1st Edition

PCI Compliance The Definitive Guide

By Abhay Bhargav Copyright 2014
    351 Pages 68 B/W Illustrations
    by Auerbach Publications

    Although organizations that store, process, or transmit cardholder information are required to comply with payment card industry standards, most find it extremely challenging to comply with and meet the requirements of these technically rigorous standards. PCI Compliance: The Definitive Guide explains the ins and outs of the payment card industry (PCI) security standards in a manner that is easy to understand.

    This step-by-step guidebook delves into PCI standards from an implementation standpoint. It begins with a basic introduction to PCI compliance, including its history and evolution. It then thoroughly and methodically examines the specific requirements of PCI compliance. PCI requirements are presented along with notes and assessment techniques for auditors and assessors.

    The text outlines application development and implementation strategies for Payment Application Data Security Standard (PA-DSS) implementation and validation. Explaining the PCI standards from an implementation standpoint, it clarifies the intent of the standards on key issues and challenges that entities must overcome in their quest to meet compliance requirements.

    The book goes beyond detailing the requirements of the PCI standards to delve into the multiple implementation strategies available for achieving PCI compliance. The book includes a special appendix on the recently released PCI-DSS v 3.0. It also contains case studies from a variety of industries undergoing compliance, including banking, retail, outsourcing, software development, and processors. Outlining solutions extracted from successful real-world PCI implementations, the book ends with a discussion of PA-DSS standards and validation requirements.

    Payment-Card Industry: An Evolution
    The Development of a System: The Coming of the Credit Card
         The Need for Credit: A Historical Perspective
              Credit in the Mesopotamian Civilization
              Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
              The Rise of Virtual Money Transactions (AD 600 to AD 1500)
              The Reemergence of Coins and Precious Metal Currency (1500–1971)
              The Rise of Debt (1971 Onwards)
              The Need for Credit
         The Credit Card: A Means to Address the Need for Credit
              The History of the Credit Card
              The First Credit Cards
              The Development of a Credit Card Industry
    Debit Cards and Automated Teller Machines
         The Coming of the Debit Card
         The Automated Teller Machine
         E-Commerce and Online Payments
    The Future of Payments
         Trends for the Future of Payments
              Mobile Payments
              Contactless Payments
              Chip and PIN Cards

    Card Anatomy: The Essentials
    Payment Cards: Types of Cards
         Payment Card with Magnetic Stripe
              Magnetic Stripe Cards: A Brief History
              Magnetic Stripe Coercivity
              Magnetic Stripe: A Primer on Data Sets
         Chip and PIN Cards
    Payment Cards: An Anatomy
         Payment Card: External Visage (Front)
              The Card Issuer’s Logo
              The Payment Brand Logo and Hologram
              The Card Number (PAN)
              The Expiration Date
              The Cardholder’s Name
         Payment Card: External Visage (Back) 
              The Magnetic Stripe
              Signature Strip
              The CVV
              Service Disclaimer
              Bank Address and Contact Details
              Customer Service Information
    Data Sets: Payment Card
         Track 1 Data
         Track 2 Data
         Track 3 Data
    Payment Card: Terminology
         The Payment Card Processing Cycle 
         Payment Networks
         Other Service Providers
         Independent Sales Organizations
    Payment Card Transactions
         Card-Present Transaction
         Card-Not-Present Transactions
         Open-Loop Payment Systems
         Closed-Loop Payment Systems

    Security and the Payment-Card Industry
    A Brief History of Credit Card Fraud
    A Brief History of Significant Card Data Breaches
         The CardSystems Breach
         The TJ-Maxx Card Breach
         The Heartland Payment Systems Breach
         The Sony Playstation Network Breach
    Cardholder Security Programs
          Card Brand Cardholder Security Programs
         The Formation of the PCI-DSS and PCI-SSC
         Structure of the PCI Standards
         The PCI Assessment Environment
              PCI-QSAs and PCI-QSACs
              The PCI ASV (Approved Scanning Vendor)
              The PCI Internal Security Assessor
              The PCI Special-Interest Groups
         Payment Application Compliance
              PCI’s PA-DSS
              PA-QSA and PA-QSAC

