Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Transcription

1 PCI SSC by formed by: 1. AMEX 2. Discover 3. JCB 4. MasterCard 5. Visa Inc. PCI SSC consists of: 1. PCI DSS Standards 2. PA DSS Standards 3. P2PE - Standards 4. PTS (P01,HSM and PIN) Standards 5. PCI Card Production Standards Three Main steps when you swipe you card* 1. Authorization 2. Cleaning 3. Settlement *detailed process at Merchants levels by Card Brands: Level 1: Require and onsite Assessment (ROC & ASV Scan Report) Level 2: Self-Assessment is accepted (SAQ & ASV Scan Report) Level 3 & 4: Determined by Payment Brand or Acquirer Service Providers levels by Card Brands: Level 1: Require and onsite Assessment (ROC & ASV Scan Report) Level 2: Self-Assessment, Require (SAQ & ASV Scan Report) Level 3 (AMEX): Self-Assessment, Require (SAQ & ASV Scan Report) PCI DSS SAQ: The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). SAQ A: Card not Present (e-commerce or MO/TO) Merchants SAQ A EP: E commerce merchants who outsource the payment page to third party and does not require CHD

2 SAQ B IP: Merchants using only stand alone, PTS Approved Payment terminals with an IP Connections SAQ C: Merchants with segmented payment app.systems connected to internet SAQ C VT: Merchants using only web-based virtual payment terminals, with no electric CHD storage SAQ D: For service providers and merchants P2PE: Merchants who implemented point to point encryption solution PCI Data Security Standard High Level Overview Build and Maintain a Secure Network and Systems Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel

3 Requirement 1 Requirement 1.1 Firewall & Router Config Standards Requirement Firewall is required at each internet connection & between only DMZ & the internal network Requirement List of all the services, protocols & Ports Requirement Review Firewall & Router rulesets at least 6 months Requirement a Require a perimeter firewall between all wireless networks and CHD environment Requirement 1.3 No direct access between internet and system components Requirement 1.4 Personal firewall software or equivalent is required Requirement 2 Requirement 2.1.a Attempt to log on all system components with vendor supplied defaults Requirement 2.1.b Verify all default accounts are removed or disabled Requirement a Encryption keys are changed from default Requirement d Verify firmware on wireless devices is updated Requirement 2.2 Verify if all system components have industry accepted system changing standards Requirement a Only are primary function per server Requirement 2.3 Strong cryptography for remote/non- console admin logins (SSH, VPN, TLS) Requirement 3 Requirement 3.1 Limit the data storage as per legal, regulatory and business requirement. Secure deletion of CHD. A quarterly process of identifying and securely deleting stored CHD. Requirement 3.2 Do not store Sensitive authentication data (SAD) after authorization. For issues, there should be documented business justification. Requirement Test the track data is present or not Requirement Test the card verification code is present or not Requirement Test the PIN or encrypted PIN blocks present or not

4 Requirement 3.3 PAN must be masked when displayed Requirement 3.4 Stored PAN data rendered unreadable Requirement 3.5 Key encrypting keys are as strong as the data encrypting keys. Key encrypting keys are stored separately from data encrypting keys. Requirement 3.6 Script Knowledge of keys and Dual control of keys. Key custodian accept their responsibilities. Requirement 4 Requirement 4.1 Only trusted keys & certificates are accepted. Use of only secure Versions & configs of the protocols. Enough encryption strength for encryption methodology. Requirement 5 Requirement Review Vendor guide & examine Anti-virus configurations Requirement Threats are monitored & evaluated for systems not currently considered to be commonly affected. Requirement 5.3 AV actively running, cannot be disable by other users. AV should not be disabled unless specifically authorized by management on a case-by-case basis for a limited time period. Requirement 6 Requirement 6.2.a Vendor supplied critical security patches should be installed within one month of release. Requirement a Custom code changes must be reviewed code reviews ensure code is developed according to secure coding guidelines. Requirement Separation of Dev/Test environments from prod. Separation of duties must be created to ensure Prod & Dev/Test environment access doesn t mix up. Prod data (Live PAN) should not use for Testing or Dev. Test accounts & data are removed before Prod system is live. Change control procedures with defined impact, approved, testing & back out procedures. Requirement At least annually trained in secure coding techniques. Requirement 6.6 Public facing web applications should be reviewed at least annually. Automated technical solutions that detects & prevents web based attacks

