IT PCI Complaince
IT PCI Complaince
PCI:
REQUIREMENTS
TO ACTION
Practical guidance for more
efficient, effective compliance
TRUTH TO POWER
ASSOCIATION
PCI REQUIREMENTS TO ACTION
TABLE OF CONTENTS
Contents
Risk Management................................................................................................................. 4
Operational Security............................................................................................................ 8
Secure Development.......................................................................................................... 11
ProvEnance.................................................................................................... 33
notes................................................................................................................ 34
LEGAL NOTICE................................................................................................... 37
Largely because of these assumptions, PCI has since its first release in 2005 sparked both skepticism and
criticism. Critics call the standard a money pit: a mandate of checklist compliance that diverts capital, re-
sources, and strategic focus for only a topical guarantee of card-data protection. Meanwhile, the ongoing
evolution of information security as a corporate practice has only served to highlight PCI’s limitations as
a relatively static programmatic standard
Is PCI fatally flawed? The answer hangs as much on companies’ approach to compliance—and security as
a risk management practice—as on the rule itself.
Much undue risk, unnecessary work, and excessive costs associated with PCI compliance spring from
misconceptions or misapplication of the standard. PCI is primarily a tactical, technical standard; but it
is not comprehensive guidance. Nor does it constitute a risk or security management framework.7
• Too much compliance, not enough security. Companies that focus on PCI as a compliance goal,
rather than a security means, are bound to miss significant risks that can come back to haunt them.
As a security checklist, PCI is not sufficiently detailed to provide comprehensive coverage, even in
compliant entities. A letter-of-the-law approach to compliance, such as penetration tests focused
only on financial systems, the omission of social engineering vectors, and fix-it-and-forget-it annual
assessments, leaves companies exposed. In fact, confusing compliance with security can increase
risk potential, since companies may assume more risk than they should when they believe they’re
protected by a bullet-proof skin of PCI compliance.
Companies that fail to properly assess and account for the security-risk impact of internal changes—
or that fail to keep security controls, such as antivirus definitions, up to speed with external threats—
are risk magnets. Every change, from new server purchases to new virus outbreaks, multiplies the
likelihood of a breach. Annual security is simply not adequate to protect covered systems, to say
nothing of enterprise systems as a whole.
• Bad self-assessment, bad assumptions, and/or bad reporting. Most merchants are not subject
to external audits and may exercise significant discretion in both their internal assessments and
the self-assessments they remit to their banks. This aspect of the standard leaves plenty of room
for honest mistakes, corner cutting, fudging, and blatant dishonesty. PCI’s compliance costs are
significant and should be approached with an efficiency posture; however, cost constraints do not
justify compliance program that pay only lip service without validation. Companies (and auditors)
must, as Ronald Reagan famously said, “Trust, but verify.”
In fact, almost all of these failures are allowed under PCI—a perfect indicator of why compliance with the
standard cannot rationally be used as either the alpha or omega of security efforts.
PCI lives in a murky twilight of security management. While it provides some concrete milestones, these
can be effective only if companies 1) provide a managerial context of appropriate scope, risk relevance,
operational integration, and continual improvement; and 2) ensure that more granular controls are
working more frequently than the rule absolutely requires. Companies must support PCI from both the
ENTERPRISE
RISK MANAGEMENT INFORMATION SECURITY CONTROLS
PCI COMPLIANCE
INFORMATION SECURITY MANAGEMENT
top down and the bottom up, according to their unique risk profiles and risk vectors. Above all, compa-
nies must accept managerial responsibility for security decisions.
Given context and structure, PCI can be a critical component of an effective security practice. While the
effectiveness of any security investment is notoriously difficult to quantify (what is the cost of a breach
that never happened?), the obverse of increased risk in the absence of compliance has been document-
ed. According to the 2009 Data Breach Investigations Report issued by the Verizon Business RISK Team,
more than 75 percent of companies that reported experiencing a breach had been deemed noncompli-
ant in the preceding 12 months.8 This is a statistically significant correlation between control failures and
breach events. In light of this finding, the question is not whether PCI can represent effective security,
but how to make compliance make sense in the enterprise context. As indicated earlier, the answer lies
in approaching PCI compliance from both the top down and the bottom up:
• Top-down approach: Integrate PCI as an assurance checklist within strategic risk- and security-
management programs. In general, the only way to do accomplish this efficiency is to integrate
security values and procedures into typical operational processes.
• Bottom-up approach: Use PCI as a lever to build and advance the overall organizational security
program—with the understanding that PCI compliance is not an end goal. Companies can leverage
the requirement for changes and process development to improve the entire organization
wherever possible rather than only applying these methods and tools to the smaller cardholder
environment.
