Table of Contents
Title Page
Copyright Page
Dedication
Introduction
PART 1 - The Fundamentals
CHAPTER 1 - PCI Fundamentals
HISTORY OF PCI
WHY PCI DSS?
CHAPTER 2 - Security 101
STRATEGY AND PLANNING
INFORMATION RISK MANAGEMENT
INFORMATION CLASSIFICATION
RISK ASSESSMENT
RISK ANALYSIS
DEALING WITH RISK
DEFENSE IN DEPTH
POLICY, STANDARDS, AND PROCEDURES
ADOPTION OF A SECURITY FRAMEWORK
SECURITY AND THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)
SECURITY TRAINING AND AWARENESS
METRICS
PHYSICAL SECURITY
DATA COMMUNICATIONS AND NETWORKING
PERIMETER SECURITY
INFORMATION SECURITY MONITORING AND LOG MANAGEMENT
INTRUSION DETECTION AND INTRUSION PREVENTION TECHNOLOGY
LOGICAL ACCESS CONTROL
ELECTRONIC AUTHENTICATION
ENCRYPTION
REMOTE ACCESS CONTROL
SECURE COMMUNICATIONS
HTTPS
SECURE SHELL
VIRTUAL PRIVATE NETWORKS
WIRELESS
INCIDENT RESPONSE
FORENSICS
PART 2 - PCI Breakdown (Control Objectives and Associated Standards)
CHAPTER 3 - Build and Maintain a Secure Network
REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT ...
REQUIREMENT 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND ...
REQUIREMENT A.1: HOSTING PROVIDERS PROTECT CARDHOLDER DATA ENVIRONMENT
CHAPTER 4 - Protect Cardholder Data
REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA
PCI DSS APPENDIX B: COMPENSATING CONTROLS FOR REQUIREMENT 3.4
REQUIREMENT 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN PUBLIC NETWORKS
CHAPTER 5 - Maintain a Vulnerability Management Program
REQUIREMENT 5: USE AND REGULARLY UPDATE ANTIVIRUS SOFTWARE
REQUIREMENT 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
CHAPTER 6 - Implement Strong Access Control Measures
REQUIREMENT 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
REQUIREMENT 8: ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS
REQUIREMENT 9: RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA
CHAPTER 7 - Regularly Monitor and Test Networks
REQUIREMENT 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND ...
REQUIREMENT 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES
CHAPTER 8 - Maintain an Information Security Policy
REQUIREMENT 12: MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY
PART 3 - Strategy and Operations
CHAPTER 9 - Assessment and Remediation
PCI DSS PAYMENT CARD INDUSTRY SELF-ASSESSMENT QUESTIONNAIRE
PCI DSS SECURITY AUDIT PROCEDURES
PCI DSS SECURITY SCANNING PROCEDURES
LEVERAGING SELF-ASSESSMENT
STRATEGY AND PROGRAM DEVELOPMENT
CHAPTER 10 - PCI Program Management
CASE FOR STRATEGIC COMPLIANCE
WHO SHOULD BE INVOLVED ACHIEVING PCI DSS COMPLIANCE FOR OUR ORGANIZATION?
PCI DSS GLOSSARY, ABBREVIATIONS, AND ACRONYMS
REFERENCES
RESOURCES
INDEX
Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
Portions of this text are reprinted with permission from “Payment Card Industry (PCI) Data Security Standard, Version 1.1 (Release: September 2006)”, the contemporaneous version of which is available at the following internet address: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf and “Payment Card Industry (PCI) Data Security Standard: Glossary, Abbreviations and Acronyms”, the contemporaneous version of which is available at the following internet address: https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary_v1-1.pdf.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
For more information about Wiley products, visit our Web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Virtue, Timothy M., 1975- Payment card industry data security standard handbook / Timothy M. Virtue. p. cm. Includes bibliographical references and index.
eISBN : 978-0-470-45691-0
1. Credit cards—Security measures. 2. Data protection. I. Title. HG3755.7.V57 2009 332.1’788028558—dc22 2008023247
This book is dedicated to my loving wife, Courtney. Thank you for all of the love, support, and inspiration you provided on this project and through all of life.
I would also like to thank my many wonderful family members, friends, teachers, and colleagues who have contributed to my growth and success over the years.
