The Shortcut Guide To PCI Compliance and How SSL Certificates Fit
Dan Sullivan

Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books
that just happen to be delivered in electronic format at no cost to you, the reader. We've
made this unique publishing model work through the generous support and cooperation of
our sponsors, who agree to bear each book's production expenses for the benefit of our
readers.

Although we've always offered our publications to you for free, don't think for a moment
that quality is anything less than our top priority. My job is to make sure that our books are
as good as, and in most cases better than, any printed book that would cost you $40 or
more. Our electronic publishing model offers several advantages over printed books: You
receive chapters literally as fast as our authors produce them (hence the "realtime" aspect
of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers.
We're an independent publishing company, and an important aspect of my job is to make
sure that our authors are free to voice their expertise and opinions without reservation or
restriction. We maintain complete editorial control of our publications, and I'm proud that
we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially
if you've received this publication from a friend or colleague. We have a wide variety of
additional books on a range of topics, and you're sure to find something that's of interest to
you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your
educational needs far into the future.

Until then, enjoy.
Don Jones

Introduction to Realtime Publishers
Chapter 1: Overview of Payment Card Industry Data Security Standards
  The Need for Payment Card Industry Data Security Standards
  Well-Publicized Attacks on Payment Cards
  Data Breach at a Merchant
  Data Breach at a Payment Processor
  Data Breach at an Issuing Bank
  More than Isolated Incidents
  Identity Theft
  Professional Markets for Stolen Credit Cards
  Cost of Fraud to Payment Card Industry
  What Does PCI DSS Compliance Require?
  Network Security
  Protecting Cardholder Data
  Vulnerability Management
  Access Controls
  Monitoring and Auditing
  Security Policies and Procedures
  Focus on SSL Certificates
  The Need for SSL Certificates
  Network and Server Security
  Encrypting Payment Card Data
  Access Controls
  Summary
Chapter 2: Overview of SSL Certificates
  Components of an SSL Certificate
  Authenticating Servers with SSL Certificates
  Encryption and SSL
  Different Uses of SSL Certificates
  Domain-Level Certificates
  Organization-Level Certificates
  Server-Gated Cryptography Certificates
  EV SSL Certificates
  Contents of an EV SSL Certificate
  Requirements to Acquiring an EV SSL Certificate
  User Experience with an EV SSL Certificate
  Choosing the Right Type of SSL Certificate
  Trust and SSL Security
  Summary
Chapter 3: What Is Required by PCI Data Security Standards?
  Data Collection and Storage Practices
  Data Storage and Retention Regulations
  Encrypting Stored Data
  Encrypting Transmitted Data
  Implementing Logical Access Controls
  Implementing Physical Access Controls
  Access Controls and Removable Media
  Infrastructure Security and the PCI DSS
  Maintaining a Secure Network
  Server Hardening to Meet PCI DSS Regulations
  Deploy Antivirus Applications
  Develop and Enforce Security Policies
  Vulnerability Assessment and Management
  PCI DSS Monitoring and Auditing
  Summary
Chapter 4: PCI DSS Compliance Checklist
  Self-Assessment Activities
  Data Collection and Storage Practices
  Network Security Practices
  Server and Application Security Practices
  Monitoring Practices
  Policies and Procedures
  Securing Servers and Data Transmission with SSL
  Use Strong Encryption
  Use Strong Protocols
  Characteristics of Weak Protocols
  Characteristics of Strong Protocols
  Beware of Weaknesses in Protocols
  Essential Security Policies Related to SSL Certificates
  Encryption Policy
  Using Encryption for Data at Rest
  Using Encryption for Transmitted Data
  Types of Algorithms and Key Lengths
  Key Management
  Access Control Policy
  Data Classification Policy
  Monitoring and Auditing Policy
  SSL Certificate Life Cycle Management
  Choosing the Right SSL Certificate
  Renewing SSL Certificates
  Tracking SSL Certificate Inventory
  Summary

Copyright Statement
© 2012 Realtime Publishers. All rights reserved. This site contains materials that have
been created, developed, or commissioned by, and published with the permission of,
Realtime Publishers (the "Materials") and this site and any such Materials are protected
by international copyright and trademark laws.
THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice
and do not represent a commitment on the part of Realtime Publishers its web site
sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for
technical or editorial errors or omissions contained in the Materials, including without
limitation, for any direct, indirect, incidental, special, exemplary or consequential
damages whatsoever resulting from the use of any information contained in the Materials.
The Materials (including but not limited to the text, images, audio, and/or video) may not
be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any
way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify
or obscure any copyright or other proprietary notice.
The Materials may contain trademarks, services marks and logos that are the property of
third parties. You are not permitted to use these trademarks, services marks or logos
without prior written consent of such third parties.
Realtime Publishers and the Realtime Publishers logo are registered in the US Patent &
Trademark Office. All other product or service names are the property of their respective
owners.
If you have any questions about these terms, or if you would like information about
licensing materials from Realtime Publishers, please contact us via e-mail at
info@realtimepublishers.com.

[Editor's Note: This book was downloaded from Realtime Nexus, The Digital Library for IT
Professionals. All leading technology books from Realtime Publishers can be found at
http://nexus.realtimepublishers.com.]

Chapter 1: Overview of Payment Card Industry Data Security Standards
Data breaches and cybercrime are routinely reported in the popular press. Popular, well-known
companies such as Sony and Citibank have joined the ranks of security and payment
card industry firms such as RSA and Heartland Payment Systems as victims of cyber
attacks. These types of attacks are not new, and over time, businesses have responded by
developing and enforcing minimal standards for protecting payment card data. The
Payment Card Industry Data Security Standards (PCI DSS) define protections for credit and
debit card data and hold merchants and payment processors responsible for meeting
these standards.

The Shortcut Guide to PCI Compliance and How SSL Certificates Fit provides an overview of
PCI DSS and SSL certificates, outlines what is required by PCI DSS, and provides a PCI
compliance checklist. We start in this chapter by discussing three fundamental questions:

• Why do we need PCI standards?
• What is required by PCI standards?
• What is the role of SSL certificates in PCI compliance?

We begin by examining the business drivers that led to the development of PCI DSS.

The Need for Payment Card Industry Data Security Standards
The PCI DSS are needed to protect consumers, merchants, and banks from credit card fraud
and other forms of cybercrime. To understand what drove businesses to self-regulate the
payment card industry, it can help to look at several factors that have impacted the
industry:

• Well-publicized attacks on payment card businesses
• Impact of identity theft
• Emergence of professional markets for stolen credit card data
• Cost of credit card fraud on the industry

To understand how these factors help to shape the need for data protection standards, it is
important to understand the basic relationship between the different actors in the payment
card business.

The payment card industry is a highly distributed network of merchants, banks, and
service providers that support a nearly ubiquitous payment processing system. Whether
you are shopping online, traveling to another country, or dining out at your favorite
restaurant, chances are you can pay for your goods and services using a credit or debit
card. The payment card industry has set up procedures that allow us to use a credit card or
debit card we receive from any one of a large number of issuing banks at a large number of
merchants around the globe. The system is designed so that merchants do not have to have
separate relationships with all banks that issue cards. Can you imagine a small business
having to track hundreds, perhaps thousands of card-issuing banks? The payment card
industry would collapse under the weight of so much needless administrative overhead.
Instead of having one-to-one relationships between merchants and banks, the payment
card industry makes use of payment processors (see Figure 1.1).

Figure 1.1: The payment card authorization process involves multiple businesses
that receive and process credit card data such as card number and expiration date.

When a customer makes a purchase and pays for it with a credit card, a series of steps
follows; the first steps route payment card information to the bank that issued the card:

• The merchant swipes the card or collects the credit card information and keys it into
  a point-of-sale device that transmits the data to a payment processor.
• The payment processor determines which bank issued the credit card and routes
  the authorization request data to the issuing bank.
• The bank validates the credit card, checks the customer's available credit, and
  performs other steps like risk analysis. (If you do not routinely buy thousands of
  dollars' worth of electronic equipment online and ship it to addresses other than
  your billing address, there is a good chance such a charge would be declined).

After the bank determines whether to authorize or decline a charge, the following steps
occur:

• The issuing bank sends an authorization response to the payment processor
• The payment processor forwards the authorization response to the merchant
• The merchant concludes the sale with the customer if the card was approved

This distributed method of routing information is the key to efficient and cost-effective
payment card processing. The drawback of such a system is that credit card information
passes through several distinct processing steps. Each step in the process is a potential
target for criminals that would try to steal credit card data.

There is an obvious risk of a shopper losing his credit card. If someone found it, that person
might be able to make fraudulent purchases. If the merchant keeps a copy of credit card
numbers, expiration dates, and card security codes, that information could be lost or stolen
potentially exposing multiple customers to fraud. The possibility for even larger-scale fraud
occurs at the payment card processor and the issuing banks where large amounts of credit
card data are processed. These are not just theoretical risks; there have been large-scale
data breaches involving payment cards.

Well-Publicized Attacks on Payment Cards
Merchants, payment card processors, and banks have all been targets of cybercriminals
looking to cash in on stolen payment card data. Victims have included:

• Hannaford Brothers, a merchant
• Heartland Payment Systems, a payment processor
• Citigroup, an issuer of payment cards

These incidents are chosen as examples, but they are not the only cases we could consider.

Data Breach at a Merchant
Hannaford Bros. is a supermarket chain based in Maine with 170 stores in New England
and New York. In late 2007, the company started to suffer a data breach after company
servers were infected with malware. Attackers installed malicious software that was
designed to steal data from the point-of-sale systems where credit and debit cards were
swiped. Over the course of 4 months, approximately 4.2 million payment card numbers
were compromised. Estimates put the total cost at approximately $252 million (Source:
http://www.businesspundit.com/10mostcostlycyberattacksinhistory/).

Data Breach at a Payment Processor
Heartland Payment Systems provides credit and debit card processing for more than
250,000 business locations across the United States. In late 2008, attackers were able to
install malicious software on Heartland Payment Systems servers and collect data on 100
million individual card numbers. The cost of recovering from this breach was estimated to
be $140 million USD (Source:
http://www.businesspundit.com/10mostcostlycyberattacksinhistory/).

Data Breach at an Issuing Bank
In the spring of 2011, Citigroup reported a hacking attack that exposed credit card data on
more than 200,000 customers. Attackers were able to gain access to customer names,
account numbers, and contact information. This type of a breach is particularly concerning
because large banks have more resources to dedicate to security than do small merchants.
Up to that time, merchants were more likely to be targeted by attackers. Reuters reports
some security experts see this incident as a potential watershed after which banks will
become more frequent targets for attackers (Source: Maria Aspan, "Regulators Pressure
Banks after Citi Data Breach," June 9, 2011).

More than Isolated Incidents
Examples like these illustrate part of the problem. Even large companies with the resources
to apply appropriate security measures can fall victim to cyber attacks. Could these just be
anomalous outliers that are not representative of the experience of most companies?
Perhaps that is the case, but a study by the Ponemon Institute finds widespread and severe
impact of cybercrime. The researchers surveyed 50 large enterprises and found that
cybercrime costs these organizations a median of $5.9 million USD per year with a range of
$1.5 million to $36.5 million USD. The companies in the 2011 Ponemon study collectively
experienced 72 successful attacks per week, a 44% increase over the previous year
(Source:
http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf).
The incidents at Hannaford Brothers, Heartland Payment Systems, and Citibank are
not isolated incidents; threats to the payment card industry are systemic.

Identity Theft
Identity theft is a crime that uses a victim's identity to commit fraud or gain access to the
victim's personal resources, and credit card fraud is an obvious target for identity theft. The
US government has tracked statistics on identity theft for at least 10 years. Some of their
findings include:

• The US Federal Trade Commission received 250,854 identity theft complaints in
  2010, the largest category of complaints.
• Credit card fraud was the second most common form of identity theft in 2010,
  surpassed only by government documents/benefit fraud.
• Credit card-related identity theft decreased by 5% between 2008 and 2010

(Source: US Federal Trade Commission, Consumer Sentinel Network Data Book for
January-December 2010, March 2011).

[Chart: Number of Identity Theft Incidents Reported to U.S. Federal Trade Commission, by
year, 2001 to 2010; vertical axis from 0 to 350,000.]

Figure 1.2: Reported identity theft incidents increased from 2001 to 2008 before
beginning a slight decline (Source:
http://www.ftc.gov/sentinel/reports/sentinelannualreports/sentinelcy2010.pdf).
The cost of identity theft was $54 billion in the United States in 2009; worldwide, the cost
to businesses was $221 billion. Victims of identity theft lost on average $4841 (Source: Jolie
O'Dell, "How Much Does Identity Theft Cost?"). The extent of identity theft, the cost to
individuals and businesses, and the significant targeting of credit cards by identity
thieves all contribute to the need to protect and secure payment card data.

Professional Markets for Stolen Credit Cards
As the example cases of credit card breaches show, a single group of attackers can
sometimes net tens or hundreds of thousands of credit cards. The attackers can only make
use of so many of these cards. The real value to the attackers is that the stolen information
can be sold on cybercrime markets. These underground markets show surprising similarity
to legitimate markets with specializations of labor, market-driven pricing, and a production
and supply chain.

The US Federal Bureau of Investigation (FBI) has identified a wide range of professional
roles within cybercrime markets as listed in Table 1.1.
Roles                     Responsibilities
Programmers               Creators of malware to steal credit card and other information
Distributors              Brokers who mediate the sale of stolen information
Tech Experts              Systems administrators of the cybercrime world who keep the infrastructure up and running.
Hackers                   R&D guys who search for new vulnerabilities to exploit
Fraudsters                Criminals with people skills who can craft phishing lures and other methods to trap victims
Hosted System Providers   "Businesses" that offer infrastructure services, such as servers
Cashiers                  Those who provide accounts for money processing
Money Mules               Laborers who move money and complete transactions with banks to deposit the criminal profits
Tellers                   Money launderers who put money through various channels, like currency exchanges
Organization Leaders      C-level execs of the cybercrime world who build and manage teams of cybercriminals

Table 1.1: Roles and responsibilities of cybercriminals in specialized cybercrime
markets according to the FBI (Source: Panda Security, "The Cyber-Crime Black
Market: Uncovered," January 2011).

The key takeaway from this table is that cybercriminals are well organized and have
created a market system with all its benefits. New providers can enter and innovators will
be rewarded with more business. In addition, this market has customers who make use of
these services and have a choice of providers. In case there is any doubt about the
formidable challenge we face to protect against highly skilled and highly motivated
cybercriminals, let's take a look at the kinds of revenues credit card fraud and related
crimes can generate.

Cost of Fraud to Payment Card Industry
The number of payment cards in use has grown steadily over the past decade. The US
Census Bureau estimates that there were 159 million credit card holders in 2000 and 173
million in 2006, and that the number is projected to reach 181 million by 2010 (Source: Ben
Woosley and Matt Schulz, "Credit Card Statistics, Industry Facts, Debt Statistics"). With so
many credit cards in circulation, there is bound to be significant fraud. When that happens,
who pays the costs?

Consumers do not have to bear the brunt of credit fraud, at least not directly. By law,
consumers are liable for only $50 of fraudulent charges unless the credit card data was
stolen in a data breach, in which case they have no liability at all. That means that card
issuers and merchants are left to pick up most of the cost of credit card fraud. Who ends up
paying depends on whether the merchant complied with PCI DSS. When merchants follow
safe practices, they are not liable for the fraud and the bank absorbs the cost. The aggregate
costs of credit card fraud are substantial.

A 2010 study by LexisNexis found retailers lost $139 billion to fraud in 2009. The study
also noted that for every $100 in fraudulent transactions, the total cost of fraud, including
such things as card replacements, reached $310. Although consumers may not be liable for
more than $50 if they report fraud within 60 days of receiving their statement, the report
found consumers suffered from a $5.5 billion loss from unreimbursed expenses, legal
expenses, and other charges (Source: "Retailers Lost $139 Billion to Fraud in the Last Year,
According to LexisNexis Risk Solutions Study," September 2010). There is more to the story
though. We all pay more to cover the cost of fraud; by one estimate, we pay an additional 2
to 4% to cover the cost of fraud (Source: Eva Norlyk Smith, Ph.D., "The Hidden Costs of
Credit Card Fraud," August 2011).

There have been a lot of statistics in this discussion, and they are necessary to capture the
scope and magnitude of the problem. Well-publicized attacks on merchants make for
compelling news stories and make us aware that a problem exists, but they do not give a good
picture of the extent of the problem. When we dig into the number of incidents of identity
theft and consider the cost of fraud to consumers, merchants, and banks, we can see these
are not isolated incidents. We should not be surprised at the magnitude of the problem.
Hundreds of millions of credit cards are in use in the US alone. The value of credit card data
is enough to lure and maintain sophisticated cybercrime organizations to the point where
underground markets with division of labor and specializations are commonplace.

One way to mitigate the risk of payment card fraud is to implement information security
controls that provide a base level of protection for that data. The PCI DSS is an attempt to
define minimum standard protections that should be in place in the payment card industry.

What Does PCI DSS Compliance Require?
The PCI DSS is designed to set minimal protections for credit card information across the
industry, so it is broad in its scope. The topics addressed by the standard include:

• Network security
• Payment card data protection
• Vulnerability management
• Access controls
• Monitoring and auditing
• Security policies and procedures

Each of these areas has specific requirements defined by the standard.

Network Security
The PCI DSS requires the use of firewalls and router configurations to protect the network
transmitting credit card data. This is broken down into several tasks:

• Establishing a formal procedure for testing and approving network connections and
  changes to firewalls and routers
• Maintaining accurate network diagrams
• Implementing firewalls between internal networks and demilitarized zone (DMZ)
  segments
• Defining groups and roles responsible for network management
• Restricting inbound and outbound traffic to that required for the card processing
  operations
• Installing firewalls between wireless networks and cardholder data networks
• Deploying stateful inspection of network traffic
• Deploying personal firewalls on mobile devices with access to the cardholder
  network

Resource
This is not a full list of requirements for firewalls and routers; it is a
representative sample. See the PCI DSS documentation for a complete list at
Payment Card Industry (PCI) Data Standard: Requirements and Security
Assessment Procedures version 2.0.

Another set of requirements for network security dictates that one should never use
vendor-supplied default passwords. Also, servers should be hardened by:

• Using one server per function (for example, not having a DNS server on the same
  host as an application server)
• Executing only required processes, services, daemons, etc. on servers
• Removing unnecessary scripts, tools, drivers, etc.
• Encrypting non-console administrative access to servers on the cardholder network

In addition to server and network configurations, one must implement controls to protect
cardholder data.

Protecting Cardholder Data
As a general rule, you do not want to store any more cardholder data than you need to, and
when you do store it, make sure it is encrypted and get rid of it as soon as possible. That
was the short version of what is involved in protecting cardholder data; a more detailed
explanation includes specifics such as:

• Define and implement storage retention policies for cardholder data
• Do not store sensitive cardholder data such as data from a card's magnetic strip,
  card verification code, or a personal identification number
• Display only the first six or last four digits of a card number unless the full number is
  needed by an employee with legitimate need for the data
• If an account number is stored, make sure it is unreadable using strong encryption
  or some other equally protective measure
• Protect keys used in your encryption process so that they are not compromised
• Document key management procedures

In addition to keeping cardholder data safe when the data is at rest, we have to attend to
protecting it during transmission. This requires that any time cardholder data is
transmitted, it is strongly encrypted.
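
One way to check stored text for full card numbers and apply the "first six or last four digits" display rule listed above. This is an added example, not code from the book: the function names are hypothetical, the log lines are constructed, and the card numbers are the widely published test values.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; filters most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, show: str = "last4") -> str:
    """Mask a card number so only the first six OR the last four digits remain."""
    if show == "first6":
        return digits[:6] + "*" * (len(digits) - 6)
    if show == "last4":
        return "*" * (len(digits) - 4) + digits[-4:]
    raise ValueError("show must be 'first6' or 'last4'")


def redact_line(line: str, show: str = "last4"):
    """Return (redacted_line, hits); only Luhn-valid candidates are masked."""
    hits = 0

    def _replace(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # e.g. an order or SKU number: leave untouched
        hits += 1
        return mask_pan(digits, show)

    return _CANDIDATE.sub(_replace, line), hits


def scan(lines, show: str = "last4"):
    """Redact every line; findings are (1-based line number, card numbers found)."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, hits = redact_line(line, show)
        redacted.append(clean)
        if hits:
            findings.append((number, hits))
    return redacted, findings


# Constructed sample log lines (not real data); card values are public test numbers.
SAMPLE_LOG = [
    "2011-06-09 12:00:01 POS auth request pan=4111111111111111 amount=25.00",
    "2011-06-09 12:00:02 POS receipt printed card 5555-5555-5555-4444",
    "2011-06-09 12:00:03 inventory sku 1234567890123456 restocked",
    "2011-06-09 12:00:04 refund to 378282246310005 approved",
]

if __name__ == "__main__":
    cleaned, found = scan(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print("lines holding full card numbers:", found)
```

A non-empty findings list means full card numbers are being written to storage, which is a retention problem to fix at the source; masking the output does not replace encrypting stored account numbers.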

Vulnerability Management
The section of the PCI DSS requirements that deals with vulnerability management covers
endpoint security, antivirus, and vulnerability remediation. It calls for deploying antivirus
solutions and ensuring they are current, active, and logging appropriately as well as
patching for known vulnerabilities.

Businesses subject to PCI DSS regulations must also maintain patches to reduce the risk of
a known vulnerability being exploited. Specific steps include:

Keeping applications patched with the latest vendor patches

Assessing and ranking newly discovered vulnerabilities

Following change control procedures with application development and
deployment

Following secure coding guidelines when developing applications

Using automated vulnerability scanning for public-facing Web applications

Vulnerability scanning tools can help identify vulnerabilities in your systems. Vulnerability
scanners are designed to detect weaknesses in applications and operating systems (OSs)
that can be exploited by an attacker. Vulnerabilities can arise from the way applications
handle improper input (for example, input strings that are too long), from weak encryption
mechanisms, and improperly configured network ports. Some tools include prepackaged
scans designed for PCI DSS.

Access Controls
Who can have access to credit card data is another issue addressed by the PCI DSS. The
requirements in this area include:

Using the least privilege principle so that users have only as much access to credit
card data as they need to do their jobs

Assigning unique IDs and passwords, tokens, or biometrics to users accessing
cardholder data

Implementing two-factor authentication for remote access

Authenticating access to any database containing cardholder data

Using automated access control systems to enforce the other requirements

Using physical controls and monitoring to limit access to systems

Tracking visitors and using logs to track physical activities

Maintaining controls over the distribution of media with protected data

These security controls can limit access to users, but we also need to ensure these controls
are in place and working. Monitoring and auditing are also required.

Monitoring and Auditing
The monitoring and auditing sections of the PCI DSS requirements define measures to help
ensure other controls are working properly. Some of the requirements in this area are:

Implementing audit trails in sufficient detail to be able to recreate root-level actions,
access to cardholder data, initialization of audit logs, and other significant events

Using time encryption techniques to ensure timestamps are correct and consistent
across devices

Ensuring audit trails cannot be tampered with by preventing unauthorized
modifications and using file integrity checking applications

Performing daily review of logs

Maintaining audit trail data for at least 1 year

In addition to implementing all of the controls just mentioned and auditing them to make
sure they are operating as expected, to be PCI DSS compliant, we also need to have policies
and procedures in place that document how and when these measures are executed.

Security Policies and Procedures
The PCI DSS requires documentation and training to ensure that those involved with
cardholder data are aware of requirements. The standard also calls for training and
communication programs. Security policies that comply with PCI DSS must be in place.

The PCI DSS addresses a wide range of security controls and practices. Compliance is not
trivial. Running OSs and applications in default configurations will not meet compliance
requirements. Insufficient documentation and training will not meet compliance
requirements. Lack of auditing and review will lead to failure to comply. The standards and
controls specified in the PCI DSS should be considered minimal requirements. Companies
that have been in PCI DSS compliance have suffered data losses. Implementing the PCI DSS
will help mitigate security risks; it will not eliminate them.

Focus on SSL Certificates
The full PCI DSS warrants multiple full book-length discussions. For the rest of this guide,
we will focus on the role of SSL certificates in meeting PCI DSS requirements. The PCI DSS
emphasizes a number of areas, such as encryption and authentication, where SSL
certificates play a crucial role. For now, we will focus our attention on those topics.

The Need for SSL Certificates
SSL certificates are versatile digital assets that are used in a range of security measures:

Network and server security

Encrypting payment card data

Access controls

Each of these areas is addressed in the PCI DSS, so you can expect to routinely work with
SSL certificates as part of your compliance efforts.

Network and Server Security
Let's consider a hypothetical attack on the card payment processing system. An attacker
decides to create a server that appears to be a legitimate server run by a payment
processor. The attacker uses email scams and Trojan software to inject code that alters the
way IP packets are routed so that instead of going to the legitimate payment processor
server, card data is routed to a rogue server controlled by the attacker.

Figure 1.3: Without the ability to authenticate the servers that receive cardholder
data, an attacker could launch an attack using a server that appears to be a
legitimate part of the card processing system but actually just captures data sent to
it. The real payment processor or issuing bank would never process the transaction
in this scenario.

In this scenario, the merchant system is depending on either a domain name, for example,
AcmePaymentProcessor.com, or an IP address to identify the payment processor's server.
Under ideal conditions, the DNS name or IP address would route transactions to the proper
server. If there were a breach in any part of the routing process, you might not know where
your data is going.

One way an attacker might implement this scenario is to use DNS cache poisoning. DNS
services map domain names to IP addresses. Internet service providers (ISPs) can provide
DNS services; you might use a specialized DNS service provider or even maintain a DNS
server in your own organization. If an attacker is able to exploit a vulnerability in the DNS
system and change the address associated with a domain name, your traffic may be
rerouted to a malicious site. DNS is an essential service, but it should not be used as a
substitute for authenticating a server you are about to send confidential data to.

Depending on networking services to always route transactions securely and properly to
your business partners is insufficient when you need to protect the confidentiality of your
data. You need to authenticate devices before you send business partners data, and doing
so requires an SSL certificate. SSL certificates are provided by trusted third parties and
designed for specific servers or domains. Rather than assuming the network will send your
transaction to the right destination, you can verify that the server you are communicating
with holds a certificate that a trusted third party would grant only to the party described in
that certificate.

Verifying the identity of the server or other device at the other end of a communications
channel is just one part of creating a secure and trusted communication channel (see
Figure 1.4). We also need to ensure that no one can intercept communications as data is
sent from one device to another.

Figure 1.4: Communication partners are trusted when devices are authenticated
using SSL certificates. Data must be encrypted as well to prevent eavesdropping
attacks.

Encrypting Payment Card Data
SSL certificates also support the use of encrypted communication. There are multiple ways
to encrypt data; one way is to use a system known as public key cryptography. This method
uses two keys, one to encrypt data and one to decrypt it. The former is known as a public
key and the latter is known as a private key. The public key is made available in the SSL
certificate used to authenticate the device. Once a device has been authenticated, the two
devices can negotiate an agreed-upon protocol for encrypting data for this session. The
agreed-upon encryption method is then used to encrypt data such as a credit card number,
expiration date, and security code. The message will look nothing like the original data, so if it is
intercepted in transit, it won't be of much value to anyone else. In theory, someone with
enough time and computing power could break the encryption and discover the original
data, but strong encryption techniques make that impractical in most cases.

Note
There have been exceptions with older versions of the SSL/TLS standard in
which implementation vulnerabilities have been exploited; see The Register's
reporting on recent research findings.

Access Controls
We have seen how SSL certificates can be used to authenticate servers and support
encryption. They can also be used to control access to services. For example, a payment
card processing application may only accept incoming connections from a trusted device or
on behalf of someone logging in who can verify their identity. SSL certificates can be used to
ensure that both parties at either end of a communication session are validated before
access to data or services is granted.

SSL certificates enable a combination of authentication and encryption services that are
required by the PCI DSS. In the following chapters, we will delve into implementation
details and practices to help you plan, deploy, and manage SSL certificates in compliance
with requirements.

Summary
The payment card industry is the target of substantial fraud. Organized cybercrime groups
are sophisticated and well established to the point of having created underground markets
for credit card fraud software, data, and supporting services. Legitimate businesses have
responded with efforts to improve the security of a highly distributed and decentralized
payment card system. SSL certificates play key roles in preserving the confidentiality and
integrity of payment card data.

Chapter 2: Overview of SSL Certificates
SSL certificates are an important element of the security infrastructure that protects
systems and communications. In that role, they also enable customers to trust businesses
that customers might otherwise be unfamiliar with. What is it about SSL certificates that
enables these properties? To answer this question, we must understand the components of
an SSL certificate and how they are used for authentication and encryption. We also need to
understand different uses of SSL certificates and how they enable the formation of trust.
This chapter is organized into five sections that will address these issues:

Components of an SSL certificate

Authenticating servers with SSL certificates

Encryption and SSL

Different uses of SSL certificates

Trust and SSL security

We start with the basic building blocks of SSL certificates.

Components of an SSL Certificate
An SSL certificate is a file. At least that is the basic implementation of an SSL certificate. The
file is well structured and contains a variety of different types of information, all of which
are needed to meet the basic functional requirements of an SSL certificate. SSL certificates
use a format outlined in the X.509 standard, and the main components include:

Version and serial number

Signature algorithm

Issuer

Validity dates

Subject

Subject's public key

Digital signature of the issuing Certificate Authority (CA)

The X.509 standard was defined by the International Telecommunication Union (ITU) to
provide a format for public key certificates, such as SSL certificates, as well as to define
ancillary functions, such as certificate revocation lists. The version attribute specifies the
version of the X.509 standard that was used to generate the certificate. The serial number
is a unique number assigned by the issuer to the certificate. The combination of the issuer
and the serial number is unique across all certificates.

The algorithm attribute is an identifier that indicates the algorithm used by the issuing
party to digitally sign the certificate. The issuer attribute describes the CA that issued the
certificate. The issuer attribute actually includes a number of features about an issuer, such
as the name of the issuer, the country where it is located, and the organizational unit within
the company that issued the certificate.

Note
Anyone or any organization can issue a certificate. All that is needed is some
freely available software to generate the X.509 certificate file. In practice,
however, most certificates used in online commerce are created by trusted
organizations in the business of providing SSL certificates. Although we can
all create certificates, far fewer people would actually trust our certificates
than those generated by well-known certificate providers.

Validity dates are important attributes of an SSL certificate because these dates indicate the
time period during which a certificate is valid. Like credit cards and debit cards, SSL certificates
have expiration dates. This feature ensures that a certificate cannot be used indefinitely
without the holder of the certificate demonstrating that it still has legitimate use of the
certificate. For example, a retailer that acquires an SSL certificate may go out of business.
Once the validity date passes, the certificate will no longer be valid and the business would
no longer exist to get another certificate from a legitimate certificate provider.

The subject attribute identifies the entity associated with the certificate. In some cases, this
attribute is a server or a domain, but it could be a business or other organization. SSL
certificates are sometimes categorized by the type of entity in the subject attribute. When
an SSL certificate is issued for a server, the fully qualified domain name is specified, such as
server1.example.com. If someone were to place this certificate on another server, a Web
browser would be able to detect the mismatch between the subject name and the name of
the server hosting the certificate.

The keys in an SSL certificate are cryptographic keys. Keys are binary strings. The types of
keys used in SSL certificates are public key cryptography keys. These keys have a
particularly useful property: They are created in pairs and one key is used to encrypt
(lock) data and the other is used to decrypt (unlock) the encrypted data. As Figure 2.1
depicts, data, such as a message, is encrypted using one key from the key pair but is
decrypted using the other. The key used to encrypt a message is known as the public key
and the other is called the private key. Public keys, as the name implies, are freely shared.

Anyone who wants to send an encrypted message to the subject of the SSL certificate can
encrypt a message using the public key that is included in the SSL certificate. The private
key is kept secret by the subject, so only the subject can decrypt a message sent using its
public key.

Figure 2.1: Public key cryptography uses two keys, one to encrypt data and one to
decrypt it. It is not possible to decrypt a message using the same key that was used to
encrypt it.

Signatures are encrypted forms of data in the certificate that are generated using message
authentication functions. Signatures are used to help detect tampering. If someone were to
try to alter some part of the certificate, such as the subject name, the tampering could be
detected by recomputing the signatures. Message authentication functions are designed in
such a way that even a small alteration, such as changing server1.example.com to
server2.example.com, would result in a different signature.

The data within an SSL certificate can be rendered in different forms. For example, a
commonly used format is known as the privacy-enhanced mail (PEM) Base64 format,
which is a text-based representation (see Figure 2.2). Such formats are useful for
exchanging certificates, but to view them it helps to use utilities such as the Microsoft
Management Console (MMC) snap-in for certificates (see Figure 2.3).

Figure 2.2: Example SSL certificate in PEM Base64 format.

Figure 2.3: The contents of SSL certificates can be displayed using the MMC
Certificate Snap-in.

SSL certificates are frequently used for server authentication and encryption. Now that we
have reviewed the structure of an SSL certificate, we can move on to review the process by
which they are used for authentication and encryption.

Authenticating Servers with SSL Certificates
When a consumer visits a Web site to make a purchase, how would he know for sure he is
dealing with the vendor he believes he is dealing with? After all, someone could
conceivably copy the contents of a Web site, such as logos, images, text, etc. and
masquerade as the legitimate business. Clearly, the looks of a Web site are not a good
method to identify and authenticate a business. SSL certificates are not subject to simple
copying attacks the way Web sites are, which is one of the reasons they are so important to
online commerce.

Modern Web browsers are designed to work with servers that use SSL certificates for
authentication. When a user navigates to a site and attempts to authenticate the site, the
user's device, which we will refer to as the client, executes a handshake protocol, to
establish secure communications with the server.

The process starts with the client device sending what is known as a ClientHello message.
This message includes information about the highest version of the SSL protocol the client
supports, a set of algorithms for authentication and encryption known as a cipher suite, a
set of possible compression methods, and a random number.

Old Terminology for New Protocols
Once terminology is adopted, it is sometimes hard to change to new
terminology. What we know of as the SSL standard today is formally
known as the Transport Layer Security (TLS) protocol. TLS is the successor
to the SSL protocols developed in the late 1990s. The protocol described here
is actually the TLS version 1.2 protocol, but we will use the term SSL
throughout this ebook to refer to both the older SSL protocols and the TLS
protocols.

When the server receives the ClientHello message, it selects the most secure protocol that
both the server and the client support, the most secure cipher suite they both support, and
a compression method from the set offered by the client. The server also generates a
random number and sends it along with the other information in a ServerHello message.
Next, the server sends a Certificate message followed by a ServerHelloDone message to
inform the client that the server is done with this initial step. The Certificate message
contains a list of certificates that starts with its own certificate. Now, it's the client's turn to
send information back to the server. Assuming the cipher suite selected by the client and
server uses encryption and the server has not requested a certificate from the client, the
next step is to send the ClientKeyExchange Message. This message includes data known as
the premaster secret. The TLS protocol supports multiple ways of creating a premaster
secret; we will describe just one, the RSA-encrypted premaster secret.

One way to create a premaster secret is for the client to generate a 48-byte message and
encrypt it with the server's public key. (The public key is provided by the server's SSL
certificate.) This premaster secret is then sent to the server using the RSA Premaster Secret
Message. The client and the server use the premaster secret along with random numbers to
calculate a master secret, which is used to encrypt communications from this point
forward.

The client then sends a ChangeCipherSpec message to the server indicating that all further
communication will be encrypted and authenticated. The client sends a Finished message,
which includes encrypted data that must be successfully decrypted by the server; otherwise
the handshake will fail. The server sends similar messages to the client to finish the
handshake.
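To make the last two steps concrete, the following added example (not code from the guide) derives the master secret, the session keys, and the Finished check value with the TLS 1.2 pseudorandom function defined in RFC 5246. It assumes both sides already hold the premaster secret, so the RSA encryption step is omitted; the random values, the transcript bytes, the function names, and the choice of the TLS_RSA_WITH_AES_128_CBC_SHA256 key sizes are assumptions made for illustration.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash expansion from RFC 5246 section 5, using HMAC-SHA256."""
    out = b""
    a = seed                                             # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret from the premaster secret and both hello randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def split_key_block(master, client_random, server_random):
    """Session keys for an AES-128-CBC / HMAC-SHA256 suite (note the swapped randoms)."""
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {
        "client_write_mac_key": block[0:32],
        "server_write_mac_key": block[32:64],
        "client_write_key": block[64:80],
        "server_write_key": block[80:96],
    }


def client_verify_data(master, handshake_messages):
    """12-byte value carried in the client's Finished message."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master, b"client finished", transcript_hash, 12)


def server_accepts_finished(received, master, handshake_messages_seen):
    """Server recomputes the value over the messages it saw and compares."""
    expected = client_verify_data(master, handshake_messages_seen)
    return hmac.compare_digest(received, expected)


# Constructed sample values (not from a real session).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))   # 2-byte version + 46 bytes = 48
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def simulate_handshake():
    """Run the derivation once and check Finished against a clean and an altered transcript."""
    master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    verify = client_verify_data(master, TRANSCRIPT)
    altered = TRANSCRIPT.replace(b"ClientHello", b"ClientHellO")
    return {
        "master_secret": master,
        "keys": split_key_block(master, CLIENT_RANDOM, SERVER_RANDOM),
        "verify_data": verify,
        "server_accepts": server_accepts_finished(verify, master, TRANSCRIPT),
        "server_accepts_altered": server_accepts_finished(verify, master, altered),
    }


if __name__ == "__main__":
    result = simulate_handshake()
    print("master secret:", result["master_secret"].hex())
    print("Finished accepted:", result["server_accepts"])
    print("Finished accepted after transcript change:", result["server_accepts_altered"])
```

The master secret is not itself the encryption key: the record-layer keys come from the key expansion step, and the Finished value ties those keys to every handshake message exchanged, which is why a modified handshake fails.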

Figure 2.4: Steps in the SSL/TLS handshaking protocol to authenticate servers.

Note
When a server sends its certificate and the list of certifying certificates, that
list is checked against CAs trusted by the client. A simple list may contain two
certificates, the server's certificate and the certificate of the CA. If the CA
certificate is known to the client as a trusted CA, the authentication will
succeed (assuming all other steps succeed as described earlier). If the CA is
not recognized, the browser will display an error message such as that
shown in Figure 2.5.

Figure 2.5: A warning message generated when a server returns a certificate that
was issued by an untrusted CA.

The TLS Specification
The process discussed earlier describes the major steps in the handshake
protocol. The TLS protocol supports a number of methods and levels of
security for things such as exchanging keys and encrypting data. It also
supports the use of client authentication as well as server authentication. For
more information on these and other details about the protocols, see the
Internet Engineering Task Force (IETF) Request for Comment (RFC) on TLS
at http://tools.ietf.org/html/rfc5246.

In addition to the exchange between the client and the server, the client exchanges
information with the CA to verify that the contents of the certificate are valid and apply to
the particular server the client is communicating with.

Encryption and SSL
Part of the protocol described earlier included agreeing on a cipher suite. A cipher suite
includes a bulk data encryption algorithm. The relative security of an encryption scheme is
a function of both the algorithm you choose and the length of the key used for encryption.
The TLS version 1.2 standard (the latest) supports the following algorithms:

RC4

3DES

AES

RC4 is a symmetric key algorithm, that is, it uses a single key for both encryption and
decryption. The RC4 algorithm works by combining the plaintext of a message with a
random stream of bits. The RC4 algorithm is simple to implement and efficient, and this
makes it a common choice for bulk data exchange when encryption is required.

3DES, or Triple Data Encryption Standard (DES), differs from RC4 in that it works on blocks
of data rather than streams of data. The original DES algorithm used a 56-bit key, which was
sufficiently long to protect messages at the time the algorithm was developed. As
computing capabilities increased, so did the ability to break DES encryption. Triple DES
improves on DES by using three 56-bit keys, which provides the equivalent protection of a
112-bit key.

The Advanced Encryption Standard (AES) replaced DES as the US government encryption
standard in 2002. AES can use three different key lengths: 128 bits, 196 bits, or 256 bits.
The 196-bit and 256-bit key length encryption is considered sufficient for top secret
classified data of the US.

The SSL/TLS protocol supports different algorithms that have different properties. RC4 is a
good choice for many applications, including online commerce. For the greatest level of
security, the AES algorithm with a long key is a better option.

Different Uses of SSL Certificates
CAs have adopted SSL certificates to meet a range of requirements that businesses face.
The most basic use of an SSL certificate is to authenticate a single server. Such a simple
model is easy to understand, but as is often the case with information technology, simple
things can be difficult to manage. In other cases, simple solutions may not provide all the
functionality that businesses or other organizations may require. This section will look at
several uses and specializations of the SSL certificate:

Domain-level certificates

Organization-level certificates

Server Gated Cryptography (SGC) certificates

Extended validation (EV) certificates

The underlying SSL technology and protocols are the same, but the way these function with
browsers can vary.

Domain-Level Certificates
Earlier, we noted that a certificate includes a subject identifier, such as the fully qualified
name of a server, for example, server1.example.com. The specification of a single server
name is not required by the SSL certificate standard. In fact, CAs are able to generalize the
subject of a certificate so that a single SSL certificate can be valid for multiple subdomains.
For example, a basic SSL certificate must specify that it is valid only for www.example.com.
Such a certificate can only be used on a Web server for the example.com organization. If
example.com also supported an ftp site at ftp.example.com or a mail server at
mail.example.com, each of these sites would need their own certificate unless the certificate
provider generated subject alternate names (SAN) in the certificate. Domain-level
certificates, sometimes called wildcard certificates, allow organizations to purchase a single
SSL certificate and use it for multiple subdomains.

Organization-Level Certificates
Different CAs may restrict wildcard SSL certificates to work with a single level of
subdomains, such as:

www.example.com

ftp.example.com

collaboration.example.com

db.example.com

The same domain-level certificate may not work with multiple subdomain levels that might
be found in large organizations. For example, a fully qualified server name might include
multiple levels such as:

ftp.marketing.example.com

ftp.research.example.com

mail.newyork.example.com

mail.london.example.com

When choosing a single SSL certificate option, be sure to determine whether the CA
provides wildcard certificates that meet your subdomain requirements.

Wildcard certificates help reduce management overhead because a single certificate can be
used for multiple domains. This means only a single certificate needs to be renewed. It also
makes it easier to deploy additional virtual machines in the domain with SSL certificates. If
you determine you need more virtual servers in your environment, you can rapidly deploy
another virtual machine because you do not have to wait for approval to procure,
download, and install a new SSL certificate.
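The single-level restriction described above can be checked against a server inventory before a wildcard certificate is purchased. This added example is not code from the guide: it applies the common client-side matching rule in which `*` stands for exactly one left-most label, and reports which hosts a set of certificate names would leave uncovered. The function names and the two stricter rules marked as assumptions in the comments are choices made for illustration; the hostnames are the ones used in this section.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """True if one certificate name (exact or wildcard) covers the hostname."""
    pattern, host = _labels(cert_name), _labels(hostname)
    if "" in pattern or "" in host:
        return False                    # empty label, e.g. "ftp..example.com"
    if len(pattern) != len(host):
        return False                    # "*" stands for exactly one label
    if any("*" in label for label in pattern[1:]):
        return False                    # wildcard is honoured only in the left-most label
    if pattern[0] == "*":
        if len(pattern) < 3:
            return False                # assumption: refuse names as broad as "*.com"
        return pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False                    # assumption: no partial labels such as "f*.example.com"
    return pattern == host


def certificate_covers(cert_names, hostname):
    """True if any subject or subject alternate name on the certificate matches."""
    return any(name_matches(name, hostname) for name in cert_names)


def uncovered_hosts(cert_names, inventory):
    """Hosts in the inventory that the certificate's names do not cover."""
    return [host for host in inventory if not certificate_covers(cert_names, host)]


# Server names taken from the examples in this section.
INVENTORY = [
    "www.example.com",
    "ftp.example.com",
    "collaboration.example.com",
    "db.example.com",
    "ftp.marketing.example.com",
    "ftp.research.example.com",
    "mail.newyork.example.com",
    "mail.london.example.com",
]

if __name__ == "__main__":
    print("*.example.com leaves uncovered:")
    for host in uncovered_hosts(["*.example.com"], INVENTORY):
        print("  ", host)
```

Running the inventory check for each candidate certificate shows how many wildcard or SAN entries the deeper subdomain levels would actually require.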

Figure 2.6: When server-level certificates are used, each server must have an
individual SSL certificate (a); when domain-level certificates, or wildcard certificates,
are used, a single certificate can be used for multiple servers (b).

Server Gated Cryptography Certificates
In the 1990s, the US government limited the export of strong cryptography. Encryption
technology that was destined for export outside the US was required to use weak
encryption algorithms and short keys. As a result of this restriction, there existed users
who were limited to 40-bit encryption that needed to connect to servers using 128-bit
encryption. Server Gated Cryptography (SGC) certificates were created to allow browsers
with the weaker encryption to connect to such servers. The limits on exporting strong
cryptography in browsers have been removed, so there is less need for SGC certificates.

EV SSL Certificates
Sometimes getting an SSL certificate requires just some basic checks; for example, a CA
might verify that you are the owner of a domain before issuing you a certificate for that
domain. This level of identity verification is sufficient for many purposes, such as setting up
an email server or a collaboration server for a group of remote telecommuters. In both
cases, there is relatively low risk that someone would be motivated to spoof users into
working with an attacker-controlled email or collaboration server. After all, what would be
the value? The attacker may hope to get some emails and documents. Unless those
documents contain significant intellectual property or have insights to high-value
competitive bids, it probably isn't worth the effort that would be required to successfully
set up a site masquerading as a legitimate site. That is not always the case, though.

Consider a bank or an online payment service. These are high-value targets. If someone
could successfully spoof users into working with fake Web sites for even a short period of
time, the attacker could collect authentication information and account data that could
ultimately result in identity theft, credit card theft, or other forms of financial gain for the
attacker. When there is that much motivation to masquerade as a legitimate site, there is
comparable motivation to protect against it, and this is why EV SSL certificates were
created.

Contents of an EV SSL Certificate
EV SSL certificates include several pieces of information about the entity receiving the
certificate:

Organization name: The full legal name of the organization as it would appear in
legal documents, such as incorporation records. It may also include additional
information such as a doing business as (DBA) name.

Domain name: One or more domain names controlled by the entity named in the
certificate subject. It should be noted that domain names must be explicitly listed;
wildcards are not allowed in EV SSL certificates.

Jurisdiction of incorporation: This is the name of the government jurisdiction, such as a
state or country, in which the entity was incorporated.

Registration number: A registration number assigned to the entity by the
incorporating agency, such as a state corporation commission.

Address of place of business: This is the address of the physical location of the
business.

Before an EV SSL certificate is issued, the CA must perform various checks over and above
those required for typical organization-level certificates to verify the identity of the
organization receiving the certificate. These steps are defined by an industry working
group, the CA/Browser Forum (http://www.cabforum.org/). All CAs issuing EV SSL
certificates are expected to follow these guidelines.

Requirements for Acquiring an EV SSL Certificate
The guidelines for private organizations include:

The organization must be recognized and created by an incorporating or registering
agency. The incorporating or registering entity must be chartered by a state or
federal government.

The organization must have named a registered agent or registered office or an
equivalent physical facility.

The organization must not be designated as inactive, invalid, not current, or similar
designation by the incorporating or registering entity.

The organization must have a physical place of business that can be verified by the
CA.

The CA must be able to legally conduct business in the location where the business
is located.

The business must not be listed on a government denial list or prohibit list, such as a
trade embargo.

These guidelines ensure that the organization receiving an EV SSL certificate is at least
recognized by some level of government as a legitimate organization and that the
organization has a physical presence. Under these guidelines, for example, someone
interested in committing fraud could not simply incorporate a shell company and get an EV
SSL certificate without also investing in a physical presence somewhere. Comparable
guidelines exist for issuing EV SSL certificates to government agencies or other
subdivisions.

User Experience with an EV SSL Certificate
The additional information tracked in an EV SSL certificate and the additional steps taken
to verify the identity of a subject both contribute to reducing the risk that an illegitimate
operation would be able to acquire an EV SSL certificate. So far, we have not described how
a typical user would benefit from an EV SSL certificate.

Today's major browsers can recognize EV SSL certificates and change their displays to give
users visual cues that they are working with a site that has an EV SSL certificate.

(a) Google Chrome

(b) Internet Explorer
Figure 2.7: Browsers provide visual cues, such as the green bar, to indicate when a
user is viewing a site authenticated by an EV SSL certificate.

Choosing the Right Type of SSL Certificate
SSL certificates are used in many situations and with varying requirements. Some
requirements are relatively simple and are based on the needs of a single application
running on a single server. In other cases, a business may have a large number of servers
that are fairly generic, in which case a key consideration is ease of management. In other
cases, businesses want to convey to customers an additional level of security while at the
same time mitigating the risk of an attacker spoofing their site with additional controls,
such as the browser green bar.

Trust and SSL Security
SSL certificates promote trust between people and businesses that might otherwise not
trust each other, or more specifically, not trust their Web sites. Many of us who shop online
trust online retailers because we see the lock icon in the Web browser that indicates our
communications are encrypted (and presumably, our credit card information is safe from
simple eavesdropping). We trust that we are at our bank's Web site and not some spoofed
version of the site because we see the green bar display indicating the use of a valid EV SSL.
We trust these things because we trust the CAs behind them.

Now imagine if we did not trust the CAs. So what if a business has an EV SSL from
Certificates Are Us, a fly-by-night operation that was just set up by a teenager in her
parents' basement; would that be of much value or assurance to you? Probably not.

Our trust in CAs comes with a number of assumptions about how they will behave:

CAs will protect encryption keys and their own root certificates so that others
cannot generate fake certificates as if they were from the CA

CAs will follow reasonable practices to verify the identity of an entity seeking an SSL
certificate with additional protections for EV SSL certificates

CAs will protect their information infrastructure to prevent breaches that would
compromise the integrity of their certificate generation process

Those of us that use SSL certificates also bear some responsibility. We need to manage our
certificates and ensure that private keys are kept private. We should use the appropriate
type of certificate to meet our requirements, but also control them so that they are not
abused. This can require additional controls and management protocols to track the
number and types of servers using a domain certificate.

A word of caution: CAs are targets for cyber attacks. A European CA was recently
compromised, which ultimately led to fake certificates being issued to several domains,
including Google and a US government agency. (For more details, see Mike Lennon,
"Infrastructure Compromise Put Fraudulent SSL Certificates in the Hands of Attackers,"
SecurityWeek, August 30, 2011.)

Summary
SSL certificates are essential to the way we secure online business and support trust
between businesses and their customers. SSL certificates use well-established technologies
and protocols, such as the X.509 standard and strong encryption algorithms, to support
server authentication and encryption. CAs have adapted to the needs of businesses,
particularly with regard to easing the management burden of multiple SSL certificates with
the introduction of domain-level certificates, and for the need for additional levels of
verification with EV SSL certificates. The trust engendered with the use of SSL certificates is
based on trust of CAs as well as the ability of those who use SSL certificates to protect them
from improper use.


Chapter 3: What Is Required by PCI Data Security Standards?
The PCI Data Security Standards Council publishes a number of documents for businesses,
IT professionals, software developers, and others who participate in implementing the PCI
Data Security Standard (PCI DSS). One of these, the Requirements and Security Assessment
Procedures (version 2.0), describes a set of requirements for businesses working with
payment card data. The document describes a set of high-level requirements organized into
six functional tasks:

Build and maintain a secure network

Protect cardholder data

Maintain a vulnerability management program

Implement strong access control measures

Regularly monitor and test networks

Maintain an information security policy

This chapter will describe these requirements in a slightly different structure, organized
more around clusters of requirements that would be addressed by different groups within
an IT department, for example, developers and systems administrators. These are not hard
and fast divisions. Some of the requirements necessitate collaboration between developers,
systems administrators, application architects, and application managers. Keeping in mind
the need for multiple skill sets, we will discuss the requirements organized around:

Data collection and storage practices

Infrastructure security

Vulnerability assessment

Monitoring and reporting

We begin with the most basic of tasks: collecting data.


Data Collection and Storage Practices
The PCI DSS includes a substantial number of requirements about storing payment card
data. There is no way to sufficiently summarize all these requirements in a brief statement
but a crude approximation of the spirit of the requirements is:

"Don't store payment card data if you don't have to, but if you do store payment
card data, lock it down and don't keep it any longer than necessary."

"Locking down" data in this case calls for strong encryption and comprehensive access
controls. As we shall see later in the chapter, keeping partial payment account information
is another method for protecting PCI DSS-relevant information.

Data Storage and Retention Regulations
The amount of payment card data stored in your applications and databases should be
minimized. The PCI DSS recognizes there may be business, legal, and regulatory reasons
that payment card data has to be stored. In such cases, the reasons for storing the data
should be defined as part of a policy, and that policy should include a justification for
storing the data and a specific data retention period. The PCI DSS also requires that you
have a procedure in place to actually delete data when the retention period passes. That
process should be executed quarterly.

Although there are reasons to store some payment card data, sensitive data should not be
stored after the authorization process is complete. The kinds of data that may be retained
include:

Name of customer on payment card account

The account number

Expiration date on the card

Service code

The PCI DSS requirements specify that the full contents of any of the tracks on the payment
card should not be stored. Magnetic stripes used in payment cards contain multiple tracks
with different information stored on each track. Not storing the full contents of payment
card tracks helps reduce the risk that someone could create fraudulent duplicate cards.
There are at most three tracks on a payment card. Track 2 was created by the banking
industry and includes the following data elements:

Start sentinel, which is a single character

Primary account number

One-character separator

Expiration date

Service code, which indicates interchange rules, authorization processing, and range
of services


Discretionary data, which may include a card verification value (CVV)

End sentinel, which is a single character

Longitudinal redundancy check, which is used by the card reader to verify data was
read correctly

The CVV code, also known as the CVC code, is one piece of data that should never be stored.
This code is used to validate a transaction when the card is not present at the point of sale;
for example, if someone is entering a card number online or providing it over the phone to
a salesperson. This information is only used for the card authorization process, so there
should be no reason to store it after that process completes.

The primary account number (which may or may not be the same as the card number) is
protected in a number of ways by the PCI DSS. Unless someone has a need to see the full
primary account number, it should be masked when displayed. For example, a receipt
might display just the last four digits such as ************1234. This is enough to help
those of us that have to track receipts from multiple cards without disclosing full account
numbers.

Encrypting Stored Data
When the primary account number is stored in persistent digital form, it must be protected
by some form of strong encryption, hash function, or by truncating the primary account
number. With strong encryption, you could retrieve the primary account number if you
have the decryption key, so obviously those must be carefully protected as well. In the case
of a hash function, there is no way to retrieve the original account number from the hash
value, but given a primary account number, you could apply the hash to determine whether
it is the same value as one previously calculated.
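
The three forms discussed above (masking for display, truncation, and a one-way hash that still allows matching) can be sketched as follows. This is an added example, not code from the guide or from the PCI DSS. Its assumptions: the hash is keyed (HMAC-SHA-256), truncation keeps the first six and last four digits, and the function names, the `SeenCards` class and the key value are hypothetical.

```python
import hashlib
import hmac
import re


def normalize_pan(raw):
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("not a plausible primary account number")
    return digits


def mask_for_display(raw):
    """Receipt-style masking: only the last four digits stay readable."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - 4) + pan[-4:]


def truncate_for_storage(raw):
    """Truncation: the middle digits are discarded and cannot be recovered.
    Keeping the first six and last four is this example's choice."""
    pan = normalize_pan(raw)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_token(raw, key):
    """One-way form of the PAN. Assumption of this example: a keyed hash
    (HMAC-SHA-256), so a token cannot be recomputed without the key."""
    pan = normalize_pan(raw).encode("ascii")
    return hmac.new(key, pan, hashlib.sha256).hexdigest()


class SeenCards:
    """Answers "have we seen this card before?" while holding no PAN."""

    def __init__(self, key):
        self.key = key          # protect it like any other cryptographic key
        self.tokens = set()     # only one-way tokens are kept

    def remember(self, raw):
        token = pan_token(raw, self.key)
        self.tokens.add(token)
        return token

    def seen_before(self, raw):
        candidate = pan_token(raw, self.key)
        return any(hmac.compare_digest(candidate, t) for t in self.tokens)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"   # constructed sample value
    cards = SeenCards(demo_key)
    cards.remember("4111 1111 1111 1111")             # widely used test number
    print(mask_for_display("4111 1111 1111 1111"))
    print(truncate_for_storage("4111 1111 1111 1111"))
    print(cards.seen_before("4111-1111-1111-1111"))
```
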

Payment card data may be stored on devices that use full disk encryption. In such cases, the
PCI DSS requires that the access control system is separate from the operating system (OS)
access controls. Cryptographic keys used for full disk encryption must be secured properly.
This entails common-sense procedures, such as limiting the number of people who have
access to the keys and the number of locations where the keys are stored. Of course, you
will need to balance this with the need to ensure availability of the keys in the event of a
failure on a device where the keys are stored. Some redundancy is allowed, but the
requirements specify that keys are stored in the fewest possible locations and forms (PCI
DSS Requirement 3.5.2).


Clearly, cryptographic keys are an important part of PCI DSS-compliant processes.
Managing them can be challenging. The PCI DSS includes a number of requirements related
to managing cryptographic keys:

Documenting procedures for generating keys

Securing cryptographic key distribution

Securing storage mechanisms for cryptographic keys

Setting valid periods for cryptographic keys and updating keys when necessary

Retiring keys when the integrity of the key has been compromised

Not using retired or compromised keys for encryption operations

In cases where keys are manually controlled, the PCI DSS requires that the process depend
upon multiple individuals. For example, two persons may have to enter their individual
codes to reconstruct a key. This separation of knowledge helps to mitigate the risk of a
single employee compromising the key management system. Collusion between employees
is still possible, but that can be mitigated in other ways, such as rotating the pairs of
employees or requiring three people to reconstruct a key.
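
One way to realize the separation of knowledge described above is to split a key into XOR components, one per custodian, so that every component is needed and any smaller set reveals nothing about the key. This is an added example, not a procedure from the guide or the PCI DSS; the function names and the SHA-256-based check value are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("components must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_check_value(key):
    """Short fingerprint that confirms a reconstructed key without storing it.
    Assumption of this example: a truncated, domain-separated SHA-256."""
    return hashlib.sha256(b"kcv-demo|" + key).hexdigest()[:16]


def split_key(key, custodians):
    """Return one component per custodian; all of them XOR back to the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # All but the last component are pure randomness...
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # ...and the last one is the key XORed with every random component.
    last = key
    for component in components:
        last = xor_bytes(last, component)
    return components + [last]


def reconstruct_key(components, expected_kcv):
    """Combine the components each custodian enters and verify the result."""
    if len(components) < 2:
        raise ValueError("at least two components are required")
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("components do not reconstruct the expected key")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # constructed sample key
    kcv = key_check_value(master)
    parts = split_key(master, 3)              # three people, as in the text
    print(reconstruct_key(parts, kcv) == master)
```

Rotating custodians, as the text suggests, means generating a fresh split of the same key and destroying the old components.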

Help with Implementing Key Management
The National Institute of Standards and Technology (NIST) has many
resources for security professionals, including frameworks for managing
cryptographic keys. See the Cryptographic Key Management Project for
resources on cryptographic key management.

Encrypting Transmitted Data
When payment card data is transmitted over a public network, such as the Internet, or over
a wireless network, it must be encrypted using strong encryption. Strong encryption can be
used in protocols such as IPSec and SSL/TLS. Neither protocol guarantees strong
encryption, though. Clients and servers negotiate the type of encryption and key length
they will use for a session. It is important that you ensure strong encryption is used when
encrypting transmitted payment card data.

When payment card data is collected from a Web site, the Web application should use SSL.
The use of SSL is indicated by the presence of https:// in the URL as well as through
indicators such as lock icons.
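
Because the cipher and key length are negotiated per session, the server has to refuse weak options up front. The following added example (not code from the guide) builds a server-side context with Python's standard `ssl` module and audits the suites it would offer. The TLS 1.2 floor, the cipher string, the 128-bit threshold and the list of legacy name markers are assumptions of this sketch, and `LEGACY_SAMPLE` is constructed data.

```python
import ssl

# Assumptions of this example: a TLS 1.2 floor and AEAD suites with forward
# secrecy. The text asks only that the negotiated encryption be strong.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
WEAK_NAME_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def hardened_server_context():
    """Server context that cannot negotiate down to weak encryption."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    # A real server would also call ctx.load_cert_chain(certfile, keyfile).
    return ctx


def weak_suites(suites, min_bits=128):
    """Flag suites by key strength and by legacy algorithm names.

    `suites` is a list of dicts in the shape SSLContext.get_ciphers() returns.
    """
    findings = []
    for suite in suites:
        reasons = []
        bits = suite.get("strength_bits", 0)
        if bits < min_bits:
            reasons.append("%d-bit strength" % bits)
        hits = [m for m in WEAK_NAME_MARKERS if m in suite["name"]]
        if hits:
            reasons.append("legacy algorithm: " + "/".join(hits))
        if reasons:
            findings.append((suite["name"], "; ".join(reasons)))
    return findings


def audit_context(ctx):
    """Summarize what a context is willing to negotiate."""
    offered = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "offered": len(offered),
        "weak": weak_suites(offered),
    }


# Constructed sample: what an unhardened legacy configuration might offer.
LEGACY_SAMPLE = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "strength_bits": 112},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "strength_bits": 256},
]

if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
    for name, why in weak_suites(LEGACY_SAMPLE):
        print("would reject:", name, "-", why)
```
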


Implementing Logical Access Controls
Access to payment card data should be restricted to those who have a need to know such
information to perform their job responsibilities. It follows from this idea that the access
controls should enforce:

Only the least privileges required to perform the job

Privileges are determined by a person's role and function in the organization

The need for proper approval before privileges are granted

The privileges that are granted are enforced by an automated access control system

Access controls should be applied to all system components. For example, application
functions, directory access, and so on should be limited by access control privileges tied to
a user's function in the organization.

It is not enough to restrict access to a functional role. For example, you should not create a
single application administrator user such as APPADMIN that is used by multiple
application administrators. This practice makes it difficult to track which of the application
administrators performs a particular operation. The PCI DSS specifically states that all
users must have unique IDs before being granted access to payment card data or any
component of the cardholder data environment, regardless of whether that person has
actual access to cardholder data.

Figure 3.1: Using a single account for multiple users, as in (a), is not allowed by PCI
DSS; instead, each user must have individual accounts, as shown in (b).


In addition to having a unique identifier, users are required to authenticate using a
password, a smart card, or a biometric device. (When passwords are stored or transmitted,
they must be strongly encrypted.) In cases where users access payment card data remotely,
the PCI DSS requires that the user present two forms of authentication, such as a password
and token. The two factors must be different types; that is, prompting the user for a
password and a security question is not considered a valid combination for two-factor
authentication. A better option is to use a combination of something you know (for
example, a password), something you have (for example, a token), or something you are
(for example, a fingerprint).

Procedures must be established to manage users who are granted access to payment card
data. This includes sound procedures for examining a person's credentials and identifying
material before granting access or resetting a user's password. Terminated employees
must have their access privileges revoked immediately. In cases where user accounts are
inactive for 90 days, the accounts should be disabled.

When a user is first granted access, their password should be set to prompt the user for a
new password during the initial use of the account. When temporary access is granted to a
vendor for remote access, those accounts should be monitored during use. They should
also be removed or disabled after the time period they are needed.

Users should be made aware of policies and procedures regarding access controls:

Limits on their access privileges

Password policies, such as password strength and the lifetime of a password (90
days at most)

Not to share their username and password, or other authentication device, with
anyone else

Passwords on accounts with access to payment card data should be at least seven
characters long and include both alphabetic and numeric characters. When passwords are
reset, the new password cannot be the same as any of the previous four passwords on the
account.

Login attempts should be limited to at most six failed attempts. After six failed attempts,
the account should be locked out for at least 30 minutes or until an administrator resets
access to the account.

Once a user has logged into a system, the user should remain logged in only as long as
needed to perform required tasks. If a user is logged in but idle for more than 15 minutes,
the user should be logged off the system or prompted to reauthenticate.
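
The numeric rules above (seven characters, letters and digits, no reuse of the last four passwords, 90-day lifetime, lockout after six failures for 30 minutes, 15-minute idle limit, 90-day inactivity) can be enforced in one place. The sketch below is an added example, not code from the guide. Its assumptions: the `Account` class and its status strings are hypothetical, the clock is passed in so the rules can be checked, and stored passwords are protected with salted PBKDF2.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta

MIN_LENGTH = 7                           # at least seven characters
HISTORY_DEPTH = 4                        # no reuse of the last four passwords
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_FAILED_LOGINS = 6
LOCKOUT = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVE_LIMIT = timedelta(days=90)
PBKDF2_ROUNDS = 200_000                  # assumption of this example


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id, created):
        self.user_id = user_id           # one ID per person, never shared
        self.history = []                # (salt, digest) pairs, newest last
        self.password_set = None
        self.failed = 0
        self.locked_until = None
        self.last_login = created
        self.last_activity = None

    def matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(derive(password, salt), digest)

    def set_password(self, password, now):
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than %d characters" % MIN_LENGTH)
        if not (re.search(r"[A-Za-z]", password)
                and re.search(r"[0-9]", password)):
            raise ValueError("password needs both letters and digits")
        if any(self.matches(password, entry) for entry in self.history):
            raise ValueError("password matches one of the last four")
        salt = secrets.token_bytes(16)
        self.history.append((salt, derive(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.password_set = now

    def login(self, password, now):
        if now - self.last_login > INACTIVE_LIMIT:
            return "disabled-inactive"   # needs an administrator to re-enable
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if not self.history or not self.matches(password, self.history[-1]):
            self.failed += 1
            if self.failed >= MAX_FAILED_LOGINS:
                self.locked_until = now + LOCKOUT
                self.failed = 0
            return "denied"
        self.failed = 0
        self.locked_until = None
        self.last_login = self.last_activity = now
        if now - self.password_set > MAX_PASSWORD_AGE:
            return "password-expired"    # authenticated, but must change it
        return "ok"

    def session_active(self, now):
        """False once the user has been idle for more than 15 minutes."""
        return (self.last_activity is not None
                and now - self.last_activity <= IDLE_TIMEOUT)


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 9, 0)   # constructed timeline
    acct = Account("jsmith", start)
    acct.set_password("Winter2024", start)
    print(acct.login("Winter2024", start))
    print(acct.session_active(start + timedelta(minutes=16)))
```
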


For most users, access to information in databases should be restricted to access through
applications. Only database administrators should have direct access to database queries.
Databases and applications should be configured to enforce this policy. In an extension to
the one-user-one-account principle, applications should have unique identifiers for
accessing databases as well. Individual user IDs should not have application access to
databases; these should be separate application user accounts.

Implementing Physical Access Controls
Someone with physical access to systems can present a security risk even when logical
access controls are in place. Someone without logical access to an application may still be
able to steal removable media or pick up hard copies of cardholder data. The PCI DSS
specifies several physical access control requirements to address these risks.

The physical access controls begin with access to buildings or rooms with information
systems housing payment card data. The PCI DSS specifies that sensitive areas should
implement a controlled access mechanism, such as magnetic badges, and monitor those
areas with video surveillance. Sensitive areas are defined to include:

Server rooms

Data centers

Rooms with equipment that store or process cardholder data

Rooms with equipment that transmit cardholder data (with the exception of
point-of-sale systems)

Access to networks or network equipment outside of sensitive areas should be protected as
well. For example, access to network jacks should be restricted to prevent unauthorized
access to networks that might transmit payment card data. Similarly, physical access to
wireless access points should be restricted to mitigate the risk of tampering.

Of course, there will be times when visitors will be present in sensitive areas or will have
physical access to networking equipment outside of sensitive areas. A number of practices
must be in place for such situations, according to the PCI DSS:

Developing procedures for granting visitor badges and tracking their use

Revoking badges

Changing access privileges granted to visitors

Ensuring the integrity of the badge system by limiting access to such systems to only
those who need access

Designing badges to allow visitors to be readily distinguished from regular
employees


Visitors should be authenticated and granted badges before they are given physical access
to sensitive areas. This should include recording information about the visitor in a visitor
log. The log should include:

Visitor's name

The organization represented by the visitor

The on-site personnel requesting that the visitor be granted access

The PCI DSS requires visitor logs to be retained for at least 3 months.

Access Controls and Removable Media
Physical access controls are defined for removable media such as backup tapes. Backup
media should be stored in a secure off-site location. When sensitive data is sent to an
off-site location, it should be moved by a secure courier. Logs should be kept describing the
movement of media with sensitive payment card data. The security procedures at the
off-site location should be reviewed annually.

When storage media with sensitive information is no longer needed, it should be destroyed.
In the case of paper copies of sensitive data, the paper should be shredded, burned, or
otherwise destroyed so that the data cannot be reconstructed. When the data is stored on
digital media, the media can be rendered unreadable by eliminating magnetic fields
(degaussing) or using a disk-wiping procedure to overwrite data on the device.

Note
The name of the popular open source overwriting program, Darik's Boot and
Nuke (DBAN), gives an indication of how thorough some overwriting
programs can be.

Much of the PCI DSS deals with data collection and storage practices. For more on these
topics, see the primary source for this chapter, the Payment Card Industry Data Security
Standard: Requirements and Security Assessment Procedures, version 2, and in particular,
Requirements 3, 4, 7, 8, and 9. Another area that receives significant attention in the PCI
DSS is infrastructure security.

Infrastructure Security and the PCI DSS
The PCI DSS requirements with regard to infrastructure security address the need to
maintain a secure network, deploy antivirus programs, and maintain policies that address
information security issues.


Maintaining a Secure Network
With headline news stories about retailers and online service providers compromising
millions of cardholder accounts in data breaches related to network intrusions, it is no
surprise that significant requirements address network security issues. The PCI DSS starts
with requirements specifying how firewalls and routers should be configured in networks
that transmit payment card data. These requirements include developing formal
procedures for configuring and changing firewalls and routers. Proposed changes should
be tested and documented.

Firewalls must be deployed between an internal network and a DMZ as well as between a
DMZ and the Internet.

Figure 3.2: Firewalls are required to partition the DMZ from the trusted internal
network.

DMZs should be in place to prevent direct access between the Internet and networks
processing cardholder data. Traffic from the Internet should be limited to network
addresses in the DMZ. Traffic from the trusted internal network to the Internet should be
limited to authorized traffic that is needed for well-defined business requirements.
Databases and other devices that store payment card data should only be located in a
trusted internal network and not in the DMZ. IP addresses of devices on the internal
trusted network should not be disclosed.


Documentation about firewalls and routers should specify the business justification for the
particular configuration used (for example, why particular ports are open). It should also
include mitigation strategies for insecure protocols, such as FTP and Telnet. Firewall and
router configuration should be reviewed at least once every 6 months.

In general, firewalls should be configured to prevent inbound traffic from external,
untrusted networks, such as the Internet, to networks housing systems working with
cardholder data, unless that traffic is required. Firewalls should be placed between
wireless networks and networks supporting card data processing as well. Network devices
should be configured with denial rules for all unnecessary inbound and outbound traffic.
Configuration files for firewalls and routers should be consistent across those devices.

Consumer devices owned by employees, such as mobile devices and laptops, that have
access to the organization's network should run personal firewalls configured to meet the
organization's requirements. In addition to protecting your network with these and other
measures, it is important to secure servers and other devices on the organization's
network.

Server Hardening to Meet PCI DSS Regulations
Server hardening is a multistep process that includes:

Changing default access control settings provided by a vendor

Minimizing functionality on servers

Encrypting administrative operations performed on non-console devices

Applications and devices sometimes arrive preconfigured with default passwords. Wireless
routers, for example, may broadcast the default name of the wireless network as the
vendor name. (How many times have you listed available wireless networks in your area
only to find a neighbor who never bothered to change their wireless access point
configuration?) Installing wireless and other devices with default vendor configurations is
rarely a good idea, even in a home environment. It definitely should not be done in a
professional environment and certainly not one in which payment card data is processed.

Servers and other devices on a network processing payment card data should minimize
their attack surfaces. This means that unnecessary programs, daemons, and services are
shut down and their application code removed. Servers should be deployed to serve a
single function, such as a database server or a file transfer server but not both. Software
components not needed for that purpose should be removed. Be sure to minimize
applications installed with the OS. For example, only development servers should have
compilers installed.


Virtual Servers vs. Physical Servers
When virtualization is used to run multiple virtual servers on a single
physical host, each virtual server should perform a single function. Multiple
virtual servers running different functions can be run on the same physical
server. Be sure to harden the virtual servers as well as the host system
providing the virtualization environment, for example, Windows Server
running Hyper-V or VMware virtualization environments.

The steps required to harden a server will vary by OS and applications. Minimizing the
attack surface on Linux will require different steps than doing so on a Windows server.
Applications with a modular structure, such as a Web server, or a complex set of features,
such as a database server, can also be hardened. Again, different types of applications will
require different steps. Microsoft Internet Information Services (IIS) server and the Apache
Web Server both support optional modules that should be reviewed and minimized.
Databases, such as Microsoft SQL Server or the Oracle relational database, should have only
the components required to meet business requirements. When servers are administered
remotely, all communications should be over a secure protocol such as SSH.

Deploy Antivirus Applications
Malware such as viruses, Trojans, worms, keyloggers, and rootkits can find their way into a
network through various entry points, including email, removable media, and
compromised Web sites. It is important to deploy antivirus software capable of detecting,
removing, and protecting against known malware threats. Since malware developers are
frequently changing existing malware and developing new malicious code to exploit newly
discovered vulnerabilities, it is important to keep antivirus programs up to date.

The PCI DSS requires verification that antivirus programs are constantly running, so be
sure to generate logs from these applications. The software should be configured to
perform periodic scans as well.

Develop and Enforce Security Policies
Security practices like those described here to protect information infrastructure have to
be organized and coordinated, otherwise we risk missing important elements or losing
track of what is done in practice. The PCI DSS defines an extensive set of policies that
should be in place to protect payment card data. These include policies that:

Address PCI DSS requirements

Ensure formal risk assessments are performed

Define operational security procedures

Define acceptable use policies for technologies that are used to process or could
compromise payment card data, such as wireless communications, consumer
devices, and email

Define authentication, authorization, and related policies for these technologies

Assign information security responsibilities to a person or team


Define security responsibilities for individuals in the organization

Develop security awareness training

Screen personnel to mitigate the risk of an insider-based attack or data breach

Employ adequate security procedures with business partners working with
payment card data

Develop incident response procedures to deal with data breaches or other
compromised security incidents

The combination of maintaining a secure network, deploying antivirus applications, and
developing a comprehensive set of security policies and procedures constitutes the group of
requirements related to infrastructure security. For more on these topics, see the primary
source for this chapter, the Payment Card Industry Data Security Standard: Requirements
and Security Assessment Procedures, version 2, and in particular, Requirements 1, 2, 5, and
12.

Vulnerability Assessment and Management
The wide array of applications that run in today's business environments present ample
opportunities for attackers. Every program is a potential point of entry for an attack, if the
application has a vulnerability that can be exploited to provide unauthorized access to data
or functions, allows the attacker to elevate his or her privileges in the environment, allows
the attacker to install malicious software, or allows him or her to collect additional
intelligence about the network and its applications. This is quite a list and that is why the
PCI DSS puts so much emphasis on developing and maintaining secure applications.

The PCI DSS requires that businesses apply vendor-provided patches and that security
patches be applied within a month of their release. IT professionals should also monitor
newly discovered vulnerabilities and assess their importance. Public vulnerability
databases often specify a severity level when vulnerabilities are discovered, so you can
identify top-priority vulnerabilities using these assessments.

Software should be developed following industry best practices. These practices include:

Removing custom accounts, passwords, and related information and access points
before releasing code for use

Performing code reviews on custom code to mitigate the risk of back-door code or
other malicious code in the application

Keeping development, test, and production environments separate

Following a policy of separation of duties with developers and application
administrators

Using realistic but not real data for testing


Formalizing change control procedures to manage security patches to custom
software

Following coding guidelines to avoid common coding patterns that lead to
vulnerabilities, such as injection attacks, buffer overflows, cross-site scripting,
improper access controls, and improper error handling

Using vulnerability scanning tools, especially on public Web sites, to test for
emerging threats

Insecure custom applications are not uncommon. There are many ways to compromise an
application. Fortunately, there are guides documenting best practices for developing secure
Web applications. The Open Web Application Security Project has developed security
guidelines for developers and architects. The latest version is under development; it
includes a wide range of advice covering topics such as:

Security architecture

Authentication

Session management

Access control

Input validation

Output encoding

Cryptography

Error handling

Data protection

Communication security

HTTP security

Security configuration

Malicious code search

Internal security

These guidelines can help new and ongoing development efforts to reduce the risk of
developing vulnerable code. For existing applications, especially those running in
production, use vulnerability scanners to probe for known vulnerabilities in your
applications. Some commonly used vulnerability scanners now include support for PCI
DSS-oriented vulnerability scanning and reporting.

For more on these topics, see the primary source for this chapter, the Payment Card
Industry Data Security Standard: Requirements and Security Assessment Procedures,
version 2, and in particular, Requirement 6.


PCI DSS Monitoring and Auditing
A key element of the monitoring process for the PCI DSS is the ability to track users'
activity, including logging in and detecting unusual events. Logs should provide sufficient
data to link activities in systems to specific users. This is especially important when
monitoring administrators with elevated privileges.

The PCI DSS specifically requires logging and monitoring that includes the ability to
reconstruct sequences of significant events, such as:

Access to payment card data

Operations performed with administrator or root privileges

Access operations to audit trail files

Attempts to access resources in violation of logical access controls

Login attempts and other uses of the authentication system

Initialization of audit logs

Creation and deletion of system-level objects

When capturing these events in audit logs, the entries in the logs should include sufficient
information about the event to allow a reviewer to develop a reasonably comprehensive
understanding of who performed the action, when it occurred, and what was done. The
attributes that should be logged include:

Username or other identification

The type of event that occurred, for example, attempt to access a file

Date and time of the event

An indication of the success or failure of the event

As many applications are distributed over several machines, it is important to keep the
system times synchronized across servers so that timestamps in different logs can be
compared.

Obviously, audit trails must be safe from tampering to be of use. Audit trail files should
have limited access and should be protected against tampering. Audit trail files should be
backed up and file-level message digests should be calculated to help identify tampering
should it occur.

Log files should be reviewed daily. Audit files should be kept for a year.
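
The logged attributes and the file-level message digests described above fit together as follows: each entry carries user, event type, UTC time and outcome, and closed (rotated) audit files are recorded in a digest manifest that is checked later. This is an added example, not code from the guide. The JSON entry layout, the function names, and the HMAC over the manifest (so the manifest itself cannot be silently rewritten) are assumptions of this sketch.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


def audit_entry(user, event_type, outcome, when=None):
    """One log line with the four attributes the text lists."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    return json.dumps({
        # UTC so that entries from different servers can be compared
        "time": when.astimezone(timezone.utc).isoformat(),
        "user": user,
        "event": event_type,
        "outcome": outcome,
    }, sort_keys=True)


def file_digest(path):
    """SHA-256 of a file, read in chunks so large logs are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_mac(digests, key):
    body = json.dumps(digests, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(paths, key):
    """Record digests of closed audit files; store the result off-host."""
    digests = {os.path.abspath(p): file_digest(p) for p in paths}
    return {"digests": digests, "mac": manifest_mac(digests, key)}


def verify(manifest, key):
    """Return [(path, 'modified' | 'missing')] for files that changed."""
    expected_mac = manifest_mac(manifest["digests"], key)
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        raise ValueError("manifest failed its own integrity check")
    problems = []
    for path, expected in sorted(manifest["digests"].items()):
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif file_digest(path) != expected:
            problems.append((path, "modified"))
    return problems


if __name__ == "__main__":
    # Constructed sample entry; user name and event text are made up.
    stamp = datetime(2011, 9, 1, 12, 0, tzinfo=timezone.utc)
    print(audit_entry("jsmith", "read cardholder record", "success", stamp))
```

A digest only makes sense for a file that has stopped growing, so seal logs at rotation time and keep the manifest and its key away from the host being audited.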


The PCI DSS also requires regular testing in the production environment to mitigate the
risk of a security breach. Specifically, these requirements include:

Testing to detect unauthorized wireless access points on the network

Running vulnerability scanners at least once every 3 months; this includes internal
scans as well as scans by an approved, external scanning vendor

Running vulnerability scanners after making substantial changes to the
environment

Performing application and network-level penetration testing at least once per year
or after making substantial changes to the environment

Monitoring for intrusions with the use of intrusion detection systems

Using file integrity monitoring applications to detect file tampering

For more on these topics, see the primary source for this chapter, the Payment Card
Industry Data Security Standard: Requirements and Security Assessment Procedures,
version 2, and in particular, Requirements 10 and 11.

Summary
The PCI DSS requires a broad array of controls, procedures, and policies to ensure that
payment card data is protected. The requirements include specifications on how to manage
data collection and storage practices, how to secure infrastructure, ways to manage
vulnerabilities, and how to monitor, report, and audit the state of systems processing
payment card data.


Chapter 4: PCI DSS Compliance Checklist
The Payment Card Industry Data Security Standard (PCI DSS) contains more than just
recommended best practices; they are required policies, procedures, and technical
requirements for businesses that use payment cards. The PCI Security Standards Council
provides a number of documents that describe requirements in detail along with FAQs and
guidelines; these are available in the council's documents library. This chapter highlights
key compliance areas with a focus on the use of SSL certificates, including:

Self-assessment activities

Security of servers and data transmission with SSL

Essential security policies related to SSL certificates

SSL certificate life cycle management

Before delving into the details of how to use SSL certificates to meet PCI DSS requirements,
we will discuss the self-assessment process.

Self-Assessment Activities
For all but the smallest merchants, self-assessments are required annually, and they are
highly structured and must include the detailed testing procedures prescribed in the PCI
documentation. In this chapter, we will consider elements of self-assessments. This is not a
complete discussion but considers five broad areas:

Data collection and storage practices

Network security practices

Server and application security practices

Monitoring practices

Policies and procedures

The goal of the following discussion is to consider the main requirements in each area.
These checklists are not a substitute for an audit; instead they are intended as a guide to
important topics that will be tested during an audit.


Data Collection and Storage Practices
Data collection and storage practices cover how you handle payment card information,
including account numbers and authentication data. The general rule is that you should not
store data unless it is needed for a well-defined business reason and when data is stored, it
should be encrypted.

As part of the self-assessment, you should verify the following requirements for storing
payment card data:

Determine if any authentication data is stored for extended periods of time. If
authentication data is stored for extended periods, storage must only be done by
payment card issuers or companies that support issuers. Merchants may never store
authentication information after authorization.

Determine whether any authentication data is stored temporarily and is then
deleted. If so, verify that data is unrecoverable. This task can include verifying that
data blocks that contain temporary data are overwritten sufficiently to prevent
recovery. If relational database management systems are used to temporarily store
authentication data, verify the data is unrecoverable from rollback segments,
transaction logs, and other data structures used to implement data integrity and
availability services of the database.

Verify that the full contents of the magnetic stripe of a payment card are not stored.
All output from applications that process payment card data should be checked.

Verify that the card verification code (CVV2, CVC2, CID, or CAV2) for payment cards
is not stored. All output from applications that process payment card data should be
checked.

Verify that the personal identification numbers (PINs) are not stored, either in
native form or as encrypted PIN blocks. All output from applications that process
payment card data should be checked.

Limit the use of sensitive payment card data in debugging and troubleshooting.

Define retention periods for sensitive data that is stored for established business
purposes.

Verify that data retention policies are enforced and execute according to schedule.


When sensitive data is stored, it should be protected with encryption, and when it is displayed, subsets of the data should be masked in order to prevent inadvertent disclosure. As part of the self-assessment, you should verify the following requirements for encrypting and masking sensitive information:

Verify that the payment account number (PAN) is partially masked unless there is a business need to view the full PAN.

Verify that PANs are stored using one of the approved PCI DSS methods, which include one-way hashes and encryption with strong cryptography.

Verify PANs are unreadable in application output, such as trace files, and exported copies of data, such as backup files.

Verify cryptographic keys are securely stored. Acceptable methods include storing cryptographic keys on removable media protected with access controls. In cases where full disk encryption is used, the encryption mechanism must be independent of the operating system (OS).

Verify access to keys is restricted to the minimum number of people necessary, and that the keys are stored in the minimum number of locations practical.

Verify key management procedures are in place to generate, store, and distribute keys.

Verify procedures are in place to generate new keys to replace existing keys at the end of their useful life or in the case of suspected compromise.

Resource
For details on data storage requirements, see PCI Payment Application Data Security Standard: Requirements and Security Assessment Procedures v2, Requirements 3.
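
One way to check application output for readable PANs, as the checklist above asks for trace files: this is an added example, not code from the guide. The log lines are constructed, the card numbers are well-known test numbers, and the first-six/last-four masking split is this example's choice (the checklist only says "partially masked").

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed trace lines for the example (test card numbers only).
SAMPLE_TRACE = [
    "10:22:31 DEBUG auth request card=4111111111111111 amount=25.00",
    "10:22:32 INFO order=1234567890123456 accepted",
    "10:22:33 DEBUG retry pan=5500 0000 0000 0004 exp=12/30",
    "10:22:34 INFO receipt printed for card 411111******1111",
]


def luhn_valid(digits):
    """Luhn checksum: filters out most order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, mask everything between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line):
    """Return (start, end, digits) for each Luhn-valid candidate in a line."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def scan(lines):
    """Report (line number, masked PAN) so the report itself never holds a PAN."""
    findings = []
    for number, line in enumerate(lines, 1):
        for _start, _end, digits in find_pans(line):
            findings.append((number, mask_pan(digits)))
    return findings


def redact(line):
    """Rewrite a line with every detected PAN masked in place."""
    out = line
    for start, end, digits in reversed(find_pans(line)):
        out = out[:start] + mask_pan(digits) + out[end:]
    return out


if __name__ == "__main__":
    for number, masked in scan(SAMPLE_TRACE):
        print(f"line {number}: readable PAN found ({masked})")
```

The Luhn check keeps the 16-digit order number on the second line out of the findings; the same scan applies to exported copies such as backup files once they are readable as text.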

Network Security Practices
Networks supporting payment card applications must be secured using a number of security controls. The following checklist highlights major requirements:

Verify that default configurations are not used on wireless access devices. This task includes changing encryption keys, Simple Network Management Protocol (SNMP) community strings, and passwords.

Verify that firewalls are in place between wireless access devices and payment card applications. Network traffic between wireless access devices and the payment card application should be blocked unless the data exchange is required by the payment card application.

Verify that payment card data is never stored in the DMZ.

Limit remote access to payment card applications for application vendors only during times remote access is required by the vendor; for example, to update the application.

If users have remote access to the payment card application, verify that secure controls are in place, such as access over a virtual private network (VPN), restricted access available only to known MAC addresses, and other approved methods.

Verify that network traffic is encrypted using strong encryption, especially if data is sent over public networks.

Verify that wireless access devices are updated to support strong encryption.

Verify that non-console administrative access to payment card applications is encrypted.

It should be noted that many network security practices, such as encryption between clients and servers, utilize SSL certificates. The broad use of SSL certificates offers an example of a common occurrence in IT: A technology or service critical to the implementation of a higher-level function is often out of sight and, potentially, out of mind. It is important to maintain an awareness of the underlying technologies that enable security, such as SSL certificates, so that we plan for and manage their use properly.

Server and Application Security Practices
Payment card applications run on servers that must be secured. This security entails a combination of application configuration, OS configurations, and security services, such as antivirus and firewalls. As part of the process of ensuring payment card applications and their servers are secure, consider the following checklist items:

Test payment card applications for vulnerabilities before deploying and while in production. Vulnerabilities that can compromise an application include susceptibilities to SQL injection attacks, buffer overflows, improper error handling, cross-site scripting attacks, and insecure cryptographic storage.

Minimize the number of OS services and daemons running on payment card applications and other servers.

Verify that OS services and daemons running on payment card and other application servers are securely configured.

Establish procedures to identify new vulnerabilities and to acquire and install security patches as necessary. Critical security patches must be applied within 1 month of release.

Ensure that default administrative accounts are not used by the payment card application.

Ensure unique user accounts are assigned to all payment card application users. Shared accounts must not be used.

Ensure that users are authenticated to the payment card application using something they know (for example, a password or passphrase), something they have (for example, a smart card), or something they are (for example, a biometric measure such as a fingerprint).

Verify passwords are changed every 90 days, ensure they conform to minimal requirements regarding length and use of alphanumerics, and verify that passwords are different from four previous passwords.

Verify user accounts are locked after at most six failed login attempts, and ensure that accounts remain locked until unlocked by an administrator or for a period of at least 30 minutes.

Verify anti-malware applications are properly configured on all servers and client devices that are used to access or support payment card applications.

Even with established procedures to protect data, secure networks and servers, and applications, it is important to monitor the function of these procedures.

Monitoring Practices
Monitoring a payment card application largely depends on the ability to collect information about significant events in application logs. The following checklist highlights steps you can take to ensure compliance with logging requirements:

Verify payment card applications are enabled to log events.

Ensure that details about individual access to cardholder's data are recorded in the application log.

Ensure that activities performed by users with elevated privileges are recorded in the application log.

Verify that the payment application logs events related to access to the audit trail.

Verify that all use of the application's authentication and authorization systems is logged.

Ensure that log entries include at least the following: user identification, the type of event that occurred, the date and time of the event, the point of origin of the activity, an indication of the data or system component affected by the activity, and an indication of whether the attempted activity succeeded.

Use centralized logging to consolidate logs from multiple servers.

In addition to these checklist items, you should make sure that log files are secured and the risk of tampering is mitigated through the use of strong access controls and the transmission of log entries to a central server as soon as possible.
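
A check for the six minimum log-entry elements listed above, run over constructed log lines: this is an added example, not code from the guide. The JSON layout and field names are assumptions of the example, as is the extra check that timestamps carry a UTC offset, which matters once logs from several servers are consolidated.

```python
import json
from datetime import datetime

# Hypothetical field names mapped to the six elements the checklist requires.
REQUIRED = {
    "user": "user identification",
    "event_type": "type of event",
    "timestamp": "date and time",
    "origin": "point of origin",
    "target": "data or system component affected",
    "outcome": "success or failure indication",
}
OUTCOMES = {"success", "failure"}

# Constructed sample log for the example.
SAMPLE_LOG = [
    '{"user": "alice", "event_type": "pan_view", "timestamp": "2024-01-15T10:22:31+00:00",'
    ' "origin": "10.0.4.17", "target": "cardholder_db", "outcome": "success"}',
    '{"user": "bob", "event_type": "login", "timestamp": "2024-01-15T10:22:32+00:00",'
    ' "target": "auth service"}',
    '{"user": "admin7", "event_type": "audit_log_read", "timestamp": "2024-01-15 10:22:33",'
    ' "origin": "console", "target": "audit trail", "outcome": "ok"}',
    "Jan 15 10:22:34 app01 payment: card lookup by carol",
]


def check_entry(raw):
    """Return a list of problems for one log line (empty list means compliant)."""
    try:
        entry = json.loads(raw)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(entry, dict):
        return ["not a JSON object"]

    problems = []
    for field, meaning in REQUIRED.items():
        value = entry.get(field)
        if value is None or str(value).strip() == "":
            problems.append(f"missing {field} ({meaning})")

    stamp = entry.get("timestamp")
    if stamp:
        try:
            if datetime.fromisoformat(stamp).tzinfo is None:
                problems.append("timestamp has no UTC offset")
        except (TypeError, ValueError):
            problems.append("timestamp is not ISO 8601")

    outcome = entry.get("outcome")
    if outcome and outcome not in OUTCOMES:
        problems.append(f"outcome {outcome!r} is not one of {sorted(OUTCOMES)}")
    return problems


def audit_log(lines):
    """Map line number to its problems, for non-compliant lines only."""
    report = {}
    for number, raw in enumerate(lines, 1):
        problems = check_entry(raw)
        if problems:
            report[number] = problems
    return report


if __name__ == "__main__":
    for number, problems in audit_log(SAMPLE_LOG).items():
        print(f"line {number}: " + "; ".join(problems))
```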

Policies and Procedures
Policies specify what a business does as a matter of practice, and in the case of security, what is required to meet business objectives regarding protecting data and IT resources. The PCI DSS has a number of requirements with regards to policies. The following checklist highlights important topics addressed:

Verify that a policy exists that addresses the requirements listed in the PCI DSS documentation.

Verify that a policy has been defined that documents the need for annual risk assessments to identify threats and vulnerabilities.

Ensure the company's security policy is reviewed and revised as needed at least once per year.

Define operational security procedures in line with security policies.

Define usage policies that address who is allowed to use payment card applications and what authentication steps are required.

Ensure policies are in place that specify how devices are labeled and correlated to their owners.

Ensure acceptable use policies are in place.

Verify policies address issues such as inactivity timeouts and remote access restrictions.

Verify a policy exists that defines approved devices and approved locations for those devices.

Ensure a policy exists that prohibits copying sensitive cardholder data to remote drives or removable media.

Define policies that specify security personnel's roles and responsibilities. These should include details about who has responsibilities for authentication and authorization, incident response, and log review.

Verify that a security awareness training policy is in place and complies with PCI DSS requirements.

The details of most of these policies are beyond the scope of this guide, but several are related to the use of SSL certificates and will be considered in more detail in a later section. The next section will delve deeper into checklist items specifically related to the use of SSL certificates.

Securing Servers and Data Transmission with SSL
The PCI DSS standards documentation mentions the use of strong encryption in several places. What does this mean from an operational perspective? In part it means:

Using encryption algorithms and key lengths that are considered strong by the cryptographic community

Using strong protocols

Configuring SSL software to avoid vulnerabilities and weaknesses in protocols

Let's look at each of these in more detail.

Use Strong Encryption
Strong encryption is a somewhat imprecise term but it is generally used to describe an algorithm that is highly resistant to deciphering without an encryption key. In the simplest sense, an encryption algorithm is strong if the number of possible keys is so large there is no practical way to use a brute force search of all possible keys to find the deciphering key. Strong cryptography is not as vulnerable to analytic techniques either.

Cryptanalysis can be done in many ways. For example, an early form of cryptanalysis looked at the frequency with which characters appeared in the encrypted text in order to correlate those with the frequency of characters one would find in plaintext. Using a more advanced technique known as differential cryptanalysis, someone could apply an encryption algorithm to a large number of input texts and study the resulting output in an effort to detect how differences in input affect the resulting output. Strong encryption algorithms are considered less likely than weak encryption algorithms to be compromised by such techniques.

Note
The strength of an encryption algorithm is a product of the key length that is used. When considering the strength of an encryption algorithm, be sure to include the length of the encryption key.

The PCI DSS Glossary includes the following examples of strong cryptography:

AES with at least 128-bit keys

Triple DES (TDES) with minimum double key length

RSA with 1024-bit keys

ECC with 160-bit keys

ElGamal with 1024-bit keys

Advances in cryptanalysis may one day eliminate one or more of these algorithm-key length pairs from the list of accepted strong cryptography. The Digital Encryption Standard (DES), for example, was once a standard encryption algorithm in widespread use starting in the mid-1970s. However, by 1999, a group of cryptography researchers demonstrated DES encryption could be broken in less than 24 hours using a brute force search on a custom-built device dubbed Deep Cracker. It is also possible that cryptanalysis will discover weaknesses in any of these algorithms that may be compensated for with the use of longer keys. In such cases, the algorithms may still be used in applications requiring strong cryptography as long as keys are sufficiently long.

Using strong encryption requires the use of sound key management practices. Key management is a complex process that includes:

Distinguishing different types of keys according to their use, such as public/private keys, symmetric authentication keys, symmetric key wrapping keys, and so on

Defining valid time periods for cryptographic keys, also known as cryptoperiods

Considering private key possession

Addressing compromised keys

Resource
For guidance on key management, see the National Institute of Standards and Technology's (NIST) Recommendations for Key Management Part 1: General (Publication 800-57).

Use Strong Protocols
Protocols, in this discussion, are agreed-upon procedures for exchanging data. Many of the widely used protocols are defined by the Internet Engineering Task Force (IETF; see the list of Official Internet Protocol Standards examples). Some of the protocols are designed with less concern for security than others. In some cases, this is not an issue because the protocols are low-level network protocols designed for minimum overhead; the User Datagram Protocol (UDP) is a case in point. In other cases, less secure protocols are coupled with more secure versions, such as the insecure FTP and the more secure versions FTPS or the alternative protocol SSH File Transfer Protocol. When assessing network communications for use with payment card applications, strong protocols are preferable to weak protocols.

Characteristics of Weak Protocols
Weak protocols do not employ security measures found in strong protocols. Strong measures include:

Encrypting contents

Enabling authentication

Providing evidence for message integrity

The problem with weak protocols can be seen with basic HTML form authentication in which passwords are passed in plaintext. An application user navigates to the authentication page of an application and enters a username and password. The username and password may be passed to the application server in cleartext or encoded using a simple scheme such as base64 encoding. There is no encryption, so the username and password are available for capture by someone sniffing network traffic. There is no way to authenticate where the username and password originated, so the username and password may be used by someone other than the legitimate user. In addition, as there is no way to verify the integrity of the data that is passed, the data may be changed by someone using a man-in-the-middle attack.

Another example of a weak protocol is authenticating based on the contents of an HTTP referrer, which is metadata about an HTTP request that identifies the requestor. Like the example provided earlier, there is no encryption, reliable authentication, or ability to detect tampering with the contents of the HTTP referrer data.

Strong protocols should be used when transmitting payment card data.

Characteristics of Strong Protocols
Not surprisingly, strong protocols avoid the vulnerabilities of weak protocols using cryptographic techniques, including:

Strong encryption algorithms and key lengths

Support for authentication, typically using SSL certificates

Support for message integrity using message digests

Often when SSL certificates are used for authentication, it is only servers that are authenticated. This setup is understandable when the objective is to assure users that they are communicating with legitimate servers belonging to the business the users are attempting to work with. In the case of payment card data processing, it is important to authenticate any device that receives payment card data. Even when you use strong protocols, you should keep in mind that some configurations, early versions of the protocols, or implementations may harbor weaknesses.

Beware of Weaknesses in Protocols
One of the targets of cryptanalysis is weaknesses in cryptographic algorithms, but those algorithms are only part of the process of establishing secure communications. There are other steps, such as starting a session, deciding which algorithms to use for encryption and message digests, acknowledging responses to requests, and so on. These steps are all defined in protocols, such as the SSL/TLS protocols, and the sequences of steps defined in the protocols may be vulnerable to attack.

An example of a protocol weakness is the SSL renegotiation vulnerability, which creates a vulnerability that could be exploited for a man-in-the-middle attack. Renegotiation is the process of carrying out the SSL handshake over an established SSL connection. Prior to 2010 when the vulnerability became widely known, commonly used SSL implementations allowed for unsecure renegotiations by default. It is now considered a safe practice to use secure renegotiation by default. SSL protocols should be configured by default to use secure renegotiation.

Resource
See Transport Layer Security (TLS) Renegotiation Indication Extension for more details on secure renegotiation.

More recently, security researchers have demonstrated how to exploit a vulnerability in the TLS 1.0 protocol. The attack, known as Browser Exploit Against SSL/TLS (BEAST), exploits a weakness in the way a cipher is implemented. Version 1.1 of TLS introduced more randomization into the way CBCs are used and is not vulnerable to the BEAST attack.

The key point to remember here is that even strong encryption algorithms can be used in vulnerable protocols. In order to protect sensitive and confidential information, it is important to be aware of vulnerabilities in protocols and in particular implementations of those protocols. The BEAST attack took advantage of a weakness in the TLS protocol that could be exploited in any implementation of the TLS 1.0 protocol. In addition to vulnerabilities in protocols, which affect all implementations, there may be vulnerabilities introduced by the way a protocol is implemented. For example, there may be a bug in a program that implements part of the SSL/TLS protocol in a browser. This requires a patch to the browser but does not warrant changing the protocol. From an operations perspective, it is important to be aware of both protocol and implementation vulnerabilities.

Tracking Vulnerabilities
A number of resources on the Web are available to help you track vulnerabilities, including the National Vulnerability Database and the Common Vulnerabilities and Exposures website.

Essential Security Policies Related to SSL Certificates
Security policies define rules that must be followed with regards to implementing information security. The range of security policies includes acceptable use, physical security, wireless security and desktop security. Policies that influence the use of SSL certificates, and PCI DSS compliance, include:

Encryption policy

Access control policy

Data classification policy

Monitoring and auditing policy

Policy documents typically include brief definitions of the scope, intended audience, and purpose of the policy. The core of any policy document is the policy statement that defines the rules to be followed with regard to the subject of the policy.

Encryption Policy
Encryption policies should define several aspects of encryption use within a business setting, including:

Use of encryption for data at rest

Use of encryption for transmitted data

Types of encryption algorithms allowed and key length

Key management

Within each of these sections, the policy should define high-level requirements, perhaps referencing government or industry standards. Policy documents tend to be brief because they only specify what needs to be done; they do not describe how to implement these requirements or elaborate on why a particular choice was made about each rule. However, policy writers sometimes include a brief description of the motivation for the need for a particular set of rules.

Using Encryption for Data at Rest
Data at rest is data that is stored on fixed or mobile storage devices. The data at rest section of the policy should specify under what conditions data needs to be encrypted and can include:

Encrypting by data classification (see later discussion for more on data classification schemes)

Encrypting data by application type, such as payment card processing applications

Encrypting data by business function; for example, human resources and legal departments may encrypt all data by default

The policy may specify if full disk encryption is required and if so how authentication should be implemented. This specification is particularly important with respect to the PCI DSS because it explicitly states that the authentication system for full disk encryption should be separate from the OS's authentication mechanism.

The policy may also include rules for the use of encryption on mobile devices, particularly how access controls are implemented on mobile storage devices. For example, a policy may specify that a passphrase must meet several criteria (for example, length, combination of character types, and so on) for acceptable use. It may also include rules about how long confidential data can remain on a mobile device, who may physically possess mobile media with confidential information, limits on where the mobile device may be taken, etc.

Using Encryption for Transmitted Data
Encrypting data during transmission is clearly an important aspect of the PCI DSS regulations. Policies on this area should meet the minimal standards specified in the PCI DSS. In addition to stating the need for strong encryption anytime payment card data is transmitted, the policy may explicitly state the need for additional measures to ensure the standards are met. For example, the policy may specify that SSL software be configured to negotiate the use of only strong cipher suites. This is implied in the PCI DSS requirement and borders on an implementation issue, but it is an important point and explicitly stating it in the policy can help educate the audience about a potential weakness in an SSL configuration.
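
A sketch of the "only strong cipher suites" rule above, which also applies the TLS 1.0 point from the BEAST discussion: this is an added example using Python's standard ssl module, not code from the guide. The 112-bit floor (the shortest symmetric key on the glossary list, double-length TDES), the weak-name tokens, the choice of TLS 1.2 as the floor for the hardened context, and the constructed legacy description are assumptions of the example.

```python
import ssl

MIN_BITS = 112                        # assumption: shortest symmetric key on the page's list
WEAK_TOKENS = ("NULL", "EXP", "RC4")  # assumption: suite-name markers treated as weak here

# Constructed description of a legacy endpoint, for comparison with the hardened context.
LEGACY = {
    "min_version": ssl.TLSVersion.TLSv1,
    "ciphers": [
        {"name": "RC4-SHA", "strength_bits": 128},
        {"name": "DES-CBC-SHA", "strength_bits": 56},
        {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    ],
}


def build_server_context():
    """Server-side context limited to recent protocol versions and AES-GCM suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 is never negotiated
    ctx.set_ciphers("ECDHE+AESGCM")                # TLS 1.2 suites; TLS 1.3 suites stay enabled
    return ctx


def audit(min_version, ciphers):
    """Return policy findings for a protocol floor and a list of enabled suites."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_1:
        findings.append("protocol floor allows TLS 1.0 or older")
    for suite in ciphers:
        name = suite["name"]
        bits = suite.get("strength_bits", 0)
        if bits < MIN_BITS:
            findings.append(f"{name}: {bits}-bit key is below {MIN_BITS}")
        elif any(token in name for token in WEAK_TOKENS):
            findings.append(f"{name}: weak algorithm in suite name")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext using what the TLS library reports as enabled."""
    return audit(ctx.minimum_version, ctx.get_ciphers())


if __name__ == "__main__":
    print("hardened:", audit_context(build_server_context()) or "no findings")
    for finding in audit(LEGACY["min_version"], LEGACY["ciphers"]):
        print("legacy:", finding)
```

Auditing what `get_ciphers()` reports, rather than the cipher string that was configured, catches cases where the library's defaults or a later configuration change re-enable suites the policy excludes.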
Types of Algorithms and Key Lengths
The PCI DSS documentation provides examples of strong cryptography algorithms and key lengths. They can be included in the encryption policy. The list may change over time, so part of the regular reviews of security policies should include a review of the list of algorithms and key lengths considered acceptable by the PCI Security Standards Council.

Key Management
The key management section of the encryption policy should include rules about who is allowed to generate new keys, separation of duty and job rotation requirements for personnel with key management responsibilities, and the need for separate keys for separate functions. Key management is such a complex task that this subject is a good candidate for referencing external guidelines, such as the NIST guidelines on key management.

Access Control Policy
Businesses need to control who has access to their data and applications, and access control policies specify the rules for this. In practice, you may find the need for multiple access control policies, such as remote access control, application access control, and physical access control policies. In general, these policies define the actions that people in particular roles can perform on the network, with data, or with regard to physical access to IT infrastructure.

Some of the topics that may be included are:

Description of business roles

Specification of who is allowed to make decisions about granting and revoking access

Minimal requirements for access controls, such as logical access controls for data or the use of magnetic cards for physical access to data centers

Logging requirements for access events

As with other policies, there may be a discussion of separation of duties and job rotation requirements.

Data Classification Policy
The PCI DSS regulations make reference to payment card data and cardholder data when specifying the types of controls that must be in place to protect this information. This kind of data warrants a particular set of controls. Even within the PCI DSS standard, authentication data, such as card-not-present verification data, is subject to even stricter limits on storage than other data, such as the payment account number. These rules highlight an implicit data classification scheme within the PCI DSS regulations, but the data classification is generally applicable to all business data.

A data classification policy defines the different types of data and the types of security controls that should be in place to protect the different types. A basic data classification scheme might include four categories:

Private

Confidential

Sensitive

Public

Private data may be data about customers, employees, or others. The business maintains this data as part of normal business operations, but it is not considered to be data about the business. Private data can include name, address, health records, credit scores, etc. The data classification policy may specify that private data must not be released to unauthorized users; it also defines rules for determining what constitutes an authorized user.

Confidential data is similar to private data in that it is not to be disclosed unless necessary. Unlike private data, confidential data is about business operations and includes topics such as strategic plans, non-public financial statements, legal opinions, etc. The data classification should include rules for protecting this type of data, such as the need for using encryption to transmit data and only transmitting data between devices that are mutually authenticated using SSL certificates.

Sensitive data is business data that should not be disclosed, but if it were, it would not cause substantial harm to the business. This category might include mid-level managers' schedules and HR policy documents. The data classification policy might indicate that such documents do not need to be encrypted when at rest but should be encrypted when transmitted over public networks.

Public information is any information that can be disclosed outside the company without harm. Press releases, product catalogs, and marketing material are examples of public data. The data classification policy may not require any security controls on this data.

Monitoring and Auditing Policy
Policies governing monitoring and auditing describe the scope of logging activity required, including:

Types of applications that should generate logs

Types of information captured in the logs

Retention periods for logs

Requirements for centralized log management

Reporting of events captured in logs

The PCI DSS documentation includes requirements for logging activity that should be addressed in the monitoring and auditing policy.

Another aspect of PCI DSS compliance is ensuring that security controls built on SSL certificates are maintained by procedures, including SSL certificate life cycle management.

SSL Certificate Life Cycle Management
SSL certificates are assets that must be managed like any other. The basic operations in SSL certificate life cycle management are:

Choosing the right SSL certificate

Renewing SSL certificates

Tracking SSL certificate inventory

The first step in the life cycle management process is selecting the right types of SSL certificates for your requirements.

Choosing the Right SSL Certificate
SSL certificate vendors offer a number of types of SSL certificates for different needs. Some SSL certificates are designed for a single server or other device, some are designed to be used with multiple devices on the same domain, and still others can be used on multiple servers with different names. (The latter are known as Subject Alternate Name, or SAN, SSL certificates). Determining which option is best for you will depend on a few factors:

Is the number of servers that requires SSL certificates small enough that you can manage separate certificates for all of them?

Do you frequently start new virtual servers that are part of one domain and would benefit from a domain-level certificate?

Do you have multiple servers that have different domain names but are managed as a single logical unit?

Your answers to these questions can help guide the selection of the type of SSL certificate you should use.

In addition to the different ways SSL certificates can be associated with servers, there are two levels of verification and assurance that SSL certificate vendors provide. A conventional SSL certificate is granted to a business or other entity that demonstrates it is actually that entity according to the criteria established by the vendor. These criteria could be as simple as having an email address at the domain specified in the SSL certificate request or it could be much more rigorous. The SSL certificate industry established standards for an alternative verification regime and created the Extended Validation (EV) SSL certificate. The industry established common standards for verifying the identity of an EV SSL certificate requestor and ensuring it is a legitimate business. EV SSL certificates are designed to give customers, business partners, and others additional assurance that they are dealing with a legitimate and authenticated business.

Renewing SSL Certificates
SSL certificates are valid for a predefined period of time and at the end of that period, the SSL certificate must be renewed. Tracking SSL expiration dates can be done either on a server-by-server basis using OS tools, such as Microsoft Windows Management Console (Figure 4.1) or with SSL certificate management consoles provided by SSL certificate vendors (Figure 4.2).

Figure 4.1: Microsoft Windows OS provides a certificate management snap-in for the Microsoft Management Console (MMC).

Figure 4.2: Example console for managing multiple SSL certificates across an enterprise.

Tracking SSL Certificate Inventory
Another general task in the SSL certificate life cycle management process is tracking inventory of SSL certificates. Enterprise management consoles are helpful for this task, especially in businesses with Windows, Linux, Unix, and other OSs, each of which has its own methods and procedures for managing SSL certificates. By tracking SSL certificates, you might be able to better understand your needs. This understanding can lead to more efficient use of domain certificates, SAN certificates, and other options for reducing management overhead and reducing the cost of purchasing large numbers of SSL certificates.
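
The renewal tracking and inventory review described in the last two sections, as a small script: this is an added example, not code from the guide or from any vendor console. The inventory records, host names, the fixed "as of" date and the 30-day warning window are constructed for the example, and grouping hosts by their last two DNS labels is a simplification.

```python
import ssl
from collections import defaultdict

# Constructed inventory; not_after uses the format Python's ssl module reports
# for a certificate's notAfter field.
INVENTORY = [
    {"host": "pay.example.com", "names": ["pay.example.com"],
     "not_after": "Jan 20 00:00:00 2025 GMT"},
    {"host": "api.example.com", "names": ["api.example.com"],
     "not_after": "Dec 15 00:00:00 2024 GMT"},
    {"host": "www.example.com", "names": ["www.example.com"],
     "not_after": "Jun  1 00:00:00 2025 GMT"},
    {"host": "shop.example.net", "names": ["shop.example.net", "store.example.org"],
     "not_after": "Sep  1 00:00:00 2025 GMT"},
]

# Fixed reference time so the example is reproducible; use time.time() in practice.
AS_OF = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")


def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (ssl.cert_time_to_seconds(not_after) - now) // 86400


def renewal_report(inventory, now, warn_days=30):
    """Return (host, days left, status) rows, most urgent first."""
    rows = []
    for cert in inventory:
        days = days_left(cert["not_after"], now)
        if days < 0:
            status = "EXPIRED"
        elif days <= warn_days:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((cert["host"], days, status))
    return sorted(rows, key=lambda row: row[1])


def consolidation_candidates(inventory):
    """Domains where several single-name certificates could share one certificate."""
    by_domain = defaultdict(list)
    for cert in inventory:
        if len(cert["names"]) == 1:
            # Simplification: treat the last two labels as the registered domain.
            parent = ".".join(cert["names"][0].split(".")[-2:])
            by_domain[parent].append(cert["host"])
    return {domain: sorted(hosts) for domain, hosts in by_domain.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, days, status in renewal_report(INVENTORY, AS_OF):
        print(f"{status:8} {host:20} {days:5} days")
    for domain, hosts in consolidation_candidates(INVENTORY).items():
        print(f"{domain}: {len(hosts)} single-name certificates ({', '.join(hosts)})")
```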

Summary
The PCI DSS defines a range of security requirements for protecting payment card and cardholder data. SSL certificates play important roles in a number of PCI DSS requirements, including authentication and encryption services. This chapter has provided a high-level checklist for assessing compliance with key requirements. It also provided a more detailed look at policies and SSL management practices that support your efforts to meet PCI DSS requirements.