The balance of this paper supports both initiatives by providing an analytical perspective on PCI require-
ments, references to useful resources that support an integrated compliance approach, and practice-
based recommendations for implementing PCI controls that makes sense in terms of operational risk,
compliance obligations, and business justification. Although this guidance will not allow you to develop
a security and risk management program overnight, it supports the first and most critical step: under-
standing what you need to do to turn PCI compliance from an expensive, pro forma proposition into a
comprehensible, pragmatic, and programmatic effort.
Risk Management
A risk management approach is not required for PCI compliance. That said, savvy security professionals
will tell you that risk management is an essential precursor to efficient compliance, sound security strat-
egy, and effective security operations.
In reality, there’s no good way to short-cut the development of a risk management process and approach.
You can, however, leverage one or more frameworks to jumpstart your strategy. Robust risk management
frameworks like those cited in this section generally cover, to a greater or lesser degree, the categoriza-
tion and/or rating of information systems or assets; the identification and measurement of security risk;
and the selection, implementation, assessment, monitoring, and continual improvement of security con-
trols for risk mitigation. Comprehensive and widely used frameworks include9:
As you can see in the descriptions above, each given framework approaches risk management in its own
way. Organizations should choose a framework and approach that melds well with corporate culture and
values. Following OCTAVE, for example, requires time and input from many high-level managers, which
may be unavailable in some organizations, but preferred in others. NIST and FAIR, by contrast, rely more
heavily on the collection and analysis of data that might or might not be readily available.
Risk and security managers should also be sensitive to cultural factors that might indicate one approach
over another. For example, executives and other organizational stakeholders in one organization might
see a more quantitative, data-dependent framework as divisive; an “ivory tower” approach to risk man-
agement. In another organization, a quantitative approach might be preferred. After all, the insurance
industry, which is rooted in actuarial science, provides ample evidence of organizational faith in quantita-
tive risk management methodologies.
Note that, when it comes to choosing a framework, one size does not always fit all—even within a single
organization. Managers should plan to assess various frameworks, identify at least one framework that
seems like a good fit for the organization, and customize a risk management approach that fits the orga-
nization’s unique characteristics.
In fact, many companies pursue a hybridized risk management methodology based on multiple frame-
works. While this approach can provide the best fit and coverage, managers should also be aware of
potential stumbling blocks a hybridized approach can present in risk management practice. Some frame-
works are tied to licensed methodologies; training, assessment, and certification programs; tools; and
specialized professional services. Integrating disparate methodologies can complicate the organization’s
ability to use or benefit from such supplementary resources down the road. Instead of applying hybrid-
ization across the entirety of enterprise, managers should instead look at a tiered approach that ranges
from risk-based decision processes to hands-on risk assessment to in-the-trenches risk mitigation.
The real cost of compliance with PCI’s logging requirements lies in management, security, and review.
If you have several systems defined as in-scope for PCI—and particularly if some are externally facing
hosts—you must maintain fairly detailed logs for them. On top of this, PCI’s specification of daily log
review for “all system components” is one of its most onerous requirements—more so, because manual
review and processing of audit logs is a mind-numbing and time-intensive task.
For these reasons, many companies opt to use commercial log-management tools for the collection and
analysis of log data. Organizations that cannot budget for log management software can still reduce (but
not eliminate) the review burden by instituting scanning scripts that automatically scan logs for new
events, system events, suspicious user activities, and known attack indicators. Such scripts can usually
be configured to write their findings to a separate log or recording mechanism and/or email findings to
designated staff.
Even absent this level of coordination, however, meeting PCI’s log management requirements requires
both planning and managerial strategy. Standards such as NIST Special Publication 800-92 (PDF) can
help companies define good-practice steps for log collection, correlation, and realtime analysis. Most of
these process steps can be automated, allowing companies to proactively detect information confiden-
tiality and integrity risks, as well as use patterns, server loads, and other trends that might indicate risks
to information availability.
Don’t forget incident response management in your log management planning. Engaging skilled, com-
petent employees who can perform risk, performance, or forensic analyses on logs is a managerial—not
technical—activity. This is another way that PCI can end up costing you more than you might expect.
However, omission can be still more costly.
Operational Security
Operational security controls help reduce risks introduced by IT operations themselves. These controls
can be simple actions, such as hardening servers. Or they can be more involved activities, such as defin-
ing and following good antivirus, patch management, vulnerability management, configuration man-
agement, and change management practices. In terms of compliance cost, however, these efforts are
usually one of the more nominal areas.
Patching servers can be straightforward, as long as you don’t break your applications in the process.
