TechTarget Security Media Group: Technical Guide on PCI (docs.media.bitpipe.com/io_10x/io_101577/item...2....)


Technical Guide on PCI

CONTENTS

Meeting the PCI Requirement for Web Security in the Cloud

Information Awareness Training: Data Protection Act Policy Template

Select PCI DSS Compliant Service Providers in India with These Tips

Mobile Payments Prompt Response from PCI DSS Council

PCI DSS Compliant Cloud Providers: No PCI Panacea

TechTarget Security Media Group

A global perspective on the Payment Card Industry Data Security Standard


PCI insight

TECHTARGET’S SECURITY MEDIA GROUP presents a global look at PCI, and how it is impacted by today’s evolving business needs. Our technical editors from the U.S., Europe, India and Asia provide their respective regions’ perspective on PCI compliance.

Today’s business needs demand that applications and data not only move across physical, international borders, but to the cloud, and be accessed by third parties. This loss of control is significant for security teams that must not only keep data safe, but comply with the requirements imposed by the Payment Card Industry Data Security Standard.

CONTENTS

WEB SECURITY
Meeting the PCI Requirement for Web Security in the Cloud
Moving to a cloud environment complicates compliance with PCI DSS Requirement 6.6. BY ED MOYLE FOR SEARCHCLOUDSECURITY.COM

EMPLOYEE AWARENESS
Information Awareness Training: Data Protection Act Policy Template
To comply with the DPA fully, an organisation’s users must know what they can and cannot do under the DPA stipulations. BY MATHIEU GORGE FOR SEARCHSECURITY.CO.UK

OUTSOURCING
Select PCI DSS Compliant Service Providers in India with These Tips
Global players outsourcing sensitive information to India find it tough to choose PCI DSS compliant service providers. BY GAURAV SRIVASTAVA AND NITIN BHATNAGAR FOR SEARCHSECURITY.IN

MOBILITY
Mobile Payments Prompt Response from PCI DSS Council
Technologies that enable credit card payments via mobile phones have prompted the PCI Council to start a mobile task force. BY ROBERT WESTERVELT FOR SEARCHSECURITY.COM

CLOUD SECURITY
PCI DSS Compliant Cloud Providers: No PCI Panacea
Organizations shouldn’t expect a PCI-validated cloud provider to relieve them of their PCI obligations. BY MARCIA SAVAGE FOR SEARCHCLOUDSECURITY.COM


Meeting the PCI Requirement for Web Security in the Cloud

Organizations shouldn’t expect a PCI-validated cloud provider to relieve them of their PCI obligations.

BY ED MOYLE FOR SEARCHCLOUDSECURITY.COM


WHEN IT COMES to Payment Card Industry Data Security Standard compliance, not all of the 12 requirements are created equal, at least when it comes to implementation complexity. One requirement that has historically been difficult for organizations to meet is the requirement to keep public-facing Web services protected from emerging threats. And, while this particular requirement has always proven difficult for organizations to address, recent developments in IT—particularly the increased prevalence of cloud-based services—have made compliance even more difficult.

PCI requirement 6.6 and the cloud

PCI requirement 6.6 is intended to ensure externally facing Web applications (including Web services) are protected against application-level attacks and—more importantly—that they stay protected over time. To ensure this, the requirement specifies that organizations employ one of two controls for public-facing (i.e. Internet accessible) Web applications: perform a periodic (at least annual) technical validation of the application via code review or application testing or, alternatively, deploy a Web application firewall (WAF).

What makes the situation particularly complex for organizations in a cloud context is that just relocating applications to an environment outside the organization’s perimeter (for example, to SaaS providers) without putting some time into rethinking how it impacts this requirement can have some unintended consequences. For example, consider what happens in the case that you have an application that currently intersects your cardholder data environment (CDE) and where you’ve historically addressed PCI requirement 6.6 for that application by deploying a WAF. If you contract with a service provider that offers everything up to and including the application server stack, you may limit your ability to deploy a technology like a WAF in that new hosted context. If you execute your migration plan without re-evaluating how you will address requirement 6.6 in light of your new technology choices, you’re likely to encounter a nasty surprise when that portion of your infrastructure comes up during your yearly assessment audit.

