PCI Compliance
Understand and Implement
Effective PCI Data Security
Standard Compliance
Fourth Edition
Branden R. Williams
Anton A. Chuvakin
Technical Editor
Derek Milroy
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright © 2015 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or any information storage and
retrieval system, without permission in writing from the publisher. Details on how to seek
permission, further information about the Publisher’s permissions policies and our
arrangements with organizations such as the Copyright Clearance Center and the Copyright
Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods, professional practices, or medical treatment
may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and
using any information, methods, compounds, or experiments described herein. In using such information
or methods they should be mindful of their own safety and the safety of others, including parties for
whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any
liability for any injury and/or damage to persons or property as a matter of products liability, negligence
or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in
the material herein.
Library of Congress Cataloging-in-Publication Data
Application Submitted
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
For information on all Syngress publications
visit our web site at http://store.elsevier.com/
ISBN: 978-0-12-801579-7
This book has been manufactured using Print On Demand technology. Each copy is produced to
order and is limited to black ink. The online version of this book will show color figures where
appropriate.
Foreword
APT. Cybercrime. Hacktivism. PCI. Those are a few of the subjects that keep security leaders up at night. If you are wondering how PCI ended up on that short list and why it may cause bouts of insomnia, simply ask someone who has to deal with PCI DSS (Payment Card Industry Data Security Standard) assessments on a regular basis and you are guaranteed to receive strong responses. Yelling matches between security leaders and their PCI assessors over terms such as “segmentation,” “isolation,” “unrecoverable,” and “significant change” have become all too commonplace.

There is little argument that the prescriptive nature and detailed requirements of the DSS are a good guide for security professionals to benchmark and improve immature information security programs. However, the PCI DSS presents a paradox for mature programs. The narrow focus of the DSS on credit card data requires artificial boundaries and duplicate control investments. This can lead to more complex network and security architectures as well as increased hardware, software, and labor costs. It can, in certain situations, also lead to bad business risk decisions in order to keep non-PCI systems out of scope of the annual assessment. It is for these reasons that PCI has become a controversial, disruptive, and insomnia-inducing influence inside many large (and some medium/small) organizations.

Even if PCI DSS assessments are nothing new to you, it would probably be a good time for a refresher course in not only the basics of the PCI standard but also the changes that will be going into effect with PCI DSS 3.0. Obviously, familiarizing yourself with the changes in the standard from 2.0 to 3.0 is a great start, but most likely not enough. One of the best things you can do to prepare yourself for the updated standard is to read this book cover to cover. Then re-read the sections on managing the assessment scope, running the PCI assessment project as an ongoing program, and how to work well with your assessors (they’re not the enemy!). Once you’ve read the book, I would suggest keeping it handy as a reference guide. I know that I will have this book in my office, highlighted, bookmarked, and within easy reach over the next few years as conflicts between business requirements and PCI compliance arise.
Dan Glass
Senior Manager Information Systems Security
American Airlines
Acknowledgments
PCI DSS 3.0 is here, and boy is it a doozy! Both Anton and I are very thankful that
you continue to support our efforts and read our work.
This book is dedicated to my family for supporting the effort to make this work
the central tome for the industry. When we started this journey, my youngest wasn’t
even a year old. Now she’s going into Kindergarten.
Once again, we need to give a HUGE thanks to Derek Milroy for stepping up and
providing great content around Windows, vulnerability management, and being the
sole technical editor for this book. You will find his influence in every chapter of this
edition.
And finally, to you, the reader. Whether you are in internal audit, a QSA, or
simply someone responsible for some portion of PCI DSS, you live in the trenches
implementing solutions every day. The bad guys will never stop, so remember to
build securely!
— Dr. Branden R. Williams
CHAPTER 1
About PCI DSS and this book
INFORMATION IN THIS CHAPTER:
• Who should read this book?
