PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance Fourth Edition Branden R. Williams Anton A. Chuvakin Technical Editor Derek Milroy AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Syngress is an Imprint of Elsevier Syngress is an imprint of Elsevier 225 Wyman Street, Waltham, MA 02451, USA Copyright © 2015 Elsevier Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions. This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein). Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein. Library of Congress Cataloging-in-Publication Data Application Submitted British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library For information on all Syngress publications visit our web site at http://store.elsevier.com/ ISBN: 978-0-12-801579-7 This book has been manufactured using Print On Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate. Foreword APT. Cybercrime. Hacktivism. PCI. Those are a few of the subjects that keep security leaders up at night. If you are wondering how PCI ended up on that short list and why it may cause bouts of insomnia, simply ask someone who has to deal with PCI DSS (Payment Card Industry Data Security Standard) assessments on a regular basis and you are guaranteed to receive strong responses. Yelling matches between security leaders and their PCI assessors over terms such as “segmenta- tion,” “isolation,” “unrecoverable,” and “significant change” have become all too commonplace. There is little argument that the prescriptive nature and detailed requirements of the DSS are a good guide for security professionals to benchmark and improve im- mature information security programs. However, the PCI DSS presents a paradox for mature programs. The narrow focus of the DSS on credit card data requires artificial boundaries and duplicate control investments. This can lead to more complex net- work and security architectures as well as increased hardware, software, and labor costs. It can, in certain situations, also lead to bad business risk decisions in order keep non-PCI systems out of scope of the annual assessment. It is for these reasons that PCI has become a controversial, disruptive, and insomnia-inducing influence inside many large (and some medium/small) organizations. Even if PCI DSS assessments are nothing new to you, it would probably be a good time for a refresher course in not only the basics of the PCI standard but also the changes that will be going into effect with PCI DSS 3.0. Obviously familiar- izing yourself with the changes in the standard from 2.0 to 3.0 is a great start but most likely not enough. One of the best things you can do to prepare yourself for the updated standard is to read this book cover to cover. Then re-read sections on managing the assessment scope, running the PCI assessment project as an ongoing program, and how to work well with your assessors (they’re not the enemy!). Once you’ve read the book I would suggest keeping it handy as a reference guide. I know that I will have this book in my office, highlighted, bookmarked, and within easy reach over the next few years as conflicts between business requirements and PCI compliance arise. Dan Glass Senior Manager Information Systems Security American Airlines xiii Acknowledgments PCI DSS 3.0 is here, and boy is it a doozy! Both Anton and I are very thankful that you continue to support our efforts and read our work. This book is dedicated to my family for supporting the effort to make this work the central tome for the industry. When we started this journey, my youngest wasn’t even a year old. Now she’s going into Kindergarten. Once again, we need to give a HUGE thanks to Derek Milroy for stepping up and providing great content around Windows, vulnerability management, and being the sole technical editor for this book. You will find his influence in every chapter of this edition. And finally, to you, the reader. Whether you are in internal audit, a QSA, or simply someone responsible for some portion of PCI DSS, you live in the trenches implementing solutions every day. The bad guys will never stop, so remember to build securely! — Dr. Branden R. Williams xv CHAPTER 1 About PCI DSS and this book INFORMATION IN THIS CHAPTER: • Who should read this book? • How to use the book in your daily job • What this book is not • Organization of the book • Summary The Payment Card Industry Data Security Standard (PCI DSS) celebrated its ninth year (December 15, 2004) and the PCI Security Standards Council its eighth birthday (September 7, 2006) as of this writing. Most of you reading these words have prob- ably heard about PCI DSS, worked on a project tied to PCI DSS compliance, or said a few words out loud about PCI DSS that would have earned at least one of the au- thors a big smack across the face from his mother. For those of you just starting with PCI DSS, we authors hope this book can be your guide to a successful end result—a sustainable compliance program that exceeds the baseline security standards set forth in PCI DSS 