The point is, if you’re an entity that’s regulated under the PCI DSS and going through a cloud migration, it behooves you to take a hard look at the public-facing applications that are currently in your CDE and how you will be addressing PCI requirement 6.6 once you’ve made the cutover.

Complying with PCI requirement 6.6 in the cloud

First of all, it’s important to determine if you will need to investigate other compliance strategies in your particular use case. For example, there are a number of scenarios where 6.6 will not necessarily apply to you, depending on what types of cloud-based services you are looking to deploy. This is particularly true if you are buying a SaaS service from a provider that specializes in payment processing.

In the case of a cloud service that is governed and certified under the Payment Application Data Security Standard (PA-DSS), your compliance burden will be to ensure you’re using the product in a manner that is consistent with the vendor’s deployment instructions. In that case, your responsibility will not be to undertake the application-specific technical controls outlined in 6.6 (unless, of course, the vendor’s instructions require those controls for the application to be used in a compliant manner). Why? Because it’s part of what the vendor is required to prove as part of certifying the application (see PA-DSS requirement 5).

Alternatively, if you’re purchasing a straight SaaS solution covered by the scope of the service provider’s PCI DSS review (for example, a Web virtual terminal), your compliance burden won’t include these specific application-level technical controls because it’s covered under the auspices of the vendor’s PCI DSS certification. In that case, you’ll need to keep track of the service provider’s compliance status rather than implement the technical controls themselves (however, note the scoping defined by the PA-DSS: namely, that the product is not relicensed and you’re not customizing the deployment/use).

So, if your cloud transition includes one of those two scenarios, moving to a cloud environment may be beneficial from a compliance standpoint. That being said, those two options aren’t the normative case. The normative case is usually either 1) a non-payment system intersecting the CDE moving to a service provider, or 2) discovery after the fact of a non-payment SaaS application containing cardholder data. Neither of those two situations is ideal from a compliance standpoint; they leave you responsible for ensuring compliance with 6.6, but architecturally not ideally positioned to do so.

Given that set of circumstances, some of the issues should be obvious. First of all, it’s the rare SaaS vendor that is going to let you do code review, annual or otherwise. Second, multi-tenancy makes it unlikely that you’ll be permitted to do active application testing. And third, lack of control over the infrastructure is likely to preclude large footprint WAF filters in front of applications. Should you find yourself in this boat, your options are somewhat limited but not completely eradicated; you can address the situation via a scoping strategy, business process strategy or technology strategy.

From a scoping strategy, one of the most expedient methods would be to remove cardholder data from the equation. You could, for example, alter the use of the application to remove cardholder data from the scope of application processing. From a business process standpoint, you can put pressure on the vendor to certify to the PCI DSS or pressure them to let you conduct application testing, either directly or by an independent, reputable third-party. Lastly, from a technical standpoint, you can look to leverage a WAF, either by pressuring the vendor to install a WAF directly, or by considering a WAF with a lighter footprint, such as the open source OpenWAF. A smaller footprint may allow for installation where a large footprint WAF might not.

Whichever strategy you select, the important part is to do it strategically: If you’re an organization going through a cloud transition and you have a CDE with external-facing websites in it, planning ahead can mean the difference between approaching a potentially sticky situation with options vs. scrambling at the last minute to kludge something together.

Ed Moyle is a senior security strategist with Savvis as well as a founding partner of Security Curve.


Information Awareness Training: Data Protection Act Policy Template

To comply with the DPA fully, an organisation’s users must know what they can and cannot do under the DPA stipulations.

BY MATHIEU GORGE FOR SEARCHSECURITY.CO.UK


THE FOLLOWING PCI policy templates are aimed at providing PCI DSS program managers and CSOs with tips to conduct informative, time-efficient and cost-effective information awareness training programs to comply with PCI DSS requirements and provide staff with security skills.

