PCI DSS experts and monitoring compliance (Solved)

Posted on 2013-06-20. Last modified: 2013-07-15
Is there anything in PCI DSS that covers the following procedure? I assume it's common for IT departments to determine a baseline security minimum standard for each system type/role. I.e. for laptop computers, I assume your security baseline would say laptop machines must have full disc encryption. But does PCI DSS (or any of these standards) recommend pro-active verification and monitoring that all your machines actually do have full disc encryption? If so, could you point me in the direction of the section in PCI DSS that goes over this? I had a quick scan through but couldn't see too much in that area.
Question by: pma111

13 Comments
Accepted Solution by: Dave Baldwin (LVL 82, earned 167 total points)
Here's the main site: https://www.pcisecuritystandards.org/security_standards/ The main document, pci_dss_v2.pdf, only mentions full disk encryption as one of the options. They are much more concerned about how access and physical security are handled.

Assisted Solution by: Rich Rumble (LVL 38, earned 167 total points)
The thing you have to remember about PCI is it pertains 99% to the computers that house and/or have access to PCI (credit card) data. You do not have to encrypt all your laptops because you house PAN numbers etc. If you can show logical/physical separation of that data from most of your LT's then there is no PCI mandate for them to be encrypted.
Full-disk encryption is recommended in lieu of having the PAN numbers encrypted in a database or other "unreadable" container. But if they are going to be seen in plain text, like through a web portal to the DB by a computer, that computer is supposed to have compensating controls; being fully encrypted is considered a compensating control for theft of the physical PCI data. Section 3.4.1 goes over that.
It's about keeping the data secure, not always with encryption; however, the data has to be decrypted at some point, so controls must be in place that limit that "exposure" of the decrypted data.
-rich

Assisted Solution by: btan (LVL 61, earned 166 total points)
From PCI DSS: "PCI DSS follows common sense steps that mirror best security practices." So hope that helps; hardening need not be explicit, as it is understood if you're going for compliance to protect the asset. Most of the time, it is "Servers and Workstations connected to the CDE will be installed and configured according to security best practices."

As for disk encryption, the closest can be from Req 3 ("Protect Stored Cardholder Data") in 2.0. It did not mandate it, and as long as you can adhere to Req 3, which I don't, you can easily safeguard w/o having the disk encrypted, since the crypto key must reside somewhere even in a transient state....

E.g. http://blog.403labs.com/post/8402704243/disk-encryption-and-pci-requirement-3-4-1

[PCI-DSS] 3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.

3.5 Protect any keys used for encryption of cardholder data from disclosure and misuse.

3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.

Excerpt:-
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

"If full-disk encryption is used, logical access must be managed independently of native operating system access control mechanisms. Decryption keys must not be tied to user accounts. Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse"

References
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

Expert Comment by: Dave Baldwin (LVL 82)
One of the problems with portable things like laptops is that they can be stolen by people who have the keys to decode the data. The company or organization is still responsible for losing the data. And if the laptop is taken outside to unsecured places like the employee's home, that would be considered bad practice.

Expert Comment by: Rich Rumble (LVL 38)
Keep pci data on the servers :) Keep LT's from accessing it, that's what we recommend. FDE is still a good practice for LT's nonetheless.
-rich

Author Comment by: pma111 (LVL 3)
But I was more looking at this as an example, and why all these standards seem to have a blind faith that whatever method you use to deploy (or build standards for) disc encryption has worked and is enabled.

These standards never seem to have a requirement to monitor for compliance with your security standards, i.e. why doesn't it recommend a security admin to monitor that all of your laptops have encryption enabled? Surely things can go wrong, which means unless you are monitoring the security compliance you wouldn't have a clue about non-compliant machines. It's just a set-it-and-forget-it type mindset with these technical requirements; they completely overlook monitoring procedures for compliance.

So which control in PCI DSS has a requirement to proactively audit your machines to ensure they comply with security settings? As per most, I suspect there isn't one.
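The proactive baseline check this post says the standards never ask for, as an added example that is not from this thread, from PCI DSS or from any product: it evaluates a constructed laptop/server inventory against a per-role baseline and reports a host that has stopped checking in as "unknown" rather than silently treating it as compliant. The role names, setting names, thresholds and inventory records are all assumptions.

```python
from datetime import date, timedelta

# Constructed per-role baseline (assumption): settings each system type must
# report, plus how old patches and agent check-ins may be before they count.
BASELINE = {
    "laptop": {"fde_enabled": True, "default_creds_changed": True},
    "server": {"default_creds_changed": True, "fim_agent_running": True},
}
MAX_PATCH_AGE = timedelta(days=30)
MAX_CHECKIN_AGE = timedelta(days=7)
REPORT_DATE = date(2013, 6, 20)

# Constructed inventory, as an endpoint agent or CMDB export might report it.
INVENTORY = [
    {"hostname": "lt-01", "role": "laptop", "fde_enabled": True, "default_creds_changed": True,
     "last_patch": date(2013, 6, 10), "last_seen": date(2013, 6, 19)},
    {"hostname": "lt-02", "role": "laptop", "fde_enabled": False, "default_creds_changed": True,
     "last_patch": date(2013, 4, 1), "last_seen": date(2013, 6, 20)},
    {"hostname": "lt-03", "role": "laptop", "fde_enabled": True, "default_creds_changed": True,
     "last_patch": date(2013, 6, 1), "last_seen": date(2013, 5, 2)},
    {"hostname": "db-01", "role": "server", "default_creds_changed": True, "fim_agent_running": True,
     "last_patch": date(2013, 6, 15), "last_seen": date(2013, 6, 20)},
]

def evaluate(host, today):
    """Return the findings for one host; an empty list means it meets the baseline."""
    silent_for = today - host["last_seen"]
    if silent_for > MAX_CHECKIN_AGE:
        # A host that stopped reporting is not evidence of compliance: surface it as unknown.
        return [f"no check-in for {silent_for.days} days, compliance unknown"]
    findings = []
    for setting, required in BASELINE[host["role"]].items():
        actual = host.get(setting)
        if actual != required:
            findings.append(f"{setting}={actual}, baseline requires {required}")
    patch_age = today - host["last_patch"]
    if patch_age > MAX_PATCH_AGE:
        findings.append(f"last patch {patch_age.days} days ago (max {MAX_PATCH_AGE.days})")
    return findings

def compliance_report(inventory, today):
    """Map hostname -> findings so non-compliant and silent hosts are both visible."""
    return {h["hostname"]: evaluate(h, today) for h in inventory}

def report_for_sample():
    """Run the check over the constructed inventory as of the constructed report date."""
    return compliance_report(INVENTORY, REPORT_DATE)
```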
Expert Comment by: Dave Baldwin (LVL 82)
You really ought to read through pci_dss_v2.pdf at least once. In that document, there are testing procedures listed beside each PCI DSS requirement. As for laptops, anything with cardholder data is supposed to be kept under lock and key and access restricted to only those who are authorized to access or use the data. That pretty much means that laptops lose their usefulness since you can't take them anywhere.

Expert Comment by: Rich Rumble (LVL 38)
You've found out what millions already know: it's a bunch of check-boxes and not much else. It's hard to make requirements beyond what PCI mandates; in most organizations security takes a back seat, and if they can get even close to PCI compliance they are 10 steps ahead of where they were before they read the DSS requirements.
Physical controls (section 9) are supposed to be in place for accessing PCI environments, but LT's are out of scope and not hinted at whatsoever.

Also FYI, PCI does recommend monitoring, and you get to fill in that portion with things you think you should monitor in addition to access; most people don't understand this section's additional intention.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis
They expect you to audit your FDE, but aren't clear about that true enough.

As for the base-line security settings, PCI does not attempt to approach that subject, and rightly so. PCI is high level because they were kinda smart not to get into specifics. Creating baselines for Windows(|98|NT|2000|xp|2003|2008|7|vista|8|2012)/Linux/Mac|Apple/Android/iOS/Cisco/Juniper/ etc... take your pick, it's not going to work out well for the PCI board. So they say "fully patched", up-to-date software/OSes and non-default security configurations, which we think is a no-brainer; however, you do have to say it still...
It's not blind faith because 9 times out of 10 the FDE you choose will be very sufficient for keeping an attacker at bay should the LT be stolen. "Evil maids" and cold-boot attacks are sexy and plausible in some cases, but not to a degree that it makes sense to force EVERYONE to have security that "goes to 11". Security is always a trade-off, typically between ease of use, functionality and/or -->budget<--. PCI can't mandate that PGP be used because it's not free and in fact costs lots of money; it also would put PGP in a monopoly position, when TrueCrypt, FreeOTFE, CheckPoint, Seagate Momentus, Dell, DestCrypt, BitLocker, ScramDisk and so many others can do the job.
They leave it general because frankly that's the best way. There are too many variables to get technical.

Also, as you seem to know already, some of these controls are paper tigers if no one is monitoring them, and even if they are, some are for naught in many instances. There is a requirement for VPN users to have 2-factor authentication to make a connection to the PCI environment. 2-factor only works at the initial VPN connection; once that is established, if a machine is compromised, the network layer can be used to gain access to the LAN and the 2-factor part is never needed (\\ip.ip.ip.ip can't be 2-factor'd in Windows).

While PCI is far from perfect, and can be a pain (like most security), at a high level it is a decent building block for a secure environment. Please note that even if you fail a PCI audit, you can still go about your day-to-day until next year; they really don't do anything to anyone when they fail. I've audited many organizations, and what the self-assessment questionnaire says and what you actually find are typically not even close to correct. So if anything PCI needs more enforcement by sanctions and fines, which I've personally never seen it do. Needs more "teeth" on that side of things than anywhere else in my opinion.
-rich

Author Comment by: pma111 (LVL 3)
@DaveBaldwin - there are testing procedures, but are those intended for internal security officers to "self assess", or for external officers auditing compliance?

Expert Comment by: btan (LVL 61)
Actually, in all security compliance sets, monitoring need not be explicit. When the time comes for a compliance check, audit or pentest etc., the sad truth is most of the time gaps and non-compliance are surfaced. Either you discover it earlier through constant checks and sensors, or else leave it to fate, as most see security as an afterthought... Also, being compliant does not mean it is a secure system or architecture; minimally you meet some baseline and best practice and are not "naked" to malicious acts...

"Regularly test security systems and processes"

E.g. PCI DSS compliance specifies that changes to existing data in log files must be detected, whereas the addition of new data can be ignored. For other files, such as critical configuration files, any change may be important. That said, you then need some form of Continuous File Integrity Monitoring...

The whole idea for PCI is to reduce your scope and exposure for cardholder data. We don't really like burning the midnight oil for the "exam" coming; a last-minute rush is never in favour and is always a hassle, or may not even be successful in passing the checks. Increasingly, organisations are so focused on achieving compliance that they often miss the bigger, more important picture of ensuring consistent corporate data security through effective risk management. Achieving reliable and continuous information security needs to be based on real risk management and not sporadic compliancy metrics.
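One way to implement the two file-integrity policies described in this comment, as an added example that is not from the thread or from any FIM product: log files are held to an append-only rule (bytes present at baseline time must be intact, growth is allowed, and a same-length in-place edit is still caught because the baseline prefix is re-hashed), while configuration files alert on any change. File contents are constructed in-memory byte strings so it runs offline; the paths, the sample log lines and the policy map are assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def take_baseline(content: bytes) -> dict:
    """Record what is trusted now: the length and hash of the whole file."""
    return {"size": len(content), "digest": sha256(content)}

def check_log(baseline: dict, content: bytes) -> str:
    """Append-only policy: bytes present at baseline time must be intact; growth is fine."""
    if len(content) < baseline["size"]:
        return "ALERT: log truncated"
    if sha256(content[: baseline["size"]]) != baseline["digest"]:
        return "ALERT: existing log entries modified"
    return "OK" if len(content) == baseline["size"] else "OK: appended"

def check_config(baseline: dict, content: bytes) -> str:
    """Any-change policy: a config that differs from baseline at all is a finding."""
    return "OK" if sha256(content) == baseline["digest"] else "ALERT: configuration changed"

# Assumed paths; which policy applies to each monitored file.
POLICY = {"/var/log/auth.log": check_log, "/etc/ssh/sshd_config": check_config}

def run_checks(policy: dict, baselines: dict, current: dict) -> dict:
    """Apply each file's policy to its current content and return path -> verdict."""
    return {path: check(baselines[path], current[path]) for path, check in policy.items()}

# Constructed file contents standing in for reads from disk.
LOG0 = b"Jun 20 09:00:01 db-01 sshd[101]: Accepted publickey for ops\n"
CFG0 = b"PermitRootLogin no\nPasswordAuthentication no\n"
BASELINES = {"/var/log/auth.log": take_baseline(LOG0), "/etc/ssh/sshd_config": take_baseline(CFG0)}

# Later snapshot 1: a new log line was appended and the config is untouched.
APPENDED = {"/var/log/auth.log": LOG0 + b"Jun 20 09:05:12 db-01 sshd[102]: Accepted publickey for ops\n",
            "/etc/ssh/sshd_config": CFG0}
# Later snapshot 2: an existing log entry was rewritten in place (same length, so a
# size check alone would miss it) and the config now permits root login.
TAMPERED = {"/var/log/auth.log": LOG0.replace(b"Accepted", b"Rejected"),
            "/etc/ssh/sshd_config": CFG0.replace(b"PermitRootLogin no", b"PermitRootLogin yes")}

def sample_verdicts():
    """Verdicts for both constructed snapshots, as (appended, tampered)."""
    return run_checks(POLICY, BASELINES, APPENDED), run_checks(POLICY, BASELINES, TAMPERED)
```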

Expert Comment by: Dave Baldwin (LVL 82)
I don't see a distinction as to who performs the testing. The testing procedures are clearly written down and if your 'internal security officers' ignore them, 'external officers auditing compliance' will not. They don't tell you who needs to do things. They do tell you what needs to be done and expect that you will take care of it.

If you had a serious breach and you were audited and they found that you hadn't performed due diligence in your monitoring and testing procedures, then you could have serious trouble in court if you were sued.

It's not unlike going 50 mph in a 40 mph zone. It probably doesn't matter until you hit someone. Then they will use it against you in court and add additional penalties for driving too fast.

Expert Comment by: Rich Rumble (LVL 38)
Check the PCI Council's website for approved QSAs (Qualified Security Assessors):
https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
In the US there are about 141, so the PCI council does say use one of them, it doesn't say which. PCI again can't tell you HOW to test, only what to test FOR. Each solution is unique so it's hard to do more than generalize what to test for.
PCI is anything but clear, there are no clear testing procedures, and there can't be, but there are guidelines and measurements to abide by.
Sections 11-12 are very broad, but they expect documentation to be produced to your QSA.
-rich

Expert Comment by: btan (LVL 61)
Thought the key is to prioritise and set the goals. PCI has a doc on this to assist if needed... below are the goals

@ https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v20.xls

1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.

2. Protect the perimeter, internal, and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point.

3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.

5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

Also from - http://www.theukcardsassociation.org.uk/security/PCIDSS_checklist.asp
*These actions need to be done EVERY year. If you don’t continue to do this, you will not maintain on-going compliance. Scans have to be undertaken on a quarterly basis.