PCI DSS in Europe: An Overview

Jonathan Care jonc@lacunae.org COSAC 2010

The Payment Card Industry Data Secur ty Standard !PCI DSS" s a#out to enter terat on 2.0 and s ncreas ngly #e ng seen as a #asel ne $or n$ormat on secur ty controls n #us ness sectors that h therto ha%e seen l ttle regulatory dr %er $or control o$ n$ormat on assets and threats. It s adm n stered #y the Payment Card Industry Secur ty Standards Counc l !PCI SSC" . The PCI DSS addresses o&erat onal r s' ssues $aced #y &rocessors o$ &ayment card data and s shortly to enter a ne( terat on) PCI DSS 2.0.

Who's who in the PCI world Payment Card
S m&ly &ut) th s s the card ssued to the consumer. A &ayment card under the sco&e o$ PCI DSS can #e a de# t or cred t card) and ( ll #e #randed #y the card schemes that o%ersee the PCI SSC. Payment cards are ssued #y #an's that are not go%erned #y the PCI SSC) such as *aser Cards n Ireland) se%eral n +astern +uro&e) (h ch are not go%erned #y the PCI DSS. ,Store- cred t cards ( thout a &ayment card ndustry #rand are not n sco&e o$ the PCI DSS.

Payment Card industry
The Payment Card ndustry s de$ ned as the card schemes that go%ern the PCI SSC. These are. •/ISA Inc. and ts reg onal assoc ates. In &art cular /ISA +uro&e 0 &art o(ned #y / sa Inc. and a consort um o$ mem#er #an's. •1astercard •Amer can +2&ress •D sco%er •JC3 These #rands com# ne strategy on &ayment card secur ty although there ha%e #een occas onal d $$erences n r s' acce&tance le%els.

Acquiring Bank
The Ac4u r ng 3an' s the one that s res&ons #le $or clear ng the &ayment made #y a consumer nto the merchant organ sat on5s #an' account. Ac4u rers are cons dered to #e ult mately l a#le $or the &ayment secur ty and com&l ance o$ the merchants under the r care. 6 nes $or non7com&l ance and #reach are le% ed #y the Payment Card Industry mem#er #rands to the ac4u r ng #an') (ho then may n turn ssue $ nes to the r merchant organ sat ons.
1 See htt&.88(((.&c secur tystandards.org

PCI DSS n +uro&e

COSAC 2010


Issuing Bank
An Issu ng 3an' s one that creates and ssues a consumer ( th a &ayment card ndustry #randed &ayment card. Ty& cally these are ssued to customers ( th an e2 st ng #an' ng relat onsh & ( th the Issuer ho(e%er there are #an' ng organ sat ons that $ocus e2clus %ely on the ssu ng o$ &ayment cards) o$$er ng no other $ac l t es. It s &erha&s (orth not ng that Amer can +2&ress act as an ssuer d rectly) (h ch / sa and 1astercard do not.

The merchant s de$ ned as the rece % ng &arty n a &ayment card transact on. 1erchants can ty& cally #e trad t onal reta lers rece % ng &ayments n &erson) #y ma l order8tele&hone order !1OTO") or % a an e7commerce channel. In add t on) merchants can nclude go%ernment organ sat ons such as the Dr %er and /eh cle * cens ng Agency !D/*A") char ta#le organ sat ons such as Cancer 9esearch) and ndeed any organ sat on that ta'es &ayment cards n settlement s cons dered a merchant under the terms o$ PCI DSS. 6or the &ur&oses o$ PCI DSS) merchants are categor sed nto r s' le%els) &r mar ly de&endent on num#er o$ card transact ons &rocessed regardless of value) although the sector !e.g. gam ng) money ser% ces" and ndeed) the o& n on o$ the &ayment card ndustry ( ll &lay a $actor. 1erchants (ho ha%e su$$ered a #reach are normally categor sed at the h ghest le%el o$ r s'. It s the res&ons # l ty o$ the ac4u r ng #an' to determ ne the merchant le%el) although :SAs are commonly as'ed to %er $y t. ;h le the %ar ous &ayment #rands occas onally d $$er o%er the num#er o$ transact ons re4u red to ma'e t nto a &art cular r s' category) the re&ort ng re4u rements are &retty constant. I$ you are categor sed as a *e%el 1 merchant !ty& cally o%er < m ll ons transact ons a year" then an ons te assessment $rom a :SA s re4u red) together ( th 4uarterly scans $rom an AS/. *e%el 2 and = merchants must com&lete an annual sel$7assessment 4uest onna re) and &ro% de 4uarterly AS/ scans. *e%el > merchants) the lo(est r s' category !as de$ ned #y num#er o$ transact ons" must com&lete the r SA: and

Service Provider
A ser% ce &ro% der s an organ sat on that stores) &rocesses or transm ts cardholder data on #ehal$ o$ another organ sat on !e ther a merchant or another ser% ce &ro% der". Ser% ce &ro% ders e ther (or' as an ntermed ary #et(een the merchant and the ac4u r ng #an') or else ( ll &ro% de a ser% ce to the merchant that s not % s #le to the ac4u r ng #an'.

Participating Organisations
Part c &at ng Organ sat ons are ones (h ch &ay a $ee to the PCI SSC n order to &ro% de n&ut and sha&e to the e%ol% ng PCI Standards. Ty& cal &art c &at ng organ sat ons nclude so$t(are %endors) large merchants) and some #an's.

Qualified Security Assessors
:ual $ ed Secur ty Assessor com&an es !:SACs" are nstructed to &ro% de gu dance and assessment o$ com&l ance ( th the PCI DSS. In add t on) some :SACs are accred ted to assess &ayment so$t(are a&&l cat ons under the Payment A&&l cat on Data Secur ty Standard !PA7DSS".

Approved Scanning endors
A&&ro%ed Scann ng /endors are accred ted to &er$orm %ulnera# l ty scans o$ merchant and ser% ce &ro% der n$rastructure n order to meet com&l ance ( th PCI DSS. It s ncreas ngly common to $ nd :SACs o$$er ng th s as a ser% ce) (h ch h therto had #een &ro% ded #y s&ec al st &enetrat on PCI DSS n +uro&e COSAC 2010 2

test ng ser% ce &ro% ders.

What's the standard all about?
The PCI DSS s made u& o$ t(el%e re4u rements) each ( th su#7re4u rements totall ng o%er 200 control &o nts n all. These re4u rements are sect oned as $ollo(s.