INTRODUCTION
This text is intended to guide, mentor, and otherwise assist organizations along their journey to compliance with the Payment Card Industry Data Security Standard (PCI DSS). Organizations that want to become PCI DSS compliant will find that many aspects of the program offer relatively little flexibility. After all, we are discussing compliance with industry imposed regulations, not a set of suggested best practices. However, several of the requirements can be achieved in many different fashions (within reason, and assuming the intent of the requirement is satisfied). I felt the best approach to addressing such a broad and complex compliance initiative was to create a text that could be used as an initial primer on PCI compliance and be referenced to support an organization’s maintenance of an ongoing commitment to PCI compliance, and to offer suggested strategies and detailed references that can be used to expand upon concepts discussed in this text.
The specific approach I took to achieve these goals was to break down the information into individually sustainable parts that can be read one after the other or else referenced individually. The text is divided into three parts: “The Fundamentals,” “PCI Breakdown,” and “Strategy and Operations.” Part One, “The Fundamentals,” addresses foundational information security practices. This part offers the benefit of an information security primer for those who have less of a background in the subject. It also provides an overall view of the essential components and best practices of a successful information security program. This understanding is critical to achieving PCI DSS compliance, since many of the PCI DSS requirements are based on industry best practices and a comprehensive information security program.
Part Two, “PCI Breakdown,” is the heart of the book. It sequentially lists all of the PCI DSS requirements and provides brief explanations, clarifications, or recommendations as applicable. Depending on the specific PCI DSS requirement, the level of detail of the additional information varies. Some of the requirements are very clear and address relatively straightforward topics, while others deal with concerns that are very complex and ordinarily take years to master. Indeed, some of these topics can take up entire books. I have attempted to strike a balance between offering the minimum required knowledge and providing a comprehensive discussion.
Part Three, “Strategy and Operations,” offers information that organizations can utilize to achieve and maintain ongoing compliance with PCI DSS. Compliance is not a onetime event or a checked box on an audit form. Organizations will need to remain proactive in their compliance efforts. They will need to remain abreast of both external and internal influences on their organization. Since changes will inevitably occur with PCI DSS requirements, technology, consumer demands, regulatory/legal requirements, and the business environment, organizations must adapt to protect the cardholder data environment while maintaining business objectives.
For those seeking higher levels of knowledge, I have also included a Resources section. This section will address situations where readers may need a more comprehensive discussion of the subject.
Since every organization is different and complex technology environments need to be managed on a case-by-case basis, I would encourage readers to leverage this text to embrace the requirements of PCI DSS compliance and adapt them accordingly to suit your organization’s specific needs. It is important to note that because of the ever-changing technology and business environment facing today’s organizations, PCI DSS compliance must be viewed as a cyclical and long-term process.
Finally, I wish each of you much success in your journey to achieving PCI DSS compliance for your organization.
PART 1
The Fundamentals
CHAPTER 1
PCI Fundamentals
The Payment Card Industry Data Security Standards (PCI DSS) is commonly referred to as PCI compliance. Although this is one of the hottest topics of discussion among business and technology professionals alike, the spirit of PCI compliance is nothing new. In fact it has been around for several years. However, with the rise of information security-related legislation, privacy concerns, confirmed data breaches, and the overall prevalence of e-commerce in today’s society, PCI compliance is of the utmost concern for a wide assortment of people, organizations, and businesses.
Although the rise of e-commerce has had a profound economic impact on our daily lives at both the personal and professional levels, it brings a host of new challenges, including the challenge of properly protecting sensitive cardholder data. In all business activities, a certain amount of risk is assumed in order to gain the benefits associated with that business activity. In the world of payment cards and electronic commerce, the risk-and-reward model involves properly protecting cardholder data during payment card transactions. The importance of protecting cardholder data can’t be overstated.
Many of the key players in the payment card industry got together to develop a series of best practices that could be implemented by those utilizing payment cards. In today’s world of new legislation, regulation, and compliance, the payment card industry sought to develop a program where the industry could be self-regulated and proactively manage the risks associated with payment card programs. The goal of this initiative was to reduce governmental legislation and build confidence and trust among the participants (including consumers) that rely on payment cards to conduct commerce.
PCI compliance is important for a number of reasons, and no single reason outweighs any other. Their combined weight is what drives us toward compliance. Each reason falls under one of two headings: consumer confidence or effective business operations. From a consumer perspective, it is all about confidence. Consumers place enormous trust in those who use their sensitive cardholder data as part of their daily commerce. Although a majority of us take advantage of the convenience and efficiency associated with today’s electronic commerce, we do so with the expectation that our transactions will be performed in a secure manner. In a world of significant choice, consumers can easily select other vendors to provide their services if they are not comfortable with the security of their personal information. From a business perspective, organizations want to transact commerce in a secure manner so that they can maintain their customers’ confidence, reduce operational costs, and protect organizational assets from fraud and abuse. On a larger scale, our economy depends on efficient trade markets. When commerce can be conducted electronically, there are tremendous gains in efficiency and globalization. When these daily operations are threatened by potential fraud and abuse, businesses are at risk of not being able to operate effectively in today’s e-commerce-based markets. The importance of these factors led to the establishment of the PCI and the corresponding data security standards.
