5 Under-utilized PCI Requirements and how you can leverage them

By – Praveen Joseph Vackayil
Praveen Joseph Vackayil
CISSP, CCNA, ISO 27001 LA, former PCI QSA, MS (Warwick), BE

• Mobile phones – you know what to do! 
• Questions are welcome
• Share your knowledge

• Quick Introduction to PCI DSS
–CHD and SAD
–PCI Requirements
• 5 Under-utilized PCI Requirements

The Payment Card
Industry Data Security
Standards are a set of
security standards
created to protect
credit and debit card
data.

• One of the most precise and granular
information security standards out
there.
• 12 broad requirements, 300+ sub-requirements
• People (10%) – Processes (30%) –
Technology (60%)

Cardholder Data:
• Card Number
• Cardholder Name
• Service Code (not shown
in image)
• Expiry Date

Sensitive Authentication
Data:
• CVV
• Track data (Magnetic
Stripe data or Chip data)
• PINs or PIN blocks
123

Stored card numbers must be encrypted, truncated,
hashed, or protected with one time pads.
4757 2828 9290 2929
1aM3fz9eo0F1idqKq2Z23i0F3a
kdjl53f32F23k3qsaf

CVV, Track/Chip and PIN data must never be stored.
“July_Customer_CVV.xlsx”

Ref: PCI DSS v3.0

Firewall Rule Review
Formal Change Management
Updated Network Diagram
Firewall config vs
Business Justification
Document
Check incoming
packets for IP
Spoofing
NATting
Internal Zone-> DMZ
->External Zone

Change all vendor supplied
defaults
Remove all
unnecessary
scripts, drivers,
servers and
other
functionalities
One primary function
per server
Non-console admin
access
must be encrypted
Hardening standards based on CIS, SANS, NIST, etc.

Minimize stored PAN
Do not store any SAD
Mask PAN when displayed
Render stored PAN
un-readable
Key Management
Drive Awareness
Review stored PAN via
quarterly data discovery
scans

Encrypt PAN sent over
wireless. Eg. IEEE
802.11i
(No WEP, SSL v2.0)
Encrypt PAN sent on
open public networks
Encrypt PAN if sent over
email, chat, etc.
Drive Awareness

If AV exists, deploy it
Do RA to identify threats
for Mainframes or other
systems without AV
Periodic Scans
Automatic Updates
Anti-virus logs

Identify new security
vulnerabilities from
external sources
Patch Management
Secure SDLC
WAF or App VA for
public facing web apps

Access to CHD based on
job-based need to know
Default deny-all setting
in access provisioning

User ID settings
Two-factor
authentication for
remote connections
Password settings
Session time-out
settings

Physical Access Controls:
-CCTV and/or
-Access control
mechanism
Visitor Management
Media
Management
Physical Security of POS
devices

What should be logged
What a log should
contain
Log Retention
FIM on logs
Log Review
Time synchronization
Access to Logs

Penetration
Testing
Wireless Scan IDS/IPS
Vulnerability
Assessment
Change Detection Software

Risk Assessment
Human Resources
-NDA
-BGV
Service Provider
Management
Incident Management
Policies and Procedures
- Information Security
- Acceptable Usage, etc.

• Firewall Rule Review
• Log Review
• Penetration Testing
• Risk Assessment
• Service Provider Management

1.1.7 Review firewall and
router rule sets at least once
every six months

“Nipper gives a lot of false
positives, you know?”
“We need ICMP for troubleshooting”
-We ran a Nipper
scan.
-And?
-That’s it!

• Re-validation of all business requirements (and nothing else)
being met through the firewall
• Review/removal of ACLs which are convenient for firewall
device management but not for network security.
• Protection from new attack vectors (especially public facing
firewalls)
• Checking for incorrectly configured rules
• Clean-up of obsolete rules and user ids on firewall
• Revoke of “temporary” access requests on expiry
• Firewall performance tuning
• More accurate responses from network administrator during
external audit. 

Prerequisites
- Network Diagram
- Device Inventory
- Updated DFD
- Firewall Rules Business
Justification Document
Shortlist the firewalls to be
reviewed
- eg. Internet FW, Internal
FW
- Review the network
diagram, DFD
- Validate the FW
configuration against
approved services, ports,
protocols
Remediation
What to Look For:
- Obsolete ACLs
- Inconsistencies with BJD
- Insecure services, ports,
protocols - FTP, Telnet, SNMP.

Ref: SANS - Methodology for
Firewall Reviews for PCI
Compliance
http://www.sans.org/reading-room/
whitepapers/auditing/met
hodology-firewall-reviews-pci-compliance-
34195

SCOPE
10.6 Review logs and security events for all system components
FREQUENCY
10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD/SAD
• Logs of all critical system components
• Logs of security devices - firewalls, IPS, etc.
10.6.2 Review logs of all other system components periodically as determined by
a risk assessment.
REMEDIATION
10.6.3 Follow up anomalies identified during the review process.