PCI v1.2 Requirement 6.1 requires organizations to apply “critical” patches within one month of their
release and allows organizations to prioritize patch installation according to system criticality. While
PCI stops short of recommending risk-based patch
prioritization (“An organization may consider apply-
While PCI stops short of ing a risk-based approach to prioritize their patch
installations.”),10 the language in v1.2 at least gives
recommending risk-based managers a defensibility “hook” for defending patch-
ing decisions to their auditors. To be safe, however,
it is advisable to document a patch scoring system—
patch prioritization, the such as the one recommended by the The Security
Content Automation Protocol (SCAP) from NIST—to
language in v1.2 at least your environment, combined with a risk-based ap-
proach to scheduling patch implementation.
gives managers a “hook” for
PCI requirements for configuration management and
defending patching decisions change management also fall under operational secu-
rity and have a rather greater potential to give technical
staff major headaches. Change review and approval—
to their auditors. as well as associated requirements such as versioning,
rollback procedures, and segregation of duties—can
add time and process to developer and administrator
responsibilities. Companies are likely to incur costs n the short term, with respect to performance effi-
ciency and overall staff morale. These “people” costs should be factored into the overall costs of PCI com-
pliance. Managers should also be sensitive to “techie” tendencies to shortcut procedural requirements.
However, change and configuration management should increase operational efficiency over the longer
term.
Automated workflows and configuration management tools can help reduce some of the process bur-
dens and risks associated with change and configuration management. A good configuration manage-
ment system can save your bacon if an upgrade goes awry or if a key piece of networking equipment
gives up the ghost.
Encryption of data at rest is by far the more complex requirement. In many cases, developers believe they
can write custom code for encryption algorithms and functional key management. In reality, however, such
practices can introduce tremendous unmitigated and unmanaged risk to the enterprise. Writing code for
encryption and key management is a tricky venture at best, and downright dangerous on average.
Managers should also consider the process requirements of key management, in addition to the techni-
cal aspects. Specifically, PCI requires the application of split knowledge, dual control, and separation of
duties in the management of encryption keys. These requirements are meant to ensure that no single
person can control all of the keys or the key environment. A person who generates keys may not also in-
stall them. And a person who installs keys must not be able to generate and install their own key, in order
to prevent insertion of an unauthorized key. All of these controls must be supported by periodic checks
to ensure that the key system has the highest integrity possible.
Secure Development
Bolting security onto applications and projects is not only ineffective, it doesn’t meet compliance require-
ments. Security must be integrated into development process, per PCI Requirement 6. In most cases,
companies must institute changes in development practices in order to meet this demand.
The best approach to this requirement is to align development processes with a software development
lifecycle. Managers should also encourage developers to engage in programs, such as the Open Web Ap-
plication Security Project (OWASP),11 which is recommended in the PCI standard. However, as with risk
management, companies can leverage available management models to accelerate integration of security
practices within development programs. OWASP’s Software Assurance Maturity Model (SAMM) and the
Building Security In Management Model (BSI-MM), an open resource released by vendors Cigital and For-
tify, both represent robust, free resources that can jumpstart secure-development initiatives.
In many cases, developers will need to modify their practices to incorporate security functions, such as input
and output validation, elimination of common vulnerabil-
Where development staff ities, and use of stored procedures. Where development
staff lack experience with secure coding, a team-mentor
approach to education can encourage more rapid adop-
lack experience with secure tion. In this approach, managers identify team members
who are interested in application security, encourage skill
coding, a team-mentor development, and support these early adopters in lead-
ing other team members to improve overall security prac-
approach to education tices. Sending developers to training courses or engaging
external training services that specialize in secure devel-
can encourage more rapid opment can further accelerate the absorption of secure
coding concepts and practices.
adoption. Companies should also ensure that application security
is integrated into QA processes. Basic security testing
should accompany standard code and functionality test-
ing. QA staff should look for common application vulnerabilities12 and validate that code functions as
expected. QA should also stress-test interfaces that might be subject to brute-force attacks; including,
but not limited to, login, registration, and billing screens.
Commercial products and services can help If you’re not entirely confident in your company’s ability to
achieve secure development objectives. Some consultants and service vendors specialize in secure cod-
ing and static code analysis, and several software vendors offer products for secure-code analysis.
