physical equipment

You
• Ensure that your cloud host takes security measures to maintain integrity of hardware and facility.
– Certification
– Multiple forms of authentication to gain access

Page 25: Gazzang pci v1[1]

10 Track and monitor all access to network resources and cardholder data

You
• Will need to show the auditor that you have the process to collect, track, and monitor your environment
• Ensure that the cloud host tracks and monitors up to the customer's environment

The Auditor will
• Inspect all of the above
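The slide asks for a process to collect, track and monitor access but does not say what the database side of that looks like. The block below is an added example (not from the deck or Gazzang) using the general query log that ships with MySQL 5.7/8.0, written to a table so it can be queried, plus three review queries an assessor typically asks for. The schema and account names are placeholders. Two caveats a practitioner needs: the general log records every statement, so it costs throughput and on a busy server is usually replaced by MySQL Enterprise Audit or a third-party audit plugin (the review queries look the same against their tables); and because it captures statement text, it can contain the very card data being protected, so the log table and its backups are themselves in scope and belong under the "encrypt related files (log files)" bullet from Requirement 3.

```sql
-- Added example (not from the deck or Gazzang): Requirement 10 evidence from the
-- MySQL general query log written to a table. Names below are placeholders.

SET PERSIST log_output = 'TABLE';
SET PERSIST general_log = ON;
-- Failed connection attempts and access-denied errors go to the error log;
-- verbosity 3 keeps notes as well as warnings and errors.
SET PERSIST log_error_verbosity = 3;

-- Review 1: every remote connection, by account and source.
-- user_host looks like "name[name] @ host [ip]", so match on "@ localhost".
SELECT user_host,
       COUNT(*)        AS connections,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM mysql.general_log
WHERE command_type = 'Connect'
  AND user_host NOT LIKE '%@ localhost%'
GROUP BY user_host
ORDER BY connections DESC;

-- Review 2: anyone other than the application account touching the card table
-- (card_app and the table name are placeholders).
SELECT event_time, user_host, LEFT(argument, 120) AS statement_prefix
FROM mysql.general_log
WHERE command_type = 'Query'
  AND argument LIKE '%transactions%'
  AND user_host NOT LIKE 'card_app[%'
ORDER BY event_time;

-- Review 3: privilege and account changes, which assessors ask about specifically.
SELECT event_time, user_host, argument
FROM mysql.general_log
WHERE command_type = 'Query'
  AND (argument LIKE 'GRANT %'
    OR argument LIKE 'REVOKE %'
    OR argument LIKE 'CREATE USER %'
    OR argument LIKE 'ALTER USER %'
    OR argument LIKE 'DROP USER %')
ORDER BY event_time;

-- Rotation: the log table grows without bound, so swap it out on a schedule
-- and ship the renamed table to the central log store before dropping it.
SET GLOBAL general_log = OFF;
RENAME TABLE mysql.general_log TO mysql.general_log_backup;
CREATE TABLE mysql.general_log LIKE mysql.general_log_backup;
SET GLOBAL general_log = ON;
```

Run the three reviews on a schedule and keep their output with the rotation records; together they are the "process to collect, track, and monitor" the slide says you will have to show.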

Page 26: Gazzang pci v1[1]

11 Systems should be tested to ensure security is maintained over time and through changes

You
• Make sure the cloud host reviews and updates images regularly
• Maintain server images locally

Gazzang
• Starts from the cloud host image
• Protects MySQL's files – increasing your security level

Page 27: Gazzang pci v1[1]

12 Maintain an Information Security Policy

You
• Establish, publish, maintain, and disseminate a security policy

Auditors
• Will examine this information and see that it addresses all of the PCI requirements

Page 28: Gazzang pci v1[1]

Have your documentation ready

• Network Diagram
• PCI Policies and Standards
• Documentation
– Antivirus
– Internal/External Scans
– Logging and Monitoring
– Penetration Test Results
– System Configurations

Page 29: Gazzang pci v1[1]

Design a Secure System and Diagram your Credit Card Dataflow

[Dataflow diagram: Consumer, Web Site, Card Processing, Merchant Bank, Cardholder Bank]

Page 30: Gazzang pci v1[1]

Potential Components

• Load Balancers
• Cloud Servers
– Gazzang ezNcrypt for MySQL
• Dedicated Servers
– Include Gazzang ezNcrypt
• Hardware Firewalls

Page 31: Gazzang pci v1[1]

Conclusion

• There are many steps to PCI Compliance
• PCI provides the groundwork for broader security “best practices”
• Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution

Page 32: Gazzang pci v1[1]

Contact Information / Resources

White Paper - http://

More about Gazzang - www.gazzang.com

For more information - [email protected] - [email protected]