Tuesday, 21 December 2010

PCI DSS 101 - An introduction to the Payment Card Industry Data Security Standard

PCI DSS 101 – All the background you need for understanding the PCI DSS - Part 1

This is the first of a two part article intended to provide a backgrounder in understanding the PCI DSS.

What is it, and why is it important?

The Payment Card Industry Data Security Standard was designed as a comprehensive list of best practice measures and processes for handling, processing, storing and transmitting payment card data.

The PCI DSS was formulated by the payment card companies such as Visa and MasterCard in response to the growing number of instances of theft and misuse of payment card details. The first version of the PCI DSS was released in December 2004 and mandates a wide range of measures required to ensure the protection of payment card data.

The measures are set out in the 12 requirements of the PCI DSS, but at a high level they fall into 3 main areas:

  • Active Technological Security Measures (firewalls, intrusion detection systems, anti-virus, file-integrity monitoring, data encryption)
  • IT Security Best Practices (masking of card data within applications, configuration ‘hardening’, regular updates to passwords and security keys, regular vulnerability scans and penetration tests, review of all security and audit logs)
  • General Security Best practices (such as physical building security measures and personnel awareness of IT Security measures)

Today, the PCI Security Standards Council has been established by the major payment card brands and is the body “responsible for the development, management, education, and awareness of the PCI Security Standards”.

The 12 Point PCI DSS

The latest version of the PCI DSS is Version 2.0, published in October 2010. It retains the same 12 core requirements as previous versions of the standard, which in turn branch into more than 250 individual controls. The full standard can be accessed at https://www.pcisecuritystandards.org/security_standards/documents.php; the following is a summarized ‘plain English’ version.

  1. Use a firewall – typically the core ‘Card Data Processing’ systems are segregated from the Corporate Network using an internal firewall in addition to any external internet-facing firewall
  2. Do not use vendor-supplied defaults – change default passwords and settings, use encrypted channels (SSL/TLS, SSH) for any non-console administrative access, and disable unnecessary services and protocols to minimize the attack surface
  3. Protect stored cardholder data – store as little data as possible and for as short a time as possible, mask the PAN wherever it is displayed, and render it unreadable wherever it is stored (truncation, one-way hashing, tokenization or strong encryption) so that it is useless if stolen
  4. Use encryption for any cardholder data when being transferred over public networks
  5. Use anti-virus software, regularly updated
  6. Increase the inherent security of all systems through configuration hardening i.e. remove known vulnerabilities through patching and configuration settings
  7. Use Identity and Access Management controls to restrict access to cardholder data systems on a strict ‘need to know’ basis
  8. Assign a unique ID to each user and enforce strong authentication
  9. Lock your doors – utilize physical security measures to restrict access to systems such as door locks, badge readers and video cameras
  10. Track and monitor all access to all network resources and cardholder data – centrally backup event and audit log trails, especially for logons
  11. Run internal and external vulnerability scans at least every 3 months and after any significant network change, with the external scans performed by an Approved Scanning Vendor (ASV); carry out a penetration test at least annually and after any significant change. Use file-integrity monitoring to protect critical system and configuration files
  12. Adopt an Information Security Policy to ensure there is an appreciation of the PCI DSS objectives by all employees and contractors

So who exactly is subject to the PCI DSS?

Regardless of what the tangible cost of payment card fraud actually is, there is no alternative for any card merchant but to comply with the PCI DSS. However, the burden of proving your compliance with the standard does vary according to the volume of transactions being processed.

Any merchant storing, processing or transmitting Primary Account Numbers (PAN) must comply with the PCI DSS.

Processing is often the key qualifier: a PC used to access a secure on-line payment portal can still be defined as ‘within scope’ of the PCI DSS, which means even small organizations are subject to the standard. The reason is that card ‘skimming’ techniques are widespread, and they generally target the card reader or PIN entry device, or rely on software installed on the PC making the transaction.

The PAN must be rendered unreadable wherever it is stored, and masked when displayed (at most the first six and last four digits), while the Cardholder Name, Service Code and Expiration Date can be stored in readable format.

Card data that absolutely must not be stored comprises

  • the full contents of the magnetic stripe (Track 1 and Track 2 data) or the equivalent data held on the chip of a Chip and PIN card
  • the card verification code (CVV2, CVC2 or CID – typically the three digits printed on the card signature strip, or the four digits printed on the front of an American Express card) and of course
  • the PIN, or the encrypted PIN block, used to authorize a transaction on a Chip and PIN card
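Masking the PAN and checking that prohibited data has not leaked into logs or databases are the two checks a practitioner most often has to script. The following is an added example, not code from the original article or from NNT: it masks a PAN to the first six and last four digits, and scans text for candidate PANs (13 to 19 digits that pass the Luhn check), Track 1 and Track 2 magnetic stripe data, and fields labelled cvv/cvc/cid. The log lines are constructed for the example and use standard Visa and MasterCard test PANs; the regular expressions and the `cvv`-label heuristic are this example's own assumptions, not part of the standard.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B<PAN>^<name>^<YYMM>...?) and Track 2 (;<PAN>=<YYMM>...?) formats.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Heuristic (assumption of this example): a labelled verification code in a log.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS 3.3 maximum), mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return findings as dicts: line number, kind and a masked value (never the raw data)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []    # spans already reported as track data
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                covered.append((m.start(), m.end()))
                findings.append({"line": line_no, "kind": kind, "masked": mask_pan(m.group(1))})
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if not luhn_valid(digits):
                continue    # random digit runs (order refs, timestamps) fail Luhn
            if any(s <= m.start() < e for s, e in covered):
                continue    # PAN already reported as part of track data
            findings.append({"line": line_no, "kind": "pan", "masked": mask_pan(digits)})
        for m in CVV_RE.finditer(line):
            findings.append({"line": line_no, "kind": "cvv", "masked": "***"})
    return findings


# Constructed sample log lines (test PANs only; no real card data).
SAMPLE_LOG = """\
2010-12-21 09:14:02 order=1001 pan=4111 1111 1111 1111 exp=12/25 amount=49.99
2010-12-21 09:14:05 order=1002 ref=1234 5678 9012 3456 status=ok
2010-12-21 09:15:11 pinpad debug raw=;5500000000000004=25121011234?
2010-12-21 09:15:12 pinpad debug cvv2=123 approved
2010-12-21 09:16:40 order=1003 pan=550000******0004 exp=12/25 amount=12.00
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

Line 2 is deliberately a 16-digit reference number that fails the Luhn check and is not reported, and line 5 shows that an already-masked PAN does not trigger a finding; line 3 is the kind of "debug" output from a PIN pad or EPoS driver that puts full Track 2 data on disk and is the most common way prohibited data ends up stored.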

All card transactions represent a risk, including e-commerce transactions, and each card brand sets merchant levels by transaction volume. For Visa merchants:

  • Level 1 - Merchants processing more than 6 million Visa transactions annually (any channel) are required to have an annual on-site PCI Data Security Assessment and quarterly network scans by an Approved Scanning Vendor (ASV). The on-site assessment may be completed by an outside Qualified Security Assessor (QSA) or by an internal audit team, provided an officer of the company signs it off.
  • Level 2 - Merchants processing 1 million to 6 million Visa transactions annually are required to complete an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV network scans.
  • Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually are required to complete an annual SAQ and quarterly ASV network scans.
  • Level 4 - Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually across any channel, are required to complete an annual SAQ and quarterly ASV network scans where applicable; the acquiring bank sets the validation requirements.

See Part 2 of this article for the following

  • Sounds like a lot of work and expense – what is the cost justification for the PCI DSS?

  • What happens in the event of us being breached?

  • Is PCI DSS compliance required by law?

For more information go to www.newnettechnologies.com

All material is copyright New Net Technologies


Psst - Want to know how you can save $thousands on PCI DSS Vulnerability Scanning costs? Read this...

AF Blakemore run over 220 Spar stores around the UK. In common with other retailers around the world, PCI DSS has been a significant headache during the last few years since its introduction in 2004.

Retail is a business sector that always works on tight margins and cost control for any IT investment is subject to close scrutiny with value for money and return on investment carefully assessed.

There are seldom any shortcuts when it comes to security, especially under the PCI DSS validation requirements: Level 1 merchants (those processing more than 6 million transactions each year) must have their compliance with the standard independently audited on site, typically by an authorized Qualified Security Assessor (QSA).

AF Blakemore needed to balance the need to fully observe all sections of the PCI DSS mandate, while maintaining the highest levels of security and integrity of IT Systems, whilst at the same time minimizing expenditure and resource requirements - this is where NNT have been able to help.

“When we looked at ASV scanning cost projections for our estate the numbers were potentially huge” says Jim Curtis, PCI DSS Consultant for AFB. “The other requirements for PCI DSS such as reviewing and backing up event logs, file integrity monitoring and device hardening were already looking to be expensive too, but the NNT solution solved everything for us”

“NNT Change Tracker was recently awarded a maximum 5 out of 5 in Secure Computing’s Group Test and, combined with NNT Log Tracker, provides PCI DSS Merchants with the most cost-effective and easy to use Compliance Management solution available” Russell Willcox, Chairman, NNT

Using built-in PCI DSS device hardening templates and continuous configuration state tracking ensures that EPoS and Back Office servers remain ‘hardened’ at all times. Crucially, this means that in terms of their PCI DSS vulnerability scanning obligations, AFB need only scan a small percentage of store sites, saving money and time without any compromise to security.

Jim Curtis concludes “We have easily saved in excess of £200K a year this way”

"How much money could you save?" - FOR MORE INFORMATION AND TO REQUEST AN EVALUATION OF NNT PCI DSS SOFTWARE VISIT www.newnettechnologies.com

PCI DSS Section 11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files - what the?!

As a mandated component of the PCI DSS, FIM verifies that program and operating system files have not been tampered with (see requirement 11.5 of the PCI DSS).

"11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly"

Why is this important? The principal benefit of using FIM technology is to ensure that malicious code has not been embedded within critical application and operating system files. The insertion of a ‘backdoor’ or Trojan into core program files is one of the more audacious and elegant forms of hacking, and also one of the most dangerous.

Requirement 11.5 of the PCI DSS (Payment Card Industry Data Security Standard) specifies: “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly”. Requirement 10.5.5 adds, for log files: “Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”. The log case is the subtle one: a log file is expected to grow, so the check has to distinguish a pure append from an edit, truncation or rewrite of data that was already there.

Contemporary compliance management technology will provide pre-defined templates for all folders and files that should be tracked for File-Integrity, also allowing you to specify additional program folders and files unique to your environment, for instance, your core business applications.

File Integrity Monitoring technology conducts an initial inventory of all filesystems specified and ‘fingerprints’ every file with a cryptographic hash (for example SHA-256), generating a checksum that changes if even one byte of the file changes; good implementations also record file attributes such as permissions and ownership, since a backdoor can be introduced by making a file world-writable without touching its contents. The baseline must be taken from a known-good state, otherwise the system will faithfully verify a file that was already compromised. The system then audits all tracked files on a scheduled basis, typically every 24 hours (even though the PCI DSS calls only for weekly checks), and reports any additions, deletions or modifications to you.
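The baseline-and-compare cycle described above, and the append-only handling for logs that requirement 10.5.5 asks for, are shown in the following added example. It is written for this article and is not NNT Change Tracker code or any other product's implementation; the file tree, the "trojaned binary" and the tampered log are constructed inside a temporary directory so the example runs offline, and the hypothetical `demo()` function returns the alerts that the comparison raises. The approach to logs is an assumption of this example: a file registered as append-only is accepted without an alert only if it has grown and the hash of its first N bytes (N being the size recorded in the baseline) still matches the baseline hash.

```python
import hashlib
import os
import stat
import tempfile

CHUNK = 65536


def hash_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of a file (the whole file if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
                if remaining == 0:
                    break
    return h.hexdigest()


def fingerprint(path):
    """Content hash plus the attributes an attacker can abuse without changing content."""
    st = os.lstat(path)
    return {"sha256": hash_prefix(path), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root):
    """Inventory every regular file under root, keyed by a '/'-separated relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def compare(root, baseline, append_only=()):
    """Return sorted (path, change) alerts; pure appends to append_only files are not alerts."""
    current = build_baseline(root)
    alerts = []
    for rel, old in baseline.items():
        if rel not in current:
            alerts.append((rel, "deleted"))
            continue
        new = current[rel]
        if new["mode"] != old["mode"] or new["uid"] != old["uid"]:
            alerts.append((rel, "attributes changed"))
        if new["sha256"] == old["sha256"]:
            continue
        # Log files may grow, but the bytes that were already there must be unchanged
        # (PCI DSS 10.5.5). Any edit, truncation or rewrite of the old prefix is an alert.
        if (rel in append_only and new["size"] > old["size"]
                and hash_prefix(os.path.join(root, rel), old["size"]) == old["sha256"]):
            continue
        alerts.append((rel, "content modified"))
    for rel in current.keys() - baseline.keys():
        alerts.append((rel, "added"))
    return sorted(alerts)


def demo():
    """Constructed scenario: take a baseline, simulate events, return the resulting alerts."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="wb"):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, mode) as f:
                f.write(data)

        write("bin/pos-service", b"\x7fELF original binary\n")
        write("etc/pos.conf", b"tls=required\nlog_level=info\n")
        write("logs/audit.log", b"2010-12-21 09:00:01 user=alice logon ok\n")
        write("logs/app.log", b"line1\nline2 user=mallory logon failed\n")
        baseline = build_baseline(root)

        # Events after the baseline (all constructed for the example):
        write("bin/pos-service", b"\x7fELF original binary\n<backdoor>")     # binary grows: alert
        write("logs/audit.log", b"2010-12-21 09:05:00 user=bob logon ok\n", "ab")  # normal append
        write("logs/app.log", b"line1\nline3 all good\n" + b"x" * 40)         # old line erased: alert
        write("bin/dropper.exe", b"MZ dropped by attacker")                   # new file: alert
        os.remove(os.path.join(root, "etc/pos.conf"))                        # config gone: alert

        return compare(root, baseline, append_only={"logs/audit.log", "logs/app.log"})


if __name__ == "__main__":
    for path, change in demo():
        print(f"ALERT {change}: {path}")
```

Note that `bin/pos-service` receives exactly the kind of change that is tolerated for `logs/audit.log` (bytes appended, prefix intact) and is still reported, because it is not registered as append-only; and `logs/app.log` is reported even though it grew, because an existing line was removed. A real deployment stores the baseline outside the monitored host (an attacker who can modify the files can usually modify a local baseline too) and re-baselines only through a controlled change process.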

The latest generation of File Integrity Monitoring software also operates in a ‘live tracking’ mode for ultra-secure environments, where file changes are detected and reported in real time rather than at the next scheduled comparison.

Other options to consider are to track and identify the actual changes to file contents, which is useful when tracking configuration files because it provides a complete audit trail of change history, not just the fact that a hash changed. The latest version of NNT Change Tracker includes a File Content Tracker, which can be applied to any form of text-based file such as plain text, XML, PHP, JavaScript, ASP.NET and so on.

It's easy to set up and you can get results within minutes of downloading a trial version - here