• How to use the book in your daily job
• What this book is not
• Organization of the book
• Summary
The Payment Card Industry Data Security Standard (PCI DSS) celebrated its ninth birthday (it was first released on December 15, 2004) and the PCI Security Standards Council its eighth (it was founded on September 7, 2006) as of this writing. Most of you reading these words have probably heard about PCI DSS, worked on a project tied to PCI DSS compliance, or said a few words out loud about PCI DSS that would have earned at least one of the authors a big smack across the face from his mother. For those of you just starting with PCI DSS, we authors hope this book can be your guide to a successful end result: a sustainable compliance program that exceeds the baseline security standards set forth in PCI DSS 3.0.
If you are like most professionals, the idea of becoming compliant with PCI DSS, or with countless other regulations, does not sound like fun. Information technologists and information security professionals aren’t the only ones who share this feeling. C-level executives and other non-IT (business) personnel have had to deal with compliance and regulation around payments at some point in the last 8 years of their careers, and the pressure has even given rise to a new C-suite position: the Chief Compliance Officer (CCO). The CCO is not a new position, with articles dating back to the mid-1970s referencing the title, but the challenging landscape that companies must navigate has forced more focus on this function in the wake of Sarbanes–Oxley (SOX), PCI DSS, the Health Insurance Portability and Accountability Act (HIPAA), and others.
Compliance efforts are rarely described as fun by those working on them. Painful is probably a better description. Whether it is the pain of not knowing what to do, the pain of failing the assessment, or the pain of “doing compliance” without an adequate budget, compliance in general, and PCI DSS compliance in particular, has plenty in common with pain.
Thus, we face the seemingly impossible challenge of writing a fun and insightful book about PCI DSS. We realize the near-impossible task ahead, and we are committed to the challenge. We’d like to invite you, our reader, to travel with us in the hope that when you turn the last page, you will have come to realize that PCI DSS compliance can indeed be (YES) fun!
There are many standards and regulations out there. If your company’s stock is publicly traded in the United States, you must adhere to the SOX mandates. Financial companies fall under the Gramm–Leach–Bliley Act. Those in the energy sector work toward North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), or Critical Infrastructure Protection (CIP) standards. If you are in the health care industry, your network must comply with the HIPAA standards, as updated recently in legislation focused on electronic health records. Other countries have their own “alphabet soup” of standards, such as the British Standards Institution (BSI), Russian GOST (Russian for “gosudarstvennyy standart,” or “state standard”), the worldwide International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), and so on. PCI DSS occupies a special place among these standards for two reasons: broad, worldwide applicability, and the presence of an enforcement mechanism that is seen as imminent and unavoidable, unlike that of some of the other regulations mentioned.
The overarching theme of all these standards, laws, and regulations is that organizations need to secure data and protect their networks to keep citizens’ data safe. In some cases, weak information security may affect only one company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the victimized company. A breach involving hundreds of millions of customers, such as one at a payment card processor, will have implications touching nearly every family; thus, decreasing such occurrences is in the public interest. Recent breaches have brought this concept back to the forefront as malware authors have advanced their capabilities and tenacity, subverting even some of the very basic controls that many of these compliance initiatives were designed to enforce.
Visa, MasterCard, American Express, Discover, and JCB developed PCI DSS
together to ensure that credit card customer information and the associated payment
systems are adequately protected from fraud. Breaches of customer information lead
to financial loss and damaged reputations. The credit card industry wants to protect
itself from financial loss or eroded consumer confidence in credit cards, which could
lead to expensive and invasive governmental regulation.
We will use our experience with PCI DSS, both from the PCI Qualified Security Assessor (QSA) side and the information security side, to explain the most up-to-date PCI DSS guidelines to you (version 3.0 as of this writing). The objective of this book is not only to teach you about the PCI DSS requirements but to help you understand how the PCI DSS requirements fit into an organization’s information security framework and how to effectively implement information security controls so that you can be both compliant and secure. In addition, we will cover ways to do this in the easiest and most pain-free way without compromising security in the process.
This book will make constant reference to the PCI DSS. PCI DSS, and its related standards, is owned by the PCI Security Standards Council, sometimes known in the industry as PCI Co. Before you start reading this book, you should go to the Council’s Web site at www.pcisecuritystandards.org and download PCI DSS version 3.0 and the Report on Compliance Reporting Instructions. You can find the relevant documents by clicking on “PCI Standards & Documents,” then “Documents Library.”