    Payment Card Industry Data Security Standard (PCI-DSS)
    Brief History of the PCI-DSS
    PCI Compliance Levels: Payment Brands
         Payment Brand Compliance Programs and PCI-DSS
         Compliance Levels and Compliance Requirements
              Visa Merchant and Service Provider Validation Levels
              MasterCard Merchant and Service Provider Validation Levels
              American Express Merchant and Service Provider Compliance Validation Levels
         Compliance Validation Levels: Identification and Implementation
    PCI-DSS: Applicability
         Applicability of PCI Compliance and Interplay with Compliance Validation Requirements
         Merchant Organizations
         Service Providers: Processors
         Service Providers: Everybody Else
         Cloud Service Providers
    PCI: Attestation, Assessment, and Certification
         The Role of a PCI-QSA
         The PCI-DSS Requirements
         Compensatory Controls
         Documentation: The Report on Compliance
         Documentation: The Attestation of Compliance

    The Payment Application Data Security Standard (PA-DSS)
    History and Overview of the PA-DSS
          The Need for Payment Application Validation for PCI
         A Brief History of the PA-DSS
         Primer on the PA-DSS Standard
              The PA-DSS Requirements
    PA-DSS Validation
         The PA-DSS Validation Process
         The Differences in PCI-DSS and PA-DSS Validation
         Technical Testing and Validation for the PA-DSS
         Role of a PA-QSA
    PA-DSS Documentation
         The PA-DSS Report on Validation
         The PA-DSS Implementation Guide
         The PA-DSS Attestation of Validation
         The PA-DSS Vendor Release Agreement
    PA-DSS Application Revalidation
         Annual Revalidation
         Changes to Payment Applications
              No-Impact Change
              Low-Impact Change
              High-Impact Change
         Change-Impact Documentation
              No-Impact Change-Impact Documentation
              Low-Impact Change-Impact Documentation
              High-Impact Change-Impact Documentation

    Enterprise Approach to PCI Compliance
    Industry Verticals and PCI Compliance
         PCI Approaches for Different Industry Verticals
              Basic Business Function
              Cardholder Information Touch Points
              The Organization Itself
         Service Providers
              Issuing TPPs
              Acquiring TPPs
         Other Service Providers
    Enterprise Challenges: PCI Compliance
         Information Overload: A Perspective
         Knowledge of the Team
         Management Impetus
         Budgetary Constraints
         Technical Constraints
    Good Practices: To Get PCI Compliant
         PCI Taskforce
         Create a Defined Scope
         Don’t Focus on PCI Compliance
         Understand Risk—Always
         Pick the Right QSA
    Good Practices for Application Vendors: PA-DSS
         Security from Incipiency
         Document, Document, Document
         Scope Out

    Scoping for PCI Compliance
    Scoping for PCI Compliance: A Primer
    The Cardholder-Data Environment (CDE)
         Defining the Cardholder-Data Environment
         Cardholder-Data Flow
         Cardholder-Data Matrix
              ATM Card Processing: Acquiring
              Card-Issuing Function
              POS Billing and Merchant Acquisition
              Fraud-Management Services
              Cardholder Customer Service Management
              Identifying Cardholder Data
         The Role of the PCI-QSA in the CDE
    Tips for Scope Reduction
         Why Reduce Scope?
         Network Segmentation
         Scoping Out E-Commerce Applications
         Tokenization and Other Data-Protection Techniques
    System Components in the PCI Scope
         Network and Network Components
         Servers and OS Components

    Requirement 1: Build and Maintain a Secure Network
    Network Security: A Primer
         Network Security Architecture: Enterprise
         Network Architecture: Scoping Out
              Benefits of Scoping Out with Network Segmentation
              Common Resources
              Technology: Network Segmentation
    Network Security Requirements for PCI
         The Network Security Documentation
              Requirement 1.1: Firewall and Router Configuration Standards
              PCI Assessor’s Notes: Requirement 1.1
         Network Components: Firewalls, Routers, and Other Network Components
              Firewall and Router Specifications and Configurations
         The Demilitarized Zone (DMZ)
              PCI Requirements Relating to the DMZ
         The Role of Managed Services

    Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
    Vendor-Supplied Default Passwords 
         Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
              Requirement 2.1: Change Vendor-Supplied Default Passwords
              Requirement 2.2: Configuration Standards for System Components
              Requirement 2.2.1: One Primary Function per Server
              Insecure Protocols and Services
              Requirements 2.2.3 and 2.2.4 Security Parameters: To Prevent Misuse
         Nonconsole Administrative Access
         Wireless Security Consideration: Vendor-Supplied Defaults
    PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
         Payment Application Vendor-Supplied Defaults 
              Requirement 3.1b of the PA-DSS
              Requirement 5.1.3 of the PA-DSS
         Secure Network Implementation: Payment Applications
              Requirement 5.4 of the PA-DSS
              Requirement 8.1 of the PA-DSS
              Requirement 6 of the PA-DSS: Wireless Security Requirements

