PCI stands for “Payment Card Industry”, a body comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data.
To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives but this is the main one that applies to the majority of businesses.
The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit cardholder data. The requirement for PCI DSS compliance is stated in your agreement with the bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SSC and can issue fines for non-compliance.
4. THE STRUCTURE
The PCI DSS standard is based upon the following 6 core principles and 12 requirements (288 controls):
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
5. THE APPROACH
• Risk-based prioritisation of implementation of the controls
• Milestone 1: Identify what you have, where you have it and write policies to protect it.
• Milestone 2: Network integrity
• Milestone 3: Code integrity
• Milestone 4: Logs & records
• Milestone 5: Incidents
• Milestone 6: Auditing & testing
6. THE SCOPE
• Any systems that process, store or transmit cardholder data (credit or debit)
• Any systems that connect to them
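Scope follows the data, so the practical first step (Milestone 1: "identify what you have, where you have it") is to find where primary account numbers actually sit in logs, exports and file shares. The scanner below is an added example, not code from the deck: it finds digit runs of 13 to 19 characters that pass the Luhn checksum and reports them masked (first six / last four) so the findings report does not itself become another copy of cardholder data. The sample log and the names used are constructed for the example.

```python
"""Hypothetical cardholder-data discovery scanner (added example; not code from
the deck).  Finds candidate primary account numbers (PANs) in text so you can
map which systems are in scope.  A candidate is a run of 13-19 digits, with
optional single spaces or dashes between digits, that passes the Luhn check;
a bare digit-run match alone would flag phone numbers and order IDs."""
from __future__ import annotations
import re
from dataclasses import dataclass

# 13-19 digits, each optionally followed by one space or dash; the look-arounds
# refuse matches that are part of a longer digit run (e.g. a 20-digit serial).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum every real PAN satisfies; rejects most random digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 (the most PCI DSS permits to be shown); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str      # file / system the text came from
    line_no: int
    masked_pan: str  # never store the clear PAN in the findings report


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN candidate found in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample log: two valid test PANs (lines 1 and 4), one PAN with a
# broken checksum (line 2) and a 13-digit phone number (line 3) that must not fire.
SAMPLE_LOG = """\
2024-05-01 10:02:11 order=1842 pan=4111111111111111 amount=19.99
2024-05-01 10:02:12 order=1843 pan=4111 1111 1111 1112 amount=5.00
2024-05-01 10:03:40 ticket=TKT-553 phone=0123456789012 note=callback
2024-05-01 10:05:02 order=1844 pan=5555-5555-5555-4444 amount=42.10
"""

if __name__ == "__main__":
    for f in scan_text("constructed-app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: PAN {f.masked_pan}")
```

Run it over the constructed log and only lines 1 and 4 are reported; the Luhn check is what keeps the phone number and the mistyped card out of the CDE map, and the masking is what lets the report be circulated to stakeholders for the sign-off the de-scoping step asks for.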
8. IDENTIFY LEAKAGE
(Data-loss threat-vector diagram, flattened to a list: “Data Loss” at the centre with five spokes.)
Endpoint
• Laptop / Desktop, Server
• CD / DVD, USB iPod, MemoryStick, PCMCIA, MemoryCard Readers
• Communication: Bluetooth, Infrared, Firewire, Serial / Parallel Ports
• Virtual Machine
• Other Threat Vectors: Screen Scrapers, Trojans, KeyLoggers
Social Engineering
• Phishing / Spear Phishing, Piggybacking, Dumpster (Skip) Diving, Contractors, Road Apple, Eavesdropping
Data-In-Motion
• E-Mail, HTTP/S, SSH, FTP, IM, VoIP, P2P, Blogs
Data-At-Rest
• Databases, File Systems, File Servers, NAS, SANs / iSCSI Storage, Voice Mail, Video Surveillance
Physical
• Printers, Backup Tapes / CD / DVD, Laptop / Desktop / Server, Fax, Photocopier, Mobile Phone / PDA, Digital Camera (incl. Mobile Phone Cameras), Incorrect Disposal, Printed Reports
9. #2 DESTROY & DE-SCOPE
Both hard & soft copies
If you don’t need it – delete it.
Take your time. Use your CDE map.
Stakeholders sign off
Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards
Include 3rd parties & back up systems
Be ruthless (without Ruth)
10. #3 OUTSOURCE & OVERSIGHT
• What can you outsource?
• Risk transference vs. risk mitigation
• Compliance requirement in SLA
• Should not be cost plus
• See proof (ask for copy of their RoC)
• Conduct annual onsite audit
• Still need program
• The liability is still yours
11. #4 SEPARATE & SEGMENT
Led by “need to know”
Always ask: Why?
Should not be vendor led
Firewall, VLAN, software…
Subnets
Wireless networks
3rd party suppliers!
“Any systems connected” to the CDE
13. ENCRYPTION
• Card brand specific technology requirements
• PoS configuration requirements
• Bank-owned vs. Merchant-owned devices
• Compliance requirement in contract & SLA
• Who’s responsible for a breach?
• Still have compliance validation requirement
14. #5 TOKENISE
• Can significantly downsize scope
• Card data replaced by “token” (surrogate value)
• Card data stored in centralised vault
• Servers processing, storing or transmitting cardholder data are in scope
• Servers processing, storing or transmitting surrogate values are not in scope
16. TOKENISATION
• Where tokens and card data meet = in scope
• Tokenisation hosting solution critical
• Be careful of “hybrid” solutions
• See PCI Standards Council site for guidance
• Test the solution!
• This is no silver bullet
• Validation still required
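The two tokenisation slides above describe a scope boundary: the vault that maps tokens back to card data is in scope, and a system that only ever handles surrogate values is not, but wherever tokens and card data meet is in scope again. The code below is an added example written for this page, not the deck's or any vendor's product: a minimal vault that issues random tokens, and an order store outside the vault that refuses anything PAN-shaped so a “hybrid” integration cannot quietly pull it back into the CDE. Class names, the index key and the sample PAN are constructed for the example.

```python
"""Hypothetical tokenisation vault (added example; not the deck's or any vendor's
code).  Shows the scope boundary the slides describe: the vault alone maps
tokens to PANs and is in the CDE; a system that only ever handles tokens holds
no cardholder data.  Tokens are random surrogates with no mathematical relation
to the PAN, keeping only the last four digits for "card ending 1111" displays."""
from __future__ import annotations
import hashlib
import hmac
import re
import secrets
import string

_PAN_LIKE = re.compile(r"\d{13,19}")


class TokenVault:
    """In-scope component. A production vault would also encrypt the PAN column
    at rest (Requirement 3) and gate detokenize() behind strong authorisation."""

    def __init__(self, index_key: bytes):
        self._pan_by_token: dict[str, str] = {}   # the only place a PAN lives
        self._token_by_hash: dict[str, str] = {}  # HMAC(PAN) -> token, for repeat customers
        self._index_key = index_key               # keyed so the index cannot be brute-forced offline

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not _PAN_LIKE.fullmatch(pan):
            raise ValueError("not a PAN")
        idx = self._index(pan)
        if idx in self._token_by_hash:            # same card -> same token
            return self._token_by_hash[idx]
        while True:                               # random surrogate; retry on the unlikely collision
            body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
            token = f"tok_{body}_{pan[-4:]}"      # letters only, so the token is never PAN-shaped
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_hash[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path should be allowed to call this."""
        return self._pan_by_token[token]


class OrderStore:
    """Out-of-scope system (hypothetical): stores tokens and refuses anything
    PAN-shaped, so a 'hybrid' integration cannot quietly drag it back into scope."""

    def __init__(self) -> None:
        self.orders: list[dict] = []

    def record(self, order_id: str, card_ref: str, amount: float) -> None:
        if _PAN_LIKE.search(card_ref):
            raise ValueError("refusing to store a PAN outside the vault")
        self.orders.append({"order_id": order_id, "card_ref": card_ref, "amount": amount})


def demo() -> tuple[str, str, int]:
    """Constructed walk-through: returns (token, recovered PAN, orders stored)."""
    vault = TokenVault(index_key=b"constructed-demo-key-rotate-in-production")
    store = OrderStore()
    pan = "4111111111111111"                       # a standard test PAN
    token = vault.tokenize(pan)
    store.record("1842", token, 19.99)            # fine: token only
    try:
        store.record("1843", pan, 5.00)           # blocked: PAN outside the vault
    except ValueError:
        pass
    return token, vault.detokenize(token), len(store.orders)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the keyed index: the vault needs to recognise a returning card without scanning every stored PAN, and an unkeyed hash of a 16-digit number is cheap to brute-force, so the lookup index is an HMAC under a vault-held key. Everything else that touches the token (order history, CRM, reporting) sees only `tok_…_1111`, which is what lets those servers be argued out of scope; the validation the slide insists on is checking that no path exists where such a system can receive the PAN itself, which the `OrderStore` guard enforces rather than assumes.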
17. 5 WAYS TO REDUCE PCI
Discover & Document
Destroy & De-scope
Outsource & Oversight
Separate & Segment
Tokenisation