Pentesting can be another thing entirely. While vulnerability scanning is passive in the sense that it
seeks only to identify potential security weaknesses, pentesting actively explores the extent of the
damages that would be allowed by found weaknesses. These efforts can include both technical and
non-technical methods. Although application and network testing are often viewed as technical process-
es, the SSC’s Information Supplement: Requirement 11.3
The key to efficiency is to Penetration Testing13 (PDF) also puts social engineering
within the pentesting scope.
keep your scope refined, This broad range of activities requires very diverse skill
sets. Obviously, individuals who are qualified to perform
document what you do and software-based application testing might not be equally
adept at social engineering tests. Companies should fac-
what you find, and define a tor the potential cost of multiple staff resources into PCI
compliance budgets.
remediation plan to address Unlike external vulnerability scanning, pentesting does
not require hiring an ASV or Qualified Security Assessors
negative findings in a timely (QSA). Instead, the only requirement is to use “compe-
tent staff” to perform these tests on an annual basis. It’s
fashion. important, however, to note that the use of skilled pene-
tration testers (“pentesters”) is essential to the success of
an internal testing program, even if that means engag-
ing an outside resource or hiring additional staff. For this
reason, pentesting can represent a significant line-item expense associated with PCI; however, as with
encryption, pentests are a requirement for which it’s dangerous to cut corners. Having your local curious
hacker/admin do the job can leave a lot to be desired, fall short of compliance, and fail to meet the secu-
rity objective of pentesting requirements. In particular, it is important to work with an experienced pro-
fessional who will write a useful, usable report and who isn’t afraid to tell you what’s broken—hopefully,
without breaking your systems in the process.
Because automated pentests are designed to closely approximate hacker methods, application and net-
work pentesting are two of the few areas of compliance where automation is a de facto requirement.
Overall, the key to efficient security testing and auditing is to keep your scope refined, document what you
do and what you find, and define a remediation plan to address negative findings in a timely fashion. The
strong backing of senior management is another implicit need in all of these stages, and on the technical
side you may need to build out a toolkit that combines multiple testing applications and procedures.
Incidentally, when implementing an in-house security testing and audit program, be sure that you take the
time to properly define different risk levels for your environment (as noted in the previous Risk Manage-
ment section). NSA’s INFOSEC Assurance Training and Rating Program—more specifically, IAM and its asso-
ciated INFOSEC Evaluation Methodology (IEM)—provides an excellent reference for defining an assessment
program, as does the Open Source Security Testing Methodology Manual (OSSTMM) from the Institute for
Security and Open Methodologies (ISECOM)
considers to be imperative The bottom line in all of these cases is that, while
defining role-based access controls (RBAC) is nec-
Standards provide more detailed rules for essary and vital to the success of PCI compliance
and an IAM program, it can also be a nightmare,
implementing the broader policies absorbing great swaths of time that might bet-
ter be spent elsewhere. Choosing the right tools
Procedures describe the steps or actions and assigning the right staff are the keys to meet-
ing IAM goals, while minimizing the unnecessary
required to comply with policies and
burn of resources
standards
Truth to Power’s IT Policy Templates Wiki Accordingly, the greatest costs associated with
Project is a free repository of structured this requirement area are time and staff resourc-
es. Most policy development projects bog down
IT policy models that you can copy,
somewhere along the line, typically during ap-
print, customize, and use for your own proval rounds. Plan appropriately—and plan on
information governance efforts. exercising a lot of patience—when you start on
these efforts. In addition, remember that periodic
review and maintenance are part of the policy
management process. Policy reviews should be
On the bright side, many freely available policy-development resources reduce the need to develop gov-
ernance documents from scratch. There are many non-commercial and commercial sources of policy
models that can expedite internal drafting processes. Appendix A: Security Policy, Standard, and Proce-
dure Models provides pointers to several robust resources.
In developing security awareness training, it is important to involve more than just technical resources
in the development and approval of the training materials. You may even be able to piggyback PCI train-
ing on existing human resources and new-employee training programs, if you can keep course material
concise and on-point. For longer training classes, be sure to schedule breaks if the class runs much longer
Courses that are developed and delivered internally tend not to incur much in the way of cost, although
it can be beneficial to have the training staff themselves trained on presentation skills and/or course
development techniques. You can also incur additional costs related to the use of specialized technolo-
gies (such as software and infrastructure for online training); and the cost of course development, trainer
training, training vendors, and class infrastructure (even if it’s all outsourced) must also be factored into
compliance budgets.
Unfortunately, PCI Version 1.2 is not written for implementers; rather, it’s structured more like an audit-
procedures guide. While this might make the requirements easier to comprehend from a goals stand-
point, it would be helpful to have an implementation guide that sets forth action items against which the
organization’s employees can execute.
This section seeks to provide one form of implementation guide by summarizing the actionable require-
ments of the PCI standards. All of the statements and action items listed hereafter are derived directly
from PCI DSS 1.2.14
The PCI supporting document PCI DSS Security Audit Procedures (PDF) includes a section that clarifies
which systems and components are covered by PCI requirements. Check your assumptions. On the one
hand, cardholder data has a nasty habit of finding its way into unauthorized caches and uses. On the
other hand, PCI itself does not necessarily or explicitly cover all enterprise systems.
