PCI DSS: Illuminating the Grey
25 August 2010
Roger Greyling, +64 21 507 522, roger.greyling@security-assessment.com

Agenda:
Lightweight Intro
Dark Myths of PCI
3 Shades of Grey
The Payment Card Industry Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
Source: https://www.pcisecuritystandards.org/

Terminology:
PCI = Payment Card Industry
PCI SSC = PCI Security Standards Council
PCI DSS = PCI Data Security Standard
PAN = Primary Account Number
QSA = Qualified Security Assessor
CHD = Cardholder Data
SAD = Sensitive Authentication Data
CVV2 / CAV2 / CVC2 / CID = the card verification value as named by Visa / JCB / MasterCard / Discover & AmEx
The Payment Card Industry Security Standards Council (PCI SSC) represents the major credit card brands: VISA, MasterCard, American Express, Discover and JCB. It ensures a consistent standard of care for the protection of Cardholder Data (CHD).

Who does PCI DSS apply to?
Anyone who transmits, processes or stores CHD. This includes Debit Cards!
All merchants must comply; some require onsite validation.
Two categories:
Merchants (e.g. Supermarkets)
Service Providers (e.g. Payment Gateways)
[Chart: Asia-Pac Participating Organisations. Source: PCI-SSC website]
The 12 requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
The standard is not perfect. There are some grey areas. However, each requirement or control is based on one of two intents:
Prevention: Protect CHD from disclosure
Detection: Identify the events leading up to a data disclosure

Is compliance just an expensive pile of technology? UNFORTUNATELY NOT.
Compliance isn't simply an expensive pile of technology.
There is not a single product solution.
Achieving and maintaining compliance is not just a technical issue; it relies heavily on people, policy and processes.

The point is that CHD is exposed by:
Theft of documents
Poor document disposal
Skimming / fake PoS terminals
Theft of computers (laptops, desktops and servers)
Web site compromises
WiFi attacks
Rogue employees and careless trusted third parties
Configuration errors
Unencrypted data being stored
MYTH: PCI takes time, money and effort away from core security; it is a misguided priority over protecting IP and thwarting insiders.
MYTH BUSTED: PCI is all about core security. Prioritise network control, anti-malware, logging etc. This is a lament uttered by those with a weak security program.

MYTH: Do the minimum to comply and send the QSA away; evade the assessor.
MYTH BUSTED: Checklist security versus risk-based security: the goal is to protect the CHD. Checklists have their place in security, but a successful security program cannot be reduced to a checklist.

MYTH: PCI gives a semblance of security with no real risk reduction.
MYTH BUSTED: It is possible to follow the letter and not the intent of the Standard: procure hardware, create documents, and see PCI as a compliance point rather than a starting point. Following the letter = a letter (email) notifying you of a breach. PCI is the antithesis of security theatre.

MYTH: Heartland breached ∴ PCI ineffective.
MYTH BUSTED: Heartland was breached despite being compliant. Security professionals believe following external guidance = 100% safety. We accept that patients may die after seeing a doctor; is medicine therefore faulty science? Complexity is the enemy of payment systems and networks. Basic PCI compliance is not enough.
Self-Assessment Questionnaires (SAQ):
SAQ A: Card-Not-Present with all functions outsourced (e-commerce or MO/TO), 11 questions
SAQ B: Imprint only / individual dial-up terminals (no card data storage), 21 questions
SAQ C: Payment apps connected to the Internet (no card data storage), 38 questions
SAQ D: All other merchants and all service providers defined by the payment brand as eligible, Full DSS!

PCI DSS is inherently onerous (if unprepared).
Merchants can define their own scope.
Merchants are not required to attend PCI DSS merchant training.
Merchants can (and do) answer the SAQ unaided.
∴ Merchants can, and often do, find themselves inexplicably overestimating their level of compliance. This will satisfy the Acquirers until a breach occurs.

Levels*:
Merchant: Defined by Payment Brand, Levels 1-4, determined by the Acquiring Bank (transaction volume). The merchant must confirm with the Acquirer.
Service Provider: Defined by Payment Brand, Levels 1-2. May be determined by any party!
*VISA levels used as a guide
Scope:
PCI applies to all network components, servers or applications in or connected to the CHD environment.
The CHD environment contains cardholder or sensitive authentication data.
This is the point at which the drops (mostly)

Options:
Remediate the entire environment
Segment the network
Outsource the handling of CHD
Cease to accept credit cards

To reduce the cost of compliance, reduce the SCOPE:
The more places you store CHD, the more compliance will cost.
Mask / truncate CHD.
Accept but do not store data if not needed!
Question existing business processes: why is CHD being stored?
PAN (Primary Account Number), e.g. 4000 0012 3456 7899. It must be unreadable when stored:
Encrypted (FFwEQ129AbaCS)
Hashed (as above)
Truncated (4000 00** **** 7899)
Masking is not secure storage.
SAD (Sensitive Authentication Data): storage is forbidden at all times.

Do not try to invent new truncation methods. The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored:
4000 00** **** 7899
4000 1023 **** ****
How about 4000 1*** **** 7899? Might be problematic for the merchant, but is acceptable.
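The truncation rule above (at most the first six and last four digits readable) expressed in code, as an added example that is not part of the original presentation: truncate_pan produces the slide's format, is_acceptable_truncation checks whether a stored value obeys the rule, and hash_pan shows keyed one-way hashing for matching a card without storing the PAN. The PAN and key are constructed sample values.

```python
import hashlib
import hmac
import re

# Rule as stated on the slide: at most the first six and last four digits of
# a PAN may stay readable once stored; every other digit must be replaced.
MAX_LEADING = 6
MAX_TRAILING = 4


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncate a PAN and return it in groups of four, e.g. '4000 00** **** 7899'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if keep_first > MAX_LEADING or keep_last > MAX_TRAILING:
        raise ValueError("may keep at most the first six and last four digits")
    hidden = len(digits) - keep_first - keep_last
    masked = digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def is_acceptable_truncation(stored: str) -> bool:
    """True if a stored value exposes no more than the first six + last four digits."""
    compact = stored.replace(" ", "")
    if not re.fullmatch(r"[0-9*]+", compact) or "*" not in compact:
        return False  # not a digit/asterisk pattern, or a fully readable PAN
    leading = len(compact) - len(compact.lstrip("0123456789"))
    trailing = len(compact) - len(compact.rstrip("0123456789"))
    middle = compact[leading:len(compact) - trailing]
    # Any readable digit between the two runs is extra exposure, so reject it.
    return leading <= MAX_LEADING and trailing <= MAX_TRAILING and set(middle) == {"*"}


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) so a card can be matched without storing the PAN.
    The key is a constructed secret here; in practice it lives in a key manager."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sample = "4000 0012 3456 7899"  # constructed sample PAN from the slide
    print(truncate_pan(sample))                       # 4000 00** **** 7899
    print(is_acceptable_truncation("4000 1023 **** ****"))  # False: eight leading digits
    print(is_acceptable_truncation("4000 1*** **** 7899"))  # True: five leading, four trailing
```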
Web integration models:
1. Store & Forward / Posting: Card data touches the server; the server transmits CHD to the Service Provider.
∴ The Web Server will be considered IN scope!
2. Redirection: Card data does not touch the server pre- or post-authorisation.
∴ The Web Server may be considered OUT of scope!
The QSA has an important role to play in advising the merchant.

It may feel like an audit, but it's NOT about getting a tick in a box!
Identify and document the gap between "where you are" and the standard. It provides the foundation for determining time, budget and resources required.
Achieving PCI compliance is not the end of the journey, it's the start. A compliant state must be maintained at all times. This compliant state must be revalidated annually and after any significant change to the CHD Environment. Information security threats emerge faster than any standards committee can keep up with.

Reduce the scope.
Prioritise remediation activities based on risk.
Complying with the standard is a minimum requirement, not an end goal.
You cannot outsource the consequences of a breach.

No standard can address every risk for every business. Be pragmatic. The only effective solution is to combine policies, procedures and technologies to meet the risks specific to your organisation.