1. There are three standards related to credit card security, not just one.

The Payment Card Industry Data Security Standard (PCI DSS) is one of three security standards managed by the Payment Card Industry Security Standards Council. PCI DSS covers requirements that acquiring banks, payment service providers, gateways and merchants must comply with.

The Payment Application Data Security Standard, or PA-DSS, covers requirements that software vendors producing commercial payment applications must comply with. These applications include ecommerce payment products and payment applications installed on point-of-sale (POS) or electronic POS (EPOS) devices. PCI PIN Transaction Security (PCI PTS) covers security for all personal identification number (PIN) terminals, including POS devices, encryption of PIN pads and unattended payments, such as those at car park or train kiosks, where there is no person-to-person interaction.

2. Understand the Structure of PCI DSS and associated standards

PCI DSS has 12 high-level requirements including more than 200 controls categorized into three areas: technical solutions and settings, policies and procedures, and training. PA-DSS has 13 high-level requirements using a similar structure. PTS is a suite of module-based controls.

PCI DSS is validated either through a self-assessment questionnaire or through an annual on-site audit performed by a Qualified Security Assessor (QSA), depending upon the number of transactions your organisation processes per year.

3. So which requirements cover training in the PCI standards suite?

PCI DSS requirement 12.6 covers in-scope staff security training: “Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.” It has two sub-requirements. 12.6.1: “Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data” and 12.6.2: “Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.” This applies to all staff members who have physical or logical access to credit cardholder data (CHD) regardless of whether they use that privilege.

Thus, in theory, any person working on computer systems that contain credit cardholder data must be trained, even if he or she never accesses payment application software. Any person working at a cashier or in a call center environment where CHD may be provided by customers is in scope for such training. By extension of this, all technical staff managing call-recording systems, which may contain CHD (even if encrypted according to rules of PCI DSS), are also in scope for such training.

PCI DSS requirement 6.5.a also includes secure coding requirements for developers of in-house non-commercially sold payment applications. “Obtain and review software development processes. Verify that processes require training in secure coding techniques for developers, based on industry best practices and guidance.” Further references to training on specific procedures or technical training are spread throughout the standard. For instance, control 12.9.4 mandates that entities “provide appropriate training to staff with security breach response responsibilities.”

In any event, commitment to complying with the standard must come from top management and filter down to all staff. Therefore, program managers, their teams and C-level team members must receive appropriate best practice security training covering physical security, personnel security, data security, IT security and crisis management.

Note: PA-DSS dedicates a full high-level requirement to training. Requirement 13: “Maintain instructional documentation and training programs for customers, resellers and integrators.” This requires payment application vendors to provide training programs to end users and distribution channels.

PTS does not have any explicit requirement for training, but implies training is provided to administrators and users of devices covered by the standard.

4. What should PCI DSS training for in-scope staff cover?

It should cover the following items:

• Structure of PCI DSS
  – PCI DSS is one of three interlinked payment data security standards, namely PA-DSS, PTS and PCI DSS
  – PCI DSS has 12 high-level requirements structured in six control groups

• Information held on credit cards – PAN, CVV2, exp date, holder details
  – Your training program should clearly explain the information that’s on credit cards, which of that information is sensitive, and how it can be handled according to PCI DSS, especially requirement 3.4.

• Actors of credit card payments chain and how credit card transactions work
  – Staff needs to understand the lifecycle of a credit card transaction, from the point-of-sale device or virtual terminal, to the payment gateway, to banks and back. It is crucial to understand that all actors within the payments ecosystem have to be in compliance, and that credit cardholder data is safe at all stages of the transaction.

• Overview of key controls
  – PCI DSS includes a mix of requirements for policies and procedures, technical settings and solutions, as well as requirements for awareness training.
  – All controls are aimed at protecting cardholder data and ensuring that all transactions, and all activity within the cardholder environment, are traceable.

• Do’s and don’ts of CHD handling
  – Credit cardholder data is sensitive. Full stop. Staff should not communicate it for any other purpose than the payment it is being shared for.
  – Paper-based payments, including credit cardholder data, are also protected under PCI DSS: Data needs to be protected, stored securely and disposed of securely.

