Understand and Implement Effective PCI Data Security Standard Compliance

Transcription

1 PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance Second Edition Dr. Anton A. Chuvakin Branden R. Williams Technical Editor Ward Spangenberg ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Syngress is an imprint of Elsevier SYNGRESS,

2 Contents FOREWORD ACKNOWLEDGMENTS ABOUT THE AUTHORS xiii xv xvii CHAPTER 1 About PCI and This Book 1 Who Should Read This Book? 3 How to Use the Book in Your Daily Job 4 What this Book is NOT 4 Organization of the Book 4 Summary 5 CHAPTER 2 Introduction to Fraud, ID Theft, and Regulatory Mandates 9 Summary 14 CHAPTER 3 Why Is PCI Here? 15 What Is PCI and Who Must Comply? 16 Electronic Card Payment Ecosystem 17 Goal of PCI DSS 18 Applicability of PCI DSS 19 PCI DSS in Depth 21 Compliance Deadlines 21 Compliance and Validation 23 History of PCI DSS 26 PCI Council 28 QSAs 29 ASVs 31 Quick Overview of PCI Requirements 31 Changes to PCI DSS 34 PCI DSS and Risk 35 Benefits of Compliance 37 Case Study 37 The Case of the Developing Security Program 37 The Case of the Confusing Validation Requirements 39

3 Summary 39 References 40 CHAPTER 4 Building and Maintaining a Secure Network 41 Which PCI DSS Requirements Are in This Domain? 42 Establish Firewall Configuration Standards 43 Denying Traffic from Untrusted Networksand Hosts 44 Restricting Connections 45 Personal Firewalls 47 Other Considerations for Requirement 1 47 The Oddball Requirement Requirement 2: Defaults and Other Security Parameters 49 Develop Configuration Standards 51 Implement Single Purpose Servers 52 Configure System Security Parameters 53 Encrypt Nonconsole Administrative Access 54 Hosting Providers Must Protect Shared Hosted Environment...55 What Else Can You Do to Be Secure? 55 Tools and Best Practices 56 Common Mistakes and Pitfalls 57 Egress Filtering 57 Documentation 57 System Defaults 57 Case Study 58 The Case of the Small, Flat Store Network 58 The Case of the Large, Flat Corporate Network 59 Summary 61 CHAPTERS Strong Access Controls 63 Which PCI DSS Requirements Are in This Domain? 64 Principles of Access Control 64 Requirement 7: How Much Access Should a User Have? 66 Requirement 8: Authentication Basics 67 Windows and PCI Compliance 76 POSIX (UNIX/Linux-like Systems) Access Control 89 Cisco and PCI Requirements 91 Requirement 9: Physical Security 93 What Else Can You Do To Be Secure? 97 Tools and Best Practices 99 Random Password for Users 99

4 Contents VÜ Common Mistakes and Pitfalls 100 Case Study 101 The Case of the Stolen Database 101 The Case of the Loose Permissions 102 Summary 104 CHAPTER 6 Protecting Cardholder Data 105 What Is Data Protection and Why Is It Needed? 106 The Confidentiality, Integrity, Availability Triad 107 Requirements Addressed in This Chapter 108 PCI Requirement 3: Protect Stored Cardholder Data 108 Requirement 3 Walk-through 110 Encryption Methods for Data at Rest 113 PCI and Key Management 119 What Else Can You Do to Be Secure? 121 PCI Requirement 4 Walk-through 121 Transport Layer Security and Secure Sockets Layer 122 IPsec Virtual Private Networks 123 Wireless Transmission 123 Mise Card Transmission Rules 124 Requirement 12 Walk-through 125 Appendix A of PCI DSS 128 How to Become Compliant and Secure 128 Step 1: Identify Business Processes with Card Data 129 Step 2: Focus on Shrinking the Scope 129 Step3: Identify Where the Data Is Stored 129 Step 4: Determine What to Do About Data 130 Step 5: Determine Who Needs Access 130 Step 6: Develop and Document Policies 130 Common Mistakes and Pitfalls 131 Case Study 133 The Case of the Data Killers 133 Summary 135 References 135 CHAPTER 7 Using Wireless Networking 137 What Is Wireless Network Security? 138 Where Is Wireless Network Security in PCI DSS? 140 Requirements 1 and 12: Documentation 141 Actual Security of Wireless Devices: Requirements 2, 4, and 9 142