    Requirement 3: Protect Stored Cardholder Data
    Storage, Retention, and Destruction of Stored Cardholder Data
         Do You Really Need to Store Cardholder Data? 
         Policies and Procedures around Storage of Cardholder Data
    Requirement 3.2: Sensitive Authentication Data at Rest
         Authentication Parameters: Concept Overview
              PIN Verification Value (PVV) and PIN Offset
              PIN/PIN Block
         Authentication Parameters
         Issuers and Storage of Sensitive Authentication Data
         Requirement 3.2: Assessment Notes
    Display of the Card PAN
    Requirement 3.4: Rendering the PAN Unreadable wherever
         An Overview of Techniques to Render the PAN Unreadable
              Use of One-Way Hashing
              One-Way Hashing Algorithms and Security Considerations
              Use of Truncation
              Use of Tokenization
              Use of Strong Cryptography
         Rendering the PAN Unreadable Everywhere It Is Stored
    Cryptography: Terminology and Concept Review
         Key and Keyspace
         Initialization Vector
         Symmetric and Asymmetric Cryptography
         Block Ciphers and Stream Ciphers
         Block Cipher Modes of Encryption
              Electronic Code Book
              Cipher Block Chaining
              Cipher Feedback
              Output Feedback
    Requirements 3.5 and 3.6: Key Security and Key Management
         Key-Management Considerations: Enterprises
         Key-Management Practices for Banks and Acquiring and Issuing TPPs
              Hardware Security Module (HSM)
              Local Master Key
              Zone-Control Master Keys
              PIN Working Keys
              PIN Verification Key
              Message Authentication Keys
              Card Verification Keys
              Derived Unique Key per Transaction (DUKPT)
         Principles of Encryption and Key Management for Protecting the Stored PAN
              Secure Key Generation
              Single-Purpose Cryptographic Keys
              Secure Key Storage
              Secure Key Distribution and Exchange
              Cryptoperiod and Key Changes
              Dual-Key Management for Manual Cryptography

    Requirement 4: Securing Cardholder Information in Transit
    Requirement 4.1: Secure Transmission of Cardholder Information Over Open, Public Networks
         Open, Public Networks: A PCI Viewpoint
         Secure Protocols
              HTTPS with SSL/TLS
              Secure Shell (SSH)
              IPSec VPN
         Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions
    Requirement 4.2: Unprotected PANs over End-User Messaging Technologies

    Requirement 5: Use and Regularly Update Antivirus Software
    Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems
         Antivirus Deployment within the PCI Environment (CDE)
    Requirement 5.2: Managing the Antivirus Application
         Managing and Monitoring the Antivirus Application for PCI Compliance
    Commercial Applications: Antivirus Requirements

    Requirement 6: Develop and Maintain Secure Systems
    Requirement 6.1: Patch-Management Practices for PCI Compliance
         Patch Management for PCI Compliance
         Approaches to Patching and Patch Management
              Change-Management Process of System Patch Deployment
         Risk-Based Approach to Patch Management
         Assessor’s Notes for Verifying Patch-Management Practices
    Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
    Secure Application Development Practices for PCI-DSS and PA-DSS
         Requirement 6.3: Secure SDLC for Application Development
              The Risk-Assessment Approach to Secure SDLC
              Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords
              Requirement 6.3.2: Custom Code Review for Security
         Requirement 6.4: Application Change Management and Change Control
              Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
              Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
              Requirement 6.4.3: Use of Live PANs for Testing
              Requirement 6.4.4: Removal of Test Data in Production
    Requirement 6.5: Secure Coding Guidelines for Applications
         Secure Coding Guidelines: References and Best Practices
         Requirement 6.5.1: Secure Coding to Address Injection Flaws
              SQL Injection
              XPath Injection
              LDAP Injection
              Command Injection
         Requirement 6.5.2: Secure Coding to Address Buffer Overflows
         Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
              Cryptography Essentials
         Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
              The SSL/TLS Handshake Process
              Implementation Best Practices for Secure Transmission: Web Applications
         Requirement 6.5.5: Secure Coding to Address Improper Error Handling
         Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
         Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
              Reflected XSS
              Persistent XSS
         Requirement 6.5.8: Secure Coding to Address Flawed Access Control
              Session Hijacking
              Cross-Site Request Forgery
              Session Fixation
              Forceful Browsing
              Requirement 6.5.9: Secure Coding to Address Cross-Site
    Request Forgery
    Ongoing Vulnerability-Management Practices for Web Applications
         Web-Application Vulnerability Assessments
         Usage of a Web-Application Firewall

