Chapter 6: Step 6 – Establish The Baseline – PCI DSS: A Practical Guide to implementing and maintaining compliance, Third Edition

CHAPTER 6: STEP 6 – ESTABLISH THE BASELINE

This chapter details what needs to be done, as a minimum, in order to comply with the Standard; it is not intended to be complete and should be read in the context of the previous steps – gap analysis and risk management. It is important to note that, whilst this book provides some guidance on interpreting the PCI Data Security Standard, it should in no way be used in isolation; it should be used in conjunction with the Standard and its supporting documentation.

Build and maintain a secure network

Task 1 (Requirement 1) – Install and maintain a firewall configuration to protect data

One of the most critical elements of the PCI Standard is the concept of separating the network and the systems that are involved with the processing and storage of cardholder data. Such components include: firewalls, routers and switches, operating systems, database management systems and applications.

Under this requirement, it is essential that firewall configuration standards are set and that cardholder data is protected. One recommendation is to consider using VLANs37 to logically isolate the traffic involved in credit card processing; this would protect the cardholder data and ensure that only this part of the infrastructure is subject to PCI compliance scope, i.e. the target environment. You will also need to consider how you are going to demonstrate a solid change management process, so that any proposed changes to configurations, firewalls and routers are thoroughly reviewed and impact assessed, and the impact of the changes is understood, documented and approved.

Tip: A good change management process will always include a back out plan (just in case things don’t work out).

Tips for Requirement 1 – ‘Install and maintain a firewall configuration to protect data’:

1 Establish firewall configuration standards.

2 Deny all traffic from untrustworthy networks/hosts, except protocols necessary for cardholder data environment.

3 For any system component storing cardholder data:

a. Restrict connections from publicly accessible servers.

b. Prohibit direct public access from external networks.

4 Implement IP masquerading to prevent internal addresses from being revealed on the Internet.

Task 2 (Requirement 2) – Do not use vendor-supplied defaults for system passwords and other security parameters

This second requirement may seem obvious, but it remains essential to evaluate all PCI-related IT components and generate lists of the default user IDs and passwords. For example, in the Windows® environment, service accounts created under a system administrator’s personal credentials are a good target for review.

You must take a holistic view of each layer and of every component that is involved in the PCI activity, and make sure that all the default system passwords have been disabled and the service accounts have either been disabled or that there is a legitimate reason for them to exist in the first place.

Tips for Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters:

1 Change vendor-supplied defaults before installation.

2 Develop configuration standards for all system components.

3 Encrypt all non-console administrative access.

4 Hosting providers must protect entity’s hosted environment and data.

Protect cardholder data

Task 3 (Requirement 3) – Protect stored cardholder data

This requirement begins with the encryption of any information that concerns cardholder data. It is a very challenging requirement for many entities to meet, in part because of performance expectations and the complexities created by system integration. You will have to maintain a good record of managing encryption mechanisms (cryptographic keys) and make sure there is a policy in place. Managing this requirement extends through the entire IT environment, from the point-of-sale or website to the data centre, and can therefore be very intensive.

Tips for Requirement 3 – Protect stored cardholder data:

1 Store as little cardholder data as possible.

2 Develop and test a data retention/disposal policy.

3 Do not store sensitive data (subsequent to authorisation) at all, even if encrypted.

4 Mask PAN when displayed.

5 Render PAN unreadable anywhere it is stored.

6 Protect encryption keys.

7 Document and implement all key management processes.
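As an added example (not from the book or from the Standard’s own documentation), the Python below shows one way of checking tips 4 and 5 in practice: it finds PAN-like digit strings in text such as log lines or exported records, confirms them with the Luhn check so that order numbers and timestamps are not mistaken for cards, and masks them to the first six and last four digits, the most PCI DSS permits for display. The regular expression, the masking rule and the sample records are constructed for this example.

```python
# Added example (not from the book): detect PAN-like digit strings in text
# and mask them. PCI DSS permits at most the first six and last four digits
# to be displayed; the sample records below are constructed for this example.
import re
from typing import List

# Candidate PANs: 13-19 digits, optionally separated by single spaces/hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PAN candidates found in text (digits only)."""
    found = [re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text)]
    return [d for d in found if luhn_valid(d)]

def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other
    long digit strings (order ids, timestamps) are left untouched."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_sub, text)

# Constructed sample log lines; 4111111111111111 and 5555555555554444 are
# the well-known Visa and Mastercard test numbers, not real cards.
SAMPLE_LOG = [
    "2024-01-09 auth ok card=4111111111111111 amount=19.99",
    "2024-01-09 auth ok card=5555 5555 5555 4444 amount=5.00",
    "2024-01-09 order id=1234567890123 status=shipped",  # fails Luhn
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running `find_pans` over exported files and logs is also a quick way to check tip 1 (that PANs are not being stored where they are not expected); the masked form drops the original separators, so `5555 5555 5555 4444` becomes `555555******4444`.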

Task 4 (Requirement 4) – Encrypt transmission of cardholder data and sensitive information across public networks

This requirement ensures that any traffic going over the public Internet, whether inbound to or outbound from an entity’s website, is encrypted. Entities may meet this requirement using a number of technologies, including Secure Sockets Layer (SSL), IPSec, WPA and WPA2.

Tips for Requirement 4 – Encrypt transmission of cardholder data and sensitive information across public networks:

1 Use strong encryption and security protocols.

2 Never send unencrypted PANs by e-mail.

Maintain a vulnerability management programme

Task 5 (Requirement 5) – Use and regularly update anti-virus software

Anti-virus software provides the first line of defence; you need to ensure, and demonstrate, that the latest signature files are distributed regularly, to both entity-side and server-side systems.

Tips for Requirement 5 – Use and regularly update anti-virus software:

1 Deploy anti-virus (anti-malware) software on all systems commonly affected by malware.

2 Ensure it is current, active and capable of logging.

 

Task 6 (Requirement 6) – Develop and maintain secure systems and applications

Under this requirement, your entity must ensure that the entire infrastructure involved in cardholder and credit card processing is updated as soon as security patches are provided. PCI auditors look for specific evidence that this practice is taking place in the target environment. Another part of this requirement mandates that adequate testing takes place before a patch is applied to production systems (think evidence) and that a solid change control process is in place for all systems and configuration changes. PCI auditors are concerned with how frequently your entity upgrades applications, the quality processes involved, whether there is a traceability index, and whether they can pinpoint specifically what changes have been made to each application.

Tips for Requirement 6 – Develop and maintain secure systems and applications:

1 Install latest relevant vendor-supplied security patches within one month of notifications.

2 Have a process to identify new security vulnerabilities and update standards where relevant (this is also in line with Requirement 2).

3 Include information security best practices throughout the software development cycle.

4 Use stringent change control procedures and follow them.

5 Use secure coding guidelines for web application development (e.g. OWASP).

6 Protect all web-facing applications against known attacks.

Implement strong access control measures

Task 7 (Requirement 7) – Restrict access to cardholder data by business ‘need-to-know’

To meet this requirement, you must document each specific function in processing cardholder and credit card transactions and be able to demonstrate that each staff member performs only the function allocated to that role. You must also show who has access to which systems and data (i.e. role-based access control). This separation of function helps to ensure that no one in your entity has access to the entire procedure for processing cardholder data.

Tips for Requirement 7 – Restrict access to cardholder data by business ‘need-to-know’:

1 Limit access to job role only.

2 Restrict user access by ‘need-to-know’ in multi-user systems.

3 Employ role-based access control (RBAC) techniques.

 

Task 8 (Requirement 8) – Assign a unique ID to each person with computer access

Hopefully your entity already has a written information security policy in place. In some cases this is signed by each employee, but it is usually covered in employee contracts. Either way, it should state that all user IDs and credentials are to be used solely by the individual to whom they are assigned and for the task assigned to them (role). You should also ensure that there is a policy for password ageing and that password ageing can be verified and validated. For example, if your policy states that passwords should be changed every thirty days, you should be able to prove that passwords are actually changed within that timeframe.

You should also be able to demonstrate that there is an automatic provisioning process in place for new recruits and for employees who transfer to other positions whilst still in your employment. In addition, the information security policy should state what the disciplinary procedures (or repercussions) are should a violation of policy occur.

Tips for Requirement 8 – Assign a unique ID to each person with computer access:

1 Assign unique user ID before granting system access.

2 Use authentication mechanisms to ensure correct person logging on.

3 Implement two-factor authentication for remote users.

4 Encrypt all passwords during transmission and also whilst in storage.

5 Ensure proper authentication and password management for non-consumer users and administrators.

 

Task 9 (Requirement 9) – Restrict physical access to cardholder data

To meet this requirement, you need to monitor access in sensitive areas, deploy procedures to track those who enter or leave the environment, and ensure that audit trails are stored in a safe location, in an encrypted format, and with good physical security.

Tips for Requirement 9 – Restrict physical access to cardholder data:

1 Employ stringent access entry controls to the facility.

2 Distinguish between visitors and employees (clear and coloured badges).

3 Ensure formal visitor handling, accompany all visitors.

4 Ensure visitor logs are retained and available following an incident.

5 Store back-ups in a secure off-site location.

6 Physically secure all media with cardholder data.

7 Control media distribution.

8 Require management approval for all media moved from secure areas.

9 Control storage and accessibility.

10 Destroy media with cardholder data when not needed.

Regularly monitor and test networks

Task 10 (Requirement 10) – Track and monitor all access to network resources and cardholder data

Under this requirement you must track and monitor all access to network resources and cardholder data – including during day-to-day, real-time, and dynamic events. To do so, you must have a clear policy about the kinds of data being logged and ensure the integrity of the data being logged. Importantly, and as per requirement 7, only those who ‘need-to-know’ should have access to cardholder data.

During a typical credit card transaction, log data is generated and flows through the network and is processed with business information, including payment authorisation, risk screening, fulfilment, and settlement. Hackers know that there are vulnerabilities in these processes that leave data unprotected. Internal threats such as insider misuse are also of great concern and therefore you should have an audit trail in place to be able to track and monitor unauthorised access.

Tips for Requirement 10 – Track and monitor all access to network resources and cardholder data:

1 Be able to identify who has access to what, especially with administration privileges.

2 Implement automated audit trails for all systems.

3 Ensure you have configured components to reconstruct specific events (for subsequent investigation).

4 Record audit trails for specific system events.

5 Ensure all servers and workstations are receiving regular time updates from a single synchronised clock server.

6 Secure audit trails to prevent alteration.

7 Review system logs daily and establish a mechanism to escalate in an emergency.

8 Retain audit trails for one year minimum, with three months minimum available online.
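As an added example (not from the book), the Python below illustrates tip 6 and the point made above about ensuring the integrity of what is logged: a tamper-evident audit trail in which each entry carries an HMAC over its own content and the previous entry’s tag, so that altering, deleting or re-ordering a stored entry is detected on verification. The key, the field names and the sample events are constructed for this example.

```python
# Added example (not from the book): a tamper-evident audit trail in which
# each entry carries an HMAC over its own content and the previous entry's
# tag. Altering, deleting or re-ordering a stored entry breaks verification.
# The key and the events are constructed for this example.
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key. In practice keep it off the logged host (e.g. on a
# central log server or in an HSM) so a local administrator cannot re-sign.
LOG_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64  # tag assumed for the entry before the first one

def _tag(prev_tag: str, content: Dict) -> str:
    # Canonical JSON so the same event always produces the same tag.
    body = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def append(trail: List[Dict], event: Dict) -> Dict:
    """Append event to trail, chaining it to the previous entry's tag."""
    prev = trail[-1]["tag"] if trail else GENESIS
    entry = dict(event, seq=len(trail))  # position is part of what is signed
    entry["tag"] = _tag(prev, entry)
    trail.append(entry)
    return entry

def verify(trail: List[Dict]) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first
    entry whose position or tag does not check out."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        content = {k: v for k, v in entry.items() if k != "tag"}
        if entry.get("seq") != i or not hmac.compare_digest(
                entry["tag"], _tag(prev, content)):
            return i
        prev = entry["tag"]
    return -1

def sample_trail() -> List[Dict]:
    """Constructed events: who touched which cardholder-data resource."""
    trail: List[Dict] = []
    append(trail, {"ts": "2024-01-09T10:00Z", "user": "dba01", "action": "SELECT", "object": "card_vault"})
    append(trail, {"ts": "2024-01-09T10:05Z", "user": "admin2", "action": "LOGIN", "object": "pos-srv-1"})
    append(trail, {"ts": "2024-01-09T10:07Z", "user": "dba01", "action": "DELETE", "object": "card_vault"})
    return trail
```

Removing entries from the end of the trail is not caught by `verify` alone, so the latest tag should also be recorded on a separate system (the central log server) and compared during the daily review of tip 7.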

Task 11 (Requirement 11) – Regularly test security systems and processes

To meet this requirement, you will need to demonstrate that your IT department regularly undertakes testing to ensure that all other requirements are met. The quarterly vulnerability scan, which focuses on penetration testing from the outside, comes into play here, as well as capabilities in place for integrity checking within your entity.

Tips for Requirement 11 – Regularly test security systems and processes:

1 Test networks annually, and test wireless at least quarterly.

2 Vulnerability scans at least quarterly and after significant network changes.

3 Penetration test at least annually and after major changes.

4 Use network and host-based IDS, and intrusion prevention software.

5 Deploy file integrity monitoring software.

Maintain an information security policy

Task 12 (Requirement 12) – Maintain a policy that addresses information security for employees and contractors

All the available Gartner and Forrester reports continually indicate that only approximately 30 per cent of entities have a written security policy in place. Yet, as discussed in previous sections, having a sound written information security policy (and its supporting policies) is the foundation for a solid information security management system. It is also essential to fulfilling the requirements of the PCI audit.

Tips for Requirement 12 – Maintain a policy that addresses information security for employees and contractors:

1 Establish, publish, maintain and disseminate a security policy that:

a. Addresses all requirements in the PCI DSS.

b. Includes an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.

c. Includes an annual review, and updates when the environment changes.

2 Develop daily operational security procedures.

3 Develop usage policies for critical employee-facing technologies.

4 Include clearly defined InfoSec responsibilities for all employees, contractors and third parties.

5 Assign responsibility for information security to one person or a team.

6 Implement a formal security awareness programme.

7 Screen potential employees and ensure references are validated.

8 Service providers must contractually adhere to the PCI DSS and accept responsibility for data held.

9 Implement an incident response plan.

10 Implement policies and procedures to manage all ‘connected entities’ and key third parties that provide outsourced arrangements.

Hopefully, this section has provided a flavour of the work required to ensure PCI compliance. There is still a lot to be done, but take heart that once the ‘baseline’ is achieved maintaining, monitoring and improving it should be straightforward, assuming you have followed the minimum guidance provided in this guide.

There is one last significant task that should be completed once the baseline has been achieved, and that is to update the security improvement plan. Don’t forget that this document, having had significant input from the gap analysis and risk analysis, now needs to be updated to demonstrate progress and ongoing PCI improvement.

Tip: Don’t forget to update the project plan and risk register as well.

_______________

37 A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same wire, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same LAN segment. Network reconfiguration can be done through software instead of physically relocating devices.