PCI DSS in Europe


8/13/2019 PCI DSS in Europe 1/14

    PCI DSS in Europe: An Overview

    Jonathan Care

     [email protected]

    COSAC 2010

    Overview

The Payment Card Industry Data Security Standard (PCI DSS) is about to enter iteration 2.0 and is increasingly being seen as a baseline for information security controls in business sectors that hitherto have seen little regulatory driver for control of information assets and threats. It is administered by the Payment Card Industry Security Standards Council (PCI SSC) [1]. The PCI DSS addresses operational risk issues faced by processors of payment card data and is shortly to enter a new iteration, PCI DSS 2.0.

Who's who in the PCI world

Payment Card

Simply put, this is the card issued to the consumer. A payment card under the scope of PCI DSS can be a debit or credit card, and will be branded by the card schemes that oversee the PCI SSC. Some payment cards are issued under schemes that are not governed by the PCI SSC, such as Laser Cards in Ireland and several in Eastern Europe; these are not governed by the PCI DSS. "Store" credit cards without a payment card industry brand are not in scope of the PCI DSS.

Payment Card Industry

The Payment Card Industry is defined as the card schemes that govern the PCI SSC. These are:

• VISA Inc. and its regional associates. In particular VISA Europe, part owned by Visa Inc. and a consortium of member banks.

• Mastercard

• American Express

• Discover

• JCB

These brands combine strategy on payment card security, although there have been occasional differences in risk acceptance levels.

Acquiring Bank

The Acquiring Bank is the one that is responsible for clearing the payment made by a consumer into the merchant organisation's bank account. Acquirers are considered to be ultimately liable for the payment security and compliance of the merchants under their care. Fines for non-compliance and breach are levied by the Payment Card Industry member brands on the acquiring bank, who then may in turn issue fines to their merchant organisations.

[1] See http://www.pcisecuritystandards.org

PCI DSS in Europe COSAC 2010 1


Issuing Bank

An Issuing Bank is one that creates and issues a consumer with a payment card industry branded payment card. Typically these are issued to customers with an existing banking relationship with the Issuer; however there are banking organisations that focus exclusively on the issuing of payment cards, offering no other facilities. It is perhaps worth noting that American Express act as an issuer directly, which Visa and Mastercard do not.

Merchant

The merchant is defined as the receiving party in a payment card transaction. Merchants can typically be traditional retailers receiving payments in person, by mail order/telephone order (MOTO), or via an e-commerce channel. In addition, merchants can include government organisations such as the Driver and Vehicle Licensing Agency (DVLA), charitable organisations such as Cancer Research, and indeed any organisation that takes payment cards in settlement is considered a merchant under the terms of PCI DSS.

For the purposes of PCI DSS, merchants are categorised into risk levels, primarily dependent on the number of card transactions processed regardless of value, although the sector (e.g. gaming, money services) and indeed the opinion of the payment card industry will play a factor. Merchants who have suffered a breach are normally categorised at the highest level of risk. It is the responsibility of the acquiring bank to determine the merchant level, although QSAs are commonly asked to verify it.

While the various payment brands occasionally differ over the number of transactions required to make it into a particular risk category, the reporting requirements are pretty constant. If you are categorised as a Level 1 merchant (typically over 6 million transactions a year) then an onsite assessment from a QSA is required, together with quarterly scans from an ASV. Level 2 and 3 merchants must complete an annual self-assessment questionnaire, and provide quarterly ASV scans. Level 4 merchants, the lowest risk category (as defined by number of transactions), must complete their SAQ and

Service Provider

A service provider is an organisation that stores, processes or transmits cardholder data on behalf of another organisation (either a merchant or another service provider). Service providers either work as an intermediary between the merchant and the acquiring bank, or else will provide a service to the merchant that is not visible to the acquiring bank.

Participating Organisations

Participating Organisations are ones which pay a fee to the PCI SSC in order to provide input and shape to the evolving PCI Standards. Typical participating organisations include software vendors, large merchants, and some banks.

Qualified Security Assessors

Qualified Security Assessor companies (QSACs) are instructed to provide guidance and assessment of compliance with the PCI DSS. In addition, some QSACs are accredited to assess payment software applications under the Payment Application Data Security Standard (PA-DSS).

Approved Scanning Vendors

Approved Scanning Vendors are accredited to perform vulnerability scans of merchant and service provider infrastructure in order to meet compliance with PCI DSS. It is increasingly common to find QSACs offering this as a service, which hitherto had been provided by specialist penetration testing service providers.

What's the standard all about?

The PCI DSS is made up of twelve requirements, each with sub-requirements totalling over 200 control points in all. These requirements are sectioned as follows:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

On the face of it, this requirement would seem simple. Install a stateful firewall, and compliance would seem assured. In fact, several controls are mentioned in requirement 1 that can expose procedural flaws in the organisation, such as:

• Regular reviews of all firewall and router configurations and rulesets.

• Documented business justification for all open rulesets.

• Up-to-date network diagrams showing the flow of cardholder data throughout the network.

• Ensuring a well-defined DMZ, and removing cardholder data from DMZ repositories.

• Ensuring change control is in place for all firewall and router configuration changes.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

It is a well known fact that any attacker (whether software or human) will try to attack using passwords installed by the vendor as a default (for example, the "sa" account for MS SQL). In an attempt to prompt a move away from these vulnerabilities, lists are published on the internet by security researchers [2]. It is a sobering thought that compromises can be so easily accomplished simply using an automated tool which attempts to gain access to a critical system using manufacturer's defaults. PCI DSS points this out by emphasising that default accounts, passwords and any other security controls for any device carrying cardholder data must be changed.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

In many ways, requirement 3 can be seen as the heart of the PCI DSS, in that it is concerned with the protection of stored cardholder data. One excellent way of reducing the scope of PCI DSS on the organisation is to take a long hard look at the cardholder data stored and ask the honest question "Do you need this information, and how would you do your job if it went away?". One of the hallmarks of an effective QSA is that they will work with the organisation to reduce the amount of cardholder data stored before engaging in costly and complex preventative measures. Frequently seen breaches are caused by repositories of cardholder data that are not robustly protected.

It is worth considering at this point what constitutes cardholder data under the terms of the PCI DSS.

Two classes of cardholder data exist, Protected Storage Data and Sensitive Authentication Data (SAD). We will consider protected storage data first.

[2] See http://cirt.net/passwords as an example.

Firstly, there is the primary account number (PAN). This is the long number found on any payment card. The first six digits are the Bank Identification Number (BIN), and together with the other digits form a unique identifier that can be validated using the Luhn Formula [3]. Luhn is not intended to be cryptographically secure, has been placed in the public domain and is intended to protect against accidental errors in transposition, not malicious attacks.

When stored with the PAN, the following are also considered cardholder data:

• Cardholder Name

• Expiration Date

• Service Code (found on the magnetic strip, and indicates the acceptance requirements and limitations for the card)

Sensitive Authentication Data consists of security-related information on the card, and includes:

• Card Verification Codes/Values

• Magnetic card track data

• PINs

• PIN Blocks

SAD must not be stored for any reason whatsoever once an authorisation code has been received for the transaction. Typically, unless payment terminals or POS systems are in a debug mode, these details will not be stored. However, since the CVC/CVV is used during a customer-not-present transaction to verify that the card is in the possession of the customer, it is typically given over the phone to a customer service representative, or entered into a website at point of payment. This fragile 3 digit authentication token is typically one of the key pain points, especially when one considers that many call centres will record their calls, which directly violates the requirement not to store SAD.

There are many ways to ensure the security of protected storage data, including:

• Encryption: ensuring that the cardholder data is stored inside a data repository using strong encryption methods such as AES or 3DES, and that the keys are protected using good practice key management processes. It seems apparent however that this approach moves the issue of storing one sensitive data set which the end user organisation struggles with to... storing another sensitive data set (which the end user organisation then struggles with) [4]

[3] http://en.wikipedia.org/wiki/Luhn_algorithm
[4] ISO 115

• Hashing: using a strong cryptographic algorithm to ensure a one-way translation between the cardholder data and an identifier.

• Truncation: removing digits from the cardholder data PAN. Up to the first six and last four digits may be retained, leading to the term "". This option is simple for most merchants and greatly reduces the scope of PCI DSS, as "43XXXXXX4312" [5] is in actuality no longer cardholder data. This method can meet resistance from internal fraud and finance officers who are used to having the entire card number. At time of writing, no precedent has been established in Europe whether the identifier together with a transaction ID does uniquely identify a transaction.

• Index tokens and pads: many vendors are now offering a tokenisation service where the vendor undertakes to manage the storage of cardholder data, and provides the merchant with a token index to manipulate. Architecturally, this is a non-trivial service, as it must give extremely fast response times, great reliability, and must integrate with the existing enterprise architecture.

• Masking: subtly different to truncation, in that the change is to the displayed data. This is actually covered in requirement 3.3, the intent of which is to avert the risk of cardholder data being disclosed to those without a need-to-know. However, effective use of masking does not remove the requirement for safe cardholder storage.
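The PAN handling described above (Luhn validation, truncation to first six/last four, display masking, a one-way identifier) is shown below as an added example; it is not code from this paper or from the PCI SSC. The `find_pans` scanner goes a little beyond the text: it applies the Luhn check to digit runs in free text, which is how a defender checks that a log file or call-centre transcript does not hold cardholder data. The card number `4111111111111111` is a constructed test value, the HMAC key is an assumption, and the 12 to 19 digit PAN length range is taken from ISO/IEC 7812, not from the paper.

```python
"""PAN handling helpers: Luhn check, truncation, masking, keyed one-way
identifier, and a scan for PAN-like strings in text.
Added example, not code from the COSAC paper. Sample values are constructed."""
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check on a PAN of 12 to 19 digits.

    As the paper notes, this catches typing and transposition errors only;
    it is not a security control.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def bank_identification_number(pan: str) -> str:
    """The first six digits of the PAN (the BIN)."""
    return re.sub(r"\D", "", pan)[:6]


def truncate_pan(pan: str) -> str:
    """Retain the first six and last four digits; the middle is replaced.
    The stored result is no longer cardholder data."""
    d = re.sub(r"\D", "", pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def mask_for_display(pan: str) -> str:
    """Requirement 3.3 style masking for a screen or till receipt: only the
    last four digits are shown. The stored value is unchanged."""
    d = re.sub(r"\D", "", pan)
    return "*" * (len(d) - 4) + d[-4:]


def pan_identifier(pan: str, key: bytes) -> str:
    """One-way identifier for a PAN: HMAC-SHA256 under a secret key.

    An unkeyed hash is a poor choice here: with the BIN known, the remaining
    digits are few enough to enumerate, so the key has to be protected like
    an encryption key (which is the paper's point about moving the problem).
    """
    d = re.sub(r"\D", "", pan)
    return hmac.new(key, d.encode(), hashlib.sha256).hexdigest()


# 12 to 19 digits, optionally separated by spaces or hyphens, not inside a
# longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN-like strings found in free text, e.g. a log file
    or call recording transcript that must not contain cardholder data."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        candidate = re.sub(r"\D", "", m.group())
        if luhn_valid(candidate):
            found.append(candidate)
    return found
```

Truncation and masking look alike on screen but differ in what is at rest: `truncate_pan` changes the stored value and takes it out of scope, whereas `mask_for_display` leaves a full PAN in storage that still needs requirement 3 protection.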

Requirement 3 is usually a source of great concern for merchants. The PCI SSC have taken the problem of data classification out of the hands of security architects in end-user organisations, and have not only classified the information they consider critical, but also laid down requirements for the usage of that information.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

The other side of the store-and-forward coin is of course the transmission of cardholder data, which is covered in requirement 4. In essence, whenever cardholder data is sent over a network not in the control of the merchant (or service provider) it must be protected using strong encryption. Since the merchant's internal retail network can normally be considered private by definition, the requirement extends only to networks such as the internet.

Requirement 4 does contain mandates regarding wireless. It prohibits weak encryption, especially when deployed in wireless networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

One would not expect this to be a challenge, as commercially available solutions normally cover this in entirety, and the various control sub-requirements can easily be activated in most enterprise anti-virus packages.

However, right at the end is a requirement to ensure that centralised logging is in place as per the specifications of Requirement 10. This can up-tilt the otherwise clean bill of health that many organisations expect to achieve in this area.

• Keys formed from passphrases or using a non-secure PRNG (violates d)

• Keys used directly by PC applications (violates a)

(Grateful thanks to the PCI Community at pcianswers.com for this input)

[5] Not my credit card number.

Requirement 6: Develop and maintain secure systems and applications

Upon encountering requirement

management [8].

VISA Inc. has implemented a set of mandates for payment application security with deadlines as follows [9]:

Phase | Compliance Mandate | Effective Date
1 | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/08
2 | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant | 7/1/08
3 | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08
4 | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09
5 | Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications | 07/01/10

* In-house use only developed applications & stand-alone POS hardware terminals are not applicable
** VisaNet Processors (VNPs) and agents must decertify vulnerable payment applications within 12 months of identification

Of note is the last point. PA-DSS now has some edge to it, and if deploying a new payment application, it must be PA-DSS compliant. Existing applications will require an upgrade plan to move to a compliant version. I have seen many application vendors who see this as an opportunity to extract large upgrade fees from their customers. Since PA-DSS compliance is a requirement for the product to be of merchantable quality, then there is the opportunity to review vendor quality should this occur.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Fairly simply, and in alignment with the PCI SSC taking the step of classifying what cardholder data is and why it is important, is the need-to-know restriction. It is a key principle of security that sensitive assets should remain confidential, and that there should be a way of controlling who can have access to them, whether that be read, write, or some combination.

Again, this seemingly simple requirement can land an organisation in hot water. Most directory-based authorisation systems can be set up to control and limit access; however, when one looks at application permissions, it may be difficult to ensure that the application designers follow the access control rulesets set out by the architects. Even more important, software bugs can allow a determined attacker to elevate privilege and break the designed access control limitations. [10]

The choices seem to be to progress down the road of full-fledged identity and access management solutions, or entrust each application with the responsibility of authorising users. The complexity of IAM appears to scale geometrically dependent on the number of applications and users relying upon it, and the reliability requirements are high.

[8] More ways to worry your QSA: tell them that no one really knows how to configure a WAF as the one guy that did was downsized months ago.

[9] See http://visa.com/pabp for more details and related information.

[10] A while back I performed a penetration test of an oil exploration database with a well designed hierarchical authorisation system based on business rules and role within the company. However a little traffic sniffing followed by knocking on the door of the database and using some manufacturer's default credentials led me around the authorisation system, and into the data. Although this is not PCI DSS, it's an example of how the simple controls in this standard can really uplift an organisation's security maturity.

Requirement 8: Assign a unique ID to each person with computer access

Along with the requirement to establish need-to-know, software quality, and effective monitoring and logging (in requirement 10, yet to come) we have to be able to establish who performed an action. This means establishing everyone with their own ID, and being able to track activities back to the original user, including "admin", "root", or DBA privileged actions.

PCI DSS goes into some detail about how to make a password secure, including expiry, password history, and complexity. Most organisations are pretty aware of this and can meet or exceed these requirements (although bear in mind that your applications performing their own authentication must support this as well).
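As an added example (not code from the paper), here is the kind of check an application that performs its own authentication would need in order to enforce the expiry, history and complexity controls the paragraph mentions. The numeric limits (7 characters, letters and digits, 90 days, last four passwords) are the values of PCI DSS v1.2 requirements 8.5.9 to 8.5.12 as I know them, not figures given in this paper; the PBKDF2 iteration count and the sample passwords are assumptions.

```python
"""Password policy checks for an application doing its own authentication:
complexity, history (stored one-way, salted) and expiry.
Added example, not code from the COSAC paper; limits are from PCI DSS v1.2
req. 8.5.9-8.5.12 as recalled by the editor, not from the paper."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 7        # 8.5.10: minimum password length
MAX_AGE_DAYS = 90     # 8.5.9: change at least every 90 days
HISTORY_DEPTH = 4     # 8.5.12: not the same as any of the last four
SALT_LEN = 16
ITERATIONS = 50_000   # assumed work factor


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, returned as salt || digest, so the history
    holds one-way values rather than the old passwords themselves."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def matches(password: str, stored: bytes) -> bool:
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(stored, hash_password(password, salt))


def complexity_violations(password: str) -> list:
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    if not any(c.isalpha() for c in password):
        problems.append("no-letter")
    if not any(c.isdigit() for c in password):
        problems.append("no-digit")
    return problems


def check_new_password(candidate: str, history: list) -> list:
    """Policy violations for a proposed password. `history` holds the user's
    previous password hashes, most recent first."""
    problems = complexity_violations(candidate)
    if any(matches(candidate, h) for h in history[:HISTORY_DEPTH]):
        problems.append("reused")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def rotate(history: list, new_password: str) -> list:
    """Record a successful change; only HISTORY_DEPTH entries are kept."""
    return [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]
```

The history list is the part most home-grown authentication code gets wrong: storing the last four passwords in clear text to compare against defeats the purpose, so each entry is a salted one-way hash and the comparison is done by re-hashing the candidate.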

Where the complexity can lie is the "unique" requirement. I work with many clients who for the best of reasons have set up generic or shared accounts: hotel front desks, finance operations, retail staff. PCI DSS explicitly forbids these types of accounts for user access.

Requirement 9: Restrict physical access to cardholder data

Most retailers are all too familiar with the risks of physical security: the case of whisky that disappears out of the back door, expensive small items such as razor heads that escape in the pockets of dishonest staff and customers, and of course the risks that come with handling any amount of cash. The change again comes with the fact that cardholder data has a value to the attacker, and so must be protected. I've seen breaches happen to companies of various sizes because a printout containing cardholder data is left around, and then swiped by an unscrupulous person, which in the past has included security guards and cleaners as well as disaffected staff.

Let's also pay attention to merchant till receipts. As most of us know, when we get our receipt from the checkout the card number on the copy we get is truncated: typically the last 4 digits only are displayed. However, most merchant receipts contain the full PAN on display. Given that Gartner have estimated the cost of breach recovery at approximately 300 per item of cardholder data lost (as opposed to 19 to protect it), each of those merchant receipts can be thought of as a potential cheque made payable to the attacker and drawn on the account of the careless organisation.

One of the odd effects of QSAs can come into play especially in this section. QSAs tend to have their preferences for particular controls based on their career experience, and I recall meeting a new client who were frantically spending thousands on high-specification shredders that turned cardholder receipts into paper dust. Section 9 states that materials should be cross-cut shredded, incinerated or pulped so that they cannot be reconstructed. It's important that your QSA gives you advice that is neither under the compliance standard nor over it, but exactly bang on what is required for compliance. Best practices that exceed that requirement can of course be suggested; however, make sure you understand whether something is necessary or a best practice.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

One of the realities is that PCI compliance does not assure invulnerability from a breach. Nor is it perfect security. PCI DSS is intended as a baseline, aimed at a very broad audience: think of all the different retailers that are out there, from corner shops to global mega-markets, and not forgetting all the banks, payment providers, and other service providers that are also under the scope of the standard.

So when a breach occurs, the banks ask the merchant to instruct an independent "Qualified Forensic Investigator" to understand what cardholder data has been lost, what is at risk, how it happened, and of course the PCI compliance status of the breached organisation at the time of the breach [11]. One of the key tools that investigators need is to see clear audit trails, which is the purpose of requirement 10: to specify what good logging is, and how to protect the audit trails against tampering. It also specifies that PCI DSS compliant organisations should have a daily practice of reviewing the logs (which can be done by having an automated process produce an exception report which humans look at). A number of companies sell COTS logging systems, but the design of a really good centralised security incident event management (SIEM) system is one that I always enjoy, as it involves integration, process analysis, incident response, and thorough network security reviews in order to make it fly.

Architecturally, SIEM should allow you to achieve the following:

• Identify which log sources and automated tools you can use during the analysis.

• Copy log records to a single location where you will be able to review them.

• Minimise "noise" by removing routine, repetitive log entries from view after confirming that they are benign.

• Determine whether you can rely on logs' time stamps; consider time zone differences.

• Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.

• Go backwards in time from now to reconstruct actions after and before the incident.

• Correlate activities across different logs to get a comprehensive picture.

• Develop theories about what occurred; explore logs to confirm or disprove them.

When selecting your SIEM make sure that it can pick up the following:

• Server and workstation operating system logs

• Application logs (e.g., web server, database server)

• Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)

• Outbound proxy logs and end-user application logs

Also, remember to consider other, non-log sources for security events.
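The daily "exception report which humans look at" and the architectural points above (one location, noise removal, time zone normalisation, correlation across sources) are shown below as an added example; it is not code from the paper nor from any SIEM product. The log lines, host names, the `203.0.113.7` source address (a documentation range) and the assumed cardholder-data path `/var/lib/pos/` are all constructed. The sources deliberately log in different UTC offsets so that the ordering only comes out right once timestamps are normalised.

```python
"""Small exception-report generator of the kind requirement 10 calls for:
normalise timestamps to UTC, drop benign noise, correlate across sources and
flag what a daily reviewer should see.
Added example, not code from the COSAC paper; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: sshd, firewall and sudo on several hosts, mixed offsets.
SAMPLE_LOGS = [
    "2010-11-02T08:00:01+00:00 posdb01 sshd: Accepted password for appsvc from 10.1.5.20",
    "2010-11-02T09:00:00+01:00 posdb01 CRON: (root) CMD (run-parts /etc/cron.hourly)",
    "2010-11-02T09:05:10+01:00 posdb01 sshd: Failed password for root from 203.0.113.7",
    "2010-11-02T09:05:40+01:00 posdb01 sshd: Failed password for root from 203.0.113.7",
    "2010-11-02T09:06:05+01:00 posdb01 sshd: Failed password for root from 203.0.113.7",
    "2010-11-02T08:07:30+00:00 fw01 kernel: ACCEPT IN=eth1 SRC=203.0.113.7 DST=10.1.5.11 DPT=22",
    "2010-11-02T08:09:00+00:00 posdb01 sudo: jsmith : TTY=pts/0 ; USER=root ; COMMAND=/bin/cat /var/lib/pos/cards.db",
    "2010-11-02T08:10:00+00:00 web01 healthcheck: GET /ping 200",
    "2010-11-02T03:12:00-05:00 posdb01 sshd: Accepted password for root from 203.0.113.7",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")
NOISE = [re.compile(p) for p in (r"\bCRON\b", r"\bhealthcheck\b")]  # confirmed benign
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
CHD_PATH = "/var/lib/pos/"  # assumed location of the cardholder-data store


def parse(lines):
    """Parse lines and convert each timestamp to UTC so that sources logging
    in different time zones sort into one timeline."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append({"ts": ts, "host": m["host"], "msg": m["msg"]})
    events.sort(key=lambda e: e["ts"])
    return events


def drop_noise(events):
    return [e for e in events if not any(p.search(e["msg"]) for p in NOISE)]


def exception_report(lines, burst=3, window=timedelta(minutes=5)):
    """Findings a human reviewer should see, in timeline order."""
    events = drop_noise(parse(lines))
    failures = defaultdict(list)  # (host, user, src) -> failure times
    reported = set()
    findings = []
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            key = (e["host"], m["user"], m["src"])
            failures[key].append(e["ts"])
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= burst and key not in reported:
                reported.add(key)
                findings.append({"ts": e["ts"], "type": "auth-burst", "host": e["host"],
                                 "user": m["user"], "src": m["src"], "count": len(recent)})
            continue
        m = ACCEPT_RE.search(e["msg"])
        if m:
            key = (e["host"], m["user"], m["src"])
            if failures.get(key):  # correlation: success following failures
                findings.append({"ts": e["ts"], "type": "success-after-failures",
                                 "host": e["host"], "user": m["user"], "src": m["src"]})
            elif m["user"] == "root":
                findings.append({"ts": e["ts"], "type": "privileged-login",
                                 "host": e["host"], "user": m["user"], "src": m["src"]})
            continue
        m = SUDO_RE.search(e["msg"])
        if m and CHD_PATH in m["cmd"]:  # privileged access to cardholder data
            findings.append({"ts": e["ts"], "type": "chd-access", "host": e["host"],
                             "user": m["user"], "cmd": m["cmd"]})
    return findings
```

The last sample line is stamped `03:12:00-05:00`; sorted lexically it would appear first, sorted in UTC it lands at 08:12 after the failures, which is what turns a single successful login into a "success after failures" finding rather than an unremarkable one.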

SIEM is based on the ability to correlate events from multiple sources and build a timeline of activity for use in an incident response investigation. Research organisations such as Gartner classify SIEM technologies and provide the usual "Magic Quadrant" of who's who. Open Source solutions exist, including OSSEC and OSSIM.

Requirement 11: Regularly test security systems and processes

Because threat landscapes change over time, the PCI DSS requires that regular security testing of infrastructure and applications is carried out by suitably qualified professionals. This includes:

1. Internal and external vulnerability scans of the network. Scanning is a semi-automated activity that is designed to act as an early warning to the security administrator. A good scan will detect missing patches, vendor default passwords, and weak configuration settings that could be exploited by an attacker. External scans must be performed by a PCI SSC accredited approved scanning vendor as described previously. Internal scans can be carried out by an internal employee who is "suitably qualified": in other words, someone who can configure and run the scans appropriately, and can then analyse the results and recommend changes.

[11] The PCI SSC state that no breached organisation has been compliant at the time of breach. From my experience as a QFI this is true, however there's always a catch. Organisations who haven't implemented PCI DSS as business-as-usual tend to find that they drift off signal once compliant, but I've personally investigated breaches where the QSA has left site within days: how is that possible?

2. Perform application and network layer penetration tests at least yearly, and after a significant change in the cardholder data environment. In the words of the advert: Just Do It. Good quality penetration tests are a keystone of effectively measuring where your security threats lie, and how your security architecture responds to and mitigates those threats. Penetration testing complements vulnerability scanning and does not replace it, and vice versa.

3. File integrity monitoring on critical system components. The purpose of this requirement is to ensure that if someone changes an important file that's not supposed to change, that's a big red flag as far as security is concerned. For example, WINLOGON.EXE should never change apart from approved patch updates from the manufacturer. If it does change, that's probably a sign that an attacker has modified it, and in this particular case is looking for usernames and passwords to capture.
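File integrity monitoring as just described, with the "approved patch" exception the paragraph makes for vendor updates, is shown below as an added example; it is not code from the paper or from any FIM product. The file tree, its contents and the names (`winlogon.exe` is reused from the paragraph, the others are made up) are constructed in a temporary directory so the demonstration runs offline.

```python
"""File integrity monitoring: hash a baseline of critical files, re-hash
later, and report anything that changed outside an approved patch.
Added example, not code from the COSAC paper; the file tree is constructed."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare(baseline: dict, current: dict, approved: dict = None) -> dict:
    """Diff two snapshots. `approved` maps a path to the digest an authorised
    change (e.g. a vendor patch) is expected to produce; those are listed
    separately instead of being raised as alerts."""
    approved = approved or {}
    report = {"changed": [], "approved": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report["removed"].append(path)
        elif path not in baseline:
            report["added"].append(path)
        elif baseline[path] != current[path]:
            if approved.get(path) == current[path]:
                report["approved"].append(path)
            else:
                report["changed"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: one unapproved modification, one approved patch,
    one unexpected new file and one deleted file."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/winlogon.exe", b"vendor build 1")
        write("bin/libcrypto.so", b"crypto 1.0")
        write("etc/pos.conf", b"terminal=1")
        baseline = build_baseline(root)

        write("bin/winlogon.exe", b"vendor build 1 plus unexpected bytes")  # not approved
        write("bin/libcrypto.so", b"crypto 1.1")                             # vendor patch
        write("bin/unknown.dll", b"file nobody deployed")
        os.remove(os.path.join(root, "etc/pos.conf"))
        approved = {"bin/libcrypto.so": hashlib.sha256(b"crypto 1.1").hexdigest()}
        return compare(baseline, build_baseline(root), approved)
```

Two things matter for the check to mean anything: the baseline itself must live somewhere the monitored host cannot rewrite (otherwise an attacker who changes the file also updates its hash), and the approved list should carry the expected digest of the patched file, not just its name, so "a patch was scheduled" does not become a blanket exemption.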

4. Quarterly wireless scanning at every location to identify all wireless devices. It's fair to say that this requirement is the one that causes the most consternation and confusion among people I speak to. Usually the source of frustration is based on difficulty in understanding how hazardous a rogue wireless access point can be, and how easy it can be for a disgruntled insider to set one up. Wireless networking requires care and vigilance to manage properly, and should never be connected to the core cardholder data environment. Several notable breaches have occurred where attackers have penetrated a wireless LAN set up in a store and, from the safety of a nearby location, have gone over the entire network. Oftentimes, these wireless networks are set up by well meaning store managers to fix a short term problem, for example, needing a concession stand out in the mall centre, or to save running cabling through a wall. It's important to realise that one can use wireless LANs to connect payment terminals; several vendors offer this as a solution to merchants, especially those in the hospitality industry. The way to make this work is to treat the wireless segment as an untrusted network, and therefore to overlay encryption between the payment point and the central server. Payment service provider solutions offer this now (mostly) and will undertake the task of key management, removing this burden from the merchant.

Testing can cover requirements in section 6 (specifically section

• Verifying previous 2 employment references;

• Credit Search;

• County Court Judgement Search;

• Insolvency Search;

• Bankruptcy Search

which should satisfy the requirements of PCI DSS.

Misconceptions around PCI DSS

1. PCI DSS doesn't apply to us!

It does. If you store, process or transmit payment cards, it applies to your business.

2. PCI DSS is confusing and non-specific!

PCI DSS is very specific on what controls must be put in place, what processes must be implemented, and what documentation is required. Furthermore it classifies the information that is relevant to PCI DSS compliance, and defines the applicability.

3. PCI DSS is too hard!

PCI DSS is complex, and a lot of organisations find that the number of changes required involve resistance. However each step is relatively simple, and for an organisation that has looked at a mature security model such as ISO 27001 there will be very few surprises.

4. PCI DSS is irrelevant: just look at all those breaches!

No breached organisation was compliant at time of breach. One of the things that has come to bite organisations who are extremely cost focused is that the lowest-cost advice is not necessarily the best. If your QSA tells you they can audit your organisation in a few days, then tread carefully.

5. PCI DSS is achievable with a scan, and this bright box from my favourite vendor!

Most organisations are deluged by vendors promising to take PCI DSS away. In reality, if you are a merchant you cannot remove yourself from PCI DSS. Anyone who tells you otherwise is selling snake oil. Scans are only useful if you act on the results, fix the problems, and then embed this practice into the way you run your IT systems.

6. PCI DSS is security!

Sadly not. PCI DSS is baseline compliance for prevention of retail fraud. It doesn't protect against:

• Your secret recipe being stolen. (In one penetration test, I found that the server with the secret sauce recipe was wide open, but the payment channel was encrypted securely).

• Unscrupulous persons stealing money, stock, and other items.

• Non-PCI DSS data leaking out. PCI DSS doesn't care if your loyalty card customer details get published. You might

7. PCI DSS: if I get breached, it's the bank's problem!

The operating contract that merchants sign with their bank includes a liability acceptance and loss waiver that means any losses due to a breach in your payment security are down to you. I have had organisations protest this even when I am on site investigating a breach.

    Comensating control 5u#5itsu

    Ju7jtsu s 'no(n as ,the gentle art- or e%en ,the art o$ com&lance- de&endng on the translaton.One o$ the rs'7#ased $actors n PCI DSS s (hen t s m&oss#le to meet a &artcular com&lancere4urement. A com&ensatng control must

    • meet the ntent and rgor o$ the orgnal PCI DSS re4urement

    •  &ro%de a smlar le%el o$ de$ense as the orgnal PCI DSS re4urement

    •  #e ,a#o%e and #eyond- other PCI DSS re4urements

    •  #e commensurate (th the addtonal rs' m&osed #y not adherng to the PCI DSS

    re4urement

    Ths means that com&ensatng controls are not a get7out clause that allo(s an organsaton to e%adePCI DSS. 9ather) a com&ensatng control s l'ely to #e more e&ens%e n the long term) andre4ures regular re%e(s) and s used (here there s a legtmate #usness or techncal constrant 12.

    Com&ensatng controls must #e a&&ro%ed $rst #y the :SA and ultmately #y the ac4urng #an'. It5srare that a com&ensatng control (ll yeld lo(er cost and e$$ort than actually meetng thecom&lance re4urement n the $rst &lace) there$ore ts a msta'e to see them as a alternat%e tocom&lance.

    One o$ the ,eroth7*a(- &onts around com&ensatng controls s at the start o$ a PCI &rogramme)ta'e an n%entory o$ eactly (hat cardholder data you ha%e. $hen get rid of as much of it as

     !ossi%le. A ro#ust remo%al &roject to mnmse the cardholder data held (thn the organsaton candramatcally reduce the costs o$ PCI DSS com&lance. any merchants are turnng to &aymentser%ce &ro%ders n an attem&t to get cardholder data out o$ ther net(or') ado&tng to'ensaton o$cardholder data and ho&e$ully remo%ng nternal POS and &ayment systems $rom sco&e.

    6reaches

    A #reach ha&&ens (hen cardholder data s lost $rom the merchant. One o$ the m&ortant &ontsa#out ensurng that the agreement #et(een merchant and ser%ce &ro%der contans an assgnment o$la#lty s that other(se the merchant (ll $nd that the #uc' lterally sto&s (th them (hen a

     #reach occurs.

    ;hen a #reach s dsco%ered #y the card #rands through ther $raud systems) the ac4urng #an' snot$ed o$ a &otental common &ont o$ &urchase !CPP" orgnatng merchant. The ac4urer (llthen communcate (th the merchant) and ad%se them o$ the ssue.

    The d$$erent card #rands currently ha%e %aryng res&onse &rogrammes) ho(e%er n 2011 ths &rocess (ll come under the go%ernance o$ the PCI SSC. It s l'ely to ta'e on the name used #y/ISA +uro&e) the &ualified Forensic Investigator ) !:6I". :6Is are nstructed to &ro%de a re&ort to

    the card #rands on (hat data has #een lost) (hat data s at rs') the method o$ the #reach) and thePCI com&lance status at tme o$ #reach. PCI com&lant organsatons 4ual$y $or ,Sa$e Bar#or-1=) nother (ords) are not la#le $or $nes. It s at ths &ont that the la#ltes assumed #y the :SA $oraccredtng the com&lant organsaton come nto &lay

    One &ont o$ contenton on the :6I n%ol%ement s that the re&ort ssued #y the :6I s sent to thecard #rands as (ell as the #reached organsaton. The #reached organsaton s la#le $or the :6I5scosts and ths can $re4uently #rng much heated dscusson n a stuaton that s already $raught.

    Costs o$ a #reach can #e consdera#le) and can dr%e an organsaton nto #an'ru&tcy.

    3y an o%er(helmng $actor) most #reaches occur n small merchants !le%el = and >" and the

    commonest #reach channel s through the (e#.

    12 ot ,I don5t (ant to-1= Bo&e$ully ,Sa$e Bar#our- n euro&e

    PCI DSS n +uro&e COSAC 2010 12

  • 8/13/2019 PCI DSS in Europe

    13/14

MasterCard Specific Sites

http://www.mastercard.com/us/merchant/support/rules.html

From the link above, click on the link to the document entitled Security Rules and Procedures, Merchant Edition. Section 10.3 deals with account data compromise events.

Visa U.S.A. Specific Sites

(Excerpted from Visa U.S.A. Cardholder Information Security Program (CISP), What To Do If Compromised, 12/2008)

http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

Discover Card Specific Sites

http://www.discovernetwork.com/fraudsecurity/databreach.html

American Express Specific Sites

https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=merchinfo&ln=en&frm=US&tabbed=breach&intsearchct=33f077fdbc00

What to expect from the QSA

The role of the QSA is to assess the organisation for compliance with the PCI DSS. Frequently QSAs are asked to give advice to organisations on what is required to achieve compliance and other related information security topics. Putting it charitably, the quality of advice given by QSA companies is variable. Common concerns expressed include:

• Lack of ability to translate technical vulnerabilities to business risk

• Lack of experience in assessment

• Individual QSAs over-emphasising favourite technical measures which do not strictly meet the compliance requirements

• QSAs not providing on-site assessments, instead using mostly client-provided assertions and remote interviews.

It's important that when a QSA gives advice, they are operating from a position of knowledge not only in the information security domain, but also in what will work for the client.

You should expect your QSA to be able to interpret the PCI DSS and explain its applicability to your organisation. Also, you should expect your QSA to be ready to interface with your bank and participate in the update process to ensure your bank understands and supports your progress toward compliance. In addition to domain expertise in the various sections of the standard, your QSA should be able to assist you in structuring the remediation programme and moving from the "break-fix" cycle into operational support and maintenance mode.

Conclusion

PCI DSS 2.0 is on the horizon. Although the PCI SSC is keeping its cards close to its chest, a statement has been made that this new iteration of the standard will be evolutionary, and seek to build acceptance and clarify uncertainty within organisations.

We can expect to see the following changes:

1. Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.

2. Apply a risk based approach for addressing vulnerabilities.

3. Merge requirement