Solved

PCI DSS workstation/user requirements

Posted on 2011-09-21
9
1,334 Views
Last Modified: 2012-05-12
Are there any specific PCI requirements for workstations or user profiles in thin client environments?
Question by:pma111
9 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 36576542
Only for VPN really; the rest isn't specific to machines or hosts, but the controls around the data:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Mostly about how CC data is accessed/transmitted/stored. It's not a list of MUSTs in most cases; compensating controls can be used instead of or in lieu of certain "requirements".
-rich
 
LVL 19

Accepted Solution

by:CoccoBill
CoccoBill earned 300 total points
ID: 36578349
Well, as the intro part of the standard states, all of the requirements apply to all system components, including workstations and user profiles, within the cardholder data environment plus any connected systems. System hardening, patch management, change management, AV, IDS, FIM, user access control, logging and monitoring, vulnerability scans and penetration testing ALL apply to them, just as with any servers and active network devices.

Also, a compensating control is something that you can use if there is a business or technical reason why you cannot implement the exact control mandated by the standard. However, the compensating control must take the overall security level of the environment to the same or higher level than the original control would, and you need to write up a document detailing why and how it was done for each of them, and they need to be separately approved by your issuer, not the QSA. The standard is absolutely a list of MUSTs in all but very few cases.
 
LVL 3

Author Comment

by:pma111
ID: 36814253
CoccoBill - what would a PCI DSS audit of user profiles include? I.e. what needs configuring on user profiles to ensure PCI compliance? And "user access control" - could you provide some examples?

Thanks man
 
LVL 19

Expert Comment

by:CoccoBill
ID: 36814349
I suggest you get the standard and see the requirements yourself; the standard is available at https://www.pcisecuritystandards.org/security_standards/documents.php (PCI DSS v2.0).

User access control is covered by requirements 7 and 8, which describe how user access must be granted, what kind of privileges can be given, authentication methods, password policies etc. Also take a look at requirement 2.2, which states you need to have a configuration standard for all system components. In practice this means all devices must be hardened according to an industry-accepted hardening guide; I would recommend the Center for Internet Security benchmarks: http://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks. They will detail each and every operating system level setting and how to configure them.

But in essence, your environment (your determined PCI scope) has to fulfill all applicable requirements in the standard in order to be compliant. Is your organization a service provider or a merchant, has your PCI scope been determined and what is your validation level (self-assessment questionnaire or on-site audit required)?
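As an added illustration (not code from the thread or from the PCI SSC), the following Python script shows what the requirement 8 part of a user-profile check looks like in practice: it parses a workstation's account policy dump and compares it with the password and lockout parameters PCI DSS v2.0 sets in 8.5.9 through 8.5.14 (90-day maximum age, 7-character minimum length, 4-password history, lockout after at most 6 attempts, 30-minute lockout). The sample dump is constructed, loosely in the shape of Windows `net accounts` output, and the setting names are an assumption about that shape; the thresholds are the standard's own.

```python
"""Compare a workstation account policy against PCI DSS v2.0 8.5.x parameters.

Added example for this thread, not the standard's or any vendor's tooling.
The policy dump format below is a constructed approximation of `net accounts`
output; adapt parse_policy() to whatever your thin-client platform emits.
"""

# Setting name -> (PCI DSS v2.0 requirement, bound kind, limit).
# "max": observed value must be <= limit; "min": observed value must be >= limit.
PCI_RULES = {
    "Maximum password age (days)":           ("8.5.9",  "max", 90),
    "Minimum password length":               ("8.5.10", "min", 7),
    "Length of password history maintained": ("8.5.12", "min", 4),
    "Lockout threshold":                     ("8.5.13", "max", 6),
    "Lockout duration (minutes)":            ("8.5.14", "min", 30),
}

# Constructed sample: a thin client still on vendor defaults (no history,
# no lockout threshold, empty passwords allowed).
SAMPLE_DUMP = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Computer role:                                        WORKSTATION
"""


def parse_policy(text):
    """Turn 'Key: value' lines into a dict.

    Numeric values become ints; words such as Never/None/Unlimited become
    None, meaning the control is not enforced at all.
    """
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else None
    return policy


def check_policy(policy):
    """Return a list of (requirement, setting, observed, expected) findings.

    A missing or unenforced setting is a finding: a password that never
    expires or an account that never locks out fails the requirement just
    as a wrong number does.
    """
    findings = []
    for setting, (req, kind, limit) in PCI_RULES.items():
        observed = policy.get(setting)
        expected = f"{'<=' if kind == 'max' else '>='} {limit}"
        if observed is None:
            findings.append((req, setting, "not enforced", expected))
        elif kind == "max" and observed > limit:
            findings.append((req, setting, observed, expected))
        elif kind == "min" and observed < limit:
            findings.append((req, setting, observed, expected))
    return findings


if __name__ == "__main__":
    for req, setting, observed, expected in check_policy(parse_policy(SAMPLE_DUMP)):
        print(f"FAIL {req}: {setting} = {observed} (required {expected})")
```

Running it against the constructed dump flags 8.5.10, 8.5.12 and 8.5.13; the 42-day password age and 30-minute lockout duration already satisfy 8.5.9 and 8.5.14. Requirements that a `net accounts`-style dump does not expose (8.5.11 alphanumeric passwords, 8.5.15 idle re-authentication) need their own checks, which is the kind of per-setting detail the CIS benchmarks mentioned above supply.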
 
LVL 3

Author Comment

by:pma111
ID: 36814380
We don't store PCI data on our network; however, we do take payments by phone using our internal phone system, and access an externally hosted app that collects such data from machines within our LAN.
 
LVL 3

Author Comment

by:pma111
ID: 36814396
Are the benchmarks tools or just documents?

Do you have to be a member?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36814453
No membership. If you're not storing the data, then the PCI burden is on your external vendor; phone payments in this scenario are not subject to PCI.
-rich
 
LVL 19

Expert Comment

by:CoccoBill
ID: 36814457
So I'll assume you're a merchant (you own the payment card transactions that you process) and you don't process hundreds of thousands of transactions a year, so you are not required to have an annual on-site audit.

I would look into the following options:

1. See if you can outsource the processing of payment data and make sure your environment never sees a single PAN. Cheapest and easiest option by far. :)
2. Contact your issuing bank to see if they have a specific policy for applicable requirements for your organization. The issuer determines your validation level and can agree to a somewhat looser set of requirements under certain conditions.
3. If neither 1. nor 2. works out, your issuer will anyway determine which SAQ is applicable to you (https://www.pcisecuritystandards.org/merchants/self_assessment_form.php). There are 4 different ones, all with a different subset of the requirements for varying environments. Find out which one you need to fill in and see the requirements that apply to you (well, they still all apply, but only those will be validated).

The CIS benchmarks as pdf documents are free but require registration, the XCCDF format benchmarks are members only (non-free).
 
LVL 19

Expert Comment

by:CoccoBill
ID: 36814471
> No membership. If you're not storing the data, then the PCI burden is on your external vendor; phone payments in this scenario are not subject to PCI.

Not true, unless the issuer determines this is the case. By default all requirements apply to all parts of the environment that "store, process or transmit" cardholder data; even one PAN is enough. They get the PAN from the customer over the phone and type it into the external payment application using their thin clients, so the physical premises where the thin clients are, the thin clients and the network are all in scope by default.