“It is not possible to
investigate all alerts. There
are tons of false positives.”
-We manually review logs everyday.
Surprisingly, we have no incidents so
far.
-You mean NOT surprisingly

Central Log
Storage for
easy access and
review
Log
Review
Continuous and
Automated
Monitoring
“Do Not Show
Again”
configuration
to reduce false
positives
Timely
Response
Mechanism
Qualified
personnel who
know what
kind of logs to
look for

Requirements for PT in PCI v2.0
11.3 Perform external and internal
penetration testing at least once a year and
after any significant infrastructure or
application upgrade or modification. These
penetration tests must also include
application and network layer penetration
tests.

“We ran a PT scan.
Here is the report.”
“We fixed all the VA findings.
So there are no vulnerabilities to
exploit, meaning there is no point
in a PT.”
(hence proved)

• PT Methodology
– A methodology will bring structure and consistency to the testing approach
– Provide standardized documentation
– Assist in training and KT between staff
Eg. N/w PT – OSSTM (from Institute for Security and Open Methodologies), NIST SP 800-115
App PT - OWASP Testing Project for App PT
• External and Internal PT
Outside Inside
Has no access to systems
No knowledge about the systems
Has at least general user access, may
have some knowledge on the
systems
Begins with reconnaissance (public
information) and enumeration
(network discovery, port scanning)
Begins with user privilege escalation
(eg. General to admin user)

• PT must validate network segmentation
methods used to isolate the CDE
– Router or Firewall ACLs
– VLANs configured on L3 switches
Eg. Port scanning to check for any open ports on the router
through which one can connect from a trusted but non-CDE
network.
• PT must be on-going
– Remediation must be validated by re-testing

SAMPLE TESTS
• Database security audit
• SQL injection techniques
• Network traffic eavesdropping
• Access control testing
• Network intrusion testing
• Network stress testing
• DoS attacks
• Manipulating user input data
• Web application penetration
testing
Induction Phase:
- Decide on test timelines
- Shortlist the tests to be done
Interaction Phase:
- Network Discovery
-Select target systems for each
test
Inquest Phase:
Find out as much data as
possible about target systems
Intervention Phase:
Verify functionality of security
and alerting mechanisms
• Web server, DB Server
• Firewall, etc.
• Which ports are open
• What services are
running
• Device configuration
vulnerabilities
• Log alerts
• FIM alerts
• IPS alerts

PCI Req 12.2
Implement a risk-assessment process that:
Frequency:
• Is performed at least annually and upon significant changes to
the environment (for example, acquisition, merger, relocation,
etc.)
Entities:
• Identifies critical assets, threats, and vulnerabilities,
Methodology:
• Results in a formal risk assessment

This is an example of a compliance RA. Not a security RA

A PCI Risk Assessment must be:
• Formal:
– Measurable
– Comparable
– Repeatable
• Focusing on card data as the central asset
• Emphasizing security and not compliance

Risk Assessment can be used to
• Tailor the PCI requirement to the unique
nature of the organization’s CDE
• Reduce the overall cost of compliance
and security maintenance
• Assist in scope reduction

Scope
Assets
Threat
Documentation
Risk Score Vulnerability
Treat:
Firewall config to be
reviewed every quarter by
Security team. Corrective
action to be taken by
Network team.
Risk Management
-Treat, Transfer,
Terminate, Tolerate
E-Commerce Website
Primary Asset – CHD
Supporting Assets–
People, Technology
Disclosure of CHD via
compromise of perimeter
firewall by external entity
No defined frequency for
firewall rule review
Medium

No knowledge on
– the extent to which service provider can access client’s systems and
information
– service provider’s information security controls and how effective they
are
– how they verify employees’ backgrounds
No defined ownership of applicable PCI requirements
Eg. Application hosted at client’s site, but developed remotely by a third party
organization:
– 6.4.1 Separate development/test environments from production
environments ->Client
– 6.4.2 Separation of duties between development/test and production
-> Service Provider

12.8: Maintain and implement policies and procedures to manage
service providers with whom cardholder data is shared, or that
could affect the security of cardholder data
• Maintain a list of service providers
• Due diligence in selecting service providers
• MSA: Service providers are responsible for the security of
cardholder data they possess or otherwise store, process or
transmit on behalf of the customer
• Annually monitor their PCI compliance
• Classify PCI requirements as per client - service providers’
responsibility and get mutual agreement

Stay in Touch
• www.linkedin.com/in/vackayil
• praveen.jvc@gmail.com

5 Under-utilized PCI Requirements and how you can leverage them

More Related Content

What's hot (20)

Similar to 5 Under-utilized PCI Requirements and how you can leverage them (20)

5 Under-utilized PCI Requirements and how you can leverage them