Although organizations that store, process, or transmit cardholder information are required to comply with payment card industry standards, most find it extremely challenging to meet the requirements of these technically rigorous standards. PCI Compliance: The Definitive Guide explains the ins and outs of the payment card industry (PCI) security standards in a manner that is easy to understand.
This step-by-step guidebook delves into PCI standards from an implementation standpoint. It begins with a basic introduction to PCI compliance, including its history and evolution. It then thoroughly and methodically examines the specific requirements of PCI compliance. PCI requirements are presented along with notes and assessment techniques for auditors and assessors.
The text outlines application development and implementation strategies for Payment Application Data Security Standard (PA-DSS) implementation and validation. Explaining the PCI standards from an implementation standpoint, it clarifies the intent of the standards on key issues and challenges that entities must overcome in their quest to meet compliance requirements.
The book goes beyond detailing the requirements of the PCI standards to delve into the multiple implementation strategies available for achieving PCI compliance. The book includes a special appendix on the recently released PCI-DSS v3.0. It also contains case studies from a variety of industries undergoing compliance, including banking, retail, outsourcing, software development, and processors. Outlining solutions extracted from successful real-world PCI implementations, the book ends with a discussion of PA-DSS standards and validation requirements.
Payment-Card Industry: An Evolution
The Development of a System: The Coming of the Credit Card
The Need for Credit: A Historical Perspective
Credit in the Mesopotamian Civilization
Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
The Rise of Virtual Money Transactions (AD 600 to AD 1500)
The Reemergence of Coins and Precious Metal Currency (1500–1971)
The Rise of Debt (1971 Onwards)
The Need for Credit
The Credit Card: A Means to Address the Need for Credit
The History of the Credit Card
The First Credit Cards
The Development of a Credit Card Industry
Debit Cards and Automated Teller Machines
The Coming of the Debit Card
The Automated Teller Machine
E-Commerce and Online Payments
The Future of Payments
Trends for the Future of Payments
Mobile Payments
Contactless Payments
Chip and PIN Cards
Summary
Card Anatomy: The Essentials
Payment Cards: Types of Cards
Payment Card with Magnetic Stripe
Magnetic Stripe Cards: A Brief History
Magnetic Stripe Coercivity
Magnetic Stripe: A Primer on Data Sets
Chip and PIN Cards
Payment Cards: An Anatomy
Payment Card: External Visage (Front)
The Card Issuer’s Logo
The Payment Brand Logo and Hologram
The Card Number (PAN)
The Expiration Date
The Cardholder’s Name
Payment Card: External Visage (Back)
The Magnetic Stripe
Signature Strip
The CVV
Service Disclaimer
Bank Address and Contact Details
Customer Service Information
Data Sets: Payment Card
Track 1 Data
Track 2 Data
Track 3 Data
Payment Card: Terminology
The Payment Card Processing Cycle
Merchants
Acquirers
Payment Networks
Issuers
Processors
Other Service Providers
Independent Sales Organizations
Payment Card Transactions
Card-Present Transaction
Card-Not-Present Transactions
Open-Loop Payment Systems
Closed-Loop Payment Systems
Summary
Security and the Payment-Card Industry
A Brief History of Credit Card Fraud
A Brief History of Significant Card Data Breaches
The CardSystems Breach
The TJ-Maxx Card Breach
The Heartland Payment Systems Breach
The Sony PlayStation Network Breach
Cardholder Security Programs
Card Brand Cardholder Security Programs
The Formation of the PCI-DSS and PCI-SSC
Structure of the PCI Standards
The PCI Assessment Environment
PCI-QSAs and PCI-QSACs
The PCI ASV (Approved Scanning Vendor)
The PCI Internal Security Assessor
The PCI Special-Interest Groups
Payment Application Compliance
PCI’s PA-DSS
PA-QSA and PA-QSAC
Summary
Payment Card Industry Data Security Standard (PCI-DSS)
Brief History of the PCI-DSS
PCI Compliance Levels: Payment Brands
Payment Brand Compliance Programs and PCI-DSS
Compliance Levels and Compliance Requirements
Visa Merchant and Service Provider Validation Levels
MasterCard Merchant and Service Provider Validation Levels
