Understanding PCI Compliance (Part 3)

10 April 2013
By Roman Denisenko, Senior QA

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 detailed requirements for card issuing organizations, providers of fee-based services, and to other companies who store, process, or transmit cardholders’ data. Adherence the PCI DSS rules reduce risks and help to defend products from unauthorized attacks.

Having considered the main risks and discussed the first 6 of the 12 requirements we are now close to the end of our PCI DSS tour.

Table 1

Implement Strong Access Control Measures
  1. Restrict access to cardholder data on a business oriented need to know basis
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
Maintain an Information Security Policy
  1. Maintain a policy that addresses information security for all personnel

Implement Strong Access Control Measures

The main purpose of access control is to allow merchants to permit or deny either physical or virtual access to PAN or other cardholder data.

7. Restrict access to cardholder data on a business oriented need to know basis

When operating with cardholder data the separation of access rights is critical. The data should be accessed only by authorized personnel. The access granted to employees should be limited according to their job functions, responsibilities, and needs. Access rights must deny all activities by default and only grant rights when explicitly specified.

8. Assign a unique ID to each person with computer access

Awareness of who had performed an action with cardholder data is also important. Information about authentication restrictions and password policies are also included in this requirement:

  1. Each user must have a unique user name.
  2. Each user must authenticate to the system by using a password or two-factor authentication.
  3. For remote access to the network, the two-factor authentication must be implemented. Use of virtual private networks (VPN) with individual certificates or a terminal access controller access-control system with tokens is also mandatory.
  4. The storage and transmission of passwords should be held in encrypted form.
  5. Password must be at least seven characters and contain both numeric and alphabetic symbols.
  6. Password must be changed to a new one at least every 90 days. It shouldn’t match the previous four passwords used.
  7. There should be no more than 6 grace logins available. After the seventh unsuccessful attempt access should be blocked for a minimum of 30 minutes.
  8. An active user`s session must be locked out automatically after more than 15 minutes of idle.

9. Restrict physical access to cardholder data

The ability to physically access cardholder data is also a key point. Any physical access to the data or systems that accommodate cardholder data provides the opportunity to access devices or data and to remove systems or hardcopies for users. The PCI standard sets thte following restrictions on the physical side:

  1. Merchant must limit and monitor all physical access to systems.
  2. Merchant must use video cameras to monitor entry and exit points to cardholder data storage facilities.
  3. All employees must be easily identifiable (ex. using badge).
  4. All unnecessary media must be destroyed.
  5. All information about visitor activities must be retained for at least three months.
  6. Store media back-ups in a secure location (preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility).

Regularly Monitor and Test Networks

The network is one of the most important elements in the cardholder data environment. A vulnerability existing on any part of the network is a potential attack vector.

10. Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data breach. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something goes wrong. That’s why merchants must save a history of all access by individual users to cardholder system components. It is essential to be able to provide a detailed audit report on request for PCI DSS. The audit trail history must be stored at least for one year. In addition, logs for the last three months should be available immediately. The log must be daily (or several times a day) reviewed for anomaly activities. All log data should be stored on a separate log-server on the internal LAN.

11. Regularly test security systems and processes

Be sure that your system is safe, do not neglect performing regular security reviews. New vulnerabilities appear daily thanks to malicious hackers. However security testers can identify bugs quite fast.. PCI DSS requires merchants to perform regular system tests in order to find the latest vulnerabilities and to fix them. Test scope includes wired/wireless networks, network equipment, servers, and custom software. Since threats come from both directions (inside and outside) the testing should be performed both internally and externally. What is important: network testing must be conducted every 90 days or after any substantial changes with the software or system configuration.

Network testing is an automated process which is performed by automation scanners. PCI DSS allows the internal test to be performed in-house. The external test must be conducted only by an Approved Scanning Vendor (ASV). In addition to network scanning, a merchant must annually, or after significant changes with the software or system configuration, perform internal and external penetration tests.

It should be noted that there it is mandatory to employ an intrusion detected/prevention system (IDS/IPS) and integrity monitoring software.

Maintain an Information Security Policy

A strong security policy sets the security tone for the whole entity and informs personnel what is expected from them. All personnel should be warned about the sensitivity of data and their responsibilities as to how they are required to protect it. A merchant organization has to govern all PCI DSS security activities with clear security policies. Policy-making starts at the top of an organization, and must flow through to each employee.

12. Maintain a policy that addresses information security for all personnel

Your security policies determine the nature of the controls used to ensure security and comply with PCI DSS requirements. The PCI DSS requires merchants to direct information about security to employees and contractors. The policy must cover the following aspects:

  1. Comprehensive formal policy (your security policy must address all PCI DSS requirements).
  2. Daily procedures.
  3. Usage policies.
  4. Security awareness program.
  5. Employee screening.
  6. Incident response plan.

In conclusion

Surely we can’t present more detailed information about PCI DSS compliance in just three blog posts. To learn more, you can read the following:

  1. “PCI Compliance for Dummies” – Sumedh Thakar, Terry Ramos.
  2. “PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance” – Dr. Anton Chuvakin, Branden R. Williams.
  3. “PCI DSS: A Practical Guide to Implementation” – Steve Wright.

Or visit these sites: https://www.pcisecuritystandards.org/ and http://www.pcicomplianceguide.org/.

In conclusion I would like to emphasize the most important thing. PCI DSS compliance is more than a one-time annual event. You must continuously follow the process of assessment, remediation, and reporting to ensure the ongoing safety of cardholder data.

Data security is a continuous process, and all requirements must be taken into consideration.

See also:

Understanding PCI Compliance. Part 1
Understanding PCI Compliance. Part 2

Add Comment

Name Mail Website Comment