There are numerous specific measures organizations can take to create a secure operating environment for the processing of payment cards. The PCI Security Standards Council has established 12 detailed control objectives, which are grouped into 6 broader categories:
1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.
These six categories are the critical foundation for creating, protecting, maintaining, and operating in a secure manner.
HISTORY OF PCI
The PCI DSS is a standard that has evolved over many years by the efforts of the major payment card brands. Prior to PCI DSS, the major payment card brands individually developed various standards to improve the security of sensitive information used by the payment card industry. Visa USA had originally launched the Cardholder Information Security Program (CISP) in June 2001. From then until March 2004, these audit procedures underwent several revisions and continued to grow and evolve to address the many facets of protecting sensitive cardholder data.
There was also early collaboration between MasterCard and Visa in an attempt to validate and protect cardholder data. During these early attempts at collaboration, some gaps and inconsistency occurred between the separate programs. Although well intentioned, the relationship had a number of problems. The list of approved vendors was not well maintained and there was no clear way for security vendors to get added to the list. Another significant problem was that the other major payment card brands, such as Discover, American Express, and JCB (Japan Credit Bureau), were running their own programs and there was little collaboration across the entire industry.
This lack of collaboration caused tremendous hardships for merchants and service providers, as many of them spent a significant amount of resources to comply with the individual security programs offered by all of the major payment card brands. In order to overcome the challenges and offer a comprehensive information security program for the payment card industry, all of the major brands worked together and developed PCI DSS 1.0. To further solidify the ownership of the standards, the PCI Security Standards Council was founded. The council maintains the ownership of the PCI DSS, the approved vendor lists, training programs, and other relevant program details.
Although the primary focus of this text is compliance with PCI DSS, it should also be noted that each payment card brand also maintains its own security program in addition to the PCI DSS. These programs go beyond the data protection charter of PCI and include activities such as fraud prevention. The details of such programs can be found in the Resources section of this text. It is highly recommended that organizations adopt the specific card brand recommendations (as applicable to your organization) in addition to PCI DSS to further strengthen their overall security posture.
At the time of this writing, the PCI organization is in its early stages and evolving, and it will continue to grow and improve over time. Inevitably, this maturation process will strengthen the council’s ability to deliver security-minded services to merchants and service providers. Due to this fact, it is recommended that organizations continuously monitor and consult the PCI Council’s resources and Web site (pcisecuritystandards.org) on a regular basis to ensure that appropriate levels of compliance are achieved and maintained by your organization.
WHY PCI DSS?
The short answer is because it is required. Fortunately, there are many additional benefits to achieving PCI DSS compliance. Fundamentally, many of the methodologies and specific requirements associated with PCI DSS are actually industry standards or best practices. Any organization that can implement and manage the components of PCI DSS will significantly improve its overall security posture and fortify its protection of sensitive cardholder data. Also, PCI DSS compliance offers many organizational benefits and specific risk mitigation solutions.
The cardholder data environment has an aggregated risk based on the subrisk categories of reputation, financial, compliance, and operational. Exhibit 1.1 represents how each category of risk is tied together to create an overall level of risk for the cardholder data environment.
EXHIBIT 1.1 Aggregated Risk for Cardholder Data Environment
EXHIBIT 1.2 Examples of Cardholder Data Environment Risk
Exhibit 1.2 provides examples of the risks that organizations face within their cardholder data environment.
Furthermore, the direct costs associated with a data breach are significantly increasing on an annual basis. In fact, research from the Ponemon Institute has shown that the cost of a data breach continues to rise and has done so by 43 percent since 2005. Highlights from the institute’s 2007 Annual Study: U.S. Cost of a Data Breach follow:
• Total costs increase. The total average costs of a data breach grew to $197 per record compromised, an increase of 8 percent since 2006 and 43 percent compared with 2005. The average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million.
• Cost of lost business accelerates. The cost of lost business continued to increase at more than 30 percent, averaging $4.1 million, or $128 per record compromised. Lost business now accounts for 65 percent of data breach costs compared with 54 percent in the 2006 study.
• Third-party data breaches increase, and cost more. Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40 percent of respondents, up from 29 percent in 2006 and 21 percent in 2005. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared with $171 per record.