PCI’s privacy and security requirements apply mainly, but not exclusively, to cardholder data. Some non-
cardholder data is also considered in the PCI standard; notably:
CARDHOLDER ENVIRONMENT
• Card data applications
• Point-to-point rules (ingress & egress)
POS • Internet access allowed
Satellite • Two-factor authentication for remote access
systems office
Vendor / systems
outsourcer/
supply chain systems
Stateful
firewall
CRM system
Internet
Partner
systems
Sales DB
NT
ME Marketing DB
IR ON
V E
L EN HER
TE RNA T BE Business
O
Z: IN N
DM ULD apps & DBs
A RY SHO
PRI
M
DAT
A Call center DBs
L DER
HO
RD
CA
Human Resources /
payroll DBs
Data warehouse
Finance /
accounting DBs
Email servers,
local files & archives
IT log data Finance /
accounting DBs
IT operational
Desktops, servers IT development
Laptops & & testing data
Work stations
ddata.
ro h ibite
forp
ion CARDHOLDER DATA ENVIRONMENT
l ocat
mon • Generally just databases
Com
• Contains Primary Account Numbers (PANS)
• RFC1918 IP affress Cardholder data
• Access only to Cardholder Environment
• Point-to-point rules (ingress & egress)
• No direct Internet access
• Out-of-scope data on PCI-covered systems. PCI requirements apply to systems that contain,
access, or interface with cardholder data. These systems may contain out-of-scope data that is
nevertheless covered by PCI.
Where does your PCI data live? Diagramming data flows can be a good first step in defining the in-scope
environment. Map where card data enters the enterprise, which systems it touches and where the data
flows between organizational applications, databases, and other systems. The discovery (and eradica-
tion) of rogue card-data in departmental systems is one of the most valuable potential outcomes of the
mapping process. Make a particular effort to think of the less-than-obvious organizational consumers of
cardholder data within your organization. Marketing spreadsheets, sales databases, activity reports, log
files, and development testing files are common culprits in the unwanted and unnecessary expansion of
PCI-covered environments.
System segmentation is another common, cost-driven scoping strategy. This entails the logical or even
physical isolation of the systems to which you are required to apply the most intensive and expensive
controls. The approach can be particularly effective when it’s too expensive to execute PCI-required secu-
rity controls on an enterprise scale, or when those controls would hobble legitimate and materially-sig-
nificant business functions (for example, cross-site scripting used for a Web-based marketing function).
Unfortunately, PCI v1.2 still leaves wiggle room for Level 1 merchants and their Qualified Security Asses-
sors to variously define network segmentation; however, the recommended practices of using routers
with stateful ACLs, switches with virtual local area network (VLAN) configurations, and firewalls to seg-
ment networks reduces the chance that you and your QSA will disagree.
Management should be aware that scoping for the wrong reasons—usually just to get as much informa-
tion as possible out from under PCI’s contractual thumb—can defeat compliance, cost-containment, and
organizational objectives. Network segmentation should be planned cautiously and intelligently to sup-
port maximum ongoing alignment of segmented systems. Without this strategic constraint, siloed PCI
implementations are much more likely to introduce redundant, inconsistent, and incompatible controls
and technologies that are expensive to implement and nearly impossible to scale or sustain. Companies
should also consider the cost and risks associated with managing and enforcing a separate strain of poli-
cies, standards, and procedures for PCI silos.
Merchants can also reduce the in-scope environment by outsourcing or engaging vendors for transac-
tional processing and card-data storage. Many companies choose this route simply to offload the risk and
complexity of PCI compliance. It should, however, be noted that PCI enforcers still theoretically hold mer-
chants responsible for the failures of processing vendors. Although this enforceability of this provision
is questionable, it is nevertheless in the best interest of merchants to validate and enforce to whatever
Finally, it must be noted that segmenting PCI systems does not relieve the organization of its general
obligations to protect and secure sensitive customer and business data. Managers taking a strategic ap-
proach to PCI scoping should evaluate the cost of architecting and enforcing segmentation against the
benefits of the control requirements that are inconsistent or incompatible with the organization’s general
information security regime—not the costs and benefits of PCI as a whole. Bottom line: mapping data
flows is an essential step in understanding enterprise risk, even irrespective of the impact on scoping.
