White Paper
Best Practices to Protect the Cardholder Data
Environment and Achieve PCI Compliance
Best Practices to Protect the Cardholder Data Environment and
Achieve PCI Compliance
Executive Overview
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks have become more sophisticated, involving not only attacks at both the network layer and the application layer but also other attack vectors such as social manipulation, breakdown in internal security processes and trusted insider abuse. The cost to businesses, in lost revenue and customer loss, can be staggering. TJX estimates that it spent over $20M related to its late 2006 breach, including settling lawsuits and addressing data security issues.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations secure cardholder processing environments. Formed in 2004 by Visa, MasterCard, American Express, Discover, and JCB, in response to the emerging threat to cardholder information, the PCI Standard Security Council (PCI SSC) provides 12 requirements that must be met for compliance with the standard; failure to do so may result in steep fines that can reach in the hundreds of thousands of dollars. PCI DSS V1.2, the latest update, was released in October 2008; the complete document, as well as what is new with V1.2 can be found at the PCI Security Standards Council website.
Best practices to effectively secure the cardholder environment and achieve compliance with the standard start with a properly documented, executive management endorsed, information security policy that must be broadly communicated, tested and enforced. These best practices also include understanding the organization’s cardholder data environment (where the data is located and stored and how it moves between applications), regular monitoring of network for potential vulnerabilities, on-going reporting of network activity, and regular inside and third-party penetration testing.
Data Breach Profile
Targeted, financially motivated attacks via the Internet continue to be on the rise, fueled even further by current economic factors. Internally originated threats are still considered to be a primary cause of security breaches, but external attacks are still a very serious threat. When asked at a recent e-Crime Survey who caused more damage, internal or external attacks, the distribution was fairly even, at 34% vs. 37%, respectively
. Acquiring unsecured financial information is the primary objective of hackers and organized crime in order to fuel a thriving black market for stolen credit card numbers, bank accounts, passwords, personal identification numbers and other data. With dramatically reduced budgets, the associated layoffs and fierce competition for revenues, industrial espionage is also likely to pose an increased threat. These attacks not only target online retailers but also, increasingly, higher education, government, manufacturing and bio-medical organizations. Furthermore, breaches now also occur on point-of-sale, back office, and wireless technology systems. Recent reported vulnerabilities, also on the rise (Figure 1), include SQL injections, poor/default server configuration, and Cross Site Scripting.
The Business Threat
According to the Identity Theft Resource Center (ITRC), in 2007 the total number of records containing sensitive personal information involved in security breaches was 127,726,343, involving companies that span all industries – retail, education, financial, government, telecommunications, healthcare, publishing, manufacturing, bio-med – no industry was immune. All companies handle personal information of some type, which subjects them to attack. Recently, the most successful attacks have been sophisticated, targeting particular organizations and designed for financial gain. Attacks have become more complex and involve other factors such as social engineering, insider abuse, and process breakdown in addition to technology weaknesses.
While the impact of the loss of personal information can be traumatic for consumers, who must go through the anxiety and remediation steps of potential or real identity theft, the cost to businesses can be staggering. Fines, loss of revenue, loss of customer loyalty, irreparable damage to brand or image, have all been experienced by organizations that have been hit by a data breach.
Figure 1 – Based on US Computer Emergency Readiness Team (CERT) Vulnerability Remediation Statistics; (total # of vulnerabilities cataloged based on public sources or directly submitted to CERT)
Payment Card Industry Data Security Standard (PCI DSS)
To combat data theft, the major credit card companies created a Data Security Standard that requires merchants, web-based retailers, and service providers that accept or process credit cards to comply with well-defined security directives. According to the standard, all members, merchants, and service providers that store, process, or transmit cardholder data must meet specific security requirements, which necessitate building a secure network and maintaining a vulnerability management program (see Table 1). To demonstrate compliance, most merchants and service providers must provide security assessments and perform quarterly network scans to locate and fix vulnerabilities to mitigate the risk of intrusion. Those organizations found not to be in compliance can face hefty penalties, in the hundreds of millions of dollars, if data breaches are discovered.
Merchant Validation Requirements1
Level/Tier Merchant Criteria (Annual Transactions)
Validation Requirements
1 Over 6 million Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
Quarterly network scan by Approved Scan Vendor (ASV) 2 1 to 6 million (all
channels)
Annual Self-Assessment Questionnaire (SAQ) Attestation of Compliance Form
3 20K to 1 million Annual SAQ
Quarterly network scan by ASV Attestation of Compliance Form 4 Less than 20K
e-commerce and all other merchants processing up to 1 million
Annual SAQ recommended
Quarterly network scan by ASV if applicable Compliance validation requirement set by acquirer Table 1: Merchant Validation Requirements
PCI DSS is designed to facilitate global adoption of consistent data security measures to eliminate the loss of cardholder information, and clearly defines the steps needed to secure a networked environment. The scope of these requirements is broad but straightforward, giving direction to the service providers and merchants on what technologies, policies and procedures are needed to achieve compliance. PCI DSS incorporates best practices for perimeter security, data privacy, and application security.