American Express Merchant and Service Provider Compliance Validation Levels
Compliance Validation Levels: Identification and Implementation
PCI-DSS: Applicability
Applicability of PCI Compliance and Interplay with Compliance Validation Requirements
Merchant Organizations
Service Providers: Processors
Service Providers: Everybody Else
Cloud Service Providers
PCI: Attestation, Assessment, and Certification
The Role of a PCI-QSA
The PCI-DSS Requirements
Compensatory Controls
Documentation: The Report on Compliance
Documentation: The Attestation of Compliance
Summary
The Payment Application Data Security Standard (PA-DSS)
History and Overview of the PA-DSS
The Need for Payment Application Validation for PCI
A Brief History of the PA-DSS
Primer on the PA-DSS Standard
The PA-DSS Requirements
PA-DSS Validation
The PA-DSS Validation Process
The Differences in PCI-DSS and PA-DSS Validation
Technical Testing and Validation for the PA-DSS
Role of a PA-QSA
PA-DSS Documentation
The PA-DSS Report on Validation
The PA-DSS Implementation Guide
The PA-DSS Attestation of Validation
The PA-DSS Vendor Release Agreement
PA-DSS Application Revalidation
Annual Revalidation
Changes to Payment Applications
No-Impact Change
Low-Impact Change
High-Impact Change
Change-Impact Documentation
No-Impact Change-Impact Documentation
Low-Impact Change-Impact Documentation
High-Impact Change-Impact Documentation
Summary
Enterprise Approach to PCI Compliance
Industry Verticals and PCI Compliance
PCI Approaches for Different Industry Verticals
Basic Business Function
Cardholder Information Touch Points
The Organization Itself
Merchants
Service Providers
Issuing TPPs
Acquiring TPPs
Banks
Other Service Providers
Enterprise Challenges: PCI Compliance
Information Overload: A Perspective
Knowledge of the Team
Management Impetus
Budgetary Constraints
Technical Constraints
Good Practices: To Get PCI Compliant
PCI Taskforce
Create a Defined Scope
Don’t Focus on PCI Compliance
Understand Risk—Always
Pick the Right QSA
Good Practices for Application Vendors: PA-DSS
Security from Incipiency
Document, Document, Document
Scope Out
Summary
Scoping for PCI Compliance
Scoping for PCI Compliance: A Primer
The Cardholder-Data Environment (CDE)
Defining the Cardholder-Data Environment
Cardholder-Data Flow
Cardholder-Data Matrix
ATM Card Processing: Acquiring
Card-Issuing Function
POS Billing and Merchant Acquisition
Fraud-Management Services
Cardholder Customer Service Management
Identifying Cardholder Data
The Role of the PCI-QSA in the CDE
Tips for Scope Reduction
Why Reduce Scope?
Network Segmentation
Scoping Out E-Commerce Applications
Tokenization and Other Data-Protection Techniques
System Components in the PCI Scope
Network and Network Components
Servers and OS Components
Applications
Summary
Requirement 1: Build and Maintain a Secure Network
Network Security: A Primer
Network Security Architecture: Enterprise
Network Architecture: Scoping Out
Benefits of Scoping Out with Network Segmentation
Common Resources
Technology: Network Segmentation
Network Security Requirements for PCI
The Network Security Documentation
Requirement 1.1: Firewall and Router Configuration Standards
PCI Assessor’s Notes: Requirement 1.1
Network Components: Firewalls, Routers, and Other Network Components
Firewall and Router Specifications and Configurations
The Demilitarized Zone (DMZ)
PCI Requirements Relating to the DMZ
The Role of Managed Services
Summary
Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
Vendor-Supplied Default Passwords
Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
Requirement 2.1: Change Vendor-Supplied Default Passwords
Requirement 2.2: Configuration Standards for System Components
Requirement 2.2.1: One Primary Function per Server
Insecure Protocols and Services
Requirements 2.2.3 and 2.2.4 Security Parameters: To Prevent Misuse
Nonconsole Administrative Access
Wireless Security Consideration: Vendor-Supplied Defaults
PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
Payment Application Vendor-Supplied Defaults
Requirement 3.1b of the PA-DSS
Requirement 5.1.3 of the PA-DSS
Secure Network Implementation: Payment Applications
Requirement 5.4 of the PA-DSS
Requirement 8.1 of the PA-DSS
Requirement 6 of the PA-DSS: Wireless Security Requirements
Summary
Requirement 3: Protect Stored Cardholder Data
Storage, Retention, and Destruction of Stored Cardholder Data
Do You Really Need to Store Cardholder Data?