Summary:
Companies must implement a DMZ for cardholder environments. A DMZ is effectively a security bubble
that contains the database wherein cardholder data is stored. Protection for the DMZ includes formal
processes for approval and testing all firewall and router configurations and changes that impact the
integrity of the DMZ. From an architectural best practice perspective, it is highly recommended that a
secondary DMZ be embedded within the primary DMZ, with tightly restricted communication between
the two. The secondary DMZ holds the cardholder data, separating it from the applications,
As part of this process, the company must develop and maintain a current network diagram; documenta-
tion of roles and responsibilities for PCI compliance; and documentation of all authorized services and
ports that are exposed, along with a justification and description of the security measures that protect
covered systems. In general, all “untrusted” network connections—including access from the Internet,
partner networks, and wireless environments15—must pass through firewalls. Firewall rules must be nar-
rowly focused, limiting both ingress and egress traffic.
Access controls into the cardholder environment must be IP-specific and must not expose internal ad-
dresses (per RFC191816). Servers should not be allowed to open new egress connections; users must
not be able to bypass firewalls to get to the Internet; and the firewalls must perform stateful inspection,
evaluating the state, context, and content of data packets. All rule sets must be reviewed at least every
six months.
Summary:
PCI requires companies to change all default passwords, SSIDs, SNMP strings, and other security elements
on vendor-provided software that could be used to expose cardholder data. Additionally, companies
should develop system configuration standards based on known good practices, as described below.
Action Items:
Change default passwords, wireless SSIDs, and SNMP strings prior to production deployment.
Develop system configuration standards based on known good practices that address the
following:
One primary function per server
Disable unnecessary and insecure services and protocols
Configure security parameter as appropriate
Remove unnecessary files and components
Remote administration must use a secured protocol.
Summary:
Wherever possible, do not store cardholder data. Some types of data— including the full magnetic strip
(also known as magstripe) data, the card-verification code/value, and the PIN or encrypted PIN block—
may not be stored at all. Although companies may store the cardholder’s name, the primary account
number (PAN), the expiration date, and the service code, the storage and display of such data must be
secured in the ways described below.
Action Items:
Minimize the storage of cardholder data through the development and enforcement of a data
retention policy.
Strictly limit the data that is stored and displayed.
You may store cardholder names, Primary Account Numbers (PANs), expiration data, and
service codes
Summary:
Cardholder data must be protected with strong encryption when transmitted across public networks,
such as Internet, wireless, GSM, and GPRS networks. Industry best practices for wireless networks must be
applied. Unencrypted PANs must never be transmitted using end-user messaging technologies (includ-
ing email, instant messaging, and chat).
Action Items:
Implement strong cryptography20 to protect the transmission of cardholder data over public
networks, including the Internet, wireless networks, GSM, and GPRS.
Use industry best practices for securing wireless networks (WEP21 is no longer a trusted
standard).
Summary:
AV software from a reputable vendor must be installed and working on any systems that are commonly
afflicted with malware. AV and AV audit logs must be addressed in security policy, in accordance with PCI
Section 10.7.
Action Items:
Ensure that AV installations are current, active, and generating audit logs in accordance with relevant
security policies and standards.
Ensure that at least three months of logs are immediately accessible through online interfaces.
Summary:
Companies must build security and privacy controls into development lifecycles. These controls gener-
ally fall into the broad categories of patch management, secure coding practices, separation of duties,
segregation of development environments, configuration management, change management, access
management, and vulnerability management. Public-facing Web applications, which are presumed to
run in more hostile security environment than internal applications, are subject to special security mea-
sures.
Action Items:
Summary:
Companies must limit access to cardholder data to only those individuals with a legitimate and recog-
nized business need. Access management should be automated, be based on user roles, and cover all
system components.
Configure access controls for “default deny,” allowing only individuals with explicitly authorization
to access covered systems. Authorization should be granted only to individuals with a legitimate
business need to access cardholder data.
Access management should conform to role-based permissions (a user account must be
assigned an authorized role to gain access to covered systems) and the principle of least-
privilege access (the user must be able to access only such information and resources that
are necessary to their legitimate business purpose).
The role-based access control systems must cover all system components.
Summary:
Companies must be able to uniquely identify, authenticate, and control access for all users of covered
systems. Access rights and privileges should reflect the current role or status of a user, such as termina-
tion of employment or a change in role that impacts the user’s need for access.
This PCI section indicates fairly stringent password management requirements. Passwords must be ob-
fuscated in backend systems and kept current through required rotation. Each individual password must
be unique within four rotations and consistent with secure-format criteria.
Action Items:
Summary:
Companies must implement controls to protect physical devices from unauthorized access and retain,
unless otherwise restricted by law, records of access. Control and monitoring mechanisms must them-
selves be physically protected.
Companies should correlate physical access logs (video records and physical sign-in logs, for example),
and log content must be periodically reviewed for evidence of breach attempts or events.