As of this publication, PCI DSS is at version 3.0. This book will highlight any significant changes between the previous version 2.0 and this version, and give you compliance tips from the perspective of someone complying with the standard.
WHO SHOULD READ THIS BOOK?
Every company that accepts card payments, processes credit or debit card transactions, stores payment card data, or in any other way touches personal or sensitive data associated with payment card processing is affected by the PCI DSS. Nowadays, this means that virtually all businesses, no matter how big or small, need to understand their PCI DSS scope and how to implement PCI controls to reduce their compliance risk, or face penalties, potentially to the point of losing their ability to process payments legally and cost-effectively.
Even with such a broad audience compelled to comply with PCI DSS, this book had to be written for a specific technical level. This book could have been written in very simple terms to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement all controls mandated by PCI DSS. This book aims in the middle and is more of a strategic guide to help management and practitioners understand the implications of PCI DSS and what it takes to be compliant. Ultimately, our goal in writing this book was to demystify some of the challenges with PCI DSS and allow readers to understand the right questions to ask of their peers to work toward compliance.
Overall, the book is useful for every stakeholder in an organization dealing with credit cards. This includes executive management, IT and IT security management, network and server administrators, application developers, database managers, legal, marketing, sales, HR, front-line managers, and anyone interested in payment security.
Because of the wide impact that PCI DSS has on any organization, this book is like the small business with five employees—it can wear multiple hats and will appeal to multiple audiences. This book is for the IT managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size businesses that don’t have an IT department to delegate to. This book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant. This book is intended as an introduction to PCI DSS, but with a deeper and more technical understanding of how to put it into action. Finally, even PCI (and anti-PCI) “literati” will benefit from the stories and case studies we present!
HOW TO USE THE BOOK IN YOUR DAILY JOB
You can use the book during the entire lifecycle from complete PCI unawareness
to ultimate security and compliance enlightenment. Specifically, you can use it as
provided in the following:
• Learn what PCI DSS is and why it is here to stay,
• Understand how it applies to you and your organization,
• Learn what to do about each of the 12 main requirements,
• Learn how to deal with PCI assessors and internal auditors,
• Learn how to plan and manage your PCI DSS project,
• Understand all the technologies referenced by PCI DSS,
• Learn how to form strategies for removing portions (or indeed all) of your
company from scope,
• Get the best experience out of what can be seen as a painful assessment and
remediation process.
WHAT THIS BOOK IS NOT
While reading the book, remember that this is not the book that will unambiguously answer every esoteric PCI DSS question. There is simply no way to create a book with every use case in it with the goal of answering PCI DSS questions as the regulation applies to your own environment. Indeed, there is similarity in how networks and systems are deployed, but given the broad applicability of PCI DSS—from small e-commerce sites to huge worldwide retailers—there is no way to have a book “customized” for your networks, systems, and applications. It is not meant to be the final authority for all issues related to PCI DSS, and it is not the unabridged guide to all things PCI DSS. Finally, even though the book is written using one of the authors’ QSA¹ and consulting experiences, your acquiring bank is the ultimate judge of most PCI “puzzles” you will face on your journey to compliance, and your QSA (or another similarly credentialed and experienced individual) should be your guide to lead you to the top of PCI Compliance Mountain.
ORGANIZATION OF THE BOOK
Each chapter of the book is designed to provide you with the information you need to know in a way that you can easily understand and apply. The chapters in this book follow a common structure which, wherever possible, includes the description of the PCI DSS requirement, the value of the requirement for PCI DSS and security, common tips and select tools useful for satisfying the requirement, as well as common mistakes and pitfalls.
¹ The term QSA and the role of QSAs in PCI DSS assessments will be explained in Chapter 3.
In simple and direct terms, we will first explain the control or concept we are talking about in a way that illustrates its intent. Then, we explain where this concept sits in PCI DSS and why it is needed for information security, that is, how it reduces risk. Next, we explain what you should do with this concept to be secure and compliant, using examples and common practices. Most chapters have detailed and entertaining case studies. When we said that we will make PCI DSS fun, we really meant it! Most chapters have a summary that provides a brief recap of the concepts discussed to reinforce what you read or to help you identify areas that you may need to re-read if you feel you don’t understand them yet. Where possible, we also try to highlight common mistakes and pitfalls with these requirements or PCI concepts.