3.0. If you are like most professionals, the idea of becoming compliant with PCI DSS, or countless other regulations, does not sound fun. Information technologists and information security professionals aren’t the only ones who share this feeling. Not only have C-Level individuals and other non-information technology (IT) (business) personnel had to deal with compliance and regulation around payments at some point in the last 8 years of their career, but we have even given rise to a new C-Suite position—the Chief Compliance Officer (CCO). While the CCO is not a new p osition with articles dating back to the mid-1970s referencing the moniker, the challenging landscape that companies must navigate necessitated more focus upon this function in the wake of Sarbanes–Oxley (SOX), PCI DSS, Health Insurance Portability and Accountability Act (HIPAA), and others. Compliance efforts are rarely described as fun among those working with them. Painful is probably a better description. Whether it is the pain of not knowing what to do, pain of failing the assessment, or pain of “doing compliance” without an ad- equate budget, there are plenty of challenges that compliance—PCI DSS compliance in particular—have in common with pain. Thus, we face the seemingly impossible challenge to write a fun and insight- ful book about PCI DSS. We realize the near impossible task ahead, and we are 1 2 CHAPTER 1 About PCI DSS and this book committed to the challenge. We’d like to invite you, our reader, to travel with us in the hopes that when you turn the last page, you would come to realize that PCI DSS compliance can indeed be (YES) fun! There are many standards and regulations out there. If your company’s stock is publicly traded in the United States, you must adhere to the SOX mandates. Financial companies fall under the Gramm–Leach–Bliley Act. Those in the energy sector work toward North American Electric Reliability Corporation, Federal Energy Regulatory Commission, or Critical Infrastructure Protection standards. If you are in the health care industry, your network must comply with the HIPAA standards as updated re- cently in legislation focused on electronic health records. Other countries have their own “alphabet soup” of standards such as British Science Institute (BSI), Russian GOST (Russian for “gosudarstvennyy standart” or “state standard”), worldwide Inter- national Organization for Standardization/International Electrotechnical Commission, and so on. PCI DSS occupies a special place among the standards for two reasons: broad, worldwide applicability, and the presence of enforcement mechanism that is seen as imminent and unavoidable, unlike for some other mentioned regulations. The overarching theme of all these standards, laws, and regulations is that orga- nizations need to secure data and protect their networks to keep citizens’ data safe. In some cases, weak information security may only affect one company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the victimized company. A breach dealing with hundreds of millions of customers, such as a payment card processor, will have implications touching nearly every family; thus, decreasing such occurrences is in the public interest. Recent breaches have brought this concept back to the forefront as malware authors have advanced their capabilities and tenacity; thus, even subverting some of the very basic controls de- signed in many of these compliance initiatives. Visa, MasterCard, American Express, Discover, and JCB developed PCI DSS together to ensure that credit card customer information and the associated payment systems are adequately protected from fraud. Breaches of customer information lead to financial loss and damaged reputations. The credit card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards, which could lead to expensive and invasive governmental regulation. We will use our experience with PCI DSS, both from the PCI Qualified Security Assessor (QSA) side and the information security side, to explain the most up-to- date PCI DSS guidelines to you (version 3.0 as of this writing). The objective of this book is not only to teach you about the PCI DSS requirements but to help you understand how the PCI DSS requirements fit into an organization’s information se- curity framework and how to effectively implement information security controls so that you can be both compliant and secure. In addition, we will cover ways to do this in the easiest and most pain-free way without compromising security in the process. This book will make constant reference to the PCI DSS. PCI DSS, and its related standards, is owned by the PCI Security Standards Council, sometimes known in the industry as PCI Co. Before you start reading this book, you should go to the Council’s Who should read this book? 3 Web site at www.pcisecuritystandards.org and download PCI DSS version 3.0 and the Report on Compliance Reporting Instructions. You can find the relevant docu- ments by clicking on “PCI Standards & Documents,” then “Documents Library.” As of this publication, PCI DSS is at version 3.0. This book will highlight any significant changes between the previous version 2.0 and this version, and give you compliance tips as someone complying with the standard. WHO SHOULD READ THIS BOOK? Every company that accepts card payments, processes credit- or debit card transac- tions, stores payment card data, or in any other way touches personal or sensitive data associated with payment card processing is affected by the PCI DSS. Nowadays, it means that virtually all businesses, no matter how big or small, need to understand their scope of PCI DSS and how to implement PCI controls to reduce their compli- ance risk, or face penalties potentially to the point of losing their ability to cost- effectively and legally process payments. Even with such a broad audience compelled to comply with PCI DSS, this book had to be written for a specific technical level. This book could have been written in very simple terms to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement all controls mandated by PCI DSS. This book aims in the middle and is more of a strategic guide to help management and practitioners understand the implications of PCI DSS and what it takes to be compliant. Ultimately, our goal in writing this book was to demystify some of the challenges with PCI DSS and allow readers to understand the right ques- tions to ask of their peers to work toward compliance. Overall, the book is useful for every stakeholder in an organization dealing with credit cards. This would include executive management, IT and IT secu- rity management, network, server, application developers, database managers, legal, marketing, sales, HR, front-line managers, and anyone interested in pay- ment security. Because of the wide impact that PCI DSS has on any organization, this book is like the small business with five employees—it can wear multiple hats and will appeal to multiple audiences. This book is for the IT managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size businesses that don’t have an IT department to delegate to. This book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant. This book is intended as an introduction to PCI DSS, but with a deeper and more technical understanding of how to put it into action. Finally, even PCI (and anti-PCI) “literati” will benefit from the stories and case studies presented by us! 4 CHAPTER 1 About PCI DSS and this book HOW TO USE THE BOOK IN YOUR DAILY JOB You can use the book during the entire lifecycle from complete PCI unawareness to ultimate security and compliance enlightenment. Specifically, you can use it as provided in the following: • Learn what PCI DSS is and why it is here to stay, • Understand how it applies to you and your organization, • Learn what to do about each of the 12 main requirements, • Learn how to deal with PCI assessors and internal auditors, • Learn how to plan and manage your PCI DSS project, • Understand all the technologies referenced by PCI DSS, • Learn how to form strategies for removing portions (or indeed all) of your company from scope, • Get the best experience out of what can be seen as a painful assessment and remediation process. WHAT THIS BOOK IS NOT While reading the book, remember that this is not the book that will unambiguously answer every esoteric PCI DSS question. There is simply no way to create a book with every use case in it with the goal of answering PCI DSS questions as the regu- lation applies to your own environment. Indeed, there is similarity in how networks and systems are deployed, but given the broad applicability of PCI DSS—from small e-commerce sites to huge worldwide retailers—there is no way to have a book “cus- tomized” for your networks, systems, and applications. It is not meant to be the final authority for all issues related to PCI DSS, and it is not the unabridged guide to all things of PCI DSS. Finally, even though the book is written using one of the authors’ QSA1 and consulting experiences, your Acquiring Bank is the ultimate judge of most PCI “puzzles” you will face on your journey to compliance and your QSA (or other similarly credentialed and experienced individual) should be your guide to lead you to top of PCI Compliance Mountain. ORGANIZATION OF THE BOOK Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. The chapters in this book follow a common structure which, wherever possible, includes the description of the PCI DSS requirement, the value of the requirement for PCI DSS and security, com- mon tips and select tools useful for satisfying the requirement, as well as common mistakes and pitfalls. 