In addition to protecting data internally, companies must ensure that appropriate managers review and
approve all physical movement of cardholder data and at least annually inventory PCI-covered data stored
electronically and physically. When cardholder data is no longer required, the company must render it
unreadable and unrecoverable. Required practices must consider all types of media, including paper.
Action Items:
Summary:
Companies must monitor and retain audit logs for all access to and activity in the cardholder environ-
ment. Logs should record both who accesses the environment and what they do while within it. Logs
must be retained for at least a year, with 3 months of data immediately accessible. The minimum details
to be logged include user identification, type of event, date and time, event disposition (success/failure),
origination of the event, and identity of the name of the affected data, system component, or resource.
Action Items:
Summary:
Companies must assess the security of the PCI-covered environment both quarterly and annually. They
should quarterly check for rogue wireless access points and scan for external and internal vulnerabilities.
In addition, they should perform annual penetration testing (internal and external) that target both net-
works and applications. Note that companies are not required to engage a Qualified Security Assessor
(QSA) or Approved Scanning Vendor (ASV) for penetration testing, although engagement of an ASV is
required for external vulnerability scans.
Action Items:
Summary:
Although this requirement seems to demand just one policy, a policy framework or multiple policies
are often more effective in meeting security control objectives. In general, the goal is to draft, maintain,
and enforce security polices that cover all PCI DSS requirements. Policy development should include
formal risk assessment, risk management, and plans for annual review and update processes. Policies
must cover the development of daily operational security procedures and must clearly define roles and
responsibilities.
Managers must explicitly review and approve usage policies for individuals and devices, and they must
explicitly inventory and track what is approved for whom, including labeling devices with owner, contact,
and approved purpose(s). The policies themselves must set forth acceptable device uses and network
locations and codify the security requirements indicated in PCI’s other 11 sections.
The development of good usage policies that expressly prohibit remote users from copying, moving,
and locally storing cardholder data is particularly important, since the requirement cannot be enforced
through technological means.
Action Items:
Security Policies
Free Resources
• Computer and Network Security Taskforce IT Security Guide: Security Policies and Procedures
• SANS Security Policy Project
• IT Security Policy The Information Security Policies / Computer Security Policies Directory
• Truth to Power IT Policy Template Wikis
Commercial Resources
• IT Governance 2009 Policies & Procedures by Geraint H. Jenkins, Michael Wallace, Larry Webber.
Aspen Publishers, Inc. Sep 2008.
• Information Security Policies Made Easy, Version 10 by Charles Cresson Wood. Information Shield.
Feb 2009.
• Info-Tech Research Group: The Complete IT Policy Kit.
Security Standards
• NIST 800-Series of Special Publications (800-Series)
• The Center for Internet Security
• Common Criteria for Information Technology Security Evaluation
Security Procedures
• Computer and Network Security Taskforce IT Security Guide: Security Policies and Procedures
ProvEnance
Ben holds a Master of Science in Information Security Management from The George Washington University,
in addition to memberships in the American Bar Association Information Security Committee and eDiscovery
and Digital Evidence Committee, the OASIS EKMI and KMIP technical committee, ISSA, Infragard, and the IEEE
Computer Society.
Prior to his current position, Ben worked in a variety of information security roles for companies including
BT Professional Services, AOL, Wells Fargo, ICSA Labs, and Ernst & Young.
Ben may be reached at Truth to Power via his Knowledge Core at http://www.t2pa.com/cores/
security-and-privacy/practical-security. Registered T2P Members may also contact him directly via
his member profile under Ben Tomhave.
notes
1 The current iteration of the Payment Card Industry Data Security Standard (PCI, or PCI DSS) was origi-
nally released in the fall of 2008. Version 1.2 is the third iteration of PCI and represents the standard’s
continuing evolution. The official document is available at https://www.pcisecuritystandards.org.
2 Litan, Avivah “PCI Compliance Remains Challenging and Expensive.” Gartner. May 16, 2008.
3 Kindervag, John. “Confessions of a QSA: The Inside Story of PCI Compliance.” Forrester Research. Sep 11,
2008
4 For example, Heartland Payment Systems and RBS Worldpay reported massive data breaches in 2008,
although they were both recognized as PCI compliant. Following breach investigations, the PCI Security
Standards Council removed both companies from its list of compliant payment processors. (Kaplan,
Dan. “Visa: Heartland, RBS WorldPay no longer PCI compliant.” SC Magazine. Mar 13, 2009.) However
the implicit gaps between PCI compliance and complete information security have fueled resistance to
what some merchants see as an overbearing and overly expensive regulatory regime.