SUMMARY
This section provides a brief description of the information covered in each chapter:
• Chapter 1: About PCI and This Book—This chapter explains why PCI DSS is
special and what this book is about.
• Chapter 2: Introduction to Fraud, Identity Theft, and Regulatory Mandates—This chapter explains cybercrime and regulations and takes a brief look at payment card fraud, cybercrime, identity theft, and other topics surrounding PCI DSS.
• Chapter 3: Why Is PCI Here?—This chapter gives an overview of PCI DSS and
why the card industry was compelled to create it. This chapter also includes
some discussion about the benefits of PCI DSS compliance and the risks of
noncompliance.
• Chapter 4: Determining and Reducing Your PCI Scope—Every successful project around PCI DSS hinges on correctly scoping the environment. Expect to learn exactly how to scope your environment, learn ways to reduce it, and get tips for planning your PCI DSS projects.
• Chapter 5: Building and Maintaining a Secure Network—This chapter explains the fundamental step in protecting cardholder data and other electronic data: making your network secure in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.
• Chapter 6: Strong Access Controls—This chapter covers one of the most
important aspects of PCI DSS compliance: access control. The information in
this chapter includes restricting access to only those individuals who need it, as
well as restricting physical access to computer systems.
• Chapter 7: Protect Cardholder Data—This chapter explains how to protect the
card data stored in your systems, as well as how to protect data while it is in
transit on your network.
• Chapter 8: Using Wireless Networking—This chapter covers wireless security issues and the wireless security controls and safeguards mandated by PCI DSS. We include concepts that can be widely applied to Wi-Fi, Bluetooth, cellular, satellite, and emerging standards like Zigbee.
• Chapter 9: Vulnerability Management—This chapter explains performing
vulnerability assessments to identify weaknesses in systems and applications,
and how to mitigate or remediate the vulnerabilities to protect and secure
your data.
• Chapter 10: Logging Events and Monitoring the Cardholder Data
Environment—This chapter discusses how to configure logging and event
data to capture the information you need to be able to show and maintain PCI
compliance, as well as how to perform other security monitoring tasks.
• Chapter 11: Cloud and Virtualization—This chapter is a long time in the
making, and we hope will serve as a fantastic guide to the rather challenging
topic of leveraging these technologies in a PCI DSS environment.
• Chapter 12: Mobile—We are increasingly reliant on mobile devices in our interactions with the world, from our customers to our employees. You can safely use mobile technologies, and we will discuss how.
• Chapter 13: PCI for the Small Business—PCI DSS isn’t just for big box retailers
and large banks. Whether you handle millions or hundreds of cards per year, you
must comply with the DSS. This chapter includes tips on how to achieve PCI
Compliance in a small business, subsidiary, or satellite office setting.
• Chapter 14: Managing a PCI DSS Project to Achieve Compliance—This chapter gives an overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in future projects to proactively ensure they are PCI compliant.
• Chapter 15: Don’t Fear the Assessor—This chapter shows that an assessor is there to work with you to validate your compliance and help you with security. They are only your enemy if you treat them that way. This chapter explains how to use the findings from a failed assessment to build ongoing compliance and security.
• Chapter 16: The Art of Compensating Control—This chapter explains how
compensating controls are often talked about and misunderstood. This chapter
will help build understanding and confidence in the reader when dealing with
this tricky and often ambiguous component of PCI DSS, and most importantly,
give you tips on creating your own controls.
• Chapter 17: You’re Compliant, Now What?—This chapter covers the details
you need to keep in mind once you have achieved compliance. Security is not as
simple as just getting it implemented. You have to monitor and maintain it. This
chapter contains information about ongoing training and periodic reviews, as
well as how to conduct a self-assessment to ensure continued compliance.
• Chapter 18: Emerging Technologies and Alternative Payment Schemes—This
chapter looks to the future of payments and how they will impact your PCI DSS
strategies.
• Chapter 19: PCI DSS Myths and Misconceptions—This final chapter explains
common but damaging PCI myths and misconceptions, as well as the reality
behind them.