Build and Maintain a Secure !et"ork Requirement 1: Install and maintain a firewall configuration to rotect cardholder data
On the $ace o$ t) th s re4u rement (ould seem s m&le. Install a state$ul $ re(all) and com&l ance (ould seem assured. In $act) se%eral controls are ment oned n re4u rement 1 that can e2&ose &rocedural $la(s n the organ sat on) such as. •9egular re% e(s o$ all $ re(all and router con$ gurat ons and rulesets. •Documented #us ness just $ cat on $or all o&en rulesets •?&7to7date net(or' d agrams sho( ng the $lo( o$ cardholder data throughout the net(or' •+nsur ng a (ell7de$ ned D1@) and remo% ng cardholder $rom D1@ re&os tor es. •+nsur ng change control s n &lace $or all $ re(all and router con$ gurat on changes..

Requirement !: "o not use vendor#su lied defaults for s$stem asswords and other securit$ arameters
It s a (ell 'no(n $act that any attac'er !(hether so$t(are or human" ( ll try to attac' us ng &ass(ords nstalled #y the %endor as a de$ault !$or e2am&le) the ,sa- account $or 1S S:*". In an attem&t to &rom&t a mo%e a(ay $rom these %ulnera# l t es) l sts are &u#l shed on the nternet #y secur ty researchers . It s a so#er ng thought that com&rom ses can #e so eas ly accom&l shed s m&ly us ng an automated tool (h ch attem&ts to ga n access to a cr t cal system us ng manu$acturer5s de$aults. PCI DSS &o nts th s out #y em&has s ng that de$ault account) &ass(ord and any other secur ty controls $or any de% ce carry ng cardholder data must #e changed.

Protect Cardholder #ata Requirement %: Protect stored cardholder data
In many (ays) re4u rement = can #e seen as the heart o$ the PCI DSS) n that t s concerned ( th the &rotect on o$ stored cardholder data. One e2cellent (ay o$ reduc ng the sco&e o$ PCI DSS on the organ sat on s to ta'e a long hard loo' at the cardholder data stored 0 as' the honest 4uest on ,Do you need th s n$ormat on) and ho( (ould you do your jo# $ t (ent a(ay-. One o$ the hallmar's o$ an e$$ect %e :SA s that they ( ll (or' ( th the organ sat on to reduce the amount o$ cardholder data stored #e$ore engag ng n costly and com&le2 &re%entat %e measures. 6re4uently seen #reaches are caused #y re&os tor es o$ cardholder that are not ro#ustly &rotected It s (orth cons der ng at th s &o nt (hat const tutes cardholder data under the terms o$ the PCI DSS. T(o classes o$ cardholder data e2 st) Protected Storage Data and Sensitive Authentication Data !SAD". ;e ( ll cons der &rotected storage data $ rst.
2 See htt&.88c rt.net8&ass(ords as an e2am&le.

PCI DSS n +uro&e

COSAC 2010


6 rstly) there s the &r mary account num#er !PAA". Th s s the long num#er $ound on any &ayment card. The $ rst s 2 d g ts are the 3an' Ident $ cat on Aum#er !3IA") and together ( th the other d g ts $orm a un 4ue dent $ er that can #e %al dated us ng the Luhn Formula . *uhn s not ntended to #e cry&togra&h cally secure) has #een &laced n the &u#l c doma n and s ntended to &rotect aga nst acc dental errors n trans&os t on) not mal c ous attac's.

;hen stored ( th the PAA) the $ollo( ng are also cons dered cardholder data. •Cardholder Aame •+2& rat on Date •Ser% ce Code !6ound on the magnet c str &) and nd cates the acce&tance re4u rements and l m tat ons $or the card" Sens t %e Authent cat on Data cons sts o$ secur ty7related n$ormat on on the card) and ncludes. •Card /er $ cat on Codes8/alues •1agnet c Card trac' data •PIAS •PIA 3loc's SAD must not #e stored $or any reason (hatsoe%er once an author sat on code has #een rece %ed $or the transact on. Ty& cally) unless &ayment term nals or POS systems are n a de#ug mode) these deta ls ( ll not #e stored. Bo(e%er) s nce the C/C8C// s used dur ng a customer not &resent transact on to %er $y that the card s n &ossess on o$ the customer) t s ty& cally g %en o%er the &hone to a customer ser% ce re&resentat %e) or entered nto a (e#s te at &o nt o$ &ayment. Th s $rag le = d g t authent cat on to'en s ty& cally one o$ the 'ey &a n &o nts 0 es&ec ally (hen one cons ders that many call centres ( ll record the r calls) (h ch d rectly % olates the re4u rement not to store SAD. There are many (ays to ensure the secur ty o$ &rotected storage data) nclud ng. •Encryption 0 ensur ng that the cardholder s stored ns de a data re&os tory us ng strong encry&t on methods such as A+S or =D+S) and that the 'eys are &rotected us ng good &ract ce 'ey management &rocesses. It seems a&&arent ho(e%er that th s a&&roach mo%es the ssue o$ stor ng one sens t %e data set (h ch the end user organ sat on struggles ( th to... stor ng another sens t %e data set !(h ch the end user organ sat on then struggles ( thC"

= htt&.88en.( ' &ed a.org8( ' 8*uhnDalgor thm > ISO11E<F mandates a set o$ &r nc &les $or 'ey management (h ch P n +ntry De% ce !P+D" %endors must com&ly ( th. These are. a" Geys H(hose d sclosure ( ll e$$ect mult &le &art esI shall only e2 st ( th n a Tam&er 9es stant Secur ty 1odule) or as $ull length com&onents. #" Pla nte2t 'eys shall #e ma nta ned under dual control 8 s&l t 'no(ledge. c" Secret8&r %ate 'eys must #e &rotected aga nst d sclosure. d" Secret8&r %ate 'eys shall #e random. e" Geys shall only #e used $or the r ntended &ur&ose. $" Systems shall detect the unauthor Jed use 8 mod $ cat on o$ 'eys. g) h) " Geys shall #e changed #e$ore the r use s com&rom sed. j" *og cal se&arat on ( ll #e ma nta ned #et(een 'eys o$ d $$erent use. '" A &re% ously com&rom sed 'ey shall not ena#le the determ nat on o$ ts re&lacement. l" Geys shall not #e loaded nto com&rom sed de% ces. Ao(. Th s all a&&ears $a rly stra ght $or(ard) #ut there are some s m&le errors that seem to occur all the t me. +2am&le o$ these errors are. • Geys hard coded nto a&&l cat ons !% olates a) #) c) l) and &ro#a#ly $ de&end ng $ the a&&l cat on s authent cated or not" • Geys se&arated nto hal%es) not com&onents !eg 12F # t 'ey se&arated nto t(o <> # t hal%es 7 % olates a) and #" • Gey u&dates &er$ormed under the old 'ey !% olates e 7 us ng the 'ey $or t(o &ur&oses 7 and '"

PCI DSS n +uro&e

COSAC 2010


•Hashing 0 us ng a strong cry&togra&h c algor thm to ensure a one7(ay translat on #et(een the cardholder data and an dent $ er. •Truncation 0 remo% ng d g ts $rom the cardholder data PAA. ?& to the $ rst s 2 and last $our d g ts may #e reta ned) lead ng to the term ,<K>-. Th s o&t on s s m&le $or most merchants and greatly reduces the sco&e o$ PCI DSS) as ,><EL>=KKKKKK>=12- s n actual ty no longer cardholder dataC Th s method can meet res stance $rom nternal $raud and $ nance o$$ cers (ho are used to ha% ng the ent re card num#er. At t me o$ (r t ng) no &recedent has #een esta#l shed n +uro&e (hether the <K> dent $ er together ( th a transact on ID does un 4uely dent $y a transact on.