• How to report an incident
  – PCI DSS is meant to be pro-active, to allow staff to take corrective action should anything go wrong, e.g. implementing an incident response plan that helps employees identify potential incidents, and understand what steps to follow in the event of potential credit cardholder data breaches.

All of the above information helps in-scope employees mitigate the most common physical, logical and social engineering-based attacks on CHD.

5. What should secure coding training cover as regards PCI DSS?

Ideally, developers should learn about the software development lifecycle, best practice software security, the OWASP Top 10 and the SANS Top 25. The ultimate aim is to ensure payment application security becomes part of the DNA of your organization to protect customers’ CHD.

6. Small print and other tips for PCI DSS training strategies

If you are validating compliance using a self-assessment questionnaire, ensure you can demonstrate compliance with all requirements, including 12.6, 6.5.a and 12.9.4. If assessed by a QSA, then note that staff may be interviewed and training attendance sheets signed by staff may be requested. Training materials should be made available to assessors for both standard and secure coding training.

The best, most cost-effective way to provide training is via e-learning. Since e-learning is typically cloud-based, it requires almost no maintenance from the organisation’s side. This allows PCI program managers to easily disseminate security information, forces staff to read and acknowledge security policies and procedures, and test that staff understands CHD security best practice. Furthermore, staff can take the training on their own time, in several chunks. Given that training is required annually, e-learning also allows organisations to continually train and retrain users in a verifiable way accepted by QSAs. Online tests are likely to be mandatory within 24 months.

Mathieu Gorge is the CEO and founder of VigiTrust. He specializes in PCI DSS, HIPAA & ISO 27001 and speaks regularly at international security conferences.


Select PCI DSS Compliant Service Providers in India with These Tips

Global players outsourcing sensitive information to India find it tough to choose PCI DSS compliant service providers.

BY GAURAV SRIVASTAVA AND NITIN BHATNAGAR FOR SEARCHSECURITY.IN


WITH GLOBAL COMPANIES outsourcing payment card industry (PCI) processes to India, the country’s information security paradigms may be shifting to meet international standards. However, since PCI Data Security Standard (DSS) compliance is a relatively new development in India, it would be prudent to evaluate how it is actually addressed. This tip highlights important considerations to be kept in mind while forging an outsourcing relationship with a PCI DSS compliant Indian service provider.

Step 1: Analyze the service provider

Before outsourcing services, it is important to evaluate the service provider’s financial stability, offerings, customer references, industry experience, and other such details. It is a standard due diligence practice to verify the service provider’s financial records for up to three years.

Technical expertise may be evaluated on the basis of previous projects, used platforms, and associated manpower. Competence can be validated through on-site assessments of followed practices or live monitoring using virtual environments. For verification of PCI DSS compliance and its scope, review the Attestation of Compliance and Report on Compliance. These documents are the main deliverables of the PCI DSS compliance exercise.

Step 2: Ensure PCI DSS compliance

Compliance and security are different parameters in India. While certain companies take security very seriously, others simply try to meet PCI DSS compliance’s minimum mandatory requirements. A continuous validation and remediation process is vital, as is designated manpower to maintain security.


The PCI council mandates annual PCI DSS compliance audits. Under PCI DSS compliance requirement 12.8, outsourcing entities should regularly monitor their service provider’s compliance. You can ensure a service provider’s PCI DSS compliance levels using the following steps:

• Conduct surprise audits and regular validation. Do frequent random audits initially until the operation stabilizes. Constant monitoring can locate problem areas, which can be appropriately addressed.

• The service provider’s information security policy and approach to security are particularly relevant for effective PCI DSS compliance. The focus should be on effective management of existing resources, rather than adding new variables.

• The definition of scope is an important aspect of PCI DSS compliance. Scope refers to the extent to which a service provider falls within the compliance guidelines. For example, a service provider may be PCI DSS compliant at one of its operations, and not others. The best approach is to segregate the PCI environment from the rest of the network and ensure implementation of your designated PCI controls. Reducing scope through network segmentation lessens exposure and the possibility of internal fraud. Segmentation also enables you to scope out network areas not dealing with PCI data. This makes PCI DSS compliance cheaper to maintain by reducing security overheads, as well as making it easier to respond to incidents.

