PCI DSS
That's The Way It Is!
Didier Godart
CONTENTS
Introduction.......................................................................... 7
About the author.................................................................. 9
PCI, what are you talking about?.........................................11
Payment processing terminology and workflow...................15
Distributing Roles...............................................................19
Merchant levels: What, Who and How...............................23
What's your type?.............................................................27
DSS in a nutshell.................................................................31
Defining the Scope of the PCI assessment..........................35
Certification programs, striving for quality..........................41
The Validation Toolbox........................................................45
The Prioritized Approach....................................................51
Tokenization........................................................................55
Mind The Gap.....................................................................59
Compensating Controls: Magic Trick or Mirage?...............63
The World Isn't Perfect........................................................69
Nice Look!...........................................................................75
Is your organization behaving like
What to do if compromised?...............................................93
Your PCI Logbook - What is required
INTRODUCTION
journey would tell you how it could turn rapidly into a long,
laborious, tedious and challenging journey.
HOW?
Well by anatomizing various PCI related ambiguous areas,
RECOGNIZED ACTOR AND contributor of the PCI community from its
REFERENCES
Didier's company website: DGOZONE.COM
Didier's PCI-GO sites: blogs, papers, policies, procedures,
GET IN TOUCH
Feel free to contact the author for clarification, suggestions
and amendments.
Didier Godart
d@dgozone.com
Twitter: @DGodart
LinkedIn: http://www.linkedin.com/in/didiergodart
1
PCI, WHAT ARE YOU
TALKING ABOUT?
WHAT IS PCI?
PCI DSS ISN'T A REGULATION BUT A CONTRACT
PCI DSS is a contract that starts at payment card brands and
2
PAYMENT PROCESSING
TERMINOLOGY AND
WORKFLOW
ONE CANNOT MOVE through the PCI ecosystem without a basic understanding of the payment processing terminology and workflow. So
THE PAYMENT PROCESSING TERMINOLOGY
In a nutshell, the payment transaction could be depicted as follows:
Note:
Visa and MasterCard will never issue cards. Their cards are
THE PAYMENT PROCESSING WORKFLOW
It encompasses the following operations:
1. Authorization
2. Clearing
3. Settlement
Authorization: At the time of purchase, the merchant requests
and receives authorization from the issuer to allow the purchase
to be conducted, and an authorization code is provided.
The process includes:
1. The cardholder swipes or dips card at the merchant location.
the processor.
[Figure: "bank (Issuer) sends payment to"]
3
DISTRIBUTING ROLES
REGULATORS (SCRIPT WRITERS AND DIRECTORS)
They are writing the scenarios and directing the play.
The PCI council whose main responsibilities are:
Maintain the standards and supporting documentation
Qualify assessors and perform quality assurance checks
of their work
TARGETED ENTITIES (LEADING ROLES)
They take the lead role by following the directors' instructions.
Merchants: Business entities directly involved in the
SCRIPT NOTES
4
MERCHANT LEVELS:
WHAT, WHO AND HOW
HOW DO THEY DETERMINE THE APPLICABLE LEVEL?
Acquirers qualify the applicable level mainly based on transaction volume
Side notes:
No Level 4 merchant for American Express
No Level 3 and Level 4 merchants for JCB International
Payment brands reserve the right to escalate a merchant's
level depending on risk, such as a previous compromise
where PCI requirements were not in place.
5
WHAT'S YOUR TYPE?
DO NOT MISTAKE LEVELS FOR TYPES!
WHAT IS IT ALL ABOUT?
If levels are associated with the number of transactions
WHAT ARE THE 9 TYPES?
If levels are independently defined by each payment brand,
above descriptions.
REFERENCE:
For more information about the way to determine your
type, please review the PCI Data Security Standard Self-Assessment Questionnaire.
6
DSS IN A NUTSHELL
layers of requirements:
G OA L S
The six goals, sections or domains are:
G1:
G2:
G3:
G4:
G5:
G6:
R2:
R3:
R4:
R5:
R6:
R7:
R8:
R9:
R10:
R11:
R12:
SIDE NOTES:
1. Why 6 domains and 12 requirements? Actually the
REFERENCES:
Link to the PCI DSS v3: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
7
DEFINING THE SCOPE OF
THE PCI ASSESSMENT
ENTITIES SUBJECTED TO the PCI program have the ultimate responsibility for defin-
According to the rules, the PCI scope must encompass all sys-
WHAT IS THE CDE?
The PCIco defines the CDE as the people, processes and
Side note:
There is a simple way to understand the difference between
card, such as the full PAN, cardholder name, and expiration date.
The sensitive authentication data is generally printed on the
WHAT IS MEANT BY SYSTEM COMPONENTS?
By system components one must understand:
Network components such as firewalls, switches,
routers, wireless access points, network appliances and
other security appliances.
HOW DO YOU DETERMINE THE SCOPE?
The scope of PCI compliance could be extremely difficult to
HOW DO YOU REDUCE THE SCOPE?
The scope of a PCI assessment could turn out to be quite large for
1. REDUCING THE NEED FOR DATA STORAGE
2. NETWORK SEGMENTATION
Side notes:
PCI defers to the QSA (for organizations subjected to
3. THE USE OF THIRD PARTY SOLUTIONS
bank) does not require the full PAN but generally only the last
four digits. So you could reduce the scope via that mechanism
as well.
Side notes:
1. Speak to your acquirer or processors to know what
they would need from your organization to handle
chargeback and disputes.
8
CERTIFICATION
PROGRAMS, STRIVING
FOR QUALITY
fraud. As a consequence, we have seen a demand for new security-related solutions and services emerging.
ASVs. The PCIco does not certify products; this is not their
core competency and never will be, so the aim of the ASV
Having led this program for about 5 years I can tell you how
Since April 2011, the PCIco has been pushing their quest
and qualification though. One area where we could see the PCIco
adopting a certification program in the future is penetration
testing, though at present this is occupying a kind of no man's
land for ambiguous reasons.
9
THE VALIDATION TOOLBOX
PCI IS PROBABLY one of the few compliance programs out
ASV NETWORK VULNERABILITY SCANS
This tool has been specifically designed to help organizations
Side notes:
A passing result is obtained when the scan report does
SELF-ASSESSMENT
The self-assessment questionnaire often referred to as the
type (see newsletter #5). Each SAQ covers only PCI sections
ON-SITE AUDIT
This tool is a thorough assessment performed within
2. Verification of all technical and procedural documentation
WHICH TOOLS ARE RELEVANT FOR MY ORGANIZATION?
If the validation rules are specific to each payment brand,
they are all based on the merchant levels (see newsletter #4).
10
THE PRIORITIZED
APPROACH
AS INTRODUCED IN our newsletter #7 - DSS in a nutshell, organiza-
WHAT IS IT?
A tool to help and guide organizations in establishing a roadmap for
compliance and demonstrating progress to key stakeholders.
WHO IS IT FOR?
The prioritized approach is suitable for merchants who
HOW DOES IT WORK?
Any roadmap is composed of milestones. The prioritized
11
TOKENIZATION
THE CONCEPT
The concept of tokenization is quite simple to understand:
TOKENIZATION FOR PCI: KILLING TWO BIRDS WITH ONE STONE
PCI isn't really concerned with the protection of artworks, cash
of 3.1:
DOWNSIDE
As tokens are replacing the sensitive PANs, any components
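To make the concept concrete, here is an added example (written for this edition, not code from the original newsletter or from any tokenization vendor): a minimal in-memory token vault. The vault keeps the only copy of the PAN, hands out a random token that preserves the last four digits, and refuses to give the PAN back to anyone but an authorized caller. The `TokenVault` class, the caller name `payment-gateway` and the sample card number 4111 1111 1111 1111 are assumptions of the example; the Luhn check is the standard card-number checksum.

```python
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum, the check-digit scheme payment card numbers use."""
    total = 0
    parity = len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:       # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a tokenization service (constructed for this example).

    The vault is the one component that still holds PANs, so it stays in scope;
    a component that only ever stores the token never holds cardholder data.
    """

    AUTHORIZED_CALLERS = frozenset({"payment-gateway"})   # assumed caller name

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("input does not look like a PAN")
        if pan in self._token_by_pan:
            # Same PAN -> same token, so order history can still be joined on the token.
            return self._token_by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]   # keep the last four digits for receipts and disputes
            # Design choice: a token must not pass the Luhn check, so it can never be
            # mistaken for (or used as) a card number, and it must be unique.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the authorized caller (the component that talks to the acquirer) gets the PAN."""
        if caller not in self.AUTHORIZED_CALLERS:
            raise PermissionError(f"{caller} is not allowed to retrieve PANs")
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What an order system outside the PAN path stores: the token and its last four."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def holds_pan(record: dict, pan: str) -> bool:
    """Scope check: does any field of a stored record contain the full PAN?"""
    pan = re.sub(r"\D", "", pan)
    return any(pan in re.sub(r"\D", "", str(v)) for v in record.values())
```

The downside described above shows up directly in the code: the `detokenize` path is the one place where a token turns back into a PAN, so whichever component is allowed to call it is in scope, together with the vault itself.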
GUIDANCE AND REGULATION
The council quickly understood the urgency of establishing
12
MIND THE GAP
OBJECTIVE
Identify gaps between where we stand and where we want
HOW LONG DOES IT TAKE TO PERFORM SUCH AN ANALYSIS?
Don't underestimate it! A gap analysis process could last
THE PROCESS
A gap analysis process should encompass the following actions:
Identify the DSS requirements pertaining to the entities
(see merchant types).
Identify areas of non-compliance and develop remediation plans.
OUTCOME
I generally see the outcome of a gap analysis as a compliance
13
COMPENSATING
CONTROLS: MAGIC TRICK
OR MIRAGE?
meet the requirements as they are written. This is not the case.
The important thing is that the inherent security objectives
behind each requirement are met. The PCIco and the Payment
WHAT IS A COMPENSATING CONTROL?
A compensating control is a work-around for a security
WHAT IS A VALID COMPENSATING CONTROL?
To potentially be considered valid, a compensating control
must fulfill the same intent and objective as the requirement it's
HOW DO YOU DOCUMENT A COMPENSATING CONTROL?
Every compensating control must be supported by a risk
WHO SHOULD VALIDATE A COMPENSATING CONTROL?
According to the standard, QSAs are the ones responsible
CONCLUSION
My interviews with the Council, the Brands and the QSAs
14
THE WORLD ISN'T PERFECT
Let's illustrate this by taking our body and soul as the system.
Examples:
1. As a first example, imag-
is movement sensitive.
Ahh I can see the fear in
your eyes... Suddenly I
the street. Here you are the system. What could have
caused this awful scenario? Bad luck maybe? There are
iPod on; the car driver didn't see you, you had a bad day
and you were deep in thought; you are blind, deaf or
both. The environment is also playing a role: Crossing
VULNERABILITIES IN INFORMATION SYSTEMS
The world isn't perfect, and certainly not as pertains to
Vendor-originated: this includes software bugs, programming oversights or mutual misunderstandings made by a software
System administration-originated: this includes downloading and installing third party software.
more time and effort finding and fixing bugs than writing new
code support. On some projects, more resources can be spent
on testing than on developing the program.
15
NICE LOOK!
the city. While the bridge was supposed to resist this intensity,
it failed and collapsed, sweeping along a dozen cars and their
passengers into the river.
had a huge impact for the city. This is related to the decision
process and is the subject of another newsletter.
Let's take a second example...
Imagine that you stand in a
from would not replace your gear, but suggests you sew it up or
stick on a small piece of material to patch the hole.
THE CONSEQUENCES OF SOFTWARE BUGS IN OUR ENVIRONMENT
The presence of software bugs or holes within our
server and a test server. The same bugs will have the same
consequence on both servers such as leading to crashes, but the
criticality would be more important for the production server
I'll let you decide how you would look if your clothes
16
IS YOUR ORGANIZATION
BEHAVING LIKE A FASHION
VICTIM OR A CLOWN?
WHAT CAN WE DO ABOUT SOFTWARE DEFECTS?
Software is buggy. This is a fact (See newsletter #14).
pants with rips and holes is actually the fashion and I should
accept it. Nevertheless, I find it quite weird that the price of a
applications
WHAT IS INVOLVED IN A VULNERABILITY MANAGEMENT PROGRAM?
prioritization and the more appropriate action plan,
assign responsibilities.
17
WHY ARE MY SCAN
REPORTS SO THICK? IMPACT OF POTENTIAL
VULNERABILITIES
My PCI scan report has more pages than the NASA report
related to the crash of the space shuttle Columbia.
WHY ARE EXTERNAL SCANNING REPORTS SO THICK?
The major causes of the thickness of a PCI scan report are:
1. The extent of the scan fields.
I wouldn't surprise anyone by stating that the more targets
you have to scan, the thicker your report will be.
2. The structure of the scan report
that is far away from being what one would expect from an
executive summary: short and straight to the point. The PCIco
about it and for good reason as this term is absent from the PCI
into the causes of scan failure and workload associated with the
vulnerability management.
CONFIRMED VERSUS POTENTIAL?
For a neophyte it could
In the same way could be
the accuracy of the scans, the thickness of the reports and the
I WAS BLIND BUT NOW I SEE!
As a suggestion to decrease the level of blindness of external
18
WHAT TO DO IF
COMPROMISED?
shelter organizations
incident reporting.
AS A MERCHANT OR SERVICE PROVIDER, WHAT DO I HAVE TO DO?
Upon occurrence of a security breach and/or suspicion
WHAT ARE THE PROCEDURES?
It's important to note that the payment brand reporting
IS IT MANDATORY TO USE A PFI (PCI FORENSIC INVESTIGATOR)?
When deemed necessary by the payment brands, an
from this list and support the cost. The role of such a company
19
YOUR PCI LOGBOOK
- WHAT IS REQUIRED
IN TERMS OF LOG
MANAGEMENT?
P>D+R is a well-known
principle in security.
their own problems. They are useless if too quiet or too talkative,
and without adequate monitoring. In other words, monitoring
WHAT IS SIEM TECHNOLOGY?
SIEM stands for Security Information and Event Management.
WHAT DOES SIEM TECHNOLOGY DO?
SIEM technology allows event logs to be automatically
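As an added example of what a SIEM rule set does with such logs (example code for this edition, not the author's or any vendor's), the block below parses a handful of constructed audit records, flags the ones missing a field that PCI DSS 10.3 expects (user, event type, date and time, result, origin, affected resource), detects a burst of failed logins for one user, and lists log sources that have gone quiet. The log format, host names, user names and the 6-failures-in-30-minutes rule (taken from the lockout values of 8.1.6 and 8.1.7) are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Assumed format: ISO-8601 UTC timestamp,
# then key=value pairs (PCI DSS 10.3 wants user, event, result, origin, resource, time).
SAMPLE_LOGS = """\
2014-03-01T10:00:01Z host=web01 user=alice event=login result=success src=10.0.5.12 resource=/admin
2014-03-01T10:01:10Z host=web01 user=bob event=login result=fail src=203.0.113.7 resource=/admin
2014-03-01T10:01:15Z host=web01 user=bob event=login result=fail src=203.0.113.7 resource=/admin
2014-03-01T10:01:21Z host=web01 user=bob event=login result=fail src=203.0.113.7 resource=/admin
2014-03-01T10:01:30Z host=web01 user=bob event=login result=fail src=203.0.113.7 resource=/admin
2014-03-01T10:01:44Z host=web01 user=bob event=login result=fail src=203.0.113.7 resource=/admin
2014-03-01T10:02:02Z host=web01 user=bob event=login result=fail src=203.0.113.7 resource=/admin
2014-03-01T10:05:00Z host=db01 user=carol event=login result=fail src=10.0.5.20
2014-03-01T10:06:00Z host=db01 user=carol event=login result=fail src=10.0.5.20 resource=carddb
2014-03-01T10:07:00Z host=db01 user=carol event=login result=success src=10.0.5.20 resource=carddb
2014-03-01T10:30:00Z host=db01 user=carol event=query result=success src=10.0.5.20 resource=carddb
"""

REQUIRED_FIELDS = ("user", "event", "result", "src", "resource")


def parse_line(line: str) -> dict:
    stamp, _, rest = line.partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit_field_gaps(records: list) -> list:
    """Records missing a 10.3 field: 'too quiet' to be correlated later."""
    gaps = []
    for index, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            gaps.append((index, missing))
    return gaps


def failed_login_bursts(records: list, threshold: int = 6,
                        window: timedelta = timedelta(minutes=30)) -> list:
    """Correlation rule: at least `threshold` failed logins for one user inside `window`.

    6 attempts and 30 minutes mirror the lockout values of PCI DSS 8.1.6 and 8.1.7.
    """
    per_user = defaultdict(list)
    for rec in records:
        if rec.get("event") == "login" and rec.get("result") == "fail":
            per_user[rec["user"]].append(rec["ts"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(user)
                break
    return sorted(alerts)


def silent_sources(records: list, expected_hosts, now: datetime,
                   max_gap: timedelta = timedelta(hours=1)) -> list:
    """Hosts that should be logging but have not been heard from: a dead agent or a disabled log."""
    last_seen = {}
    for rec in records:
        host = rec.get("host")
        if host and (host not in last_seen or rec["ts"] > last_seen[host]):
            last_seen[host] = rec["ts"]
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_gap)


def analyze(text: str = SAMPLE_LOGS,
            expected_hosts=("web01", "db01", "fw01"),
            now: datetime = datetime(2014, 3, 1, 10, 45)) -> dict:
    records = parse_logs(text)
    return {
        "gaps": audit_field_gaps(records),
        "bursts": failed_login_bursts(records),
        "silent": silent_sources(records, expected_hosts, now),
    }
```

Run `analyze()` on the sample: `bob` trips the burst rule, the first `carol` record is reported for its missing `resource` field, and `fw01` shows up as silent because it is expected to log but never did. The "too talkative" side is not solved by code: it is the tuning of which events a source emits in the first place.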
HOW DOES A QSA VALIDATE COMPLIANCE?
To validate implementation, Qualified Security Assessors
20
PCI DSS AND SANS TOP
20 CRITICAL SECURITY
CONTROLS:
THE SUMO MATCH.
YOU SAID MINIMUM. REALLY?
HOW CAN WE be sure that the PCI DSS requirements are sufficient and stay aligned with the evolu-
of this analysis.
ON MY RIGHT, PCI DSS
The bible, as I used to call it, is considered by the security
ON MY LEFT, SANS TOP 20 SECURITY CONTROLS
SANS identified a subset of security control activities that
THE PCI DSS VERSUS SANS TOP 20 CRITICAL SECURITY CONTROLS PERSPECTIVE
40% is the value of PCI DSS along the SANS Top 20
THE TOP THREE CONTROLS BEST COVERED IN PCI DSS ARE:
#18- Incident Response Capability (100% of matches)
#16- Account Monitoring and Control (58%)
#14- Maintenance, Monitoring, and Analysis of Audit Logs.
THE LEAST COVERED CONTROLS IN PCI DSS ARE:
#1 - Inventory of authorized and unauthorized devices and software
THE SANS TOP 20 CRITICAL SECURITY CONTROLS VERSUS PCI DSS PERSPECTIVE
49% is the value of SANS Top 20 Critical Security Controls
THE BEST COVERED REQUIREMENTS IN SANS TOP 20 ARE:
#5 - Use and regularly update anti-virus software or
programs (100%)
passwords (88%)
THE LEAST COVERED REQUIREMENTS IN SANS TOP 20 ARE:
#3 - Protect stored sensitive data (4%)
#9 - Restrict physical access to sensitive data (10%)
#12 - Maintain a policy that addresses information security
know (28%).
an average of 61%.
start security programs. I have used PCI for this purpose because
technologist can understand PCI's simplistic requirements and
can self-assess and self-correct easily where PCI is concerned. If
confronted with security controls (i.e. SANS, etc.), however, the eyes
21
QUALIFIED INTERNAL
SCANNING STAFF USING
APPROPRIATE SCANNING
TOOLS - WHAT DOES
THAT MEAN?
EVERY CUSTOMER (MERCHANTS, Service
QUALIFIED STAFF, APPROPRIATE TOOLS, WHAT DOES THAT MEAN?
So far the PCI Council has been sparing with clarification
QUALIFIED STAFF
I've never laid an egg in my life.
Scope determination
Management of false positives/false negatives,
Determination of CVSS scoring and their exceptions
Determination of the severity levels based on the NVD
and CVSS scoring
Quality Assurance
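The staff duties listed above (false-positive handling, CVSS scoring, severity levels, QA) and the two questions of newsletter #17 (why the report is so thick, and what becomes of a "potential" finding) can be seen in one added example, written for this edition and not taken from the ASV Program Guide or from any scanner. It triages a constructed scan result: any finding with a CVSS base score of 4.0 or higher fails, as the ASV Program Guide requires; a disputed false positive is accepted only when evidence is on file; "potential" findings are treated exactly like confirmed ones; and the same issue repeated across hosts is counted, which is where the thickness comes from. Host names, finding titles, scores and the dispute evidence are all constructed.

```python
from collections import Counter
from dataclasses import dataclass

# ASV Program Guide rule: a finding with a CVSS base score of 4.0 or higher fails the scan.
FAIL_THRESHOLD = 4.0


def severity(cvss: float) -> str:
    """ASV severity bands: High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9."""
    if cvss >= 7.0:
        return "High"
    if cvss >= FAIL_THRESHOLD:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    confidence: str   # what the scanner claims ("confirmed"/"potential"); PCI makes no such distinction


@dataclass(frozen=True)
class Dispute:
    host: str
    port: int
    title: str
    evidence: str     # what the scan customer showed the ASV; no evidence, no dispute


def triage(findings, disputes) -> dict:
    accepted = {(d.host, d.port, d.title) for d in disputes if d.evidence.strip()}
    rows = []
    for f in findings:
        sev = severity(f.cvss)
        if sev == "Low":
            status = "pass"             # still listed in the report, below the failing line
        elif (f.host, f.port, f.title) in accepted:
            status = "pass-disputed"    # false positive accepted by the ASV, evidence on file
        else:
            status = "fail"             # "potential" changes nothing: a 7.5 fails until disproved
        rows.append({"host": f.host, "port": f.port, "title": f.title,
                     "severity": sev, "confidence": f.confidence, "status": status})
    failing = [r for r in rows if r["status"] == "fail"]
    titles = Counter(r["title"] for r in rows)
    return {
        "overall": "fail" if failing else "pass",
        "failing": failing,
        "fail_by_host": dict(Counter(r["host"] for r in failing)),
        "line_items": len(rows),
        "distinct_issues": len(titles),
        # why the report is thick: the same issue repeated once per host and port
        "repeated": {t: n for t, n in titles.items() if n > 1},
    }


# Constructed scan result; hosts, titles and scores are made up for the example.
SAMPLE_FINDINGS = [
    Finding("web01", 443, "TLS 1.0 enabled", 4.3, "confirmed"),
    Finding("web02", 443, "TLS 1.0 enabled", 4.3, "confirmed"),
    Finding("web03", 443, "TLS 1.0 enabled", 4.3, "confirmed"),
    Finding("web01", 80, "HTTP TRACE method enabled", 5.8, "potential"),
    Finding("web01", 80, "Outdated web server version (banner)", 7.5, "potential"),
    Finding("mail01", 25, "SMTP banner discloses software version", 0.0, "confirmed"),
]
SAMPLE_DISPUTES = [
    Dispute("web01", 80, "HTTP TRACE method enabled",
            "TRACE disabled in the server configuration; a TRACE request returns 405"),
    Dispute("web01", 80, "Outdated web server version (banner)", ""),   # ignored: no evidence
]
```

On the sample, six line items boil down to four distinct issues, one of them repeated on three hosts; the TRACE finding is cleared by its evidence, while the "potential" banner finding at 7.5 fails because nobody disproved it. That is the whole point of the confirmed-versus-potential discussion: the scanner's confidence label carries no weight in the pass/fail decision.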
APPROPRIATE TOOLS
A bad workman always uses bad tools - Quebec quote.
The scanning tools are as important
Report vulnerabilities that have reasonable
detailed perspective should include all
REFERENCE
ASV program guide
22
DON'T GET LOST IN
TRANSLATION WITH
EXECUTIVES.
GET THEM LISTENING.
I need people and I need funding to do my job properly.
Executives don't get it - They want me to bulletproof their
systems but don't want to listen.
Of course,
camps closer?
INVOLVE EXECUTIVES IN KEY SECURITY GOVERNANCE ACTIVITIES.
According to a study from the Carnegie Mellon CyLab on
ADOPT THEIR LANGUAGE AND PROTOCOLS.
Executives DO listen but people responsible for IT Security
The application of these principles could be quite
in your individual
23
INTRODUCTION TO
RISK ASSESSMENT
weekend, you were engaging in activities that involve an element of chance, something intimately connected with risk.
THE BEGINNINGS
The term risk seems to take its source from a navigation term
DEFINITIONS
Here is how NIST defines Risk, Information Security
Information security risks are those risks that arise from the
the scientist who developed the rocket that launched the first
Apollo mission to the moon said: You want a valve that doesn't
leak and you try everything possible to develop one. But the real
world provides you with a leaky valve. You have to determine how
much leaking you can then tolerate. Without a command of risk
assessment, engineers could never have designed the great
bridges that span our widest rivers, homes would still be heated
THE IMPORTANCE OF TIME
Risk and time are opposite sides of the same coin, for if there
risk, and the nature of risk is shaped by the time horizon: the
future is the playing field.
GUIDELINES & METHODOLOGIES
A number of risk assessment guidelines and methodologies
Operationally Critical
CORE ACTIVITIES
In the context of PCI, organizations are free to select any
24
PCICO STRENGTHENS THE
SCOPING RULES
ADEQUATE SEGMENTATION
PCI SSC recently clarified that, to be considered adequate,
cardholder data from those that do not in such a way that the
latter ones (out of scope systems), even if compromised, cannot
impact the security of the former ones (in scope systems).
and at any level the security of the CDE, this system component
must be considered in scope for the PCI DSS assessment.
of scope for a particular entity if, and only if, it is validated that
the entity does not have the ability to decrypt it, meaning:
25
A NEW STANDARD IS BORN.
certification program on
THE CONTEXT
As you can imagine, your cards do not appear in your wallet
details located on such sites and you will have a good sense of
the associated risks. In terms of data, the standards focus on the
protection of:
THE STANDARDS
Logical standard
This standard describes the logical security requirements
this standard.
PHYSICAL STANDARD
The Physical Standard manual is a comprehensive source
pre-personalizers, chip embedders, data
Card manufacturing
Magnetic-stripe card encoding and embossing
Card personalization
26
PCIP: IS IT WORTH IT?
WHY?
Firstly, to answer a valid concern from the QSA and ISA
that travels along with you and your career. This doesn't change
the fact that independently of their PCIP status, former QSAs
WHAT IS THE VIEW OF PCIco?
The PCIP sales pitch lists the following advantages of
becoming certified.
customers ongoing
WHAT IS THE VIEW OF THE SECURITY COMMUNITY?
People who do not have a QSA or ISA certification, see
However QSAs and ISAs who may apply for the PCIP
HOW TO GET QUALIFIED?
The qualification process is straightforward.
You apply (Submit online application). Make sure to
fee + exam fee). This fee could range from $790 to $3,635
back to them with the final 30 minutes for best guess selections.
Here is what some people say about the test.
and virtualization, etc, you should have no problem passing the test.
It's a fairly easy test for someone who is familiar with the
vs WPA (i.e. which is secure and which is not), but that is covered
in the requirements as well. What is not necessarily covered in the
minutes. Eliminating two options out of four was rather easy to do.
My own sense was that 3 to 6 questions were quick kills for every
QSA would take each year. I modeled my study for that exam from
such training materials, and this worked well.
REQUALIFICATION
PCIPs must re-qualify every two years in order to continue
27
SHOULD I DISABLE MY
PROTECTION SYSTEM FOR
ASV SCANS?
IN THE CONTEXT of intrusion detection and pre-
implementation/configuration of Firewalls (Req 1), Anti-virus
WHAT IMPACT IS THERE ON QUARTERLY SCANS?
11.2.2 requires quarterly external vulnerability scans by an
to calm down the game, PCI SSC brought them around the
table in order to find a way to perform quarterly scans that do
not unnecessarily expose the scan customers network but also
do not limit the final results of the scans.
ASV OBLIGATIONS
active device, ASVs are required to fail the scans, report the scan
as inconclusive and clearly describe the conditions resulting
in an inconclusive scan under Exceptions, False Positives, or
ORGANIZATIONS' OBLIGATIONS
Organizations subjected to compliance must continue
the ASV scan but only for active protection devices. Static
filtered traffic, the scan customer may work with the ASV
28
THE PCI LIBRARY - WHAT
DOCS ARE REQUIRED FOR
COMPLIANCE?
COMPLIANCE PROGRAMS ARE heavily based
29
DO ALL PCI DSS
REQUIREMENTS APPLY?
I FREQUENTLY ASSIST MEDIUM SIZE organi-
the PCI bible are applicable all rules within these sections are
applicable whatever the entity environment, nature and size.
This fact is enforced by the Council in such terms:
Decisions about applicability of PCI DSS requirements are not
THE PEN TEST CASE
One of the points argued by this organization was the need
PCI this is the case. There are far too many shoddy pen
testers who have brought down entire networks and/
In the current context, (PCI rules), running a pen test just for
testers with the associated risks. Pen tests are however a serious
above picture: Oh Yes Mr. QSA, I tested several pens this year
and they are all working perfectly!
30
TRAINING YOUR
ORGANIZATION MUST
DELIVER TO COMPLY
WITH PCI DSS
PCI DSS REQUIRES ORGANIZATIONS subjected to compli-
SECURITY AWARENESS
Associated PCI DSS requirement: 12.6
Audience: Any individual having access to data or system
Associated QSA validation processes:
Compliance
awareness sessions are quite boring! They don't talk the users'
language and don't address THEIR concerns. It's then not a
the rules? For me, the best way is to make sure that they
have fun, enjoy the moment, spend a good time and
SECURE CODING
Associated Requirement: 6.5 - Develop applications based
PCI scope.
training in secure coding techniques
INCIDENT RESPONSE
Associated requirements: 12.10.4 - Provide appropriate
incident response.
AFTERWORD
Strangely enough, one could have expected that the PCI-
31
PCI DSS
CRYPTO-FRAMEWORK
WHAT IS MEANT BY STRONG CRYPTOGRAPHY?
Cryptography is the art of transforming information so
is meant to be resistant to attacks so that you can have
WHAT IS MEANT BY PROPER KEY MANAGEMENT AND KEY PROTECTION?
This is covered by:
3.5 Document and implement procedures to protect
best practices.
when the integrity of the key has been weakened or keys are
suspected of being compromised
cryptographic keys.
3.6.7 Prevention of unauthorized substitution of cryptographic keys.
sign a form stating that they understand and accept their key-custodian responsibilities.
WHAT IS A CRYPTO-FRAMEWORK?
A crypto-framework is a set of rules, principles and tools
WHY IS IT NEEDED?
PCI DSS does not explicitly mention it; however reading
WHAT SHOULD BE PART OF A CRYPTO-FRAMEWORK?
A crypto-framework should at least include the following components:
of algorithms that can be used with the key; Key usage; Key
length; Key custodians who have access to the key; Key validity
period also called crypto period;
training
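Added example (written for this edition; not the author's framework and not the API of any HSM or key-management product): a key inventory that records, for each key, the fields listed above (algorithm, usage, length, custodians, activation date and crypto period) without ever storing the key itself, only a key check value that lets a loaded key be compared against the inventory, which is how unauthorized substitution (3.6.7) is detected. The `combine_components` helper shows split knowledge as required by 3.6.6: two custodians each hold a component and neither can reconstruct the key alone. The minimum key sizes, key identifiers and custodian names are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Minimum sizes assumed for this example (they match the strong-cryptography
# examples given in the PCI DSS glossary: AES 128 bits and up, RSA 2048 bits and up).
MIN_KEY_BITS = {"AES": 128, "RSA": 2048}


def key_check_value(material: bytes) -> str:
    """KCV: a short fingerprint kept in the inventory instead of the key itself."""
    return hashlib.sha256(material).hexdigest()[:8]


def combine_components(*components: bytes) -> bytes:
    """Split knowledge (PCI DSS 3.6.6): each custodian holds one component and the
    key only exists once all components are XORed together under dual control."""
    if len(components) < 2:
        raise ValueError("split knowledge needs at least two components")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("all components must have the same length")
    key = bytearray(length)
    for component in components:
        for i, byte in enumerate(component):
            key[i] ^= byte
    return bytes(key)


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    algorithm: str
    usage: str            # e.g. "PAN data-encrypting key" or "key-encrypting key"
    bits: int
    custodians: tuple     # who signed the key-custodian form for this key
    activated: date
    crypto_period: timedelta
    kcv: str


class KeyInventory:
    """Inventory of keys by reference: the key material never stays in this object."""

    def __init__(self):
        self._records = {}

    def register(self, key_id, algorithm, usage, bits, custodians,
                 activated, crypto_period, material: bytes) -> KeyRecord:
        if bits < MIN_KEY_BITS.get(algorithm, float("inf")):
            raise ValueError(f"{algorithm}-{bits} is below the strong-cryptography minimum")
        if len(custodians) < 2:
            raise ValueError("dual control needs at least two custodians")
        if algorithm == "AES" and len(material) * 8 != bits:
            raise ValueError("key material length does not match the declared size")
        rec = KeyRecord(key_id, algorithm, usage, bits, tuple(custodians),
                        activated, crypto_period, key_check_value(material))
        self._records[key_id] = rec
        return rec

    def verify(self, key_id: str, material: bytes) -> bool:
        """3.6.7: a key loaded into a system is checked against the inventory KCV,
        so a substituted key is detected before it is used."""
        return self._records[key_id].kcv == key_check_value(material)

    def expired(self, today: date) -> list:
        """Keys whose crypto period has ended and that must be retired or replaced."""
        return sorted(key_id for key_id, rec in self._records.items()
                      if today > rec.activated + rec.crypto_period)
```

The inventory is what a QSA can read without ever seeing a key: who holds it, what it is for, how strong it is, and when it must be rotated. The KCV is deliberately a truncated hash, enough to recognise a key, not enough to recover it.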
WHAT ARE THE MINIMUM DOCUMENTS YOU SHOULD HAVE READY FOR YOUR PCI AUDIT?
If you don't opt for the crypto-framework approach, here are
the minimum documents you should have ready for your audit:
32
MONEY FOR NOTHING
STARTING THIS NEWSLETTER with two famous songs
supporters and the PCI critics. The former emphasize the cost
THE COST OF PCI IMPLEMENTATION
Implementing PCI is certainly not free, even for the smallest
(optional), Central log management, patch management, file integrity, encryption technology, access management, anti-virus technology.
Level        Initial scope   Becoming compliant   Maintenance
Level 1      $250,000        $550,000             $250,000
Level 2      $125,000        $260,000             $100,000
Level 3 & 4  $50,000         $81,000              $35,000
THE COST OF A BREACH
Direct cost
Here are the direct costs generally associated with a breach:
Forensics cost. Once an organization subjected to PCI
Council defended the standard, claiming that the average cost per
ADDITIONAL RESOURCES
Free Cost breach calculator - Beta from Netvigilance
The True Cost of Compliance: A Benchmark Study of
Multinational Organizations
33
KEY TAKE-AWAY FROM THE
PCI COMMUNITY
MEETING 2013
For your eyes only, here are my key take-aways from the 2013
WHAT HAS BEEN SAID
It's all about education, education and education - Tony
Blair
THE STATE OF PCI
According to J. King, the state of PCI is really good.
The importance of PCI continues to grow with the
rising of global card usage and associated risks.
WHAT'S NEW IN DSS V3.0?
The 3 key focuses within the DSS V3.0 standard are
Education, Flexibility and Shared responsibilities.
WHAT'S NEW IN ROC V3.0
Testing procedures aligned with DSS V3.0
New options for findings at the sub-requirement level: in
place, not in place, in place with compensating control.
WHAT'S EXPECTED IN ASV VALIDATION REQUIREMENTS 3.0
The ASV qualification requirements will be updated
to include:
Terminology alignment
Requirement for internal separation of duties
Additional Insurance coverage
Requirement for manual quality assurance process
Requirement for protection of the scan solution
PENETRATION TESTING
V3.0 requires a penetration testing methodology that is followed
IN-SCOPE AND OUT-OF-SCOPE CONSIDERATION
PCIco clarified that to be considered out of scope a
component must be isolated from the CDE and would
not compromise the security of cardholder data.
Applicable requirements may vary based on system functions.
MOBILE
Mobile is one of the next big things for PCI. The mobile
environment is changing very fast. The mobile phone is
not secure.
TOKENIZATION
For PCIco tokenization is used in the context of PAN
CLOUD
Business relationships are complex in the cloud. We see
hosting providers outsourcing to other providers
FORENSIC INVESTIGATION
Forensic investigation is used to identify common
factors or trends in attacks.
ATMS
The ATM is a recognized attack vector for organized
crime
34
PCI DSS VERSION 3
CHANGES AND IMPACT: SHOULD YOU CARE?
In this newsletter, you will learn what has changed and what
SCOPE
Merchant websites that redirect the customer to payment
providers are now explicitly in scope of PCI DSS as of
NOTES TRANSFORMED INTO REQUIREMENTS (IMPACT: MEDIUM)
Some requirements in V2 incorporate guidance notes that
have been transformed into specific requirements in V3. As
FLEXIBILITY (IMPACT: LOW TO MEDIUM)
V3 adds some flexibility in the choice of the solution by
adapting the requirements.
1.3.4 Prevent internal IP addresses from passing into the DMZ -> Implement anti-spoofing measures (Low)
NEW REQUIREMENTS FOR CARD-PRESENT MERCHANTS
These new requirements are related to the protection of
payment devices:
35
PATCH MANAGEMENT: HOW TO COMPLY WITH PCI
WHAT'S A PATCH?
In the same way a needlewoman would apply a piece of
WHY IS IT IMPORTANT?
Like we lock our home doors and windows to prevent
HOW TO IDENTIFY APPLICABLE PATCHES?
The most trustworthy source of information related to
WHAT ARE THE ASSOCIATED PCI REQUIREMENTS?
PCI DSS V3.0 - 6.2 requires that you ensure that all system
WHAT IS MEANT BY CRITICAL?
According to PCI DSS 6.1, a patch should be considered
HOW TO ASSESS THE CRITICALITY OF A PATCH?
The best source for the determination of the level of criticality
SHOULD ALL PATCHES BE IMPLEMENTED?
PCI requires the installation of ALL vendor-supplied patches
It must be noted that PCI doesn't leave the door open for
WHEN SHOULD A PATCH BE DEPLOYED?
As mentioned above, PCI requires installation of patches
associated activities within the usual well-known constraints: limited resources, budget and time. The complexity of patching
is closely linked to the size of the environment. In some
WHAT ARE THE QSA CHECKS?
To assess your compliance with this control, QSAs will verify:
Your policies and procedures related to scope
Patch identification (i.e. list of vendor bulletins)
Installation and validation documentation (i.e. logs, scans), rationale for exceptions
36
CONTROL YOUR PRIVILEGED ACCOUNTS - HOW TO CONTAIN THE KEYS TO THE KINGDOM PROBLEM
WHAT'S A PRIVILEGED ACCOUNT?
The term privileged account, also known as high
privileged account or super
THE KEY TO THE KINGDOM PROBLEM
According to Verizon, many organizations do not have
the ones who are in their possession. Besides the accidental and
disastrous damage resulting from erroneous usage of highly
their privileges for their own profit. After all, aren't we all
ASSOCIATED PCI REQUIREMENTS
The following requirements are associated with the control of
privileged accounts:
related need.
WHAT TO DO AND HOW TO COMPLY?
Complying with the above PCI requirements is a brainteaser
PAM PRODUCTS
This product class has experienced explosive growth in
37
AND PCI SAID: GET PEN-TESTED!
WHY IS A PEN-TEST NEEDED?
In the same way that wellness checks support a doctor's
WHY IS SCANNING NOT ENOUGH?
Scanners are used to identify potential anomalies or
PENETRATION TESTING FOR PCI COMPLIANCE
Conducting penetration testing is a prerequisite for
following perspectives:
DSS 1.3.4.
WHAT HAPPENS DURING A PEN TEST?
Penetration testers will try to get unauthorized access to
qualified for such a job, the term "qualified" being left to the
QSA's appreciation.
HOW DO YOU PROVE COMPLIANCE?
Make sure to have the following materials ready:
Documented penetration methodology covering the
various sections listed in the standard;
Documented evidence of the penetration testers' qualifications.
38
THE HOLY GRAIL VS ROC-FISSION: THE ONLY WAY TO REACH COMPLIANCE
Managing Director, Europe and
one for the Holy Grail, an endless day, a money- and time-consuming black hole. This sounds quite pessimistic, but it
is realistic. The quest is so time-, effort- and money-consuming
that organizations decide to give up and accept the risk of
non-compliance.
to live, sleep and eat with their customers? And what relevance
could we possibly expect from a several-hundred page ROC?
approach just doesn't work. It's long, if not endless, and tedious,
and leads to unmanageable projects, poor outcomes, and lots
THE ROC-FISSION APPROACH
In physics, fission is the act of splitting the nucleus of an atom
PCI scope, into smaller objects (parts of the scope). Each part
is more manageable, nearly independent of the others, and
associated with its own ROC (nuclei).
IS THIS APPROACH VALIDATED BY PCICO?
Although not specifically advertised by PCIco, the payment
contributor to this article), splitting the ROCs is the only way for
large organizations to reach compliance. Andy also mentioned
that one of his customers has up to 16 different ROCs (nuclei).
WHAT ARE THE PREREQUISITES?
This approach requires that:
The global CDE scope be documented
Each portion ROC (nuclei) be clearly documented in
terms of the scope/object of the assessment and what
is excluded from it (from the original scope).
HOW TO ACHIEVE ROC-FISSION?
Most large service providers use this approach to
WHAT ARE THE BENEFITS?
In the same way that fission releases energy, ROC-fissioning
compliance projects.
ARE THERE CONS TO THIS APPROACH?
Andy doesn't see any cons to this approach. Of course, it
39
THE 7 GOLDEN RULES FOR
MAINTAINING COMPLIANCE
WHEN THE CAT'S AWAY THE MICE WILL PLAY
Research conducted by
THE GUIDANCE FOR MAINTAINING COMPLIANCE
For organizations that want to protect themselves and their
GOLDEN RULES FOR MAINTAINING COMPLIANCE
Rule 1 - Commitment to Maintaining Compliance
Executive sponsorship is critical if organizations want
security activities
Needs
effectively, and
architecture or infrastructures -
RESOURCES
PCI Best Practices for Maintaining Compliance