kaosmadness

asked on

PCI-DSS Linux file storage network server with USB key authentication

Hi,

I work for a major brand hotel and I wanted to implement a PCI-DSS compliant server where we can store credit card information that is faxed to us by third parties for billing (such as if I wanted to pay for your room or was planning a meeting event). Since companies began PCI implementation, vendors have been faxing third-party credit card authorizations for our guests, who sometimes have a reservation made months in advance, which, from what I understand, means we can hold it "as long as necessary to obtain authorization", which could mean until the guest checks out or even 30 days after that, because since we did not swipe the card, the transaction can be disputed without an authorization form in which they state they agree to pay for some charges.

So instead of locking up hundreds of documents (which we will for groups and events) for the numerous faxes we get, I was thinking of a full-disk-encryption server and using TrueCrypt to encrypt the volume or file containing those documents. Two-way authentication would ideally consist of USB "keys" issued only to managers which, much like their money safety deposit box, they would be responsible for safekeeping. So they would have to type a password to get into the server and have the USB key to access those files. I would keep the master key and header in our vault (only 3 people know the combo, not including me) and change the key and reissue it every 30 days or when a USB device is lost.

How would I go about doing this, or is there an easier or more secure way to be compliant? Maybe I am overthinking this, but USB keys would be cool. There would obviously be RAID (hardware and software) and this would not be networked or even go on the net except for updates. I am just not sure I can do that in a liable manner with no data loss.

Thanks,

Art
Rich Rumble

Keep it simple... TC doesn't use USB one-time pads or traditional two-factor authentication tokens. The issue with TC and sharing access is that each container (file/folder/drive) can be mounted using one and/or two passwords and/or keys only. There is no shared container. TC is able to make very strong encrypted containers; you can use a password only, a keyfile only, or a combination of the two. A keyfile is literally a file that is used as a "second password", if you will; this way you can avoid keyloggers and have a second form of encryption.
TC is cross-platform, so you can use any OS you like. But what all the above means is that you have to give each person the same password and/or the same keyfile as well, unless you make identical copies of the data and store them each with unique passwords/keyfiles.
TC works by "mounting" a container, meaning you unlock it with your pass/keyfile, and that container appears as another drive on the PC. That means that while that "drive" is mounted, anyone with rights to that "drive" can access it while it's mounted (aka unlocked). The data is only decrypted in memory, not on disk, so if power is lost all of a sudden while it was mounted, it's not accessible when rebooted because it needs to be mounted again (mounting stores the decryption keys in memory and doesn't actually decrypt the data on disk).

Instead, I'd suggest faxing/sending the people a form that does give consent (an invoice they fill out, or one you "prefill" except for the CC#), and storing those securely. Of course they should sign it.
-rich
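To make the "keyfile as a second password" idea above concrete, here is an added Python example. It is not TrueCrypt's own key schedule or header format and not code from this thread; it is a toy construction (keyfile mixed into the password with HMAC, then PBKDF2, with a salt-plus-verifier "header") chosen to show the property Rich describes: the volume key depends on both factors, so neither the password nor the keyfile alone unlocks anything. The iteration count and the keyfile path (standing in for the manager's USB stick) are assumptions for the demo.

```python
"""Password + keyfile unlock demo (illustrative; NOT TrueCrypt's real scheme)."""
import hashlib
import hmac
import os
import secrets
import tempfile

KDF_ITERATIONS = 100_000   # assumption: demo value, tune for real deployments
KEY_LEN = 32               # 256-bit volume key
HEADER_CHECK = b"volume-header-check"


def make_keyfile(path: str, size: int = 64) -> bytes:
    """Write a random keyfile; this is what would be copied to the USB stick."""
    data = secrets.token_bytes(size)
    with open(path, "wb") as f:
        f.write(data)
    return data


def derive_key(password: str, keyfile_bytes: bytes, salt: bytes) -> bytes:
    """Bind keyfile and password before the KDF so both are required.

    HMAC(keyfile, password) changes completely if either input changes, and
    PBKDF2 over that value slows down offline guessing of the password.
    """
    mixed = hmac.new(keyfile_bytes, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, KDF_ITERATIONS, dklen=KEY_LEN)


def create_header(password: str, keyfile_bytes: bytes) -> dict:
    """Toy volume header: random salt plus an HMAC verifier under the derived key.

    Nothing in the header lets you recover the key without both factors.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(password, keyfile_bytes, salt)
    verifier = hmac.new(key, HEADER_CHECK, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def try_unlock(header: dict, password: str, keyfile_bytes: bytes):
    """Return the volume key if password+keyfile match the header, else None."""
    key = derive_key(password, keyfile_bytes, header["salt"])
    tag = hmac.new(key, HEADER_CHECK, hashlib.sha256).digest()
    # constant-time comparison so the verifier check itself leaks nothing
    return key if hmac.compare_digest(tag, header["verifier"]) else None


def demo() -> tuple:
    """Exercise the four cases a practitioner cares about.

    Returns (both factors ok, wrong password, missing keyfile, copied keyfile).
    """
    with tempfile.TemporaryDirectory() as d:
        usb = os.path.join(d, "manager.key")     # stands in for the USB stick
        original = make_keyfile(usb)
        header = create_header("correct horse battery", original)

        with open(usb, "rb") as f:               # manager plugs in the stick
            from_usb = f.read()

        both_ok = try_unlock(header, "correct horse battery", from_usb) is not None
        wrong_pw = try_unlock(header, "wrong password", from_usb) is not None
        no_keyfile = try_unlock(header, "correct horse battery", b"") is not None
        # A byte-for-byte copy of the keyfile is indistinguishable from the
        # original: a keyfile is "something you have" only while it is uncopied.
        copied = try_unlock(header, "correct horse battery", bytes(from_usb)) is not None
        return both_ok, wrong_pw, no_keyfile, copied


if __name__ == "__main__":
    print(demo())
```

The last case is the caveat that matters for the USB-key plan: a keyfile on a stick is a file, so anyone who can read the stick for a moment has the factor permanently; rotating the keyfile every 30 days (as the asker proposes) limits that window but does not turn the stick into a hardware token.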
kaosmadness

ASKER

Thanks for the reply and your insight, I guess what I was saying is that we are already doing the fax/sending but because we get so many and because we have to store them for months at a time with variable charge amounts (most of the time we can pre-charge except for a deposit but in a banquet or meeting event this would be useless). So yes, I want only one machine, inaccessible to the network, in a locked office, turned off after business day is over that needs key and password, but I kinda wanted to do that at login/logon and screen saver access. Again, everyone would have USB keys (the same) but would be breaking the part of unique user authentication if more than one person access it. So maybe they can all have a login to Linux (different) and can all access the file, but mount it only with the key and password meeting both requirements of a two method authentication and unique user/password. IDK if I am over thinking this or if you know of an easier way. I don't understand why some stuff is being asked by the council but it is what it is.
Rich Rumble

Depends, so I am assuming these are electronic faxes, tiff/doc/pdf types of files, or are you having to convert any of them from physical paper to electronic document?
Faxes, or physical CC data are barely covered in the 2.0 standard:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (Requirement 9)
9.6 Physically secure all media.
9.6 Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes).

If it's the electronic type already, you're not supposed to store more than the first 6 and/or last 4 digits (even if it's encrypted) unless there is a legitimate business need, which you appear to have (3.3). What companies typically do is get the transaction entered into the system, put it on hold in the system only, and destroy all but the last 4 digits and the contact info about the customer. That puts this burden back on your processor; they should be able to store the data and have the transaction completed at a later date.
-rich
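Rich's point about requirement 3.3 (show and keep only the first six and/or last four digits) in working form, as an added Python example that is not from this thread or from any PCI tooling. The Luhn check is the standard card check-digit algorithm; the regex-based redaction of free text is an assumption about what an OCR'd fax note looks like, and the test PANs and the note text are constructed sample input. Candidates are only masked when they pass the Luhn check, so confirmation numbers and phone numbers are left alone.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: distinguishes a PAN from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str):
    """Strip spaces/dashes; return the digit string only if it looks like a PAN."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return None
    return digits if luhn_valid(digits) else None


def mask_pan(raw: str, keep_first: int = 6, keep_last: int = 4):
    """Render a PAN as first six + last four (PCI DSS 3.3 style); None if invalid."""
    digits = normalize_pan(raw)
    if digits is None:
        return None
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def redact_pans(text: str) -> str:
    """Replace Luhn-valid PAN-looking runs in free text with their masked form.

    Digit runs that fail Luhn (order numbers, phone numbers) are left as-is.
    Known limitation: a PAN butted directly against other digits may be
    swallowed by the greedy match and then fail Luhn, so it would not be masked;
    that is the conservative failure (nothing is corrupted), but such records
    still need a manual look before storage.
    """
    def _sub(m):
        masked = mask_pan(m.group(0))
        return masked if masked else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: the kind of note an OCR'd authorization fax might yield.
# 4111 1111 1111 1111 is a widely used test PAN, not a real card.
SAMPLE_NOTE = "Auth for guest Smith, card 4111 1111 1111 1111, conf# 1234567890123"


if __name__ == "__main__":
    print(redact_pans(SAMPLE_NOTE))
```

The useful discipline is to run `redact_pans` on the text you keep (indexes, search fields, reconciliation notes) and keep the full PAN, if the business need really requires it, only in the encrypted container, never in whatever makes the documents "searchable".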
kaosmadness

ASKER

Uhmmm... Interesting thought. I will look into it, but I don't think our processor will let us do that. Usually the data flows from paper fax to input in our property management system, which is PA-DSS compliant and all but the last four are masked while managers can unmask the full PAN; when settled they are sent to our PA-DSS compliant payment processor/merchant software and then get dispatched to the bank when the transaction is finalized and part of a batch of checked-out guests. The problem with just storing is that we do receive quite a few disputes and chargebacks occur often (mainly in the event of no-shows, especially because we don't have the credit card imprint or swipe or any validation method to show the transaction was authorized by the card holder). Regretfully the biggest transactions get paid in this manner, and with the worst enemy of a business, American Express. I HATE THEM WITH A PASSION! When they send an "inquiry", they will charge you back when the person disputing it is obviously wrong and base it on some minor technicality. One time someone had two rooms, complained about one of them, disputed their bill as "duplicate charge" and explained he had a horrible stay. We showed two signed registration cards, two imprints, two itemized bills, two emails sent confirming two reservations, housekeeping reports showing the room he signed a registration card for was occupied, and we got a chargeback!!! They stated that I did not address the cardholder's claim that he had a horrible stay, and I didn't because what was in question was a double charge.

You're right about the paper fax not being too much of a problem as long as we can secure physical access to them. The only problem is that we get so many of them that it would be hard to keep track of which day to destroy what, based on whether or not it might result in a loss due to a chargeback. Perhaps secure electronic storage, not connected to the internet, that makes those documents searchable and where we can guarantee they get electronically shredded based on a monthly review would be easier than to trust our front desk, reservations, sales and accounting staff to keep track of so many of them and be able to show their proper destruction.

By the way, we are not PCI compliant; I am working on that for this company finally. But we have not been asked any questions by anyone. In less than a month I hope to make us fully compliant, but how do I approach getting validation? Will they ask why we had not done so before? Should I wait until they ask to become validated? I think this may be because our applications are PA-DSS compliant and enforce PCI-DSS to use their apps, or you can't use them.
Oh, Rich, I forgot to say thanks for your reply and insight.
ASKER CERTIFIED SOLUTION
Rich Rumble

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for the tips!!!