• Ascertain implementation of strong access control measures. Access to cardholder data should be restricted by business need-to-know. This is the toughest part of achieving PCI DSS compliance. In an outsourcing relationship, access control should be defined by the outsourcer. Practices such as role-based access control on the principle of least privilege are robust for securing sensitive information. It is mandated that access be based on white-lists, denying all other access requests.

• Under PCI DSS compliance requirement 11.2, external vulnerability scans must be conducted by an approved scanning vendor (ASV) every quarter. The service provider may have an environment with public facing IPs, or in certain cases [such as access through multi-protocol label switching (MPLS) environments and end-to-end connectivity], it may have none. An ASV audit will only be applicable in the former. It is recommended that virtual private networks be used even with MPLS environments, since the transmissions are not encrypted.

Step 3: Clearly mention project prerequisites

It’s essential to define project requirements in the service level agreement. Needs like network segmentation, redundancy in terms of data/security, load balancers, and servers should be explicitly defined by the client. At present, most Indian service providers do not provide redundancy and segmentation as basic services.


Since PCI DSS compliance does not mandate redundancy, such needs must be defined by the outsourcer. For instance, companies requiring high data availability may request 100% redundancy. Similarly, you should explicitly define segmentation requirements.

Restriction of physical access to cardholder data storage locations is another aspect. It is a common practice to use physical swipe cards with unique IDs, defining user-access privileges. These may be used in conjunction with closed-circuit televisions and layered security measures to prevent access to sensitive data center areas. PCI DSS compliance requirement 9.1 mandates appropriate facility controls, which could be either or both of these measures.

It is interesting to note that PCI DSS is based on extensive layered logical and physical security measures and is very much within the ambit for compliance by data centers (including those providing managed services). With respect to protection of data during transmission, end-to-end encryption is not being implemented anywhere in India.

Gaurav Srivastava is an information security consultant and trainer with more than six years of infosec experience. He is currently working as a consultant (project manager) at SISA. Nitin Bhatnagar works as the senior consultant/global head business development and marketing - information security services with SISA Information Security Pvt. Ltd.


Mobile Payments Prompt Response from PCI DSS Council

Technologies that enable credit card payments via mobile phones have prompted the PCI Council to start a mobile task force.

BY ROB WESTERVELT FOR SEARCHSECURITY.COM


THE GROWING USE of smartphones and technologies that turn them into payment devices has prompted the Payment Card Industry Security Standards Council (PCI SSC) to start a mobile task force to study the issue.

Apple, Google and other mobile device makers are reportedly readying near field communications (NFC) or short-range wireless technologies that could turn a smartphone into a virtual wallet. It is drawing interest from data security experts who say the technology could put credit card data at risk. Bob Russo, general manager of the PCI SSC, said an internal team is investigating technologies for securing mobile payment systems.

“We’re trying to dissect the mobile area now because there are just so many unknowns out there and so many different devices that don’t have any security we can see,” Russo said. “You look at a mobile phone and you look at a cash register and cash registers are much more mature. Even though cash registers have applications running on them that may not be secure, there are technologies available that make them more secure.”

The PCI SSC has no plans to update PCI DSS 2.0 until 2013, but the organization is planning to issue guidance on emerging technologies over the next several years. Last October, the council issued guidance on end-to-end encryption. A guidance document offering best practices on tokenization technologies and securing payment data in virtual environments will be released later this year, Russo said.

The use of mobile devices to buy goods and services has skyrocketed, mostly due to the success of Apple’s iPhone and smartphones running Google’s Android platform. But few best practices exist to protect credit card data flowing in and out of mobile environments. Security experts are already pointing out dozens of mobile application vulnerabilities. There is also growing evidence that cybercriminals are setting their sights on mobile platforms. Google recently removed nearly 60 applications from its official marketplace for containing dangerous DroidDream malware.