•Index tokens and pads 0 many %endors are no( o$$er ng a to'en sat on ser% ce (here the %endor underta'es to manage the storage o$ cardholder data) and &ro% des the merchant ( th a to'en nde2 to man &ulate. Arch tecturally) th s s a non7tr % al ser% ce) as t must g %e e2tremely $ast res&onse t mes) great rel a# l ty) and must ntegrate ( th the e2 st ng enter&r se arch tecture. • asking 0 su#tly d $$erent to Truncat on) n that the change s to the d s&layed data. Th s s actually co%ered n re4u rement =.=) the ntent o$ (h ch s to a%ert the r s' o$ cardholder data #e ng d sclosed to those ( thout a need7to7'no(. Bo(e%er) e$$ect %e use o$ mas' ng does not remo%e the re4u rement $or sa$e cardholder storage. 9e4u rement = s usually a source o$ great concern $or merchants. The PCI SSC ha%e ta'en the &ro#lem o$ data class $ cat on out o$ the hands o$ secur ty arch tects n end7user organ sat ons) and ha%e not only class $ ed the n$ormat on they cons der cr t cal) #ut also la d do(n re4u rements $or the usage o$ that n$ormat on

Requirement &: 'ncr$ t transmission of cardholder data across o en( ublic networ)s
The other s de o$ the store7and7$or(ard co n) s o$ course the transm ss on o$ cardholder data) (h ch s co%ered n re4u rement >. In essence) (hene%er cardholder data s sent o%er a net(or' not n control o$ the merchant !or ser% ce &ro% der" t must #e &rotected us ng strong encry&t on. S nce the merchant5s nternal reta l net(or' can normally #e cons dered &r %ate #y de$ n t on) then the re4u rement e2tends only to net(or's such as the nternet. 9e4u rement > does conta n mandates regard ng ( reless. It &roh # ts (ea' encry&t on es&ec ally (hen de&loyed n ( reless net(or's.

Maintain a ulnera$ility Management Program Requirement *: +se and regularl$ u date anti#virus software
One (ould not e2&ect th s to #e a challenge as commerc ally a%a la#le solut ons normally co%er th s n ent rety) and the %ar ous control su#7re4u rements can eas ly #e act %ated n most enter&r se ant 7 % rus &ac'ages. Bo(e%er) r ght at the end s a re4u rement to ensure that central sed logg ng s n &lace as &er the s&ec $ cat ons o$ 9e4u rement 10. Th s can u&7t lt the other ( se clean # ll o$ health that many organ sat ons e2&ect to ach e%e n th s area.

• Geys $ormed $rom &ass&hrases or us ng a non7secure P9AM !% olates d" • Geys used d rectly #y PC a&&l cat ons !% olates a" (Grateful thanks to the PCI Communit at !cians"ers.com for this in!ut# E Aot my cred t card num#er.

PCI DSS n +uro&e

COSAC 2010


Requirement ,: "evelo and maintain secure s$stems and a


?&on encounter ng re4u rement <) many organ sat ons #reathe a s gh o$ rel e$) &o nt ng out that they do no so$t(are de%elo&ment (hatsoe%er. Care$ul 4uest on ng ho(e%er can re%eal some m&ortant &o nts (h ch ma'e PCI DSS re4u rement < someth ng that all merchants and ser% ce &ro% ders must cons der. !"I# you hire a third party to do your we$ deve%op&ent #or you' then this deve%op&ent is under the scope o# PCI" DSS re4u rement <. The e2ce&t on to th s s $ you &urchase a commerc ally a%a la#le ,o$$ the shel$- &ac'age !or so$t(are modules that are COTS" (h ch $ t s used $or &ayment card &rocess ng) storage) or transm ss on can #e %al dated #y the %endor under the PA7 DSS. In +uro&e) ne( &ayment a&&l cat on de&loyments must no( #e %al dated as PA7DSS com&l ant #y the %endor) and merchants and ser% ce &ro% ders should see th s as a &os t %e mo%e as they ( ll ha%e a degree o$ assurance that the a&&l cat on ( ll hel& and not harm the r PCI DSS com&l ance e$$orts. ("I# your we$ site stores' processes or trans&its cardho%der data' then it is in scope" 1any organ sat ons see' to remo%e the r (e#s te $rom sco&e #y us ng a &ayment ser% ce &ro% der to &rocess &ayments) as recommended #y most #an's and :SAs. Bo(e%er) $ the data$lo( o$ the card tra%erses the (e#s te then th s st ll #r ngs the (e#s te tsel$ nto sco&e) re4u r ng &ro&er so$t(are de%elo&ment l $ecycles . Its also m&ortant to note that as many attac's are a med at the a&&l cat on layer) PCI DSS recommends #est &ract ces such as O;ASP) the O&en ;e# A&&l cat on Secur ty Project) and s&ec $ cally ment ons $re4uently seen attac' %ectors such as S:* Inject on) Cross S te Scr &t ng) un%al dated n&ut) Insecure con$ gurat on management) #u$$er o%er$lo(s) m&ro&er error handl ng) and nsecure storage.

)"Patch critica% syste& vu%nera$i%ities within thirty days' and others within three &onths" One o$ the gu lty l ttle secrets o$ the IT ndustry s that the most cr t cal systems are the ones that rarely get &atched. Com&le2 +9P systems tend to #e %ery & c'y regard ng the underly ng &lat$orms that they o&erate on) and ts a normal IT o&erat ons mandate to ns st that cr t cal mach nes should not #e touched. Th s can #e a major ssue $or &atch managers) and $re4uently I5%e seen old o&erat ng systems runn ng ( th e2&lo ta#le #ac'doors that could lead to a total com&rom se o$ the system) (h ch o$ course can mean the loss o$ cardholder data) and tough con%ersat ons $ollo( ng that ( th the #an'. *"Proper change contro%. I$ you can5t control changes to your a&&l cat on) you aren5t n control o$ the secur ty. Th s means ensur ng that de%elo&ers do not ha%e access to l %e systems) and th s can e2&ose other de$ c enc es n the so$t(are de%elo&ment l $ecycle. +"Proper testing" As $ar as PCI DSS s concerned) th s means not us ng l %e cardholder data to test systems ( th. It also means not lea% ng the test accounts) code) and data on a l %e system . A &ro#lem ( th many +uro&ean #an's s that they are not al(ays set u& to &ro% de end7to7end &ayment test ng $or l %e systems) (h ch means t can #e hard $or that all7 m&ortant ,go7l %e- test to #e e$$ect %ely carr ed out ( thout us ng a real &ayment card) (h ch s &roh # ted under the PCI DSS.