• Increased customer churn rates help drive lost business costs higher. In 2007, the average resulting abnormal customer churn rate was 2.67 percent, an increase from 2.01 percent in 2006. Greater customer turnover leads to lower revenues and a higher cost of new customer acquisition resulting from increased marketing to recover lost customer business.
• Legal defense, public relations costs increase. Indicating continued growing dissatisfaction and action over a data breach, the costs that organizations expended for legal defense and public relations grew to 8 percent and 3 percent of total breach costs, respectively.
• Financial services firms impacted most. The cost of a data breach for financial services organizations was $239 per compromised record, or more than 21 percent higher than the average, demonstrating that organizations with high expectations of trust and privacy have more to lose from a data breach.
The Ponemon Institute research clearly demonstrates the costs associated with a data security breach. Since most organizations are not likely to want to absorb these additional costs, we can clearly see the financial benefits of protecting the cardholder data environment and embracing PCI DSS to reduce the likelihood of a data breach. Now that we have an understanding of what exactly drives PCI DSS, we can begin to discuss what it is and what it means to your organization.
A fundamental component of PCI DSS compliance is to understand the terms, definitions, and requirements put forth by the PCI Security Standards Council. Throughout this text, I will be referring to the terms and definitions that are listed in the Payment Card Industry Data Security Standards Glossary, Abbreviations, and Acronyms document. In Exhibits 1.3, 1.4, and 1.5, I have included selected terms in order to clarify key components of the PCI Data Security Standard. It is strongly recommended that you review the glossary, abbreviations, and acronyms documentation on a regular basis for any updates or modifications. In addition, this document is an invaluable resource for a more detailed understanding of relevant PCI DSS terms and definitions. The link to the complete list is located in the Resources section of this text.
Now that we have an understanding of key payment card industry terms and definitions, we can review a typical payment card transaction. Exhibit 1.6 illustrates a typical payment card transaction:
The following three steps explain a typical payment card transaction and highlight the associated parties required to complete the transaction:
Step 1. A cardholder is made an authorized user of a payment card by the card issuer (a financial institution that issues the card based on predetermined repayment terms).
Step 2. The authorized card user then initiates a transaction with a merchant (an authorized acceptor of the payment card who receives payment for goods and services).
Step 3. The merchant processes the transaction with an acquirer, referred to as a merchant bank. This is a financial institution under contract with the card brand to accept and process the payment.
EXHIBIT 1.3 Card-Specific Information
EXHIBIT 1.4 Transaction-Specific Information
EXHIBIT 1.5 Organization-Specific Information
EXHIBIT 1.6 Typical Payment Card Transaction
Each payment card brand has defined a set of merchant levels based on transaction volume over a 12-month period. Exhibit 1.7 summarizes the merchant level definitions based on annual transaction volume for Visa, MasterCard, and American Express. However, if a merchant has been the victim of a hack that resulted in an account data compromise, the merchant may be escalated to a higher level. Note, the JCB and Discover card brands do not classify merchants based on annual transaction volume. Refer to the Resources section for the Web site addresses for these payment card brands.
EXHIBIT 1.7 Merchant Level Definitions Based on Annual Transactions
Based on their level, merchants are required to submit validation of compliance with PCI Data Security Standards. For MasterCard, Visa, and American Express, merchants must submit the following:
Level 1
• Annual on-site PCI Data Security Assessment performed by a Qualified Security Assessor or an Internal Audit if signed by an officer of the company.
• Quarterly Network Scan
Level 2
• Annual PCI Self-Assessment Questionnaire (American Express—not required)
• Quarterly Network Scan
Level 3
• Annual PCI Self-Assessment Questionnaire (American Express—not required)
• Quarterly Network Scan (American Express—not mandatory to submit except at the request of American Express)
Level 4 (Visa and MasterCard only)
• Annual PCI Self-Assessment Questionnaire (not mandatory to submit except at the request of Visa or MasterCard)
• Quarterly Network Scan (not mandatory to submit except at the request of Visa or MasterCard)
As you can see from the list above, all merchants are required to complete a Quarterly Network Scan. This scan, which must be completed by an Approved Scanning Vendor, uses an automated tool that checks systems for vulnerabilities. It conducts a nonintrusive scan to remotely review networks and Web applications based on the externally facing Internet Protocol (IP) addresses provided by the merchant.
Like merchants, payment card brands also define levels for service providers. Exhibit 1.8 summarizes these level definitions for Visa and MasterCard. Note, American Express, JCB, and Discover card brands do not classify merchants based on annual transaction volume. Refer to the Resources section for the Web site addresses for these payment card brands.