“The app store owners are responsible for policing their infrastructures,” said Don Bailey, a mobile security expert and researcher at iSEC Partners. “Mobile devices at this stage of the game are almost inherently vulnerable to application level attacks. All up and down the spectrum there are issues of developing and deploying on a device like this.”

Bailey said that for now, the consumer needs to be aware of the risks in using and storing sensitive data on a mobile device. The NFC system, he said, will make mobile malware a more attractive option for cybercriminals. “The mobile device was a place where interesting data may be stored, but now you’re almost guaranteed that a user is going to have interesting data on their phone,” Bailey said.

Merchants can reference guidance documents to gain data security best practices, but the standard itself won’t change to address mobile issues—at least not now. Russo wouldn’t rule out changes in version 3.0 of PCI DSS—due in 2013—to address certain emerging payment technologies and processes. The revised document may also recommend new security technologies to better protect credit card data. The PCI SSC hosts special interest groups made up of about 700 participating organizations. In addition to technology vendors, security consultants and merchants are invited to participate in the SIGs, which examine the use of emerging technologies for payment processes. Russo said the Council could get outside help in investigating mobile payments or set up a SIG to determine a set of best practices around mobile payment technologies.

“The merchants are the ones that are driving us to give guidance on these kinds of things,” Russo said. “Whether or not they’ll work their way into the standard remains to be seen and I don’t want to discount that.”

But critics of the PCI standards say one of the unintended consequences of the standard has been to turn security technology spending by enterprises into compliance checklist spending. Joshua Corman, director of enterprise security research at the 451 Group, said PCI DSS has had a hard time keeping up with emerging technologies.

“The technology landscape and adversary landscape change so frequently and the standard hasn’t really substantively changed in a few years,” Corman said. “A lot of the people in the research side are concerned it might not be setting the bar high enough and were disappointed to see very few changes last year and no outlook for substantive changes for a few more years.”

Proponents of PCI say the standards have improved data security by forcing merchants to deploy security technologies or risk being denied the ability to accept credit cards. For example, PCI 6.6 fostered adoption of Web application firewalls and also encouraged merchants to conduct a code review for Internet-facing payment applications. Compliance often helps stimulate innovation in certain markets, said noted security expert Paul Judge, chief research officer and vice president of Campbell, Calif.-based Barracuda Networks Inc. Security vendors often have to improve the effectiveness of their products, boost the ease-of-use of their tools or reduce the price of their products.

“You stimulate a market and the vendors in that market crank up competition,” Judge said. “Everyone benefits from vast improvements over a short amount of time, so it’s very different than a market that just sits there stagnated.”

Rob Westervelt is the News Director for TechTarget’s Security Media Group.


Compliance Vulnerability: Are you Compliant or Not?

SOX DS 5.4 - Maintain user access rights in a central repository; ensure that rights are enforced

PCI-DSS 7,8, and 10 - Restrict access rights of privileged users; do not use shared passwords

HIPAA 4.14 and 4.16 - Ensure that system activity can be traced to a specific user

Enterprise Access Management

FoxT provides Enterprise Access Management solutions that will enable you to control access to privileged accounts and data across your diverse servers and business applications.

In addition to enabling you to achieve compliance with HIPAA, SOX, PCI, NERC-CIP and other regulations, centralized access management will also protect corporate value by reducing the risk of insider fraud.

FOR MORE INFORMATION: www.foxt.com


PCI DSS Compliant Cloud Providers: No PCI Panacea

Moving to a cloud environment complicates compliance with PCI DSS Requirement 6.6.

BY MARCIA SAVAGE FOR SEARCHCLOUDSECURITY.COM


WHEN A CLOUD service provider says it’s been validated as PCI DSS compliant, what does that mean for the enterprise customer?

First off, it doesn’t mean an enterprise is automatically PCI DSS compliant if it’s a tenant of that provider, security experts said.

“When these cloud providers tout that they’re PCI compliant, there’s a perception that people will inherit compliance if they become a tenant,” said Joshua Corman, research director of the enterprise security practice at The 451 Group. “This is not true. Only a tenant can be compliant.”