Lacking any other guide to network security, the PCI DSS has been used by many network security professionals to develop a network security plan. But more specifically, the PCI DSS is a framework of best practice requirements for those companies that handle sensitive credit card data to ensure that they properly protect that information. By banding together and supporting the PCI DSS, the major credit card companies have developed momentum for standard adoption.
Even though merchant compliance is up significantly (by end of 2007, 77% of large merchants vs. 12% in March 2006, and 62% of midsize merchants vs. 15% in 2006, according to a report issued by Visa in early 2008), a recent Gartner report1 indicates that “newly released statistics show Visa making strong progress in driving Payment Card Industry
security compliance…but other card brands’ compliance efforts, and PCI Security Council communications, still need improvement.” Merchants that fail to meet the standards risk stiff penalties imposed for non-compliance. According to Visa, penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions. And these new regulations are holding all merchants, regardless of size, to much higher standards of performance when it comes to protecting the financial and personal information of their customers.
What is PCI Compliance?
The PCI DSS requires any merchant, processor, point-of-sale vendors, financial institutions and payment companies to implement processes, procedures and technology to protect credit card information. There are twelve PCI DSS-required controls that cover access management, network security, incident response, network monitoring and testing and information security policies:
Build and Maintain a Secure Network (*) Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program Use and regularly update antivirus software
Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access Restrict physical access to cardholder data
Regularly Monitor and Test Networks (*) Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain an Information Security Policy Maintain a policy that addresses information security
* PCI DSS also provides guidelines to prevent breaches involving wireless networks used in environments that contain credit card data:
1. Firewall segmentation between wireless networks and POS networks
2. Use of a wireless analyzer to detect unauthorized wireless devices and attacks
As stated in Table 1, the process to become PCI DSS compliant requires that many organizations complete a detailed self-assessment questionnaire and receive quarterly network vulnerability scans for all Internet facing systems from an independent scanning vendor. PCI SSC New Self-Assessment Questionnaire (SAQ) Summary V1.2 is designed to help organizations determine which SAQ is appropriate for their company. For merchants that execute 6 million or more transactions annually, the regulations require a detailed onsite assessment. In addition, merchants who experience an incident will automatically be treated as a level 1 merchant, and are therefore required to employ a Qualified Security Assessor to audit the cardholder environment, at the discretion of the PCI Security Council in conjunction with Visa/MC. Regardless of transaction rate or company size, failure to comply can lead to steep penalties and unwanted publicity. News of a security breach taints brand image, reduces consumer trust and results in serious fines and class action lawsuits from consumers or banks that have to reissue new credit cards.
Best Practices to Enable PCI Compliance
Policies, processes and training are as important to PCI compliance as the technologies that are implemented. Network and security administrators must be guided by policies that embed the security standard’s requirements into ongoing operational activities. Developing security best practices will help organizations put the controls in place to achieve and maintain PCI compliance. These best practices must include:
• A formal Information Security Policy supported by executive management
• Broad communication, training, testing and enforcement of policies and processes
• Constant and accurate knowledge of location and movement of cardholder data
• Implementation of an enterprise level vulnerability assessment program, including regular monitoring of network for potential vulnerabilities
• Reporting of network activity and log entries to quickly react to attacks and to validate effectiveness of policies and technologies
• Validation of third-party as well as custom applications in the cardholder environment
• Regular third-party testing
Define Security Policies
An organization entrusted with cardholder information must develop an information security policy focused on protecting this sensitive data from unauthorized access and from the risk of identity theft. The security policy is a formal definition of what is allowed and what is not allowed, including acceptable use of systems, applications and data for all categories of users, including the administrators. This policy must have executive management support, must be fully documented and should be reviewed at minimum annually, allowing for new requirements and updates as identified by audits and feedback. Roles and responsibilities need to be defined and employees need to understand how he or she contributes to the security of the organization.
Implementing industry defined security policies from Microsoft, NSA, the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) is a good first step in ensuring that networks are properly secured.
Communication, Training, Testing & Enforcement
Once an information security policy has been defined, it must be communicated throughout the organization. Proper communication must include a required training process whereby users learn policy procedures as well as their roles and responsibilities; they also learn about the implications of not complying with the organization’s policies. A comprehensive test should be administered to validate successful completion of this important training. To maximize the effectiveness of the policies, it is imperative that organizations strictly enforce them.