,"Code reviews' Penetration testing' and -e$ App%ication .irewa%%s" The ad% ce on th s s a l ttle con$l ct ng) t seems to suggest that you can &urchase a get7out7o$7&en7test ng7$ree (e# a&&l cat on $ re(all and then you5re ready to go. Ignor ng re4u rement 11 loom ng $urther do(n th s &a&er) ho( ( ll you 'no( $ your ;A6 s u& to the jo#O The #est dea s to get &enetrat on test ng 0 $ you cons der your code may #e h gh r s') $ nd a secur ty ser% ce &ro% der that s ca&a#le o$ &ro% d ng source code re% e(s 0 and then your ;A6 ( ll $orm a &art o$ an n$ormed) threat7a(are secur ty arch tecture. A ;A6 that s &oorly con$ gured s at #est another & ece o$ ' t that re4u res
< To sa%e you money on e2&ens %e consultants) 1 croso$t ha%e released an e2em&lar secure so$t(are de%elo&ment l $ecycle) a%a la#le at htt&.88msdn.m croso$t.com8en7us8l #rary8msLLE=>L.as&2 . N Bo( to (orry your :SA. A $asc nat ng e2am&le o$ th s (as the test manager (ho called me u& to tell me that he (as una#le to #uy &etrol on the (ay home #ecause he had #een ma' ng a ser es o$ test &ayments and re$unds all day on h s &ersonal cred t cardC

PCI DSS n +uro&e

COSAC 2010


management .

/ISA Inc. has m&lemented a set o$ mandates $or &ayment a&&l cat on secur ty ( th deadl nes as $ollo(s .

Phase Compliance Mandate Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors VNPs! and a"ents must not certify new payment applications to their platforms that are known vulnerable payment applications VNPs and a"ents must only certify new payment applications to their platforms that are P'(D))(compliant Newly boarded ,evel + and - merchants must be PC. D)) compliant or use P'( D))(compliant applications/ VNPs and a"ents must decertify all vulnerable payment applications// 'c2uirers must ensure their merchants, VNPs and a"ents use only P'(D)) compliant applications

Effective Date





+ 1

1$#1#$% 1$#1#$0 $*#$1#1$

/ .n(house use only developed applications 3 stand(alone P4) hardware terminals are not applicable // VisaNet Processors VNPs! and a"ents must decertify vulnerable payment applications within 1& months of identification

O$ note s the last &o nt. PA7DSS no( has some edge to t) and $ de&loy ng a ne( &ayment a&&l cat on) t must #e PA7DSS com&l ant. +2 st ng a&&l cat ons ( ll re4u re an u&grade &lan to mo%e to a com&l ant %ers on. I ha%e seen many a&&l cat on %endors (ho see th s as an o&&ortun ty to e2tract large u&grade $ees $rom the r customers. S nce PA7DSS com&l ance s a re4u rement $or the &roduct to #e o$ merchanta#le 4ual ty) then there s the o&&ortun ty to re% e( %endor 4ual ty should th s occurC

Implement Strong Access Control Measures Requirement -: Restrict access to cardholder data b$ business need#to# )now
6a rly s m&ly) and n al gnment ( th the PCI SSC ta' ng the ste& o$ class $y ng (hat cardholder data s and (hy t s m&ortant) s the need7to7'no( restr ct on. It s a 'ey &r nc &le o$ secur ty that sens t %e assets should rema n con$ dent al) and that there should #e a (ay o$ controll ng (ho can ha%e access to them) (hether that #e read) (r te) or some com# nat on. Aga n) th s seem ngly s m&le re4u rement can land an organ sat on n hot (ater. 1ost d rectory7 #ased author sat on systems can #e set u& to control and l m t access) ho(e%er) (hen one loo's at a&&l cat on &erm ss ons) t may #e d $$ cult to ensure that the a&&l cat on des gners $ollo( the access control rulesets set out #y the arch tects. +%en more m&ortant) so$t(are #ugs can allo( a determ ned attac'er to ele%ate &r % lege and #rea' the des gned access control l m tat ons.

The cho ces seem to #e to &rogress do(n the road o$ $ull7$ledged dent ty and access management solut ons) or entrust each a&&l cat on ( th the res&ons # l ty o$ author s ng users. The com&le2 ty o$ IA1 a&&ears to scale geometr cally de&endent on the num#er o$ a&&l cat ons and users rely ng u&on t) and the rel a# l ty re4u rements are h gh.
F 1ore (ays to (orry your :SA. Tell them that no one really 'no(s ho( to con$ gure a ;A6 as the one guy that d d (as do(ns Jed months agoC L See htt&.88% sa.com8&a#& $or more deta ls and related n$ormat on 10 A (h le #ac' I &er$ormed a &enetrat on test o$ an o l e2&lorat on data#ase ( th a (ell des gned h erarch cal author sat on system #ased on #us ness rules and role ( th n the com&any. Bo(e%er a l ttle tra$$ c sn $$ ng $ollo(ed #y 'noc' ng on the door o$ the data#ase and us ng some manu$acturer5s de$ault credent als led me around the author sat on system) and nto the dataC Although th s s not PCI DSS) ts an e2am&le o$ ho( the s m&le controls n th s standard can really u&l $t an organ sat on5s secur ty matur ty.

PCI DSS n +uro&e

COSAC 2010


Requirement .: /ssign a unique I" to each erson with com uter access
Along ( th the re4u rement to esta#l sh need7to7'no() so$t(are 4ual ty) and e$$ect %e mon tor ng and logg ng ! n re4u rement 10) yet to come" (e ha%e to #e a#le to esta#l sh "ho &er$ormed an act on. Th s means esta#l sh ng e%eryone ( th the r o(n ID) and #e ng to trac' #ac' act % t es to the or g nal user) nclud ng ,adm n-) ,root-) or D3A &r % leged act ons. PCI DSS goes nto some deta l a#out ho( to ma'e a &ass(ord secure) nclud ng e2& ry) &ass(ord h story) and com&le2 ty. 1ost organ sat ons are &retty a(are o$ th s and can meet or e2ceed these re4u rements !although #ear n m nd that your a&&l cat ons &er$orm ng the r o(n authent cat on must su&&ort th s as (ell". ;here the com&le2 ty can l e s the ,un 4ue- re4u rement. I (or' ( th many cl ents (ho $or the #est o$ reasons ha%e set u& gener c or shared accounts 0 hotel $ront des's) $ nance o&erat ons) reta l sta$$. PCI DSS e2&l c tly $or# ds these ty&es o$ accounts $or user access.