5 According to the 2009 Data Breach Investigations Report issued in April 2009 by the Verizon Business
RISK Team, almost 20% of companies reporting a breach had been found to be PCI compliant prior to
the breach.
6 Many of these criticisms were encapsulated in a March 2009 US Congressional hearing held by a sub-
committee of the Department of Homeland Security. Recorded proceedings are available on demand
at http://www.homeland.house.gov/hearings/index.asp?ID=185.
7 While the PCI Security Standards Council (SSC) recommends a risk-based approach to information se-
curity, it acknowledges risk management is not a prerequisite for PCI compliance. Indeed, neither the
standard nor its supporting documents offer substantive guidance on either programmatic security
management or risk management. Thus, it comes as no surprise that many companies institute PCI con-
trols as they are presented: in a vacuum and as a checklist security program.
8 2009 Data Breach Investigation Report. Verizon Business RISK Team. Apr 19, 2009. http://www.
verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf (PDF)
9 This short list represents only a small subsample of information and risk management frameworks avail-
able through a variety of organizations. In fact, many documents that do not self-identify as informa-
tion or risk management frameworks offer relevant, complementary, or overlapping guidance. Truth
to Power catalogs many of these documents in it Rules & Standards Hub. See the Hub’s Information &
Operational Protection, Governance & Risk Management, and Maturity Models sections for more infor-
mation.
11 PCI v1.2 specifically references OWASP in its recommended testing procedures for Requirement 6.5.a:
“Obtain and review software development processes for any web-based applications. Verify that pro-
cesses require training in secure coding techniques for developers, and are based on guidance such as
the OWASP guide (http://www.owasp.org).”
12 For examples, see CWE/SANS TOP 25 Most Dangerous Programming Errors. http://www.sans.org/
top25errors
13 Information Supplement: Requirement 11.3 Penetration Testing. PCI Security Standards Council. Apr 15,
2008. https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf (PDF)
14 The author is not a PCI Qualified Security Assessor (QSA). When in doubt, it is best to err on the side of
caution. If you’re subject to external assessment by a QSA, you should work closely with them to ensure
your questions are suitably answered, especially in the context of planned compensating controls.
15 In general, An untrusted network is any network not directly owned, controlled, or managed by your
organization.
17 For more information on stateful-inspection firewalls, see the Wikipedia entry at http://en.wikipedia.org/
wiki/Stateful_firewall
18 For more information on Network Address Translation (NAT) and IP masquerading, see the Wikipedia
entry at http://en.wikipedia.org/wiki/Network_address_translation.
19 This action is based on PCI Section 1.3.5, which states “Restrict outbound traffic from the cardholder
data environment to the Internet such that outbound traffic can only access IP addresses within the
DMZ.” Although the requirement seems to be poorly written, it is most likely intended to indicate that
database servers in the bubble within the overall cardholder DMZ should be allowed access only to
servers in the DMZ, and to nowhere else.
20 With PCI Version 1.2, the PCI Security Standards Council has clarified its definition of strong cryptograpy.
The full definition and further explanation are included in the “Payment Card Industry (PCI) Data Secu-
rity Standard Glossary, Abbreviations and Acronyms,” viewable at https://www.pcisecuritystandards.org/
security_standards/glossary.shtml.
22 The Open Web Application Security Project (OWASP) is an open source community that provides free
tools and guidance for application security. In particular, PCI recommends that all covered entities ad-
here to practiced recommended in the OWASP Top 10: a list of the most serious web application vul-
nerabilities, recommendations for protection, and additional support resources. The OWASP Top 10 for
2007 (the latest stable version) can be read online or downloaded at http://www.owasp.org/index.php/
Top_10_2007.
23 The official ISO site is one of the least useful resources for security managers seeking to interpret and ap-
ply the ISO/IEC 27000-series standards. Sites such as ISO 27001 Security (http://www.iso27001security.
com/) offer deeper insight and support.
LEGAL NOTICE
The information contained in this document does not constitute legal advice. When assessing any com-
pliance or legal matter, seek advice from your own corporate counsel or other qualified legal advisors
familiar with your unique situation and environment.
The information in this publication is provided by Truth to Power, LLC (T2P) for educational purposes on
an “as is” basis and without warranty of any kind. T2P disclaims any and all liability that might arise, di-
rectly or indirectly, from the access or reference to this work or the use or application of the information
it contains.
T2P seeks to provide accurate, timely, and complete information in all of our published content; however,
we cannot guarantee the accuracy or completeness of the content in this publication at any given time.
Further, we assume no responsibility for the quality of included content supplied by underwriters, spon-
sors, and other third-party organizations. Such content is clearly marked and is solely the responsibility
of its provider(s).