    Requirement 7: Restrict Access to Cardholder Data by Business
    Need to Know
    Requirement 7.1: Restrict Access to Systems with Cardholder Data
         Access Restrictions across the PCI Environment
         The Principle of Least Privilege
         Documentation of Approval: Access Privileges
         Automated Access-Control System

    Requirement 8: Access-Control Requirements for PCI Environments
    Unique IDs for Users: PCI Environment
         Requirement 8.1: Assign Unique IDs to Users in PCI Environment
    Factors of Authentication
         The Three Factors of Authentication Supplementing User IDs
              Something You Know: Knowledge Factors
              Something You Are: Physical Factors
              Something You Have: Physical Token Parameters
         Two-Factor Authentication: Remote Access
    Protection of Passwords: Transmission and Storage
         Protection of Passwords in Transit
         Protection of Passwords at Rest
    Authentication Management for PCI Environments
         Access-Control Procedure
         Requirement 8.5.1: Control of Operations on Access Control
         Requirement 8.5.2: Verification of User Identity (Password Resets)
         Requirement 8.5.3: Unique Password Value and First-Use Change
         Requirement 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights
              Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation
              Requirement 8.5.5: Disabling User Accounts within 90 Days
         Requirement 8.5.6: Vendor Account Access Management
         Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts
         Requirements 8.5.9–8.5.15: Password Management for PCI Environments
    Database Access Requirements for PCI Environments
         Requirement 8.5.16: Database Authentication Requirements
    PA-DSS Requirements for Authentication
         Requirement 8 of PCI and Requirement 3 of the PA-DSS

    Requirement 9: Restrict Physical Access to Cardholder Data
    Requirement 9.1: Physical Access Controls for the PCI Environment
         Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms
         Requirement 9.1.2 and 9.1.3: Restrict Physical Access to Network Components
              The Dangers of Visitor Network Access
              Protection Strategies for Visitor Network Access
              Requirement 9.1.3: Physical Protection for Network Devices
    Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access
         Visitor-Management Procedure
              Visitor Access and Employee Access Distinctions
              Granting Visitor Access
              Visitor Access Privileges and Restrictions
              Revocation of Visitor and Employee Access
              Access to Badge System/Physical Access-Control System
              Visitor Distinction
              Visitor Access Records
    Requirements 9.5–9.10: Media Management and Security
         Requirement 9.5: Physical Security—Off-Site Media Backup Location
              The Need for Off-Site Backup
              Security Controls: Off-Site Backup
         Requirements 9.9 and 9.10: Media Destruction

    Requirement 10: Logging and Monitoring for the PCI Standards
    Audit Trails: PCI Requirements
         The Need for Audit Trails and Logs
         Challenges: Log Management
              Distributed Event Logs
              Volume of Log Entries
              Nonstandard Logging Practices
              Multiple Tools
              People Intensive
         Access-Control Link: Audit Trails
    Details: Audit Trail Capture
         Audit Logs: Details
              Individual Access to Cardholder Data
              Actions by Root or Administrative Users
              Access to Audit Trails
              Invalid Access Attempts
              Use of Identification and Authentication Mechanisms
              Initialization of Audit Logs
              Creation of System-Level Objects
         Audit-Trail Entries and Records
              User Identification
              Type of Event
              Date and Time
              Indication of Success or Failure
              Origination of Event
              Identification of Affected System, Resource, or Component
         Application Logging Best Practices
    The Importance of Time and Its Consistency
         Time Sync across IT Components
         Network Time Protocol for Time Synchronization
    Securing Audit Trails and Logs
         Business Need to Know: Logs and Audit Trails
         Securing Log Information
              Strong Access Control
              System Hardening
              Centralized Log Server
              File-Integrity Monitoring
    Log Monitoring, Review, and Retention
         Requirement 10.6: Log Review and Monitoring
         Requirement 10.7: Log Retention