Requirement 0: Restrict h$sical access to cardholder data
1ost reta lers are all to $am l ar ( th the r s's o$ &hys cal secur ty 0 the case o$ (h s'y that d sa&&ears out o$ the #ac' door) e2&ens %e small tems such as raJor heads that esca&e n the &oc'ets o$ d shonest sta$$ and customers) and o$ course the r s's that come ( th handl ng any amount o$ cash. The change aga n comes ( th the $act that cardholder data has a %alue to the attac'er) and so must #e &rotected. I5%e seen #reaches ha&&en to com&an es o$ %ar ous s Jes #ecause a &r ntout conta n ng cardholder data s le$t around) and then s( &ed #y an unscru&ulous &erson) (h ch n the &ast has ncluded secur ty guards) cleaners as (ell as d sa$$ected sta$$. *et5s also &ay attent on to merchant t ll rece &ts. As most o$ us 'no() (hen (e get our rece &t $rom the chec'out the card num#er on the co&y (e get s truncated 0 ty& cally the last > d g ts only are d s&layed. Bo(e%er) most merchant rece &ts conta n the $ull PAA on d s&lay. M %en that Martner ha%e est mated the cost o$ #reach reco%ery at a&&ro2 mately P=00 &er tem o$ cardholder lost !as o&&osed to P1L to &rotect t" then each o$ those merchant rece &ts can #e thought o$ as a &otent al che4ue made &aya#le to the attac'er 0 and dra(n on the account o$ the careless organ sat onC One o$ the odd e$$ects o$ :SAs can come nto &lay es&ec ally n th s sect on. :SAs tend to ha%e the r &re$erences $or &art cularly controls #ased on the r career e2&er ence) and I recall meet ng a ne( cl ent (ho (ere $rant cally s&end ng thousands on h gh7s&ec $ cat on shredders that turned cardholder rece &ts nto &a&er dust. Sect on L states that mater als should #e cross7cut shredded) nc nerated or &ul&ed so that they cannot #e reconstructed. It5s m&ortant that your :SA g %es you ad% ce that s ne ther under the com&l ance standard) or o%er t 0 #ut e2actly #ang on (hat s re4u red $or com&l ance. 3est &ract ces that e2ceed that re4u rement can o$ course #e suggested) ho(e%er ma'e sure you understand (hether someth ng s necessary) or a #est7&ract ce.

%egularly Monitor and &est !et"orks Requirement 11: 2rac) and monitor all access to networ) resources and cardholder data
One o$ the real t es s that PCI com&l ance does not assure n%ulnera# l ty $rom a #reach. Aor s t &er$ect secur ty. PCI DSS s ntended as a #asel ne) a med at a %ery #road aud ence 0 th n' o$ all the d $$erent reta lers that are out there) $rom corner sho&s to glo#al mega7mar'ets) and not $orgett ng all the #an's) &ayment &ro% ders) and other ser% ce &ro% ders that are also under the sco&e o$ the standard. So (hen a #reach occurs) the #an's as' the merchant to nstruct an nde&endent ,:ual $ ed 6orens c In%est gator- to understand (hat cardholder data has #een lost) (hat s at r s') ho( t ha&&ened) and PCI DSS n +uro&e COSAC 2010 F

o$ course the PCI com&l ance status o$ the #reached organ sat on at the t me o$ the #reach . One o$ the 'ey tools that n%est gators need s to see clear aud t tra ls) (h ch s the &ur&ose o$ re4u rement 10 0 to s&ec $y (hat good logg ng s) and ho( to &rotect the aud t tra ls aga nst tam&er ng. It also s&ec $ es that PCI DSS com&l ant organ sat ons should ha%e a da ly &ract ce o$ re% e( ng the logs !(h ch can #e done #y ha% ng an automated &rocess &roduce an e2ce&t on re&ort (h ch humans loo' at". A num#er o$ com&an es sell COTS logg ng systems) #ut the des gn o$ a really good central sed secur ty nc dent e%ent management !SI+1" system s one that I al(ays enjoy as t n%ol%e ntegrat on) &rocess analys s) nc dent res&onse) and thorough net(or' secur ty re% e(s n order to ma'e t $ly.

Arch tecturally) SI+1 should allo( you to ach e%e the $ollo( ng. • • • • • • • • • • • • Ident $y (h ch log sources and automated tools you can use dur ng the analys s. Co&y log records to a s ngle locat on (here you ( ll #e a#le to re% e( them. 1 n m Je ,no se- #y remo% ng rout ne) re&et t %e log entr es $rom % e( a$ter con$ rm ng that they are #en gn. Determ ne (hether you can rely on logs5 t me stam&sQ cons der t me Jone d $$erences. 6ocus on recent changes) $a lures) errors) status changes) access and adm n strat on e%ents) and other e%ents unusual $or your en% ronment. Mo #ac'(ards n t me $rom no( to reconstruct act ons a$ter and #e$ore the nc dent. Correlate act % t es across d $$erent logs to get a com&rehens %e & cture. De%elo& theor es a#out (hat occurredQ e2&lore logs to con$ rm or d s&ro%e them. Ser%er and (or'stat on o&erat ng system logs A&&l cat on logs !e.g.) (e# ser%er) data#ase ser%er" Secur ty tool logs !e.g.) ant 7% rus) change detect on) ntrus on detect on8&re%ent on system" Out#ound &ro2y logs and end7user a&&l cat on logs

;hen select ng your SI+1 ma'e sure that t can & c' u& the $ollo( ng.

Also) remem#er to cons der other) non7log sources $or secur ty e%ents. SI+1 s #ased on the a# l ty to correlate e%ents $rom mult &le sources and #u ld a t mel ne o$ act % ty $or use n an nc dent res&onse n%est gat on. 9esearch organ sat ons such as Martner class $y SI+1 technolog es and &ro% de the usual ,1ag c :uadrant- o$ (ho5s (ho. O&en Source solut ons e2 st) nclud ng OSS+C and OSSI1.

