Solved

PCI-DSS Linux file storage network server with USB key authentication

Posted on 2011-10-14
Last Modified: 2013-11-15
Hi,

I work for a major brand hotel and I want to implement a PCI-DSS compliant server where we can store credit card information that is faxed to us by third parties for billing (such as if I wanted to pay for your room or was planning a meeting event). Since companies began PCI implementation, vendors have been faxing third-party credit card authorizations for our guests, who sometimes have a reservation made months in advance. From what I understand, that means we can hold it "as long as necessary to obtain authorization", which could mean until the guest checks out or even 30 days after that, because since we did not swipe the card, the transaction can be disputed without an authorization form in which they state they agree to pay for some charges.

So instead of locking up hundreds of documents (which we will do for groups and events) for the numerous faxes we get, I was thinking of a full-disk-encryption server and using TrueCrypt to encrypt the volume or file containing those documents. Two-way authentication would ideally consist of USB "keys" issued only to managers which, much like their money safety deposit box, they would be responsible for safekeeping. So they would have to type a password to get into the server and have the USB key to access those files. I would keep the master key and header in our vault (only 3 people know the combo, not including me) and change the key and reissue it every 30 days or when a USB device is lost.

How would I go about doing this, or is there an easier or more secure way to be compliant? Maybe I am overthinking this, but USB keys would be cool. There would obviously be RAID (hardware and software) and this would not be networked or even go on the net except for updates. I am just not sure I can do that in a liable manner with no data loss.

Thanks,

Art
Question by:kaosmadness
7 Comments
 
Expert Comment by: Rich Rumble (ID: 36974653)
Keep it simple... TC doesn't use USB one-time pads or traditional two-factor authentication tokens. The issue with TC and sharing access is that each container (file/folder/drive) can be mounted using 1 and/or 2 passwords and/or keys only. There is no shared container. TC is able to make very strong encrypted containers; you can use a password only, a keyfile only, and/or a combination of the two. A keyfile is literally a file that is used as a "second password", if you will; this way you can avoid keyloggers and have a second form of encryption.
TC is cross-platform, so you can use any OS you like. But what all the above means is that you have to give each person the same password and/or the same keyfile as well, unless you make identical copies of the data and store them each with unique passwords/keyfiles.
TC works by "mounting" a container, meaning you unlock it with your pass/keyfile, and that container appears as another drive on the PC. That means that while that "drive" is mounted, anyone with rights to that "drive" can access it while it's mounted (aka unlocked). The data is only decrypted in memory, not on disk, so if power is lost all of a sudden while it was mounted, it's not accessible when rebooted because it needs to be mounted again (mounting stores the decryption keys in memory and doesn't actually decrypt the data on disk).

Instead, I'd suggest faxing/sending the people a form that does give consent (an invoice they fill out, or one you "pre-fill out" except for the CC#), and storing those securely. Of course they should sign it.
-rich

Author Comment by: kaosmadness (ID: 36977060)
Thanks for the reply and your insight. I guess what I was saying is that we are already doing the fax/sending, but because we get so many and because we have to store them for months at a time with variable charge amounts (most of the time we can pre-charge except for a deposit, but in a banquet or meeting event this would be useless). So yes, I want only one machine, inaccessible to the network, in a locked office, turned off after the business day is over, that needs key and password, but I kinda wanted to do that at login/logon and screen saver access. Again, everyone would have USB keys (the same) but that would be breaking the part about unique user authentication if more than one person accesses it. So maybe they can all have a login to Linux (different) and can all access the file, but mount it only with the key and password, meeting both requirements of two-method authentication and unique user/password. IDK if I am overthinking this or if you know of an easier way. I don't understand why some stuff is being asked by the council, but it is what it is.

Expert Comment by: Rich Rumble (ID: 36977522)
Depends, so I am assuming these are electronic faxes, tiff/doc/pdf types of files, or are you having to convert any of them from physical paper to electronic documents?
Faxes, or physical CC data, are barely covered in the 2.0 standard:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (Requirement 9)
9.6 Physically secure all media.
9.6 Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes).

If it's the electronic type already, you're not supposed to store more than the first 6 and/or last 4 digits (even if it's encrypted) unless there is a legitimate business need, which you appear to have (3.3). What companies typically do is get the transaction entered into the system, put it on hold in the system only, and destroy all but the last 4 digits and the contact info about the customer. That puts this burden back on your processor; they should be able to store the data and have the transaction completed at a later date.
-rich

Author Comment by: kaosmadness (ID: 36978072)
Uhmmm... Interesting thought. I will look into it, but I don't think our processor will let us do that. Usually the data flows from paper fax to input in our property management system, which is PA-DSS compliant, and all but the last four are masked while managers can unmask the full PAN; when settled they are sent to our PA-DSS compliant payment processor/merchant software and then get dispatched to the bank when the transaction is finalized and part of a batch of checked-out guests. The problem with just storing is that we do receive quite a few disputes and chargebacks occur often (mainly in the event of no-shows, especially because we don't have the credit card imprint or swipe or any validation method to show the transaction was authorized by the cardholder). Regretfully the biggest transactions get paid in this manner and with the worst enemy of a business, American Express. I HATE THEM WITH A PASSION! When they send an "inquiry", they will charge you back when the person disputing it is obviously wrong and base it on some minor technicality. One time someone had two rooms, complained about one of them, disputed their bill as "duplicate charge" and explained he had a horrible stay. We showed two signed registration cards, two imprints, two itemized bills, two emails sent confirming two reservations, housekeeping reports showing the room he signed a registration card for was occupied, and we got a chargeback!!! They stated that I did not address the cardholder's claim that he had a horrible stay, and I didn't because what was in question was a double charge.

You're right about the paper fax not being too much of a problem as long as we can secure physical access to them. The only problem is that we get so many of them that it would be hard to keep track of which day to destroy what, based on whether or not it might result in a loss due to a chargeback. Perhaps secure electronic storage, not connected to the internet, that makes those documents searchable and where we can guarantee they get electronically shredded based on a monthly review would be easier than to trust our front desk, reservations, sales and accounting staff to keep track of so many of them and be able to show their proper destruction.

By the way, we are not PCI compliant; I am working on that for this company finally. But we have not been asked any questions by anyone. In less than a month I hope to make us fully compliant, but how do I approach getting validation??? Will they ask why we had not done so before? Should I wait until they ask to become validated? I think this may be because our applications are PA-DSS compliant and enforce PCI-DSS to use their apps or you can't use them.

Author Comment by: kaosmadness (ID: 36978105)
Oh, Rich, I forgot to say thanks for your reply and insight.

Accepted Solution by: Rich Rumble (earned 2000 total points, ID: 36980219)
Most home office faxes nowadays can also convert to tiff/pdf/doc automatically rather than printing; printing is still the default, methinks, however. If possible I'd try to eliminate the physical; it's another PCI nightmare to dispose of those physical copies properly. If you're stuck with an old-fashioned fax, upgrade, because most faxing services aren't PCI/DSS compliant.
This is what I suggest: buy or use a fax machine with internal storage; most of the "card readers" that the printers have can be leveraged to store documents. These will be plain-text, but as a compensating control place it under lock and key in a closet, office or other confined space. That is probably as simple as possible; if you can audit who goes in or out of that confined space, all the better (key card access?), but it should be good enough to pass an audit (believe it or not). With the caveat that the records are deleted from that media as soon as they are not needed anymore (again, you can record the name/last 4 or even first 6 digits, just not the secret PIN (on the back) or anything in between).
There are numerous companies that will do an audit for you; if you're a franchise, contact the main office and see if they can point you in the right direction. If you're a mom&pop, there should be plenty of 3rd parties out there. We've used http://www.protiviti.com those folks a number of times; there are dozens more out there. http://www.google.com/search?q=pci+auditor
-rich
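As an added illustration, not code from this thread or from any of the products mentioned in it, the following Python script shows the two data-handling rules Rich points at above: the requirement 3.3 truncation (keep at most the first six and last four digits of the PAN) and the "delete it from the media as soon as it is no longer needed" caveat in the accepted answer. It scans the text of an electronic fax for card-number candidates, filters them with a Luhn check so that phone and confirmation numbers are left alone, stores only the truncated form, and reports which authorization records have passed their hold date. The sample fax text, the card number 4111 1111 1111 1111 and the 30-day post-checkout hold window are constructed assumptions for the example, not facts from the thread.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# This is a heuristic; the Luhn check below removes most false positives.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; card numbers pass it, most other digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (PCI DSS 3.3 truncation); mask the rest with X."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str):
    """Replace every Luhn-valid PAN candidate with its truncated form.

    Returns (redacted_text, list_of_truncated_pans). The full PAN is never
    retained by this function; only the truncated value leaves it.
    """
    found = []

    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)       # not a card number, leave it untouched
        truncated = truncate_pan(digits)
        found.append(truncated)
        return truncated

    return PAN_RE.sub(repl, text), found


@dataclass
class AuthorizationRecord:
    """One third-party authorization, stored with truncated PAN only."""
    guest: str
    truncated_pan: str
    checkout: date
    hold_days: int = 30     # assumption: keep until the chargeback window after checkout closes

    @property
    def destroy_after(self) -> date:
        return self.checkout + timedelta(days=self.hold_days)


def due_for_destruction(records, today: date):
    """Records whose hold period has passed; these should be shredded from the media."""
    return [r for r in records if today > r.destroy_after]


# Constructed sample fax text (test card number, not a real customer's).
SAMPLE_FAX = """Third-party authorization for guest J. Smith
Card: 4111 1111 1111 1111  Exp 12/13
Alt card (typo on form): 4111 1111 1111 1112
Phone: (555) 123-4567
Confirmation number 1234567890123
I authorize charges for room and tax only."""


def process_fax(text: str, guest: str, checkout: date) -> AuthorizationRecord:
    """Redact the fax and build the record that would actually be kept on disk."""
    _, pans = redact_text(text)
    if not pans:
        raise ValueError("no card number found on fax")
    return AuthorizationRecord(guest=guest, truncated_pan=pans[0], checkout=checkout)


if __name__ == "__main__":
    redacted, pans = redact_text(SAMPLE_FAX)
    print(redacted)
    rec = process_fax(SAMPLE_FAX, "J. Smith", date(2011, 10, 20))
    print("stored:", rec)
    print("due on 2011-12-01:", due_for_destruction([rec], date(2011, 12, 1)))
```

The Luhn filter is what keeps this usable on real fax text: the 13-digit confirmation number and the mistyped card number in the sample both fail it and are left alone, while the valid card number is replaced before anything is written to storage. A monthly review then only has to run `due_for_destruction` over the stored records rather than rely on staff remembering dates.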

Author Closing Comment by: kaosmadness (ID: 37053832)
Thanks for the tips!!!