Policies and Procedures around Storage of Cardholder Data
Requirement 3.2: Sensitive Authentication Data at Rest
Authentication Parameters: Concept Overview
CVV/CVC/CAV1&2
PIN Verification Value (PVV) and PIN Offset
PIN/PIN Block
Authentication Parameters
Issuers and Storage of Sensitive Authentication Data
Requirement 3.2: Assessment Notes
Display of the Card PAN
Requirement 3.4: Rendering the PAN Unreadable Wherever Stored
An Overview of Techniques to Render the PAN Unreadable
Use of One-Way Hashing
One-Way Hashing Algorithms and Security Considerations
Use of Truncation
Use of Tokenization
Use of Strong Cryptography
Rendering the PAN Unreadable Everywhere It Is Stored
Cryptography: Terminology and Concept Review
Cryptosystem
Key and Keyspace
Initialization Vector
Symmetric and Asymmetric Cryptography
Block Ciphers and Stream Ciphers
Block Cipher Modes of Encryption
Electronic Code Book
Cipher Block Chaining
Cipher Feedback
Output Feedback
Counter
Requirements 3.5 and 3.6: Key Security and Key Management
Key-Management Considerations: Enterprises
Key-Management Practices for Banks and Acquiring and Issuing TPPs
Hardware Security Module (HSM)
Local Master Key
Zone-Control Master Keys
PIN Working Keys
PIN Verification Key
Message Authentication Keys
Card Verification Keys
Derived Unique Key per Transaction (DUKPT)
Principles of Encryption and Key Management for Protecting the Stored PAN
Secure Key Generation
Single-Purpose Cryptographic Keys
Secure Key Storage
Secure Key Distribution and Exchange
Cryptoperiod and Key Changes
Dual-Key Management for Manual Cryptography
Summary
Requirement 4: Securing Cardholder Information in Transit
Requirement 4.1: Secure Transmission of Cardholder Information Over Open, Public Networks
Open, Public Networks: A PCI Viewpoint
Secure Protocols
HTTPS with SSL/TLS
Secure Shell (SSH)
IPSec VPN
Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions
Requirement 4.2: Unprotected PANs over End-User Messaging Technologies
Summary
Requirement 5: Use and Regularly Update Antivirus Software
Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems
Antivirus Deployment within the PCI Environment (CDE)
Requirement 5.2: Managing the Antivirus Application
Managing and Monitoring the Antivirus Application for PCI Compliance
Commercial Applications: Antivirus Requirements
Summary
Requirement 6: Develop and Maintain Secure Systems
Requirement 6.1: Patch-Management Practices for PCI Compliance
Patch Management for PCI Compliance
Approaches to Patching and Patch Management
Change-Management Process of System Patch Deployment
Risk-Based Approach to Patch Management
Assessor’s Notes for Verifying Patch-Management Practices
Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
Secure Application Development Practices for PCI-DSS and PA-DSS
Requirement 6.3: Secure SDLC for Application Development
The Risk-Assessment Approach to Secure SDLC
Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords
Requirement 6.3.2: Custom Code Review for Security
Requirement 6.4: Application Change Management and Change Control
Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
Requirement 6.4.3: Use of Live PANs for Testing
Requirement 6.4.4: Removal of Test Data in Production
Requirement 6.5: Secure Coding Guidelines for Applications
Secure Coding Guidelines: References and Best Practices
Requirement 6.5.1: Secure Coding to Address Injection Flaws
SQL Injection
XPath Injection
LDAP Injection
Command Injection
Requirement 6.5.2: Secure Coding to Address Buffer Overflows
Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
Cryptography Essentials
Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
The SSL/TLS Handshake Process
Implementation Best Practices for Secure Transmission: Web Applications
Requirement 6.5.5: Secure Coding to Address Improper Error Handling
Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
Reflected XSS
Persistent XSS
Requirement 6.5.8: Secure Coding to Address Flawed Access Control
Session Hijacking
Cross-Site Request Forgery
Session Fixation
Forceful Browsing
Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery
Ongoing Vulnerability-Management Practices for Web Applications
Web-Application Vulnerability Assessments
Usage of a Web-Application Firewall
Summary
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Requirement 7.1: Restrict Access to Systems with Cardholder Data
Access Restrictions across the PCI Environment
The Principle of Least Privilege
Documentation of Approval: Access Privileges
Automated Access-Control System
Summary
Requirement 8: Access-Control Requirements for PCI Environments
Unique IDs for Users: PCI Environment
Requirement 8.1: Assign Unique IDs to Users in PCI Environment
Factors of Authentication
The Three Factors of Authentication Supplementing User IDs
Something You Know: Knowledge Factors
Something You Are: Physical Factors
Something You Have: Physical Token Parameters
Two-Factor Authentication: Remote Access
Protection of Passwords: Transmission and Storage
Protection of Passwords in Transit
Protection of Passwords at Rest
Authentication Management for PCI Environments
Access-Control Procedure
Requirement 8.5.1: Control of Operations on Access Control
Requirement 8.5.2: Verification of User Identity (Password Resets)
Requirement 8.5.3: Unique Password Value and First-Use Change
Requirement 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights
Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation
Requirement 8.5.5: Disabling User Accounts within 90 Days
Requirement 8.5.6: Vendor Account Access Management
Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts
Requirements 8.5.9–8.5.15: Password Management for PCI Environments
Database Access Requirements for PCI Environments
Requirement 8.5.16: Database Authentication Requirements
PA-DSS Requirements for Authentication
Requirement 8 of PCI and Requirement 3 of the PA-DSS
Summary
Requirement 9: Restrict Physical Access to Cardholder Data
Requirement 9.1: Physical Access Controls for the PCI Environment
Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms
Requirement 9.1.2 and 9.1.3: Restrict Physical Access to Network Components
The Dangers of Visitor Network Access
Protection Strategies for Visitor Network Access
Requirement 9.1.3: Physical Protection for Network Devices
Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access
Visitor-Management Procedure
Visitor Access and Employee Access Distinctions
Granting Visitor Access
Visitor Access Privileges and Restrictions
Revocation of Visitor and Employee Access
Access to Badge System/Physical Access-Control System
Visitor Distinction
Visitor Access Records
Requirements 9.5–9.10: Media Management and Security
Requirement 9.5: Physical Security—Off-Site Media Backup Location
The Need for Off-Site Backup
Security Controls: Off-Site Backup
Requirements 9.9 and 9.10: Media Destruction
Summary
Requirement 10: Logging and Monitoring for the PCI Standards
Audit Trails: PCI Requirements
The Need for Audit Trails and Logs
Challenges: Log Management
Distributed Event Logs
Volume of Log Entries
Nonstandard Logging Practices
Multiple Tools
People Intensive
Access-Control Link: Audit Trails
Details: Audit Trail Capture
Audit Logs: Details
Individual Access to Cardholder Data
Actions by Root or Administrative Users
Access to Audit Trails
Invalid Access Attempts
Use of Identification and Authentication Mechanisms
Initialization of Audit Logs
Creation of System-Level Objects
Audit-Trail Entries and Records
User Identification
Type of Event
Date and Time
Indication of Success or Failure
Origination of Event
Identification of Affected System, Resource, or Component
Application Logging Best Practices
The Importance of Time and Its Consistency
Time Sync across IT Components
Network Time Protocol for Time Synchronization
Securing Audit Trails and Logs
Business Need to Know: Logs and Audit Trails
Securing Log Information
Strong Access Control
System Hardening
Centralized Log Server
File-Integrity Monitoring
Log Monitoring, Review, and Retention
Requirement 10.6: Log Review and Monitoring
Requirement 10.7: Log Retention
Summary
Requirement 11: Security Testing for the PCI Environment
Wireless Access Point: Testing
Testing for Rogue/Unauthorized Wireless Access Points
Wireless Network Scanning
Physical Inspection
Network Access Control
Wireless IDS/IPS Deployment
Internal and External Network Vulnerability Scanning
Vulnerability Scanning: Concept Note
Vulnerability Categorization
Vulnerability Scanning: Methodology
Internal and External Network Vulnerability Scanning
Internal and External Vulnerability Scanning
Network Vulnerability Scanning
Scanning by PCI Approved Scanning Vendor (ASV)
Internal and External Penetration Testing
Fundamental Differences: Vulnerability Assessment and Penetration Testing
Why Perform a Penetration Test?