Requirement 11: Regularl$ test securit$ s$stems and rocesses
3ecause threat landsca&es change o%er t me) the PCI DSS re4u res that regular secur ty test ng o$ n$rastructure and a&&l cat ons s carr ed out #y su ta#ly 4ual $ ed &ro$ess onals. Th s ncludes. !"Interna% and externa% vu%nera$i%ity scans o# the network" Scann ng s a sem 7automated act % ty that s des gned to act as an early7(arn ng to the secur ty adm n strator. A good scan ( ll detect m ss ng &atches) %endor de$ault &ass(ords) and (ea' con$ gurat on sett ngs that could #e e2&lo ted #y an attac'er. +2ternal scans must #e &er$ormed #y a PCI SSC accred ted a&&ro%ed scann ng %endor as descr #ed &re% ously. Internal scans can #e carr ed out #y an nternal em&loyee (ho s ,su ta#ly 4ual $ ed- 0 n other (ords) someone (ho can con$ gure and run the scans
11 The PCI SSC state that no #reached organ sat on has #een com&l ant at the t me o$ #reach. 6rom my e2&er ence as a :6I th s s true) ho(e%er there5s al(ays a catch. Organ sat ons (ho ha%en5t m&lemented PCI DSS as #us ness7as7 usual tend to $ nd that they dr $t o$$ s gnal once com&l ant) #ut I5%e &ersonally n%est gated #reaches (here the :SA has le$t s te ( th n days 0 ho( s that &oss #leO

PCI DSS n +uro&e

COSAC 2010


a&&ro&r ately) and can then analyse the results and recommend changes. ("Per#or& app%ication and network %ayer penetration tests at %east year%y' and a#ter a signi#icant change in the cardho%der data environ&ent" In the (ords o$ the ad%ert. Just Do It. Mood 4ual ty &enetrat on tests are a 'eystone o$ e$$ect %ely measur ng (here your secur ty threats l e) and ho( your secur ty arch tecture res&onds and m t gates those threats. Penetrat on test ng com&lements %ulnera# l ty scann ng and does not re&lace t) and % ce %ersa. )".i%e integrity &onitoring on critica% syste& co&ponents" The &ur&ose o$ th s re4u rement s to ensure that $ someone changes an m&ortant $ le thatRs not su&&osed to change) thatRs a # g red $lag as $ar as secur ty s concerned. 6or e2am&le) ;IA*OMOA.+S+ should ne%er change a&art $rom a&&ro%ed &atch u&dates $rom the manu$acturer. I$ t does change) thatRs &ro#a#ly a s gn that an attac'er has mod $ ed t) and n th s &art cular case s loo' ng $or usernames and &ass(ords to ca&tureC *"/uarter%y wire%ess scanning at every %ocation to identi#y a%% wire%ess devices" ItRs $a r to say that th s re4u rement s the one that causes the most consternat on and con$us on among &eo&le I s&ea' to. ?sually the source o$ $rustrat on s #ased on d $$ culty n understand ng ho( haJardous a rogue ( reless access &o nt can #e) and ho( easy t can #e $or a d sgruntled ns der to set one u&. ; reless net(or' ng re4u res care and % g lance to manage &ro&erly) and should ne%er #e connected to the core cardholder data en% ronment. Se%eral nota#le #reaches ha%e occurred (here attac'ers ha%e &enetrated a ( reless *AA set u& n a store) and ha%e $rom the sa$ety o$ a near#y locat on) ha%e gone o%er the ent re net(or'. O$tent mes) these ( reless net(or's are set u& #y (ell mean ng store managers to $ 2 a short term &ro#lem) $or e2am&le) need ng a concess on stand out n the mall centre) or to sa%e runn ng ca#l ng through a (all. ItRs m&ortant to real se that one can use ( reless *AAs to connect &ayment term nals) se%eral %endors o$$er th s as a solut on to merchants) es&ec ally those n the hos& tal ty ndustry. The (ay to ma'e th s (or' s to treat the ( reless segment as an untrusted net(or') and there$ore to o%erlay encry&t on #et(een the &ayment &o nt and the central ser%er. Payment ser% ce &ro% der solut ons o$$er th s no( !mostly" and ( ll underta'e the tas' o$ 'ey management) remo% ng th s #urden $rom the merchant. Test ng can co%er re4u rements n sect on < !s&ec $ cally sect on <.<" as (ell as sect on 11. The &enetrat on test &rocess s (ell understood n most IT del %ery organ sat ons) ( th most organ sat ons see' ng to de%elo& a com# nat on o$ n7house s' lls augmented #y e2ternal s&ec al st &ro% ders.

Maintain an Information Security Policy Requirement 1!: 3aintain a olic$ that addresses information securit$
Although th s sect on s ent tled ,Pol cy-) (hat t actually re4u res s e$$ect %e go%ernance and ro#ust &rocess control around the non7techn cal as&ects o$ &ayment card secur ty. Poss #ly the # ggest tem n th s s the re4u rement to ensure that any ser% ce &ro% der that stores) &rocess or transm ts cardholder data on your #ehal$ needs to ac'no(ledge the r res&ons # l ty $or &rotect ng the cardholder data you entrust to them. O$ course) your ser% ce &ro% der ( ll most l 'ely ha%e encountered th s re4u rement #e$ore ( th other customers) ho(e%er e2&ect a dra(n7out argument o%er l a# l ty and ndemn ty. Tou should also e2&ect your ser% ce &ro% ders to #e a#le to comm t to PCI com&l ance) and to 'ee& you n$ormed o$ the r com&l ant status. Other than that) re4u rement 12 states that you should 'no( (hat s go ng on n your net(or'. It mandates an nc dent res&onse &lan that s regularly u&dated !es&ec ally a$ter an nc dent" and that you should ensure your em&loyees are &ro&erly tra ned and that some %ett ng s &er$ormed. The 3r t sh Standards Inst tute &roduce 3SNFEF) (h ch s a ,gold standard- $or commerc al %ett ng. I$ you don5t (ant the e2&ense o$ a $ull 3SNFEF #ac'ground chec') then ensure that your B9 de&artment &er$orm the $ollo( ng. •C93 3as c D sclosureQ PCI DSS n +uro&e COSAC 2010 10

•/er $y ng &re% ous 2 em&loyment re$erencesQ •Cred t SearchQ •County Court Judgement SearchQ •Insol%ency SearchQ •3an'ru&tcy Search (h ch should sat s$y the re4u rements o$ PCI DSS.