1The term QSA and the role of QSAs in PCI DSS assessments will be explained in Chapter 3. Summary 5 In simple and direct terms, we will first explain the control or concept we are talk- ing about in a way that illustrates its intent. Then, we explain where this concept sits in PCI DSS and why it is needed for information security, that is, how it reduces risk. Next, we explain what you should do with this concept to be secure and compliant using examples and common practices. Most chapters have detailed and entertain- ing case studies. When we said that we will make PCI DSS fun, we really mean it! Most chapters have a summary that provides a brief recap of the concepts discussed to reinforce what you read or to help you identify areas that you may need to re-read if you feel you don’t understand them yet. Where possible, we also try to highlight common mistakes and pitfalls with these requirements or PCI concepts. SUMMARY This section provides a brief description of the information covered in each chapter: • Chapter 1: About PCI and This Book—This chapter explains why PCI DSS is special and what this book is about. • Chapter 2: Introduction to Fraud, Identity Theft, and Regulatory Mandates— This chapter explains cybercrime and regulations and is a brief look at payment card fraud, cybercrime, Identity theft, and other things around PCI DSS. • Chapter 3: Why Is PCI Here?—This chapter gives an overview of PCI DSS and why the card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks of noncompliance. • Chapter 4: Determining and Reducing Your PCI Scope—Every successful project around PCI DSS hinges on correctly scoping the environment. Expect that you should learn exactly how to scope your environment, learn ways to reduce it, and get tips for planning your PCI DSS projects. • Chapter 5: Building and Maintaining a Secure Network—This chapter explains fundamental steps in protecting PCI DSS and other electronic data: making your network secure in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance. • Chapter 6: Strong Access Controls—This chapter covers one of the most important aspects of PCI DSS compliance: access control. The information in this chapter includes restricting access to only those individuals who need it, as well as restricting physical access to computer systems. • Chapter 7: Protect Cardholder Data—This chapter explains how to protect the card data stored in your systems, as well as how to protect data while it is in transit on your network. • Chapter 8: Using Wireless Networking—This chapter covers wireless security issues and wireless security controls and safeguards managed by PCI DSS. We include concepts that can be widely applied to Wi-Fi, Bluetooth, cellular, satellite, and emerging standards like Zigbee. 6 CHAPTER 1 About PCI DSS and this book • Chapter 9: Vulnerability Management—This chapter explains performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data. • Chapter 10: Logging Events and Monitoring the Cardholder Data Environment—This chapter discusses how to configure logging and event data to capture the information you need to be able to show and maintain PCI compliance, as well as how to perform other security monitoring tasks. • Chapter 11: Cloud and Virtualization—This chapter is a long time in the making, and we hope will serve as a fantastic guide to the rather challenging topic of leveraging these technologies in a PCI DSS environment. • Chapter 12: Mobile—We are increasingly becoming reliant on mobile devices in our interactions with the world from our customers to our employees. You can safely use Mobile technologies, and we will discuss how. • Chapter 13: PCI for the Small Business—PCI DSS isn’t just for big box retailers and large banks. Whether you handle millions or hundreds of cards per year, you must comply with the DSS. This chapter includes tips on how to achieve PCI Compliance in a small business, subsidiary, or satellite office setting. • Chapter 14: Managing a PCI DSS Project to Achieve Compliance—This chapter gives an overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in future projects and to proactively ensure they are PCI compliant. • Chapter 15: Don’t Fear the Assessor—This chapter makes you understand that an assessor is there to work with you to validate your compliance and help you with security. They are only your enemy if you treat them this way. This chapter explains how to use the findings from a failed assessment to build ongoing compliance and security. • Chapter 16: The Art of Compensating Control—This chapter explains how compensating controls are often talked about and misunderstood. This chapter will help build understanding and confidence in the reader when dealing with this tricky and often ambiguous component of PCI DSS, and most importantly, give you tips on creating your own controls. • Chapter 17: You’re Compliant, Now What?—This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented. You have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-assessment to ensure continued compliance. • Chapter 18: Emerging Technologies and Alternative Payment Schemes—This chapter looks to the future of payments and how they will impact your PCI DSS strategies. • Chapter 19: PCI DSS Myths and Misconceptions—This final chapter explains common but damaging PCI myths and misconceptions, as well as the reality behind them.
Description: