29/06/11

By Andrew Mason, co-founder and Technical Director at RandomStorm

The Payment Card Industry Data Security Standard (PCI DSS) is a set of internationally recognised guidelines for any company that processes, stores, or transmits customers' payment card details. The Standard was devised by the Payment Card Industry Security Standards Council, formed by Mastercard, Visa, American Express, JCB and Discover Financial Services. The guidelines are designed to prevent payment card fraud by educating companies on best practice when handling and storing payment card details.

Version 2.0 of the Standard came into force on 1st January 2011 and lists 214 security requirements that must be followed. While this sounds overwhelming, the Standard can be summarised into 12 core components for restricting access to payment card data and securing IT networks on which that data is stored.

Understandably, companies are very concerned about protecting customers' payment card details in the wake of the attack on Sony PlayStation Network.

In the following article I have provided some practical advice on how to comply with the 12 core requirements:

1 - Install and maintain a firewall configuration to protect cardholder data

Under PCI DSS guidelines, your Cardholder Data Environment (CDE) should be segmented from your corporate network. Therefore, it is important to ensure that firewalls are in place at all perimeter points where your computer is connecting with external networks, particularly the Web gateway. A firewall is a piece of software or hardware that protects computers on your internal network by restricting traffic and preventing certain transactions, based on a defined rule set.

The firewalls have to be configured following industry best practices, rather than vendor's default settings and policies and procedures have to be in place to protect the ongoing support and any changes to the firewall, including regular testing.

It is always advisable to pick one of the leading vendors for firewall technology to ensure ongoing support and the provision of timely security updates.

2 - Do not use vendor-supplied defaults for system passwords and other security parameters

Most network equipment comes with vendor supplied default credentials and configuration settings. It is astonishing how many companies we speak to that have not changed these default settings as these are a very effective attack vector for a potential hacker targeting your business. There are freely available lists of default passwords and default settings for most hardware available on the Internet. Every good penetration tester will use these default settings as part of their arsenal, to test whether your network is vulnerable. If they are available to the good guys, then thieves will use them too.

One example of this is an Oracle database. Oracle creates several default accounts at install time and more often than not, on a penetration test, the consultant will be able to connect to an Oracle database, posing as a user with escalated privileges, by using one of these default accounts that was not disabled before implementation.

Part of the commissioning plan for any new equipment should address the changing of vendor supplied defaults and testing the system before implementation to ensure these have been removed or changed.

3 - Protect stored cardholder data

If you have to store cardholder data within your CDE then you have a duty to ensure that it is protected in line with business, legal, or regulatory standards. Cardholder data should only be retained for as long as required and this should be specified in your data retention policy.

Cardholder data should be masked when displayed to employees who require visual access, such as in customer service departments, so that they cannot see the full Permanent Account Number (PAN) and all stored cardholder data should be encrypted to ensure that it cannot be read as clear text.

By encrypting cardholder data and masking off parts of the PAN, your company ensures that a hacker would not be able to extract usable cardholder data if they were successful in breaching your perimeter defences (physical and firewall) and a dishonest employee cannot compromise customers' details to commit fraud.

It is very important to implement a strong encryption method and to ensure the encryption keys are managed in line with industry best practices and this should be regularly reviewed and tested.


4 - Encrypt transmission of cardholder data across open, public networks

If you are a large organisation with branch offices, or if you work with several partner companies, you may have a business need to transmit cardholder data across your corporate network and some of your network may use public connections. It is therefore imperative to ensure that this data is encrypted with industry standard encryption protocols such as the IPsec protection suite. It is recommended that any corporate communication over public networks is encrypted as a default.

One area of common concern is the use of MPLS networks from service providers. Although the service provider classes these as private, they sometimes fail over to public connections, so it is advisable to either obtain written proof from the service provider that any MPLS network in use is fully private or to ensure that transport level encryption is used between the MPLS end points as an additional level of security.

5 - Use and regularly update anti-virus software

The use of anti-virus within the corporate environment is an accepted best practice. However, with the increase in cybercriminal activity, it is advisable to investigate new Web and email security solutions that can analyse the behaviour of network traffic, rather than just relying on anti-virus updates. What is important is to ensure that a central patch management capability is available to report on any viral activity on a network that stores cardholder data and to deliver all vendor supplied updates and patches to every single computer on your network. This also means having the ability to quarantine and supply anti-virus updates to any laptop or netbook that has been taken off the company premises before allowing it to reconnect to the network.

The most common entry point for a virus or Trojan is through an employees' computer and these machines are usually infected via the Web or through email. Cybercriminals often inject legitimate Websites with malicious code to increase the number of computers that they are able to infect. Therefore, the proactive and real-time scanning of these systems is very important.

6 - Develop and maintain secure systems and applications

Any system that holds cardholder data is under threat and you have to ensure that these systems have the latest vendor supplied security updates applied in a timely fashion.

A report by M86 Security, found that many cybercriminals were still exploiting well known vulnerabilities long after vendors had released updates and patches.

A process must be defined to identify newly discovered vulnerabilities that could impact the CDE. This has to be an ongoing process to ensure that any system component in use is tracked and patches for any vulnerabilities are identified and applied as soon as they are released. Any internally created applications, including Web applications, need to be based on secure coding guidelines and the code has to reviewed for coding vulnerabilities before the application is assessed as part of an application security audit.

7 - Restrict access to cardholder data on a business need-to-know basis

We have already mentioned that cardholder data is at risk from hackers and cybercriminals, it must also be protected from dishonest employees. Therefore, the PCI DSS stipulates that access to devices within the CDE must be limited on a business need to know basis. In other words, access to the cardholder data must only be granted to people who require it in order to do their jobs. So, if staff in your call centre require access, the PAN number must be masked. When members of staff leave the company, their access to your premises, networks and computers must be immediately revoked.

Access to databases must be restricted and logged, to prevent unauthorised employees from viewing, changing, storing, copying or sending cardholder data. Using enterprise server software linked to role based access controls, such as Active Directory, access can be restricted and audited to prove compliance with this core requirement of PCI DSS. For highly sensitive environments, two factor authentication, coupled with physical security such as CCTV, biometrics and door entry system logs can be used to prove that access has been tightly restricted and audited.

8 - Assign a unique ID to each person with computer access

It is common for organisations to have shared accounts for front of office staff such as reception workers. However, any employee who has access to cardholder data must have their own unique user ID on the network. By assigning every authorised employee with their own authentication and access control measures (whether this is a one time password, a physical token, a keypad, or a biometric device) all database access undertaken by that individual can be tracked and logged, to prove compliance and minimise the "insider threat".

Assigning a unique ID reinforces the message that every employee is responsible for safeguarding customer data and makes every user accountable for their own actions. It also prevents rogue employees from using their colleagues' log in details to access restricted information and pass it off as someone else's activity.

This aspect of the PCI DSS standard requires companies to implement staff security training. Every employee should understand and accept their responsibility for protecting customers' payment card data before they are provided with access. Companies should have strong password polices that prevent people using easily guessed passwords; that prevent staff from writing passwords down and that prohibit passwords being shared between employees. Companies should also ensure that passwords are changed every month to prevent former employees from gaining access to applications and databases that could compromise cardholder data.

9 - Restrict physical access to cardholder data

All of the best infrastructure controls are useless if somebody can physically access the CDE and remove a server.

You have to ensure that the CDE is hosted in a secure environment that is protected using physical access controls, such as perimeter fencing; door entry systems and CCTV monitoring. This physical access control must be applied to employees and visitors to the CDE and can be logged as part of the PCI DSS audit trail.

Strict control of any removable storage media that may hold cardholder data also falls within this core requirement.

This can include backup media (such as tapes and drives) that are transported offsite for safe storage. Best practice dictates that cardholder data is encrypted before being transferred to removable storage media.

10 - Track and monitor all access to network resources and cardholder data

All users of the CDE will have a unique ID as outlined in requirement 8. Therefore, it is important that any authorised access to resources within the CDE is logged to a centralised logging server. By combining physical access control records, showing who has swiped into the building, with computer audits of who has accessed the customer database, companies can quickly pin point who was working in a particular area at the time of a security breach.

Using application control software that can set rules preventing access to the CDE at certain times can also prevent surreptitious access going unnoticed during quiet periods, overnight, or at weekends. Attempts to work around the control will create an event on the application log that can be used to spot and block fraudulent activity.

As a rule of thumb, if you are in doubt you are better to log activity, as if you ever suffer a breach, the availability of user generated logs are helpful for any forensics exercise.

11 - Regularly test security systems and processes

Cybercrime is now a highly organised and lucrative business. As a consequence, security researchers are identifying new vulnerabilities and Internet-borne threats on a continuous basis. New exploits may be able to circumvent your antivirus or firewall for example. It is therefore very important to assess the security of the network at frequent intervals.

Under PCI DSS, this security assessment takes the form of quarterly internal and external vulnerability scans and full penetration tests of the CDE, undertaken at least once a year. You must also check for any vulnerabilities after changes to the CDE, such as server upgrades or firewall rule changes.

External scans have to be performed by a PCI Approved Scanning Vendor (ASV). Internal scans can be run by qualified and experienced internal staff. However, in practice it is usual for companies to use an ASV or Qualified Security Assessor (QSA) company to perform this internal testing, owing to the scarcity of in-house employees who are qualified and experienced in vulnerability identification and penetration testing.

Companies are ranked according to the number of payment card transactions that they process each year, with tier 1 merchants processing more than 6 million annual payments and tier 4 merchants processing fewer than 20,000 card payments a year.

Tier 1 merchants must have their PCI DSS compliance assessed by a Qualified Security Assessor (QSA). Merchants that fail to comply with PCI DSS best practice, or suffer a security breach that exposes customers' payment card details, can be fined by the PCI Security Standards Council, be moved up to a higher tier requiring an annual QSA audit, or have their ability to process payment cards revoked until compliance has been proved.

12 - Maintain a policy that addresses information security

Although this is listed as the twelfth core requirement, it is in fact one of the most important requirements and cannot be overlooked. It is crucial to establish, publish, maintain and disseminate a security policy that addresses all of the PCI DSS requirements. This policy must include an ongoing process for identifying vulnerabilities and formally assessing risks and include a review of the CDE security at least once a year and whenever the IT environment changes.

This policy has to be available and understood by all employees and it is ideally provided through regular security awareness training sessions. Technology alone cannot keep payment card data safe, your employees have a vital role to play in protecting your customers' data and your company reputation. By following these 12 core requirements and working with a PCI Approved ASV or QSA to regularly test your physical and IT security defences you can minimise the risk to your customers' payment card information.

About the author:

Andrew Mason, co-founder and Technical Director at RandomStorm, www.randomstorm.com , a provider of vulnerability scanning services to retailers, football clubs and hoteliers, provides his advice on how companies can secure customers' payment card details in the wake of the recent attacks on Sony PlayStation Network, Nintendo, Sega and Citibank. Andrew is a Qualified Security Assessor for PCI DSS; a Cisco CCIE, CISSP and CESG CHECK Team Leader and has authored several books on Cisco Network and Internet Security. RandomStorm is a Payment Card Industry (PCI) Approved Scanning Vendor and Qualified Security Assessor as well as a CHECK approved company.