3isconce tions around PCI "44
!" PCI DSS doesn0t app%y to us1 It does. I$ you store) &rocess or transm t &ayment cards) t a&&l es to your #us ness. (" PCI DSS is con#using and non speci#ic1 PCI DSS s %ery s&ec $ c on (hat controls must #e &ut n &lace) (hat &rocesses must #e m&lemented) and (hat documentat on s re4u red. 6urthermore t class $ es the n$ormat on that s rele%ant to PCI DSS com&l ance) and de$ nes the a&&l ca# l ty. )" PCI DSS is too hard1 PCI DSS s com&le2) and a lot o$ organ sat ons $ nd that the num#er o$ changes re4u red n%ol%e res stance. Bo(e%er each ste& s relat %ely s m&le) and $or an organ sat on that has loo'ed at a mature secur ty model such as ISO 2N001 there ( ll #e %ery $e( sur&r ses. *" PCI DSS is irre%evant 2 3ust %ook at a%% those $reaches1 Ao #reached organ sat on (as com&l ant at t me o$ #reach. One o$ the th ngs that has come to # te organ sat ons (ho are e2tremely cost $ocused s that the lo(est7cost ad% ce s not necessar ly the #est. I$ your :SA tells you they can aud t your organ sat on n a $e( days) then tread care$ully. +" PCI DSS is achieva$%e with a scan' and this $right $ox #ro& &y #avourite vendor1 1ost organ sat ons are deluged #y %endors &rom s ng to ta'e PCI DSS a(ay. In real ty) $ you are a merchant you cannot remo%e yoursel$ $rom PCI DSS. Anyone (ho tells you other( se s sell ng sna'e o l. Scans are only use$ul $ you act on the results) $ 2 the &ro#lems) and then em#ed th s &ract ce nto the (ay you run your IT systems. ," PCI DSS is security1 Sadly not. PCI DSS s #asel ne com&l ance $or &re%ent on o$ reta l $raud. It doesn5t &rotect aga nst. • • • Tour secret rec &e #e ng stolen. !In one &enetrat on test) I $ound that the ser%er ( th the secret sauce rec &e (as ( de o&en) #ut the &ayment channel (as encry&ted securely". ?nscru&ulous &ersons steal ng money) stoc') and other tems. Aon7PCI DSS data lea' ng out. PCI DSS doesn5t care $ your loyalty card customer deta ls get &u#l shed. Tou m ghtC

4" PCI DSS 2 i# I get $reached' it0s the $ank0s pro$%e&1 The o&erat ng contract that merchants s gn ( th the r #an' ncludes a l a# l ty acce&tance and loss (a %er that means any losses due to a #reach n your &ayment secur ty s do(n to you. I ha%e had organ sat ons &rotest th s e%en (hen I am on s te n%est gat ng a #reachC

PCI DSS n +uro&e

COSAC 2010


Com ensating control 5u#5itsu
Ju7j tsu s 'no(n as ,the gentle art- or e%en ,the art o$ com&l ance- de&end ng on the translat on. One o$ the r s'7#ased $actors n PCI DSS s (hen t s m&oss #le to meet a &art cular com&l ance re4u rement. A com&ensat ng control must. • • • • meet the ntent and r gor o$ the or g nal PCI DSS re4u rement &ro% de a s m lar le%el o$ de$ense as the or g nal PCI DSS re4u rement #e ,a#o%e and #eyond- other PCI DSS re4u rements #e commensurate ( th the add t onal r s' m&osed #y not adher ng to the PCI DSS re4u rement

Th s means that com&ensat ng controls are not a get7out clause that allo(s an organ sat on to e%ade PCI DSS. 9ather) a com&ensat ng control s l 'ely to #e more e2&ens %e n the long term) and re4u res regular re% e(s) and s used (here there s a leg t mate #us ness or techn cal constra nt .

Com&ensat ng controls must #e a&&ro%ed $ rst #y the :SA and ult mately #y the ac4u r ng #an'. It5s rare that a com&ensat ng control ( ll y eld lo(er cost and e$$ort than actually meet ng the com&l ance re4u rement n the $ rst &lace) there$ore ts a m sta'e to see them as a alternat %e to com&l ance. One o$ the ,@eroth7*a(- &o nts around com&ensat ng controls s at the start o$ a PCI &rogramme) ta'e an n%entory o$ e2actly (hat cardholder data you ha%e. $hen get rid of as much of it as !ossi%le. A ro#ust remo%al &roject to m n m se the cardholder data held ( th n the organ sat on can dramat cally reduce the costs o$ PCI DSS com&l ance. 1any merchants are turn ng to &ayment ser% ce &ro% ders n an attem&t to get cardholder data out o$ the r net(or') ado&t ng to'en sat on o$ cardholder data and ho&e$ully remo% ng nternal POS and &ayment systems $rom sco&e.

A #reach ha&&ens (hen cardholder data s lost $rom the merchant. One o$ the m&ortant &o nts a#out ensur ng that the agreement #et(een merchant and ser% ce &ro% der conta ns an ass gnment o$ l a# l ty s that other( se the merchant ( ll $ nd that the #uc' l terally sto&s ( th them (hen a #reach occurs. ;hen a #reach s d sco%ered #y the card #rands through the r $raud systems) the ac4u r ng #an' s not $ ed o$ a &otent al common &o nt o$ &urchase !CPP" or g nat ng merchant. The ac4u rer ( ll then commun cate ( th the merchant) and ad% se them o$ the ssue. The d $$erent card #rands currently ha%e %ary ng res&onse &rogrammes) ho(e%er n 2011 th s &rocess ( ll come under the go%ernance o$ the PCI SSC. It s l 'ely to ta'e on the name used #y /ISA +uro&e) the &ualified Forensic Investigator) !:6I". :6Is are nstructed to &ro% de a re&ort to the card #rands on (hat data has #een lost) (hat data s at r s') the method o$ the #reach) and the PCI com&l ance status at t me o$ #reach. PCI com&l ant organ sat ons 4ual $y $or ,Sa$e Bar#or- ) n other (ords) are not l a#le $or $ nes. It s at th s &o nt that the l a# l t es assumed #y the :SA $or accred t ng the com&l ant organ sat on come nto &layC

One &o nt o$ content on on the :6I n%ol%ement s that the re&ort ssued #y the :6I s sent to the card #rands as (ell as the #reached organ sat on. The #reached organ sat on s l a#le $or the :6I5s costs and th s can $re4uently #r ng much heated d scuss on n a s tuat on that s already $raught. Costs o$ a #reach can #e cons dera#le) and can dr %e an organ sat on nto #an'ru&tcy. 3y an o%er(helm ng $actor) most #reaches occur n small merchants !le%el = and >" and the commonest #reach channel s through the (e#.
12 Aot ,I don5t (ant to1= Bo&e$ully ,Sa$e Bar#our- n euro&eC

PCI DSS n +uro&e

COSAC 2010


3asterCard 4 ecific 4te s htt&.88(((.mastercard.com8us8merchant8su&&ort8rules.html 6rom the l n' a#o%e) cl c' on the l n' to the document ent tled Securit 'ules and Procedures ( )erchant *dition. Sect on 10.= deals ( th account data com&rom se e%ents. 7isa +848/8 4 ecific 4te s !+2cer&ted $rom / sa ?.S.A. Cardholder In$ormat on Secur ty Program !CISP") ;hat To Do I$ Com&rom sed) 128200F" htt&.88usa.% sa.com8do(nload8merchants8c s&D(hatDtoDdoD $Dcom&rom sed.&d$ "iscover Card 4 ecific 4te s htt&.88(((.d sco%ernet(or'.com8$raudsecur ty8data#reach.html /merican '9 ress 4 ecific 4te s htt&s.88(((20L.amer cane2&ress.com8merchant8s ngle%o ce8ds(86rontSer%letO re4uestDty&eUds(V&gDnmUmerch n$oVlnUenV$rmU?SVta##edU#reachV ntsearchctU==$0 NN$d#c00<NEecd1ccNdN2N=Ee$#d1 An o#ser%ed ssue currently s a certa n amount o$ role tens on n the ac4u r ng #an'. The ac4u rer currently has ult mate l a# l ty $or a #reached merchant) and also has res&ons # l ty $or nstruct ng the 4ual $ ed $orens c n%est gator. There$ore t s &otent ally n the ac4u rer5s nterest $or no ssues to #e $ound) or $or the #reach to #e the $ault o$ a com&l ant ent ty. In$ormal concerns ha%e #een e2&ressed #y card #rands along these l nes n the &ast.

