How To: The PCI Self-Assessment Questionnaire (SAQ)
Posted on 20-May-2015
SecurityMetrics
SAQ D Boot Camp
Defeat by questionnaire is not acceptable!
“All truths are easy to understand once they are discovered; the point is to discover them.”
– Galileo Galilei
Summary of SAQs
• SAQ A – Merchant outsources all card collection and processing
• SAQ B – Merchant uses analog phone based POS terminal or imprint method
• SAQ C – Merchant processes and transmits card data but no e-storage
• SAQ C VT – Merchant does simple manual entry on single virtual terminal
• SAQ D – Merchant stores card data electronically in the card processing network
What Do I Do With an SAQ?
• SAQ is a merchant’s statement of PCI compliance
• It is the acquiring bank that asks a merchant for a completed SAQ, not the card brand or the PCI Council
• It is the acquiring bank’s responsibility to track a merchant’s PCI compliance
• It is a merchant’s responsibility to accurately complete the SAQ
“To SAQ D, or Not to SAQ D”
• SAQ D classification options
1. Change your card data processes to get out of SAQ D scope
– Don’t store card data (tokenize)
2. Dig in. It’s not easy but it’s possible!
– Get some help (QSA)
Know The Battlefield
• Before starting, there are some things you need to gather
– Complete network diagram
– Detailed card data flow diagram/description
– Unsecured card data locations
– Written IT policies/procedures
– Internal compliance team (network, workstation/POS support, HR, help desk)
– Management support!
Field Research: Data Discovery
“…you really need to use some kind of methodology to find where cardholder data is on the network…”
– Bob Russo, PCI SSC
• Must have a data discovery methodology for an accurate card data flow picture
• Methodology should include:
– Data discovery tool(s)
– Data flow documentation
– Periodic repetition (annual minimum)
Recon: Card Data & Process
• Like camouflaged ground forces, unsecured card data and processes using card data can hide in rough terrain and go unnoticed until it’s too late
• Careful tracing and documentation of all processes that deal with card data is essential
• Search even locations/processes you think are “clean”
Weapons for Card Discovery
• A good discovery tool…
• Automated exhaustive search capability
– Hard drives, systems, networks, attached storage devices, etc.
– Finds unencrypted PAN and magnetic stripe data
• Generates easy-to-understand reports
• Shows count and location of payment card data found
• Low false positive rate
Available Data Search Tools
• Payment card data search tools available to use on systems:
– PANscan®: https://securitymetrics.com/sm/PANscan/
– SENF: http://www.utexas.edu/its/products/senf/
– SPIDER: http://www.cit.cornell.edu/security/tools/
Where to Look?
• Obvious locations:
– Systems involved in storage, transmission, or processing of card data
– POS systems, web server, customer service workstation, etc.
– Database servers
– Decommissioned systems
– System backup locations
Where to Look?
• Look outside typical cardholder data network:
– Accounting/Finance: spreadsheets from banks, stored reports, etc.
– Sales: faxed forms (printed or digital), e-mail from sales reps, etc.
– Marketing: access to transaction databases/logs for research, etc.
Targeting SAQ D Scope
• “The cardholder data environment (CDE) is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data” –PCI DSS
• PCI DSS applies to all system components included in or connected to the CDE
• Minimize where card data is dealt with and reduce SAQ D compliance effort and costs
Scoping Principles
• Find where data is using detailed flow and location analysis along with data discovery tools
• If you find it and don’t need it, get rid of it
– Remove historical data
– Secure data deletion process
– Change process to eliminate need
• Search regularly for card data
• Remember: where there is card data, there is PCI DSS scope!
Found it! Now What?
• Identify network segment(s) where card data is stored, processed, or transmitted
• Watch for network segments “traversed” by streams of card data on its way elsewhere
• Include any process where card data is placed on media (paper, tape, CD, etc.)
• Remember:
– Encrypted data is in scope where decryption keys are present
– Call center segments viewing full PAN data should be in scope
– Securely delete any unsecure data not needed
SAQ D-DAY!
• Done: Research, planning, targeting, and discovery steps
• Let’s attack SAQ D in detail
PCI DSS SAQ D Summary
• Build and Maintain a Secure Network
– Req. 1: Install and maintain a firewall configuration to protect cardholder data
– Req. 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Req. 3: Protect cardholder data (encrypt or mask)
– Req. 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– Req. 5: Use and regularly update anti-virus software
– Req. 6: Develop and maintain secure systems and applications
PCI DSS SAQ D Summary
• Implement Strong Access Control Measures
– Req. 7: Restrict access to cardholder data by business need-to-know
– Req. 8: Assign unique ID to each person with computer access
– Req. 9: Restrict physical access to cardholder data
• Monitor and Test Networks
– Req. 10: Track and monitor all access to network resources and cardholder data
– Req. 11: Regularly test security systems and processes
• Maintain an Information Security Policy
– Req. 12: Maintain documented policy and procedures that address information security
SAQ D Requirement 1
• Document and maintain firewall configuration standards (1.1)
– Need formal process for approving and auditing firewall rules quarterly
– Document all port traffic in/out and provide justification
– Accurate network and transaction flow diagrams
• Secure network firewall architecture (1.2-1.4)
– Create DMZ and Secure Zone (2-tiered firewall architecture), prohibit direct public access to zone where data is stored, protect internal IP’s
– Control and limit all inbound/outbound network traffic
– Segment cardholder network from wireless or other network segments
– Use personal firewalls on mobile/personal computers
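An added example (not from the deck or from SecurityMetrics) of turning the Requirement 1 bullets above into a repeatable check for the quarterly firewall rule review: every rule carries its documented business justification, and the review flags rules that lack one, that open “any” ports, that give the Internet direct access to the Secure Zone, or that let wireless reach the cardholder network. The zone names and the sample ruleset are constructed to match the two-tier DMZ/Secure Zone architecture on the slide.

```python
from dataclasses import dataclass

# Zones of the two-tier architecture on the slide: Internet -> DMZ -> Secure Zone,
# with office and wireless segments kept apart from the cardholder network.
ZONES = {"internet", "dmz", "secure", "office", "wireless"}

@dataclass
class Rule:
    src: str
    dst: str
    port: str            # e.g. "443", or "any"
    justification: str   # documented business reason, required by 1.1

def review_rule(rule: Rule) -> list[str]:
    """Return the review findings for one rule; an empty list means it passes."""
    issues = []
    if rule.src not in ZONES or rule.dst not in ZONES:
        issues.append("references a zone missing from the network diagram (1.1)")
    if not rule.justification.strip():
        issues.append("no documented business justification (1.1)")
    if rule.port == "any":
        issues.append("port not restricted: inbound/outbound traffic must be limited (1.2-1.4)")
    if rule.src == "internet" and rule.dst == "secure":
        issues.append("direct public access to the zone where card data is stored (1.2-1.4)")
    if rule.src == "secure" and rule.dst == "internet":
        issues.append("secure zone initiates traffic to the Internet; route via the DMZ tier (1.2-1.4)")
    if rule.src == "wireless" and rule.dst == "secure":
        issues.append("wireless not segmented from the cardholder network (1.2-1.4)")
    return issues

def review_ruleset(rules: list[Rule]) -> dict[int, list[str]]:
    """Map rule index -> findings, for the rules that need attention."""
    return {i: found for i, r in enumerate(rules) if (found := review_rule(r))}

# Constructed example ruleset for a quarterly review (not a real configuration).
SAMPLE_RULES = [
    Rule("internet", "dmz", "443", "Customer-facing storefront web tier"),
    Rule("dmz", "secure", "1433", "Web tier to payment database"),
    Rule("internet", "secure", "3389", ""),
    Rule("office", "secure", "any", "Admin convenience"),
    Rule("wireless", "secure", "443", "Store tablet POS"),
]

if __name__ == "__main__":
    for idx, found in review_ruleset(SAMPLE_RULES).items():
        print(f"rule {idx}: {SAMPLE_RULES[idx]}")
        for issue in found:
            print(f"    - {issue}")
```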
SAQ D – Network Example
Diagram labels:
– Dedicated Secure Zone
– Strong Edge Firewall & IDS
– Isolate Wireless
– Dedicated DMZ
– 2nd Firewall
– Separate Office Zone
Segment the network to minimize scope!
Network Scoping and Segmentation
• Card network stores/processes/transmits card data
• Most networks not designed for PCI compliance
• Card processing systems are often mixed in with back office systems (one big flat network)
• “Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.” (PCI DSS 1.1 Page 2)
SAQ D Requirement 2
• Change or do not use vendor-supplied defaults
– Change defaults before adding system component to the cardholder network (passwords, SNMP, wireless settings)
• Develop and maintain system configuration standards
– Create system component configuration standards based on industry best practice guidelines (CIS, NIST, etc.)
– One primary function per server (or virtual server)
– Disable unnecessary services/functions
• Use encrypted non-console admin access tools
– SSH, RDP, VPN, SSL/TLS
SAQ D Requirement 3
• Protect stored data
– Minimize confidential information storage, define policy/procedure for removing old data
– Do not store sensitive authentication data subsequent to an authorization event (not even if encrypted)
• Track data, card identification number, PIN, PIN block
– Mask (truncate) account data when displayed (last 4 numbers are max that can be displayed)
• Don’t store masked and hashed PAN together
SAQ D Requirement 3
• Render PAN data unreadable anywhere it is stored
– Strong 1-way hashing functions (SHA-1)
– Truncate data (e.g. first 6 last 4)
– Use strong cryptography
• Strong algorithms (3DES, AES, RSA, etc.)
• Proper key length for the algorithm (e.g. for AES 128 bits or more)
• Strong encryption key management processes
– Protect Data Encryption Key (DEK) from disclosure and misuse
– Secure key storage (encrypt DEK)
– Periodic key changes at end of a defined crypto period
What is Sensitive Auth Data?
• Track or mag stripe data
– Used to duplicate a plastic card
• Track 1: %B4111111111111111^Public John Q.^080910100876000
• Track 2: 4111111111111111=0809101543219987000
– Violation to store Track 1 or 2, even if encrypted
• Exception: some “store and forward” situations are allowed if no authorization event occurs
• Card identification number
– Violation to store even if encrypted
• Exception: can be stored encrypted prior to “authorization event”
• PIN number or encrypted PIN block
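As an added example (not from the deck and not SecurityMetrics’ PANscan), a small discovery routine in Python showing what the tool checklist under “Weapons for Card Discovery” and the Track 1/Track 2 layouts on this slide amount to in code: candidate digit runs are filtered with the Luhn check to keep the false positive rate down, track records are recognised by their sentinels and separators, and findings are reported by location with the PAN masked to first 6 / last 4 so the report itself does not become another place where card data is stored. The file contents are constructed inline.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optional space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track layouts as on the slide: %B<PAN>^<name>^<expiry...> and <PAN>=<expiry...>.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7,}")
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=\d{7,}")

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; drops most order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """First 6 / last 4, so the report never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Finding:
    location: str
    kind: str     # "TRACK1", "TRACK2" or "PAN"
    masked: str

def scan_text(location: str, text: str) -> list[Finding]:
    """Report track data first, then PANs that are not part of a track record."""
    findings: list[Finding] = []
    covered: list[tuple[int, int]] = []   # spans already reported as track data
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(text):
            findings.append(Finding(location, kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for m in PAN_RE.finditer(text):
        if any(a <= m.start() < b for a, b in covered):
            continue  # PAN already reported as part of a track
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(location, "PAN", mask_pan(digits)))
    return findings

def summarize(files: dict[str, str]) -> dict[str, int]:
    return {loc: len(scan_text(loc, text)) for loc, text in files.items()}

# Constructed sample contents standing in for files turned up by a scan.
SAMPLE_FILES = {
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234567890123456\n",
    "pos/debug.log": "%B4111111111111111^Public John Q.^080910100876000\n4111111111111111=0809101543219987000\n",
    "hr/phones.txt": "front desk 5551234567\n",
}
```

Running `summarize(SAMPLE_FILES)` reports one PAN in the refunds sheet (the 16-digit order number fails Luhn and is not counted), Track 1 plus Track 2 in the POS debug log, and nothing in the phone list.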
Encryption & Key Management
• Don’t use weak, or non-industry standard encryption algorithms
• Most common problem with encryption is insecure encryption key management
• Look carefully at SAQ D sections 3.5-3.6 for correct key management practices, work with a QSA on a key management scheme
SAQ D Requirement 4
• Encrypt sensitive data over public networks
– Use strong cryptography to protect card data as it traverses a public network (SSL/TLS, IPSEC, etc.)
– Open (insecure) network examples: Internet, Wi-Fi, GSM, GPRS, satellite
– Use strong encryption method if sending card PAN via e-mail (be careful where email stored)
• Protect card data flowing over wireless networks
– Use WPA/WPA2 (WEP not allowed)
SAQ D Requirement 5
• Anti-Virus/Anti-Malware
– Deploy anti-virus software on all systems in the card environment commonly affected by malicious software
– Software must detect and clean other types of malware (spyware, adware)
– Ensure anti-virus / anti-malware software and signatures are up to date
– Ensure anti-virus / anti-malware software generates logs and keep the logs
SAQ D Requirement 6
• Patch Management and Change Control
– Ensure system components and software are up to date (install relevant security patches within 30 days)
– Keep up on newly discovered vulnerabilities that may affect systems or software; assign a risk ranking to each discovered vulnerability
– Document and follow change control procedures
• Track all system and software configuration changes (e.g. - network components, servers, software, etc.)
• Secure Software Processes
– Use PA-DSS validated software, install it correctly
– If you develop your own software (web or client), SAQ D 6.3, 6.5, 6.6 get very important and difficult; get help from a QSA
SAQ D Requirement 7
• Limit access to computing resources and cardholder information to only those with a “need-to-know”
• Ensure systems have automated access controls systems implemented
• Have a traceable process for granting/denying access to cardholder network systems based on job role
SAQ D Requirement 8
• Protect access to the cardholder data network
– All users must have unique IDs to access cardholder network systems
– All users must authenticate to the systems using a password (or token, or biometric)
– All passwords must be stored encrypted
– Remote access into the cardholder network must be secured by 2-factor authentication
• Something you know (a password), and something you have (token or certificate)
• Examples: RADIUS, TACACS, VPN with individual certificates, key fob, etc.
SAQ D Requirement 8
• User and password management
– Process to control addition/deletion of users
– Verify identity before password resets, use strong initial passwords
– Revoke access of terminated users, remove inactive accounts every 90 days
– No “group” or shared user IDs or passwords
– Change passwords every 90 days, keep history
– Password strength: 7+ chars, alpha/numeric
– Lock after 6 invalid logins for at least 30 min
– Idle session timeout of 15 min (can be screen saver)
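An added example (not from the deck) that encodes the Requirement 8 thresholds on this slide as account state checks: 7+ character alphanumeric passwords, lockout after 6 invalid logins for 30 minutes, 90-day rotation with history, 90-day inactivity, and a 15-minute idle timeout. The history depth of 4 is an assumption (the slide says only “keep history”), and passwords are kept as salted PBKDF2 hashes rather than stored in clear.

```python
import hashlib
import os
from datetime import datetime, timedelta

# Thresholds as listed on this slide for SAQ D Requirement 8.
MIN_LENGTH, MAX_FAILED_LOGINS, HISTORY_DEPTH = 7, 6, 4  # history depth is an assumption
LOCKOUT, IDLE_TIMEOUT = timedelta(minutes=30), timedelta(minutes=15)
MAX_PASSWORD_AGE = INACTIVITY_LIMIT = timedelta(days=90)

def password_meets_policy(pw: str) -> bool:
    # 7+ characters containing both letters and digits
    return (len(pw) >= MIN_LENGTH and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

def session_idle_expired(last_activity: datetime, now: datetime) -> bool:
    return now - last_activity > IDLE_TIMEOUT  # 15 minute idle timeout

class Account:
    # Login and credential state for one unique user ID (no shared accounts).
    def __init__(self, user_id: str, initial_password: str, now: datetime):
        self.user_id = user_id
        self.salt = os.urandom(16)  # per-account salt; only password hashes are kept
        self.history = []           # previous password hashes, newest last
        self.failed, self.locked_until = 0, None
        self.last_login = self.password_set = now
        if not self.set_password(initial_password, now):
            raise ValueError("initial password must meet the strength policy")

    def _hash(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def set_password(self, pw: str, now: datetime) -> bool:
        # Reject weak or recently used passwords; otherwise rotate and keep history.
        h = self._hash(pw)
        if not password_meets_policy(pw) or h in self.history:
            return False
        self.history = (self.history + [h])[-HISTORY_DEPTH:]
        self.password_set = now
        return True

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until
    def password_expired(self, now: datetime) -> bool:
        return now - self.password_set > MAX_PASSWORD_AGE  # 90 day rotation
    def is_inactive(self, now: datetime) -> bool:
        return now - self.last_login > INACTIVITY_LIMIT  # remove at 90 days

    def attempt_login(self, pw: str, now: datetime) -> bool:
        if self.is_locked(now) or self.password_expired(now) or self.is_inactive(now):
            return False
        if self._hash(pw) != self.history[-1]:
            self.failed += 1
            if self.failed >= MAX_FAILED_LOGINS:
                self.locked_until = now + LOCKOUT  # locked for at least 30 minutes
            return False
        self.failed, self.locked_until, self.last_login = 0, None, now
        return True
```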
SAQ D Requirement 9
• Physical security of facilities
– Control access to physical location of cardholder network systems
– Video and/or access control mechanisms in data center, store video data at least 3 months
– Restrict access to network jacks, wireless access points, network hardware, and handheld devices
SAQ D Requirement 9
• Employee controls
– Must be able to distinguish employees from visitors (ID badges or other means)
– In sensitive areas: visitors must be authorized, sign log, be given physical token of visitor status that expires, and surrender token upon leaving
SAQ D Requirement 9
• Controls over the storage of media
– Physically secure all electronic or paper media that contains cardholder data
– Store media backups in secure location, preferably off-site
– Maintain strict control over internal/external distribution of media
• Management must approve all distribution of media
• Classify media so it can be identified as confidential
• Use secured courier or delivery mechanism that can be tracked
• Inventory all distributed media
– Destroy media when no longer in use (shred, degauss, physically destroy, etc.)
SAQ D Requirement 10
• Track & monitor access to systems in the cardholder network
– Enable audit logging on all systems handling cardholder data
– Implement log monitoring and notification software (review daily)
– Track all privileged access to credit card data outside of defined payment applications
– Centralize the storage of audit logs. Include all logs (system, application, firewall, IDS, web…)
– Protect audit logs from modification
– Sync system time throughout the cardholder network to a known, protected source
SAQ D Requirement 11
• Regularly test security systems
– Quarterly external & internal vulnerability scans
• PCI authorized scan vendor for external testing, internal testing can be done with VA scanning tools
• Act on scan results until the scans are running clean
– Conduct external penetration testing
• Annually or after any significant infrastructure or application upgrade or modification
• Testing conducted by experienced penetration tester who is not part of the card network admin team
• Must include both network and application layer testing
– Intrusion Detection System monitors all traffic
– File Integrity Monitoring software watching critical files
SAQ D Requirement 12
• Document Information Security Policy and Procedures
– Develop, maintain, and publish infosec policies to address all PCI requirements
– Review policy and conduct risk assessment annually
– Develop daily operational security procedures to ensure continued PCI compliance (watch logs, updates, etc.)
– Develop employee acceptable use policies for employee facing technologies (modem, network, wireless, etc.)
SAQ D Requirement 12
• Document Information Security Policy and Procedures
– Define management responsibilities (policy, control access, monitor alerts, incident response, etc.)
– Develop & implement a security awareness program
– Background check potential or new employees
– 3rd parties that receive card data from you must have contractual language to follow PCI DSS
– Develop, distribute and periodically test an Incident Response Plan
Documentation Hurdles
• Amount of documentation and process development/rollout is a big deal for a successful SAQ D compliance effort
• Must be comprehensive and implemented across the board
• Don’t depend on “employee memory”
• Carefully document security procedures and policies, train employees periodically
• Good data security starts from the top down, not from the IT staff up!
Why Go Through All This Work?
Compromise: Hospitality Industry
• Network vulnerabilities found:
– Insecure remote access
– Common default passwords
– Logging not enabled, not watching logs
– Flat network design - limited or no segmentation
– No IDS/IPS in place
• Attack vectors included:
– Compromised remote access
– Installed suite of malware: processor memory dump program, parser looking for credit card data in dump files, shared folder search app that looked for passwords, credit card numbers, social security numbers, etc.
What Did It Cost?
• Bottom line costs:
– Cost of the forensic investigation: $32,000
– Number of cards stolen: 150,000
– Fines: $80,000
– Reimburse for fraudulent uses: $440,000
• All this from just two sites involved in the compromise
Emerging Technologies
• Tokenization
• Point to Point Encryption (P2PE)
• Mobile payment technologies
Tokenization
• Token representing PAN is returned from the gateway/processor, eliminates storage risk
• No storage of sensitive PAN data which reduces PCI-DSS requirements but PAN data is still transmitted (potential reduction of validation to SAQ C)
• Biggest advantage: Tokens have no value unless redeemed, can potentially store tokens outside of CDE without impacting PCI scope
• Historical PAN data must be tokenized or removed
• Many processors/gateways are beginning to support tokenization, but switching processors may be harder
• Best if integrated with Point-to-Point Encryption solution
Point to Point Encryption
• All card data is encrypted by the swipe device hardware, no cleartext data enters merchant POS systems
• Merchant does not have keys that can decrypt the data
• Has potential for a large reduction in scope since internal systems never see or transmit useable card data
• Could lower PCI-DSS assessment scope but new hardware and services would have to be purchased
• Format Preserving Encryption has potential for integration of legacy software (PCI-SSC still “in session” on FPE issues)
Taking Mobile Payments
• Security issues:
– Smart phone malware potential
– Many other end user technologies potentially in use on the devices (SMS, web browsing, Wi-Fi, etc.)
– Hard to control the personal device security
• P2PE and EMV technologies help with “encrypt at swipe” card reader, but manual transaction entry still a problem
• Long term: “sandbox” the payment app to run in a dedicated secure environment, requires new mobile hardware
• More guidelines from PCI SSC expected soon
Wrap Up
• PCI DSS compliance and validation is typically not a quick easy process
– Know where the card data is!
– Take time to really understand the SAQ D requirements and your card network
– Plan on sufficient time for the effort
• Consider consulting with a QSA even if just filling out an SAQ
• Remember, compliance is often more work than just SAQ validation
Don’t Give Up!