5 viii Contents Logging and Wireless Networks: Requirement Testing for Unauthorized Wireless: Requirement Why Do We Need Wireless Network Security? 147 Tools and Best Practices 148 Common Mistakes and Pitfalls 149 Why Is WEP So Bad? 150 Case Study 150 The Case of the Untethered Laptop 150 The Case of the Expansion Plan 152 The Case of the Double Secret Wireless Network 153 Summary 154 CHAPTER 8 Vulnerability Management 155 PCI DSS Requirements Covered 157 Vulnerability Management in PCI 157 Stages of Vulnerability Management Process 159 Requirement 5 Walk-through 164 What to Do to Be Secure and Compliant? 165 Requirement 6 Walk-through 165 Web-Application Security and Web Vulnerabilities 170 What to Do to Be Secure and Compliant? 179 Requirement 11 Walk-through 179 External Vulnerability Scanning with ASV 181 Considerations when Picking an ASV 182 How ASV Scanning Works 186 PCI DSS Scan Validation Walk-through 189 Operationalizing ASV Scanning 191 What Do You Expect from an ASV? 192 Internal Vulnerability Scanning 194 Penetration Testing 196 Common PCI Vulnerability Management Mistakes 196 Case Study 199 PCI ata Retail Chain 199 PCI at an E-Commerce Site 201 Summary 201 References 202 CHAPTER 9 Logging Events and Monitoring the Cardholder Data Environment 203 PCI Requirements Covered 204 Why Logging and Monitoring in PCI DSS? 205

6 Contents ix Logging and Monitoring in Depth 206 PCI Relevance of Logs 210 Logging in PCI Requirement Monitoring Data and Log Security Issues 216 Logging and Monitoring in PCI - All Other Requirements 219 Tools for Logging in PCI 224 Log Management Tools 229 Other Monitoring Tools 231 Intrusion Detection and Prevention 231 Integrity Monitoring 236 Common Mistakes and Pitfalls 238 Case Study 238 The Case of the Risky Risk-Based Approach 239 The Case of Tweaking to Comply 240 Summary 241 References 241 CHAPTER 10 Managing a PCI DSS Project to Achieve Compliance 243 Justifying a Business Case for Compliance 244 Figuring Out If You Need to Comply 244 Compliance Overlap 245 The Level of Validation 246 What Is the Cost for Noncompliance? 247 Bringing the Key Players to the Table 249 Obtaining Corporate Sponsorship 250 Forming Your Compliance Team 251 Getting Results Fast 251 Notes from the Front Line 252 Budgeting Time and Resources 252 Setting Expectations 253 Establishing Goals and Milestones 253 Having Status Meetings 254 Educating Staff 255 Training Your Compliance Team 255 Training the Company on Compliance 256 Setting Up the Corporate Compliance Training Program 256 Project Quickstart Guide 258 The Steps 258 PCI SSC New Prioritized Approach 261 Summary 262 Reference 263

7 X Contents CHAPTER 11 Don't Fear the Assessor 265 Remember, Assessors Are There to Help 266 Balancing Remediation Needs 268 How FAIL == WIN 268 Dealing With Assessors' Mistakes 269 Planning for Remediation 271 Fun Ways to Use Common Vulnerability Scoring System 273 Planning for Reassessing 275 Summary 276 CHAPTER 12 The Art of Compensating Control 277 What Is a Compensating Control? 278 Where Are Compensating Controls in PCI DSS? 279 What a Compensating Control Is Not 280 Funny Controls You Didn't Design 281 How to Create a Good Compensating Control 283 Summary 288 CHAPTER 13 You're Compliant, Now What? 289 Security Is a Process, Not an Event 289 Plan for Periodic Review and Training 291 PCI Requirements with Periodic Maintenance 293 Build and Maintain a Secure Network 293 Protect Cardholder Data 294 Maintain a Vulnerability Management Program 295 Implement Strong Access Control Measures 297 Regularly Monitor and Test Networks 297 Maintain an Information Security Policy 299 PCI Self-Assessment 300 Case Study 301 The Case of the Compliant Company 301 Summary 302 CHAPTER 14 PCI and Other Laws, Mandates, and Frameworks 305 PCI and State Data Breach Notification Laws 306 Origins of State Data Breach Notification Laws 306 Commonalities Among State Data Breach Laws 307 How Does It Compare to PCI? 308 Final Thoughts on State Laws 309 PCI and the IS Series 309 PCI and Sarbanes-Oxley (SOX) 311

8 Contents xi Regulation Matrix 313 How Do You Leverage Your Efforts for PCI DSS? 314 Summary 314 References 315 CHAPTER 15 Myths and Misconceptions of PCI DSS 317 Myth #1 PCI Doesn't Apply 318 Myth #2 PCI Is Confusing 322 Myth #3 PCI DSS Is Too Onerous 324 Myth #4 Breaches Prove PCI DSS Irrelevant 326 Myth #5 PCI Is All We Need for Security 328 Myth #6 PCI DSS Is Really Easy 331 Myth #7 My Tool Is PCI Compliant 333 Myth #8 PCI Is Toothless 336 Case Study 339 The Case of the Cardless Merchant 339 Summary 340 References 340 INDEX 343