/do tion of PCI "44 in 'uro e
PCI DSS co%ered organ sat ons are no( mostly a(are o$ the re4u rements o$ PCI DSS. Ty& cally th s a(areness s h ghest at the large ,le%el one- organ sat ons 0 those &rocess ng more than < m ll on card transact ons a year. *e%el > merchants are ty& cally least a(are o$ the ssue) and are also the ones most l 'ely to #e h t #y a #reach) &art cularly (hen they em#ar' on e7commerce. Ac4u r ng #an's no( ma'e e$$orts to strongly encourage small merchants to use an accred ted &ayment ser% ce &ro% der. Across +uro&e) a(areness s h gh n the ?G) and $alls o$$ as one &rogresses across. Its m&ortant to recogn se that PCI DSS s a glo#al standard 0 at a con$erence) I l stened to an angry $rench IT manager cry )ais non at ,someth ng that only a&&l ed to Amer ca- #ut the real ty s that th s s a standard that a&&l es e%ery(here. The go%ernance mechan sm s through trans$erra#le contract l a# l ty) &ass ng $rom the card #rand) through the ac4u rer and su#se4uent &rocessors) and e%entually to the merchant. Although the card #rands hold the r ac4u rers as $ nally and ult mately l a#le) merchants can $ nd themsel%es e2&osed at the &o nt o$ a #reach. An m&ortant &o nt to note s that (here a merchant outsources &art o$ the r &ayment &rocess to a th rd &arty) contractual language must re$lect a l a# l ty sh $t to match the &ayment &rocess. One $actor that may m&ro%e ado&t on o$ PCI DSS s $ more &u#l c d sclosure s made o$ #reaches n s m lar $ash on to the &u#l c d sclosures $ound n some states o$ the ?SA. Th s &ro% des m&etus to the #an's and merchant organ sat ons to sa$eguard aga nst re&utat on r s' as (ell as $ nanc al loss.

PCI DSS n +uro&e

COSAC 2010


What to e9 ect from the :4/
The role o$ the :SA s to assess the organ sat on $or com&l ance ( th the PCI DSS. 6re4uently :SAs are as'ed to g %e ad% ce to organ sat ons on (hat s re4u red to ach e%e com&l ance and other related n$ormat on secur ty to& cs. Putt ng t char ta#ly) the 4ual ty o$ ad% ce g %en #y :SA com&an es s %ar a#le. Common concerns e2&ressed nclude. •*ac' o$ a# l ty to translate techn cal %ulnera# l t es to #us ness r s' •*ac' o$ e2&er ence n assessment •Ind % dual :SA5s o%er7em&has s ng $a%our te techn cal measures (h ch do not str ctly meet the com&l ance re4u rements •:SA5s not &ro% d ng on7s te assessments) nstead us ng mostly cl ent7&ro% ded assert ons and remote nter% e(s. It5s m&ortant that (hen a :SA g %es ad% ce) they are o&erat ng $rom a &os t on o$ 'no(ledge not only n the n$ormat on secur ty doma n) #ut also (hat ( ll (or' $or the cl ent. Tou should e2&ect your :SA to #e a#le to nter&ret the PCI DSS and e2&la n ts a&&l ca# l ty to your organ sat on. Also) you should e2&ect your :SA to #e ready to nter$ace ( th your #an' and &art c &ate n the u&date &rocess to ensure your #an' understand and su&&ort your &rogress to(ard com&l ance. In add t on to doma n e2&ert se n the %ar ous sect ons o$ the standard) your :SA should #e a#le to ass st you n structur ng the remed at on &rogramme and mo% ng $rom the ,#rea'7 $ 2- cycle nto o&erat onal su&&ort and ma ntenance mode.

PCI DSS 2.0 s on the hor Jon) although the PCI SSC s 'ee& ng t5s cards close to the r chest) a statement has #een made that th s ne( terat on o$ the standard ( ll #e e%olut onary) and see' to #u ld acce&tance and clar $y uncerta nty ( th n organ sat ons. ;e can e2&ect to see the $ollo( ng changes. !" Clar $y &rocesses and ncrease $le2 # l ty $or cry&togra&h c 'ey changes) ret red or re&laced 'eys) and use o$ s&l t control and dual 'no(ledge. (" A&&ly a r s' #ased a&&roach $or address ng %ulnera# l t es. )" 1erge re4u rement <.=.1 nto <.E to el m nate redundancy $or secure cod ng $or nternal and ;e#7$ac ng a&&l cat ons. Include e2am&les o$ add t onal secure cod ng standards) such as C;+ and C+9T. *" ?&date re4u rement to allo( #us ness just $ cat on $or co&y) mo%e) and storage o$ CBD dur ng remote access. PCI DSS s ach e%a#le) ho(e%er to many organ sat ons t loo's l 'e an ntense tas'. O$ #ene$ t s a ro#ust structured &rogramme ( th the &ro&er e2ecut %e #ac' ng. I ha%e ne%er seen a com&l ance e$$ort succeed that d d not ha%e the $ nance d rector !or e4u %alent" ma' ng a $ rm) clear statement that ach e% ng com&l ance s necessary to the organ sat onRs sur% %al. ; th the a%a la# l ty o$ secur ty arch tectures such as SA3SA) PCI DSS should #e a relat %ely stra ght$or(ard challenge. 6or ISO2N002 al gned organ sat ons) %ery l ttle ( ll #e n the PCI DSS that ( ll #e un$am l ar. It can #e com&le2 and mult 7&art) #ut #y care$ul analys s) systemat c e2ecut on o$ remed at on act % ty) and a (ell7 n$ormed structured assessment #y the :SA) ts someth ng thats ach e%a#le and can lead to a ste&7change n the com&l ant organ sat ons secur ty matur ty.

PCI DSS n +uro&e

COSAC 2010


Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.