It is important to note that training must also include external users that have access to the data infrastructure. For example, for simplicity many merchants unfortunately use generic usernames and passwords to access point-of-sale systems; since a critical aspect of the security policy must ensure knowledge of who is accessing what information and from where, these merchants must be trained to use specific names and passwords, and to change them according to the organization’s password policy.
A clear goal of training an organization about the information security policy is to address the growing problem of
Social Engineering. Social engineering is a term that describes the non-technical intrusion into an organization’s data environment that relies on human interaction, often involving tricking people in order to break normal security policies. Similar to traditional “con games” where one person is duped because they are naturally trusting, social engineers will use any technique to gain unauthorized information. Social engineering techniques include everything from phone calls with urgent requests to people with administrative privileges to viruses lurking behind email messages that attempt to lure the user into opening the attachments.
Most people have a tendency to trust others. The naïve insider who falls for a phishing scam or takes a phone call from someone who needs ‘inside’ information occurs frequently in the workplace. Employees need to be trained on social engineering tricks, on what constitutes sensitive information, and how revealing seemingly unimportant data can result in unauthorized access. Training should include security policies and procedures on credit card acceptance and incident response.
Some organizations periodically test for social engineering exposure by calling individuals from a phone number without caller id and asking some simple questions to try to learn about the business from the employee on the phone. It is considered a best practice to integrate ‘audit response validation’ around the manipulation of the human element.
Where is the Data?
PCI DSS V1.2 illustrates the different types of requirements that apply to cardholder data and sensitive
authentication data -- whether or not storage of the data is permitted and whether the data must be protected: Data Element Storage
Permitted
Protection Required
PCI DSS
Cardholder Data
Primary Account Number (PAN)
Yes Yes Yes
Cardholder Name Yes Yes No
Service Code Yes Yes No
Expiration Date Yes Yes No
Sensitive Authentication Data* Full Magnetic Stripe Data No N/A N/A CAV2/CVC2/CVV2/CID No N/A N/A
PIN/PIN Block No N/A N/A
Unfortunately, it is common practice for employees to duplicate data in spreadsheets, documents and other
unsecured files to share with others and simplify business processes, unknowingly exposing the company to violations. Unnecessarily storing credit card data and failing to isolate the data from traveling across less secure parts of the network compounds the problem. Encryption is often inconsistent across a company’s computer system and credit card data may be protected in some instances, but not others. Organizations are often not aware of systems that have retained cardholder data such as data warehouses, staging servers, backup systems, desktops or other systems that for some reason received a copy of a transaction. Understanding where cardholder data is stored and where it moves through the network and whether it is encrypted is a critical step in beginning to put together a PCI strategy designed to protect it. Only when the location of the data is known can it be protected from unauthorized access. As stated above, retaining full magnetic stripe or CVV2 data is in violation of the PCI DSS requirements. The PCI standard only allows the account number, expiration date and name to be retained and cardholder data must never be stored on a server connected to the Internet. When asking for a CVV2 code, it must not be documented or recorded on any database after transaction authorization.
PCI compliance is more easily achieved by reducing the amount of cardholder data that is stored, and reducing the number of systems that touch it. Organizations may need to restructure their network to consolidate all systems that handle credit card transactions into a single network segment. By doing so, the risk of compromise is reduced, the management and execution of the compliance process is simplified, and the scope of PCI compliance validation efforts is contained. In addition, steps can be taken to mitigate risk via IT procedural policies. For example, IT organizations can conduct regular scans of public/private networks to expose sensitive cardholder information vulnerabilities and take the necessary remediation steps.
Organizations using wireless networks to connect remote locations to the central database for data consolidation either need to provide strong encryption for the data for transfer or may want to consider moving to a more secure medium such as secure point-to-point virtual private network connections.
Vulnerability Program – Monitoring of Network for Potential Vulnerabilities
The networked environment is not static – new systems are introduced, laptops come in an out of the network, new software and upgrades get installed regularly. Regularly scanning the network environment for software
vulnerabilities and abnormal activity is paramount to network security and is an important PCI objective (#3), which requires quarterly network scans; it ensures that network administrators keep track of activity that could introduce new exposures. Scanning often uncovers new exposures introduced by updates, new systems, new software or other changes to the environment. As noted earlier in the paper, vulnerabilities continue to be on the rise and constitute a serious security exposure.