For example, part of PCI compliance is reviewing logs on a daily basis, he said. A cloud provider like Amazon isn’t going to do that, “so you could have everything handed to you and if you aren’t reviewing your logs daily, then you aren’t compliant. You can’t magically inherit compliance,” Corman said.

Among the cloud providers saying they’re PCI DSS compliant is cloud heavyweight Amazon, which announced in December that its cloud computing platform, Amazon Web Services, was validated as compliant with PCI DSS version 2 by an independent Qualified Security Assessor. Four months earlier, Verizon said its Computing as a Service (CaaS) was validated as PCI DSS compliant.

Cloud providers and PCI DSS

When cloud providers say they’re PCI DSS compliant, it means they’ve been validated against specific PCI requirements, Corman said. In the case of an Amazon EC2 customer, the client would be responsible for PCI requirements above the hypervisor. “Some PCI requirements will be in the span of Amazon’s control and some will be in the span of control of the tenant,” he said.

Ed Moyle, a senior security strategist with Savvis and a founding partner of SecurityCurve, agreed. Organizations “need to evaluate what the vendor is saying about their compliance and fold that in to their own usage of that vendor,” he said. “Keep in mind that the organization itself is still responsible for full compliance of the CDE (cardholder data environment)—and only a part of that CDE might intersect a service provider.”

“Understand that a certified vendor is a strategy toward overall compliance and not a panacea in and of itself,” he added.

Michael Clark, enterprise cloud security and networking product manager at Verizon, said it’s important for customers to understand that they don’t inherit PCI compliance because of Verizon’s status. The only way a customer could become automatically compliant would be if a PCI-compliant cloud provider “actually managed all the way up the application stack and had a SaaS offering that’s specific around one application that does a specific function,” he said.

He agreed with Corman’s description of being a “PCI-ready platform.” Verizon makes it clear to customers what it does and doesn’t provide for PCI and offers guidance to help them understand their PCI obligations, Clark said.

Achieving compliance with PCI DSS 1.2 for Verizon’s CaaS was nearly a year-long process that included documentation for operations like patch management and change management, installation of protections like intrusion detection, and a comprehensive review by a QSA. “We had to purposefully build the architecture so we could ensure we’d be compliant,” Clark said. “We had to ensure every single customer, whether they’re on physical or virtual servers, had the same level of security and separation.” Compliance also requires quarterly scans and, for certain customers, the ability to provide onsite audits, he added.

PCI DSS and virtualization

But adding to PCI cloud compliance complexity, Corman said, is how the latest version of PCI DSS remains light on virtualization guidance, leading to confusion among QSAs. “You add gasoline to that fire when you talk cloud and shared responsibilities,” he said.

“It’s not impossible to be compliant in the cloud,” Corman said. “But it is very hard and confusing.”

Verizon’s Clark said, “The way the industry and PCI are moving and QSAs are educated, we’re not at that golden moment where everyone understands the cloud. To many, it’s still very vague. We try to bring to customers facts, information, documentation and guidance … so they can obtain their own compliancy.”

Troy Leach, chief standards architect at the PCI Security Standards Council, said in an email that the same PCI DSS requirements apply to a cloud provider with environments that store, process or transmit cardholder data as to other environments that handle cardholder data. “Where cloud solutions and virtualization technologies are in use, the questions are about how to implement these technologies in a PCI DSS compliant manner rather than about which requirements apply,” he said.

Leach noted that the council is working with the virtualization Special Interest Group (SIG) to clarify virtualization as it relates to PCI DSS compliance and expects to publish a guidance white paper this year.

The danger Corman sees is that companies are equating PCI compliance with security. Smaller hosting providers are becoming PCI DSS compliant despite having no intention of handling card data “just to say they’re more secure than others,” Corman said.

“By no means should we confuse PCI with security,” he said. “It’s a minimum standard meant to raise the bar for the negligent ones who have done nothing.”

Marcia Savage is the Site Editor for SearchCloudSecurity.com.