    Requirement 11: Security Testing for the PCI Environment
    Wireless Access Point: Testing
         Testing for Rogue/Unauthorized Wireless Access Points
              Wireless Network Scanning
              Physical Inspection
              Network Access Control
              Wireless IDS/IPS Deployment
    Internal and External Network Vulnerability Scanning
         Vulnerability Scanning: Concept Note
              Vulnerability Categorization
              Vulnerability Scanning: Methodology
         Internal and External Network Vulnerability Scanning
              Internal and External Vulnerability Scanning
              Network Vulnerability Scanning
         Scanning by PCI Approved Scanning Vendor (ASV) 
    Internal and External Penetration Testing
         Fundamental Differences: Vulnerability Assessment and Penetration Testing
              Why Perform a Penetration Test?
              Network-Layer Penetration Tests
              Application-Layer Penetration Testing
    Deployment of Intrusion Detection/Prevention Devices or Applications
         Intrusion Detection/Prevention Systems: An Overview
              Signature Based
              Statistical-Based Anomaly Detection
              Stateful Protocol Analysis Detection
         PCI Requirement: Intrusion Detection/Prevention System
    File-Integrity Monitoring: Critical System Files and Configurations
         Attacks: Key System Files
         File-Integrity Monitoring: Critical System Files, Processes, and Content Files

    Requirement 12: Information Security Policies and Practices for PCI Compliance
    Information Security Policy: PCI Requirements
         Security Policy Definition
         Risk Assessment: PCI Compliance
              A Question of Adequacy
              Risk Assessment: Process and Overview
         Annual Review: Policy and Risk-Management Framework
    Operational Security Procedures
         Security Focus Areas         
         Acceptable Usage Policies and Procedures
              List of Acceptable Technologies, Applications, and Devices
              Explicit Approval for Technology Usage
              Inventory and Labeling
              Authentication for the Use of Technology
              Acceptable Usage
    Security Roles and Responsibilities
         Documentation: Roles and Responsibilities
              The Chief Information Security Officer
              Distribution of Policies and Procedures and Monitoring of Security Alerts
              User Management: Roles and Responsibilities
    People Security Practices
         Security Awareness Training and Monitoring
         Employee Background Verification
    Vendor Management and PCI Compliance
         Vendors: Data Sharing and Risk Management
    Incident Management and Incident Response
         Incident-Response Plans and Procedures
              Elements of Incident-Response Plan
              Incident-Response Success Factors

    Beyond PCI Compliance
    Maintaining PCI Compliance: The Challenge
         The Challenge: The Dilemma Produced by Success
              The Information Problem
              The Technology Challenge
              Management Attitude
    Success Factors for Continuing PCI Compliance
         A Change of Attitude
              Deep Understanding of Risk and Its Application
              The CISO



    Abhay Bhargav is the founder and chief technical officer of the we45 Group, a Bangalore based information security solutions company. He has extensive experience with information security and compliance, having performed security assessments for many enterprises in various domains, such as banking, software development, retail, telecom, and legal. He is a qualified security assessor (QSA) for the payment-card industry and has led several security assessments for payment-card industry compliance. He is also the coauthor of Secure Java for Web Application Development, published by CRC Press.

    Abhay is a specialist in Web-application security with broad experience in vulnerability assessment and penetration testing, and he has served as a consultant for a wide array of enterprises and governmental/quasi-governmental entities. He was recently awarded the prestigious SANS Certified GIAC Web Application Penetration Tester certification. He has been interviewed by leading media outlets for his expertise on information security, particularly application security. Links to the interviews are available here and here.

    Abhay is a regular speaker at industry events. He was a featured speaker at the JavaOne Conference in September 2010 at the Moscone Center in San Francisco. He also regularly speaks at OWASP (Open Web Application Security Project) conferences around the world, notably in New York at the world’s largest application security conference, the OWASP AppSec Conference, in September 2008. He has also spoken at various other conferences and seminars, such as the PCI summit in Mumbai in December 2008. He is a regular speaker at industry events such as the Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He has also delivered several talks to government entities and their stakeholders on information security and application security. He is also a trainer in information security and has led several public workshops on PCI, PA-DSS, and risk assessment.

    Abhay is well versed in risk assessment and risk management, with rich consulting experience in the OCTAVE® Risk Assessment and NIST SP 800-30 methodologies. His expertise also extends to providing solutions on information security based on the ISO-27001, HIPAA, SOX, GLBA, and other security-compliance standards.

    Previously, Abhay was the leader of application security and PCI compliance at SISA Information Security Pvt Ltd. Prior to that, he was involved in implementing enterprise IT solutions for various verticals, including manufacturing and retail. He has developed various business applications in Java and proprietary object-oriented program languages such as TDL. He has also written various articles on application security and security compliance.

    Apart from his professional interests, Abhay is also a trained Carnatic classical flutist and has delivered several concerts. He is also a theater enthusiast and playwright with an English comedy play to his writing credits. He blogs actively and maintains a security blog and a personal blog. He also writes a weekly article on computer education in a leading Kannada daily newspaper for the rural youth.