Frequently asked questions on the road to PCI DSS compliance

Sergey Shustikov, Digital Security
Head of information security governance direction, CISA, PCI QSA
March 17, 2010


A talk about some concerns on the way to PCI DSS compliance.



Page 2: Frequently asked questions on the road to PCI DSS compliance

© 2002—2010, Digital Security

PCI DSS


1. Developed and promoted by the PCI Security Standards Council (PCI SSC), founded by the Visa, MasterCard, American Express, Discover and JCB payment brands

2. PCI DSS compliance is necessary for every company that stores, processes or transmits cardholder data: banks, processors, merchants and service providers

3. An annual onsite QSA assessment is required for every company that processes more than 300,000 PANs per year

4. As of March 2010, only 6 service providers in Russia have validated their PCI DSS compliant status


Page 3: Frequently asked questions on the road to PCI DSS compliance


Road to PCI Compliance



Page 4: Frequently asked questions on the road to PCI DSS compliance


Milestones on the Road to PCI Compliance


1. QSA pre-assessment

• Report on Compliance (ROC)

• Action Plan (AP): a formal table with dates only (!)

2. Development of QSA recommendations for resolving non-compliance

• Expert report of the QSA consultant with detailed recommendations on how to treat the compliance issues and reduce the cardholder data security risks

3. Development of the technical project

• Approved technical project describing all planned changes and solutions

4. Implementation of the developed solutions

• Acceptance report

5. Performing the mandatory checks

• Penetration testing report

• ASV scanning report

6. Certification QSA assessment

• Report on Compliance (ROC)

• Certificate of Compliance


Page 5: Frequently asked questions on the road to PCI DSS compliance


Question 1: Scoping


1. PCI DSS requirements apply to all systems that store, process or transmit cardholder data (the cardholder data environment, CDE)

2. PCI DSS requirements also apply to all connected systems that are not separated from the cardholder data environment by a securely configured firewall

3. For a bank's in-house processor there is a difference between the scope of PCI DSS applicability and the scope of PCI DSS validation:

• PCI DSS requirements apply to all cardholder data business processes, both issuing and acquiring

• The acquiring process is the subject of the QSA assessment

• A payment brand can decide to assign a QSA assessment of the issuing process for a particular organization (http://selfservice.talisma.com/article.aspx?article=5391&p=81)


Page 6: Frequently asked questions on the road to PCI DSS compliance


Question 2: Configuration standards


1. Configuration standards are required by PCI DSS Req. 2.2

2. Best practice: divide the configuration standard into two logical parts:

• A standard that describes the base configuration of a class of devices or software (e.g. Oracle 10g DBMS, Windows XP workstation, Solaris 10 server, Cisco router, D-Link access point);

• A passport for each device or software installation, recording the current values of the parameters of that particular instance.

3. So for each device or software installation you have the base configuration standard of its family plus the fine tuning of that particular instance, documented in its passport

4. It is strongly recommended to embed this documentation into the change management procedures, so that every approved change updates the passport and the standard, the passport and the live configuration stay in step; this also makes information infrastructure management more efficient
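The split into a family baseline and a per-instance passport lends itself to an automated check, shown here as an added example in Go that is not part of the presentation. The parameter names, the host db01, the change ticket CHG-0042 and the live configuration dump are all constructed for the example; a real check would be fed the output of whatever exports the device or software configuration. The check reports three things an assessor will ask about: drift from baseline plus passport, parameters the standard does not cover at all, and passport overrides with no change record behind them.

```go
package main

import (
	"fmt"
	"sort"
)

// Baseline is the configuration standard for one family of systems:
// parameter -> required value. All values here are constructed for the example.
type Baseline map[string]string

// Passport documents one installation: its family and every approved
// deviation from the family baseline, each tied to the change request that
// authorised it (ticket references are hypothetical).
type Passport struct {
	Host      string
	Family    string
	Overrides map[string]string // parameter -> approved value on this host
	Tickets   map[string]string // parameter -> change-management reference
}

// Finding is one parameter whose live value is not explained by
// baseline + passport, or a passport entry with no change record behind it.
type Finding struct {
	Host, Param, Expected, Actual, Reason string
}

// Expected merges the baseline with the passport's overrides. An override
// without a ticket is still applied (it is what the host is meant to run) but
// reported, because undocumented fine tuning is what an assessor will ask about.
func Expected(base Baseline, p Passport) (map[string]string, []Finding) {
	exp := make(map[string]string, len(base))
	for k, v := range base {
		exp[k] = v
	}
	var findings []Finding
	for k, v := range p.Overrides {
		if _, ok := p.Tickets[k]; !ok {
			findings = append(findings, Finding{p.Host, k, base[k], v, "override has no change-management reference"})
		}
		exp[k] = v
	}
	return exp, findings
}

// Check compares a live configuration dump (parameter -> value, as exported
// by whatever manages the host) against baseline + passport.
func Check(base Baseline, p Passport, live map[string]string) []Finding {
	exp, findings := Expected(base, p)
	for k, want := range exp {
		got, ok := live[k]
		switch {
		case !ok:
			findings = append(findings, Finding{p.Host, k, want, "", "parameter missing from live configuration"})
		case got != want:
			findings = append(findings, Finding{p.Host, k, want, got, "drift from baseline/passport"})
		}
	}
	for k, got := range live {
		if _, ok := exp[k]; !ok {
			findings = append(findings, Finding{p.Host, k, "", got, "parameter not covered by the standard"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Param < findings[j].Param })
	return findings
}

// Constructed sample data: a family baseline, one host's passport and a live
// dump taken from that host.
var (
	SampleBaseline = Baseline{
		"sshd.Protocol":        "2",
		"sshd.Port":            "22",
		"sshd.PermitRootLogin": "no",
		"telnet.enabled":       "no",
		"ntp.server":           "ntp.corp.example",
	}
	SamplePassport = Passport{
		Host:      "db01",
		Family:    "linux-db-server",
		Overrides: map[string]string{"sshd.Port": "2222"},
		Tickets:   map[string]string{"sshd.Port": "CHG-0042"},
	}
	SampleLive = map[string]string{
		"sshd.Protocol":        "2",
		"sshd.Port":            "2222",
		"sshd.PermitRootLogin": "yes",
		"telnet.enabled":       "no",
		"ntp.server":           "ntp.corp.example",
		"snmp.community":       "public",
	}
)

func main() {
	for _, f := range Check(SampleBaseline, SamplePassport, SampleLive) {
		fmt.Printf("%s %-22s expected=%q actual=%q: %s\n", f.Host, f.Param, f.Expected, f.Actual, f.Reason)
	}
}
```

On the sample data the approved port change is silent, the root-login drift and the undocumented SNMP community are reported, and removing the ticket from the passport adds a third finding even though the host matches the override.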


Page 7: Frequently asked questions on the road to PCI DSS compliance


Question 3: Cryptography


1. Cryptography is not only encryption of stored and transmitted cardholder data; it also means implementing and using secure key management procedures

2. Key management procedures should be developed for every implemented control that uses cryptographic mechanisms

3. Common failures:

• PANs in the DB are encrypted, but the encryption key is stored on the server's HDD in plain text, so whoever gets the disk image or a file read on the server gets the ciphertext and the key together

• Physical security of cryptographic key media is forgotten during storage and transportation

4. Visa Inc. has issued best practices for data field encryption: http://usa.visa.com/download/merchants/bulletin_encryption_best_practices_10052009.pdf
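An added example, not from the presentation, of the key-management shape that avoids the first common failure above: the PAN is encrypted under a data-encrypting key (DEK) that is stored only in wrapped form, and the key-encrypting key (KEK) is never written to the server at all but assembled in memory from two custodians' components (split knowledge and dual control). It is Go using only the standard library's AES-256-GCM; the in-memory XOR assembly of the KEK stands in for an HSM or key manager, and the PAN 4111111111111111 is a constructed test number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the database row for one PAN: the PAN ciphertext plus the
// data-encrypting key (DEK) wrapped under the key-encrypting key (KEK).
type Record struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
	PANCipher  []byte // AES-256-GCM(DEK, PAN)
}

// RandomKey returns 32 random bytes: a DEK, or one custodian's KEK component.
// crypto/rand.Read is documented never to fail from Go 1.24 on.
func RandomKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

// AssembleKEK XORs the custodians' components: no single custodian knows the
// KEK (split knowledge) and it exists only in memory once every custodian has
// entered a share (dual control). In production this step belongs in an HSM.
func AssembleKEK(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, fmt.Errorf("dual control: at least two components required")
	}
	kek := make([]byte, 32)
	for _, c := range components {
		if len(c) != len(kek) {
			return nil, fmt.Errorf("component must be %d bytes", len(kek))
		}
		for i := range kek {
			kek[i] ^= c[i]
		}
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag under a fresh random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptPAN: fresh DEK per record, PAN sealed under the DEK, DEK sealed under
// the KEK. Only the wrapped DEK goes to storage; the clear DEK is discarded.
func EncryptPAN(kek []byte, pan string) (Record, error) {
	dek := RandomKey()
	panCipher, err := sealGCM(dek, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, PANCipher: panCipher}, nil
}

// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN. A wrong KEK
// fails at the unwrap step because GCM authenticates the wrapped key.
func DecryptPAN(kek []byte, r Record) (string, error) {
	dek, err := openGCM(kek, r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := openGCM(dek, r.PANCipher)
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek, _ := AssembleKEK(RandomKey(), RandomKey())
	rec, _ := EncryptPAN(kek, "4111111111111111") // constructed test PAN
	fmt.Println(DecryptPAN(kek, rec))
}
```

The per-record DEK also makes KEK rotation cheap: re-wrap the small DEK column under the new KEK instead of re-encrypting every PAN. A component on its own is a valid AES key but not the KEK, so an attacker holding one custodian's share, or the database alone, cannot unwrap anything.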


Page 8: Frequently asked questions on the road to PCI DSS compliance


Question 4: Remote access


1. Correct implementation of remote access mechanisms and security controls keeps the remote host out of PCI DSS scope; if cardholder data can be copied to or stored on the remote host, that host is in the CDE, which is why the last rule below matters

2. Rules for a reasonably good remote access implementation:

• A DMZ separated by a firewall

• Proper firewall access control lists

• Two-factor authentication of remote users

• Encryption of the communication channel (VPN)

• Restriction of clipboard use and of cardholder data storage on the remote host


Page 9: Frequently asked questions on the road to PCI DSS compliance


Question 5: Events logging


1. Proper implementation of audit and event log management controls includes a process of regular event log review

2. Commonly a "paranoid" logging mode is turned on, which leads to:

• Impossibility of accurate analysis of all events

• Disk space problems with event log storage

3. The solution comes from understanding the intent of the audit and log management requirements: collect and store only the events that are useful for:

• Security incident identification

• Tracing what happened during a forensic investigation
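An added example, not from the presentation, of the selective approach in Go: a triage pass over constructed syslog-style lines that drops noise, keeps only event classes with incident or forensic value (modelled on the kinds of events PCI DSS Req. 10.2 asks to be logged: authentication events, privileged actions, access to cardholder data, changes to audit trails, creation or deletion of system-level objects) and masks any Luhn-valid PAN in what is kept, so the retained logs do not themselves become cardholder data storage. The regular expressions, the host names and the log lines are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event classes worth retaining, modelled on the kinds of events PCI DSS
// Req. 10.2 asks for. Patterns are constructed for the syslog-style lines in
// this example; real deployments tune them per platform. First match wins.
var keepClasses = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"auth", regexp.MustCompile(`(?i)\b(Accepted|Failed) (password|publickey)\b|authentication failure`)},
	{"privilege", regexp.MustCompile(`(?i)\bsudo:|session opened for user root`)},
	{"cardholder-access", regexp.MustCompile(`(?i)\b(SELECT|UPDATE|DELETE|EXPORT)\b.*\bcards?\b`)},
	{"audit-trail", regexp.MustCompile(`(?i)(auditd|audit log|/var/log).*\b(clear|delete|rotate|stop|truncat)`)},
	{"system-object", regexp.MustCompile(`(?i)\b(useradd|userdel|CREATE TABLE|DROP TABLE)\b`)},
}

// Noise that "paranoid" logging produces and that has no forensic value.
var noise = regexp.MustCompile(`(?i)\b(DEBUG|TRACE)\b|\bhealth ?check\b|\bkeepalive\b`)

// panRe finds 13-19 digit runs; only Luhn-valid ones are treated as PANs.
var panRe = regexp.MustCompile(`\b\d{13,19}\b`)

// LuhnOK reports whether a digit string passes the Luhn check.
func LuhnOK(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the first six and last four digits of every Luhn-valid PAN in
// the line, so retained logs never hold a full PAN.
func MaskPAN(line string) string {
	return panRe.ReplaceAllStringFunc(line, func(m string) string {
		if !LuhnOK(m) {
			return m
		}
		return m[:6] + strings.Repeat("*", len(m)-10) + m[len(m)-4:]
	})
}

// Retained is a line that survived triage, tagged with its event class.
type Retained struct {
	Class string
	Line  string
}

// Triage drops noise, keeps lines that fall into a retained class and masks
// PANs in what is kept; everything else is dropped.
func Triage(lines []string) (kept []Retained, dropped int) {
	for _, line := range lines {
		class := classify(line)
		if noise.MatchString(line) || class == "" {
			dropped++
			continue
		}
		kept = append(kept, Retained{Class: class, Line: MaskPAN(line)})
	}
	return kept, dropped
}

func classify(line string) string {
	for _, c := range keepClasses {
		if c.Re.MatchString(line) {
			return c.Name
		}
	}
	return ""
}

// SampleLog is constructed for this example; it is not real data.
var SampleLog = []string{
	"Mar 17 10:01:02 db01 sshd[2210]: Failed password for invalid user admin from 10.9.8.7 port 51234 ssh2",
	"Mar 17 10:01:05 db01 sshd[2210]: Accepted publickey for dba from 10.1.2.3 port 51240 ssh2",
	"Mar 17 10:02:11 db01 sudo: dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/bin/cat /etc/shadow",
	"Mar 17 10:03:00 db01 app[4120]: DEBUG pool size 32 idle 30",
	"Mar 17 10:03:01 lb01 haproxy[77]: healthcheck backend db01 OK",
	"Mar 17 10:04:40 db01 oracle[5190]: audit: user DBA SELECT from cards where pan=4111111111111111",
	"Mar 17 10:05:12 db01 root: auditd stop requested, /var/log/audit cleared",
	"Mar 17 10:06:00 db01 useradd[6001]: new user: name=svc_batch, UID=1005",
	"Mar 17 10:06:30 db01 app[4120]: INFO request served in 12ms",
}

func main() {
	kept, dropped := Triage(SampleLog)
	for _, r := range kept {
		fmt.Printf("%-18s %s\n", r.Class, r.Line)
	}
	fmt.Printf("dropped %d of %d lines\n", dropped, len(SampleLog))
}
```

Six of the nine sample lines survive (two authentication events, one sudo to root, one query against the cards table with its PAN masked to 411111******1111, one tampering with the audit trail, one user creation); the debug, health-check and routine request lines are dropped before they reach storage. The Luhn filter keeps order numbers and other long digit runs from being masked, so the retained lines stay useful in an investigation.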


Page 10: Frequently asked questions on the road to PCI DSS compliance


Question 6: Information security management system (ISMS)


1. Information security is a process that has a start but no end; it needs to be managed, so the effectiveness of the ISMS is no less important than the effectiveness of the controls implemented

2. The QSA wants to find a daily process, not a bale of dusty paper: "written once, never used"

3. Best practice: use the methodology described in the ISO 27001 and STO BR IBBS-1.0 standards


Page 11: Frequently asked questions on the road to PCI DSS compliance


Question 7: Compensating controls


1. A compensating control may be used only where there are substantiated constraints on implementing the control described in the PCI DSS requirement

2. Fulfilling another PCI DSS requirement cannot be recognized as a compensating control that substitutes for a PCI DSS requirement

3. A compensating control should mitigate the security risk no less effectively than the PCI DSS requirement it substitutes for

4. The restriction on storing sensitive authentication data (CVV2/CVC2, track data, PIN/PIN block) after authorization cannot be substituted by any compensating control

5. A compensating control should be considered a temporary measure, because the easiest way to mitigate the risk is the one described in the requirement itself; all other ways are complicated workarounds


Page 12: Frequently asked questions on the road to PCI DSS compliance


Question 8: Assessment process


1. The assessor decides whether a control is in place or not based on:

• Employee interviews

• Analysis of documentation

• Examination of the configuration of information infrastructure components

• Process observation

2. The assessor collects evidence of the control's operation (records, screenshots, copies of documents)

3. Collected evidence is stored securely at the QSA company for three years from the date of the audit; the evidence, as well as the ROCs, can be requested and examined by the PCI Council during its quality assurance procedures


Page 13: Frequently asked questions on the road to PCI DSS compliance


Questions?


Answers on PCIDSSRU.COM!