Network-Layer Penetration Tests
Application-Layer Penetration Testing
Deployment of Intrusion Detection/Prevention Devices or Applications
Intrusion Detection/Prevention Systems: An Overview
Signature Based
Statistical-Based Anomaly Detection
Stateful Protocol Analysis Detection
PCI Requirement: Intrusion Detection/Prevention System
File-Integrity Monitoring: Critical System Files and Configurations
Attacks: Key System Files
File-Integrity Monitoring: Critical System Files, Processes, and Content Files
Summary
Requirement 12: Information Security Policies and Practices for PCI Compliance
Information Security Policy: PCI Requirements
Security Policy Definition
Risk Assessment: PCI Compliance
A Question of Adequacy
Risk Assessment: Process and Overview
Annual Review: Policy and Risk-Management Framework
Operational Security Procedures
Security Focus Areas
Acceptable Usage Policies and Procedures
List of Acceptable Technologies, Applications, and Devices
Explicit Approval for Technology Usage
Inventory and Labeling
Authentication for the Use of Technology
Acceptable Usage
Security Roles and Responsibilities
Documentation: Roles and Responsibilities
The Chief Information Security Officer
Distribution of Policies and Procedures and Monitoring of Security Alerts
User Management: Roles and Responsibilities
People Security Practices
Security Awareness Training and Monitoring
Employee Background Verification
Vendor Management and PCI Compliance
Vendors: Data Sharing and Risk Management
Incident Management and Incident Response
Incident-Response Plans and Procedures
Elements of Incident-Response Plan
Incident-Response Success Factors
Summary
Beyond PCI Compliance
Maintaining PCI Compliance: The Challenge
The Challenge: The Dilemma Produced by Success
The Information Problem
The Technology Challenge
Management Attitude
Success Factors for Continuing PCI Compliance
A Change of Attitude
Deep Understanding of Risk and Its Application
The CISO
Summary
Index
Biography
Abhay Bhargav is the founder and chief technical officer of the we45 Group, a Bangalore-based information security solutions company. He has extensive experience with information security and compliance, having performed security assessments for many enterprises in various domains, such as banking, software development, retail, telecom, and legal. He is a qualified security assessor (QSA) for the payment-card industry and has led several security assessments for payment-card industry compliance. He is also the coauthor of Secure Java for Web Application Development, published by CRC Press.
Abhay is a specialist in Web-application security with broad experience in vulnerability assessment and penetration testing, and he has served as a consultant for a wide array of enterprises and governmental/quasi-governmental entities. He was recently awarded the prestigious SANS Certified GIAC Web Application Penetration Tester certification. He has been interviewed by leading media outlets for his expertise on information security, particularly application security.
Abhay is a regular speaker at industry events. He was a featured speaker at the JavaOne Conference in September 2010 at the Moscone Center in San Francisco. He also regularly speaks at OWASP (Open Web Application Security Project) conferences around the world, notably in New York at the world’s largest application security conference, the OWASP AppSec Conference, in September 2008. He has also spoken at various other conferences and seminars, such as the PCI summit in Mumbai in December 2008. He is a regular speaker at industry events such as the Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He has also delivered several talks to government entities and their stakeholders on information security and application security. He is also a trainer in information security and has led several public workshops on PCI, PA-DSS, and risk assessment.
Abhay is well versed in risk assessment and risk management, with rich consulting experience in the OCTAVE® Risk Assessment and NIST SP 800-30 methodologies. His expertise also extends to providing solutions on information security based on the ISO-27001, HIPAA, SOX, GLBA, and other security-compliance standards.
Previously, Abhay was the leader of application security and PCI compliance at SISA Information Security Pvt Ltd. Prior to that, he was involved in implementing enterprise IT solutions for various verticals, including manufacturing and retail. He has developed various business applications in Java and in proprietary object-oriented programming languages such as TDL. He has also written various articles on application security and security compliance.
Apart from his professional interests, Abhay is also a trained Carnatic classical flutist and has delivered several concerts. He is also a theater enthusiast and playwright, with an English comedy play to his writing credit. He blogs actively and maintains a security blog and a personal blog. He also writes a weekly article on computer education for rural youth in a leading Kannada daily newspaper.