TECHTARGET SECURITY MEDIA GROUP

VICE PRESIDENT/GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Kathleen Quinn

SALES DIRECTOR Tom Click

CIRCULATION MANAGER Kate Sullivan

PROJECT MANAGER Elizabeth Lareau

PRODUCT MANAGEMENT & MARKETING Kim Dugdale, Kevin Martin

SALES REPRESENTATIVES Eric Belcher [email protected]

Patrick Eichmann [email protected]

Sean Flynn [email protected]

Jennifer Gebbie [email protected]

Jaime Glynn [email protected]

Leah Paikin [email protected]

Jeff Tonello [email protected]

Vanessa Tonello [email protected]

George Whetstone [email protected]

Nikki Wise [email protected]

TECHTARGET INC.

CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Jeff Wakely

EUROPEAN DISTRIBUTION Parkway Gordon

Phone 44-1491-875-386 www.parkway.co.uk

LIST RENTAL SERVICES Julie Brown

Phone 781-657-1336 Fax 781-657-1100

“Technical Guide on PCI” is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or SearchSecurity.com.

EDITORIAL DIRECTOR Michael S. Mimoso

SENIOR SITE EDITOR Eric Parizo

SITE EDITOR Marcia Savage

UK BUREAU CHIEF Ron Condon

NEWS DIRECTOR Robert Westervelt

SITE EDITOR Jane McPherson

ASSOCIATE EDITOR Carolyn Gibney

ASSISTANT EDITOR Maggie Sullivan

SENIOR MANAGING EDITOR Kara Gattine

ART & DESIGN

CREATIVE DIRECTOR Maureen Joyce


The most comprehensive security services around.

Dell SecureWorks offers the most complete range of world-class information security services. A full breadth of Managed Security, Counter Threat Intelligence, and Security and Risk Consulting. Consistently awarded for quality and service, our security services have the flexibility to integrate into even the most complex environments. So you get a tailored service that fits your needs, whether that’s full outsourcing, co-management, monitoring or automated correlation and reporting. And because Dell SecureWorks is a vendor-neutral provider, your technology solution will be the one that’s best and most cost-effective too. Just choose which services are best for you.

For more information, please contact us on 0131 718 0700 or email [email protected]

Visit us at: www.secureworks.com/uk


RESOURCES FROM OUR SPONSOR

See ad page 10

• Download the Information Security Essential Guide to PCI DSS

• Aberdeen Group Research on Protecting Cardholder Data

• Sort out your compliance responsibilities and find solutions for strong security posture

About ArcSight, an HP company:

ArcSight, an HP company, is a leading global provider of cybersecurity and compliance solutions that protect organizations from enterprise threats and risks. Based on the market-leading security information and event management offering, the ArcSight Enterprise Threat and Risk Management platform enables businesses and government agencies to proactively safeguard digital assets, comply with corporate and regulatory policy and control the internal and external risks associated with cybertheft, cyberfraud, cyberwarfare and cyberespionage.


RESOURCES FROM OUR SPONSOR

See ad page 18

• Satisfy Multiple Compliance Regulations with Centralized Access Controls

• 2011 Technology Guide: Essentials for Privileged Access Management

• FoxT PCI Report Pack

About Fox Technologies, Inc.:

FoxT protects corporate information and privileged accounts with an enterprise access management solution that centrally enforces access across diverse business applications and servers, both physical and virtual. The FoxT EAM solution enables organizations to implement the four essentials for access management: centralized administration, contextual multi-factor authentication, fine-grained authorization, and automatic consolidation and production of audit and compliance-specific reports. As well, FoxT EAM seamlessly interfaces with your identity management, directories, SIEM, and Help Desk systems. The ability to proactively enforce access across your infrastructure will streamline administration, mitigate insider fraud, and simplify compliance.


RESOURCES FROM OUR SPONSOR

See ad page 14

• Download the PCI Compliance Toolkit

• Get more resources on data loss and regulations

• Learn how Sophos can help with PCI compliance

About Sophos:

Sophos enables enterprises to secure and control their IT infrastructure. Our network access control, endpoint, web, email and encryption solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. We protect over 100 million users in nearly 150 countries.