EXHIBIT 1.8 Service-Provider Level Definitions
CHAPTER 2
Security 101
As discussed in the preface of this text, the Payment Card Industry Data Security Standard (PCI DSS) is built on a series of information security best practices that are widely accepted across many industries and organizations. An individual with a comprehensive understanding of information security best practices who is part of an organization with a mature information security program would likely face a manageable transition into PCI DSS compliance (since many of the requirements are based on best practices). For individuals not so placed, that is, those who must increase their knowledge of strong information security programs or implement PCI DSS in an organization with a new or evolving information security program, this primer will be invaluable.
Although information security is a complex subject and there are many intricate details involved in developing, implementing, and managing an information security program, it is critical to have a broad understanding of the requirements of a strong information security program. The technical ins and outs are not covered by this text, but we will examine selected fundamentals of information security as they relate to PCI DSS.
This discussion will provide a solid foundation for those less familiar with information security, as well as a review for individuals with a deeper understanding of the field. The information included in this chapter will help organizations trying to strengthen their information security programs and/or become compliant with PCI DSS requirements.
It would be a difficult, if not impossible, undertaking for organizations to become PCI DSS compliant without a rudimentary understanding of information security. The following information provides a broad outline of the information that organizations can use to develop, implement, and maintain a strong information security program. Depending on the level of maturity of an organization’s program, it may not be essential to review all of these components. However, it is recommended to perform at least a cursory review, as many belong to the underlying principles required for a strong information security program and PCI DSS compliance.
STRATEGY AND PLANNING
Since it is impossible for an organization to achieve perfect security, the strategy and planning elements of an information security program are essential. Organizations have a finite number of resources and it is essential that a good plan be developed to ensure the maximization of these resources, effective security program implementation and management, and proper alignment with high-level organizational objectives. Remember that effective compliance strategies are developed to protect an organization’s assets, not hinder its business operations.
Organizations can utilize a number of strategies, frameworks, methodologies, and approaches when developing, implementing, and managing an information security program, but there are certain foundational planning elements that should be included in the strategy and planning process. Exhibit 2.1 highlights these foundational elements and provides supporting examples.
INFORMATION RISK MANAGEMENT
Since all environments are subject to risk, organizations must implement a proactive process to address this risk. As with most enterprise initiatives, it is important to clearly define objectives and develop procedures to accomplish the organization’s information risk management goals.
EXHIBIT 2.1 Elements of Information Security—Program Strategy and Planning
Information risk management can be defined as the process of identifying, controlling, and mitigating information system-related risks. It typically includes a formal risk assessment; cost-benefit analysis; and the selection, testing, evaluation, and implementation of appropriate safeguards. This process must be supported by senior management and include representatives from all of the teams impacted by the risk management processes. Organizations must consider the impact the risk management plan will have on the organization, as well as internal and external influences such as policy, business goals, and legal and regulatory requirements.
Now that we have a working definition of information risk management, it is important to note a few critical points from that definition that impact a successful information risk management process. First, information risk management is a process. This means that it is continually evolving, adapting, and changing due to the numerous external and internal factors that impact an organization’s risk environment and information risk management process.
The other key point to take away from our definition is the concept of cost-benefit analysis. Unfortunately, any component of the information risk management process that is not guided by this principle will ultimately prove to be unsuccessful. Any information risk management methodology that is too costly, too difficult to manage, or a general hindrance to the organization will never add value and most likely will be abandoned by its organization. Remember, the point of information risk management is to help the organization achieve its business objectives, in this case by managing the risk associated with its information systems.
This perspective does not advocate ignoring appropriate protective measures just because they pose initial costs. Organizations must balance said costs against the benefits of security protections, always doing so in a way that promotes business objectives instead of thwarting them. Information risk management strategies and tactics must enable the business to operate in a secure environment but never prevent the organization from achieving its core competencies.
EXHIBIT 2.2 Risk Management Cost-Benefit Relationship
There are a variety of factors that influence the cost-benefit components of information risk management. Broadly, these break down into the cost of managing the risk, the impact of ignoring the risk, and the benefit of mitigating or eliminating the risk. Exhibit 2.2 represents the cohesive relationship among these factors. Organizations must remember that there will be a series of trade-offs in the cost-benefit aspect of risk management. The goal is to strike the appropriate level of balance between risk and cost, not eliminate risk altogether.
INFORMATION CLASSIFICATION
One of the most critical steps to implementing an information security program is the classification of the organization’s information and associated systems. Unfortunately, many organizations overlook this important step and become focused on the technology requirements and operational details associated with an information security program. Although technology and operations are actually an important part of the process, they must be addressed after the organization’s systems and information have been properly classified. Why spend your organization’s valuable resources (time and money) safeguarding information that may not need to be protected?