Organizations with online e-commerce application should protect against SQL injection attacks caused by insecure shopping carts. The credit card companies have created lists of validated applications that should be considered for use. Even if a proven shopping cart is used, in many organizations Internet facing systems must be scanned quarterly for vulnerabilities that could compromise the online business.
Reporting – Required for Compliance, to Monitor Effectiveness, to Respond to Attacks
PCI compliance requires detailed documentation and reporting; PCI DSS V1.2 includes a template to be used for creating the Report on Compliance. This template outlines the need to document, “the four most recent quarterly scan results;” detailed report descriptions and findings on each requirement and sub-requirement; details on specific devices, vulnerabilities and transmission; and processing of cardholder data, including authorization, capture, settlement, charge-back and other flows as applicable, among other things. To support the requirements of the report, organizations must document how the security policy is implemented to protect cardholder data. A
frequently updated document that proves that security policies, practices and tools are in place to maintain the confidentiality of cardholder data will also come in extremely handy if the network is breached and data is stolen. To ensure that the necessary information is properly documented to prove compliance as required by PCI DSS, organizations must ensure that every security technology implemented comes with strong reporting capabilities. The reports delivered help security staff understand the effectiveness of security programs and whether policies need to be updated or modified. Robust reporting can help identify instances when malicious hackers or anyone without authorization tries to access cardholder data, and thus take the necessary steps to respond. Installing products that centrally manage the IT assets and push out software patches and antivirus updates to the systems ensures all remote sites are up to date with security software. Being able to log and audit all transactions involving cardholder data is required by PCI.
Selecting Validated Payment Applications
Any software vendor that develops applications for processing credit card payment should have the software
validated by a third-party, Visa-accredited assessor as part of their development process. The card associations have developed a set of voluntary application best practices, the Payment Application Data Security Standard (PA-DSS), for software providers that ensure an acceptable level of security and reduce the scope and costs of compliance.
These best practices also pertain to custom applications developed specifically for an organization:
Do not retain full magnetic strip or CVV2 data – Cardholder data must not be recorded in any file or database
including logs, diagnostic files, audit trails, transaction history, and images. If cardholder information must be stored, it should never be stored on a server connected to the Internet.
• Protect stored data – Any displayed cardholder data used to populate forms must be masked.
• Provide secure passwords features – Unique usernames and complex passwords for all administrative access
and access to cardholder data must be used.
• Log application activity – Records and audit trails of anyone who accesses cardholder data must be retained.
• Develop secure applications – System development practices, secure coding practices, code reviews and
security testing must be implemented; non-essential application accounts, usernames, and passwords, unnecessary and insecure services and protocols must be removed before applications go live.
• Protect wireless transmissions – Strongly encrypted wireless connections deployed outside firewalls must be
in place.
• Test applications to address vulnerabilities – All applications, especially those running on Internet facing
systems must be scanned, before they are deployed and regularly thereafter to ensure no exposures were introduced via upgrades or bug fixes.
• Facilitate secure network implementation – Remote access to the network needs to be secured via firewalls,
VPNs, and two-factor authentication (username/password plus token). If the application transmits cardholder data, it much be encrypted, especially over public networks. All non-console administrative access must also be encrypted.
Third Party Assistance
Much assistance is available to organizations striving to protect the cardholder environment and achieve PCI compliance. DSS trains and certifies third-parties to help with the process. For some organizations, third-party involvement is required to validate compliance but for all organizations it is required to perform quarterly network scans. The largest (Level 1) merchants are required to have annual on-site assessments by Qualified Security
Assessors (QSA’s); other merchants may choose to use these expensive QSA’s to help validate compliance but for Level 2 – 4 merchants the Self-Assessment Questionnaire (SAQ) is all that is mandated. Many merchants are required to use Approved Scan Vendors (ASV’s) for their mandatory quarterly scans.
Using security consultants that are experienced in holistically testing organizations’ security is highly recommended. These consultants understand the threat and vulnerability landscape and know what needs to be tested to validate effective policies and practices. They are also skilled at training organizations on best practices that must be adopted to fully deploy security policies.
Achieving PCI DSS Compliance
Achieving PCI DSS compliance is no longer an option but a mandatory business requirement for any business that wants to maintain customer relationships. Effective security policies that continuously assess and remediate enterprise systems keep businesses compliant. By ensuring a continuous state of compliance, organizations can proactively eliminate threats which exploit the ever changing network landscape, protect their cardholder environment and ensure ongoing compliance.
PCI DSS has been put in place to provide valuable guidance and direction to organizations that must protect the cardholder environment; it includes requirements that organizations must follow. Information security best practices will help organizations achieve and maintain PCI compliance.
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and
penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable
defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.
com.
PCI BP 1208 (Footnotes)