5 Requirement 7 Requirement 7.1 Verify privileges assigned are necessary for that individual s job function. Requirement 7.2 Use an access control system and set to deny all as per user s need to know basis. Requirement 8 Requirement 8.1 All users are assigned a unique ID. Implement the privileges specified on the document approval IDs are deactivated & removed from the access list of term Inactive accounts over 90 days are either removed or disabled Account used by third parties should be enable when in use & disabled when not in use Lock the account after not more than 6 invalid logon attempts Lock out for a minimum of 30 mins or until sys admin resets Session with 15 min idle time should be re authorized Requirement 8.2 Passwords should be protected with strong cryptography during transmission & storage Password should be at least 7 char with alphanumeric Change Password at least 90 days Passwords cannot be the same as the Previous 4 Set unique value for user & change after first use. Requirement 8.3 Multi factor authentication is required for the non console admin access & all remote access to CDE. Requirement 8.5 Generic user IDs are disabled or removed. Shared IDs do not exist for sys admin & other critical functions Requirement 8.6 All authentication mechanisms like hard token, smart cards, certificates are assigned to an individual account Requirement 8.7 All user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures). Requirement 9 Requirement 9.1 Access needs to be controlled by badge readers or other devices which including authorized badges Requirement a Verify That Video cameras/ access controls mechanisms or both in place to monitor entry/exit points to sensitive areas.

6 Requirement b either video cameras or access control mechanisms (or both) are protected from tampering or disabling Requirement c Data from VC/ACM is stored for at least 3 months Requirement b Observe the use of visitor badges or other identification to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained. Requirement C Verify that log is retained for at least 3 months Requirement 9.5 Physical secure all media and the storage location is reviewed at least annually Requirement 9.6 Verify that all media is classified Requirement Verify media inventory logs to check logs are maintained & media inventories performed at least annually. Requirement 10 Requirement 10.1 Audit trails should be enabled for all individuals access to CHD storage Requirement 10.3 Who? What? When? Where? And How? Should be logged user identification, Type of event Date & Time, name of effected area, success or fail Requirement 10.4 Access to time data is restricted to business need to access. Changes to time settings on critical systems are logged. Logging events should be reviewed daily Retain audit logs for at least an year with three months immediate restoration Requirement 11 Requirement 11.1 Detection and identification of wireless access points at least on quarterly basis. Inventory of authorized wireless access points should be maintained Incident Response Plan to verify incase of unauthorized WAP Run Internal & External Vulnerability scan at least quarterly Review of last four quarter s internal scans Review of last four quarter s external scans performed by ASV Internal and external pen test should be carried out with a scope of all CDE & critical systems at least annually. If Segmentation is in place, Pentest on segmentation controls at least annually

7 Change Detection Mechanisms (FIM) should alert any changes to critical components & configure the software to perform critical file composition at least weekly Requirement 12 Requirement 12.1 Information Security policy must be reviewed at least annually Requirement 12.2 Perform Risk assessment annually Requirement 12.3 Develop usage policies for critical technologies Requirement 12.6 Security awareness program should be conducted at least annually Maintain a list of SP with description of service provided Requirement Maintain & test Incident response plan annually Appendix A.1 A.1.2: Process should run using the unique ID of the individual entity A.1.2: User IDs of application process are not a privileged user A.1.2: View log entries is restricted to the owning entity Appendix A.3 A.3.1: Implement a PCI DSS compliance program PCI DSS charter A.3.2: Document & Validate PCI DSS Scope A.3.3: Validate PCI DSS is incorporated into BAU activities A.3.2: Review the PCI DSS Scope at least quarterly A.3.2: Pen testing at least 6 months A.3.2.2: Perform at least annual review of hardware & software Technologies A.3.4: User accounts & access privileges should be reviewed at least every six months.

8 Quick Bytes - Router &Firewall configuration review- at least every 6months - Process to identify and securely delete CHD exciding Retention period- at least Quarterly review - Critical patches implementation timeline- 30days - Low-Risk patches implementation timeline- 2-3 months - Training of secure coding Techniques- Annually - Inactive accounts - accounts inactive older than 90 days should be identified and deleted - Account lock out attempts- 6 times - Session time-out/ authenticate session- After 15 minutes inactivity - Minimum password length- 7 characters - Password should not be same as- Last 4 passwords - Video recording tape storage- for 3 months - Review offsite storage location- Annually - Retain Visitor logs for 3 months - Audit logs availability- 1 year/ 365 days - Immediate availability of Audit Logs- 3 months - Internal/ External Wireless Scans- Quarterly - External Pen-testing- At least Annually - Service Provider External Pen testing- every 6 months - DESV scope review- at least Quarterly - Review of Hardware/ Software technologies- Annually - Review of BAU activities- Quarterly

9