Why You Need PCI DSS Compliance & How to Pass The Audit
We are working in an age where it looks like a big part of our lives has gone through a digital converter. All the information we possess is slowly being turned into data, even in areas we didn’t expect, such as our finances.
This does not necessarily have to be a bad thing for us and the security of our assets, if it is handled correctly.
The way we do that is by enforcing certain rules and regulations that we can abide by in order to uphold a well-established standard of working.
Since there are many fields in which we have gone digital, there are also different types of standards and regulations that we have created.
To get a better picture, some of those fields are:
The reasoning behind this is that each field has its own specific set of standards that it needs to uphold, meaning that one set of rules for the financial field might not be fully applicable to the medical field.
In this article we will focus on the financial field as an example of this kind of regulatory obedience, more specifically the Payment Card Industry.
WHAT IS PCI DSS AND WHY GET CERTIFIED?
The PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards made for companies which process, store or transmit any type of credit card information. Above all, it has been created to provide and maintain a secure financial environment.
In the documentation, its key components are broken down into milestones or goals to make it easier for any company undertaking this process to segregate individual tasks and requirements.
These goals and their requirements are summarised in the following table:
|Goal|Requirement|
|---|---|
|Build and Maintain a Secure Network|1. Install and maintain a firewall configuration to protect cardholder data|
||2. Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data|3. Protect stored cardholder data|
||4. Encrypt transmission of cardholder data across open, public networks|
|Maintain a Vulnerability Management Program|5. Use and regularly update anti-virus software or programs|
||6. Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures|7. Restrict access to cardholder data by business need-to-know|
||8. Assign a unique ID to each person with computer access|
||9. Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks|10. Track and monitor all access to network resources and cardholder data|
||11. Regularly test security systems and processes|
|Maintain an Information Security Policy|12. Maintain a policy that addresses information security for employees and contractors|
From this we can get a good glimpse of the processes involved in getting PCI DSS certified. But what does it mean to get certified, and why should you follow any of this?
By becoming PCI DSS certified, companies give their clients the peace of mind that they are not a shady merchant and that they are in fact holding their operation to a certain rigorous standard. This makes business a lot more productive and, of course, more secure.
The overall security that companies gain through the implementation of such a standard is a great reason on its own why they should get certified. Having a process which gives a company greater overall control of what is going on within its infrastructure, and policies set in place to define how to react, is a great boon for any enterprise.
This is the biggest reason for certification. When someone reads that the company they are buying from is PCI DSS certified, they know that certain measures have been taken, and it is much easier for clients to trust a company that itself invests in security.
In some cases it is mandatory to be certified.
Basically, if someone is dealing with client information such as personal identification numbers or credit card details, then in order for the business to operate in certain locations or fields it must be PCI DSS compliant first. Otherwise there is the matter of extravagant fines from third-party audits, which go to great lengths to protect the personal data of clients, usually by legal means.
The reasoning behind why companies should get certified is solid, but how do they actually get certified?
WHAT IS A COMPLIANCE AUDIT?
An audit is the process of making sure that all of the previously mentioned goals, such as those in the table above, are actually met.
Usually auditors, professionals who are very knowledgeable in their field, perform these audits in order to give their clients a passing score confirming that they are in fact upholding their end of the deal.
Auditors go through each checkpoint, so to speak, depending on the type of compliance in question, and review everything they believe should be upheld. Auditors usually come from completely neutral third-party companies that have nothing to do with the company they are actually auditing.
This preserves the common interest between the parties and makes sure that no foul play, such as false certifications, takes place.
The process usually resembles a very thorough and practical Q&A of sorts, where both the company in question and the auditor sit down and go through each step in a methodical way. The company provides evidence for whatever the auditor requests and, if the auditor is satisfied, that segment gets a passing score.
Otherwise, if certain goals are not met and the auditor is dissatisfied, they have the means to withhold certification or even re-certification until the company fixes everything. Usually a reasonable time frame is given for these actions so that everything can be dealt with in a comprehensive manner.
Afterwards another audit takes place and, if this time everything checks out, the company receives the highly sought-after certification for being fully compliant.
Different types of auditors are needed for different types of compliance certifications. They usually focus on one or two at most; it is often very hard to find an auditor who specializes in more.
Compliance auditing is important because it is, most of the time, the only way to get comprehensively certified through a neutral, non-repudiable path.
GETTING PREPARED FOR THE PCI DSS AUDIT
To get acquainted with what is needed for certification, we need to go through the PCI DSS goals.
Having a firewall in place is not enough. It needs to be well managed and configured. The difference between a bad auditor and a good one is the difference in what they accept as fine. A bad auditor is perfectly happy if the company shows them that a firewall is active, while a good one will question further, will usually want to see that it is properly configured as well and, in some cases, will even test it.
Usually auditors are either penetration testers themselves or have such professionals on standby to make different types of checks before they can verify that everything is working as it should. Make sure that your firewalls are well configured.
Vendor Supplied Defaults
Usually, after an installation, inexperienced system administrators will leave the default credentials on the systems they have installed.
This is a hazardous way to run things inside one's infrastructure, since if an attacker finds out what type or version of technology is running on the systems, they can immediately try all of the defaults first. This sounds basic, but you would be surprised how effective and common it is.
Highly secured networks can still fall on the most basic of security implementations, such as default credentials. Always make sure that everything is customised and changed, even before deploying.
Protect Stored Cardholder Data
Cardholder data usually refers to the vital information obtained from credit cards or any similar instrument, the loss of which could seriously jeopardize one's privacy.
Usually banks, as well as other establishments that need to hold on to this kind of data, have to follow certain protocols for how they actually preserve it from being compromised.
For example there are a few questions that the Auditor could ask:
- Is the Data Encrypted?
- Is there Physical Security on site where the Data is being stored?
- What proactive measures such as CCTV cameras do you have in place?
- Is the data shared with anyone at any time?
The answers to these types of questions may well be the difference between a passed and a failed audit.
At some point in time, this type of data may be transferred, either inside the infrastructure or publicly. During these transfers it is imperative that the data is encrypted at all times, from the moment it leaves its source all the way to its destination. The reasoning behind this is the sniffing that could occur inside the network.
Basically, sniffing is the act of intercepting data while it is flowing from one point to another in order to capture it. But if the data itself is encrypted, even if it is captured it remains unintelligible. The encryption also has to be something which is currently held as a standard; it can’t be outdated or already proven to be easily cracked.
Regularly Update Software & Anti-Virus
This one I believe needs no introduction. It’s basic security standard 101. Even so, many companies do not take responsibility for regularly updating their systems.
This is becoming the main avenue of infiltration today. Attackers usually rely on well-known exploits for older systems.
Basically, the older a system is, the more likely it is that it has already been exploited and the exploit exposed publicly. Attackers use these exploits to get inside. The best way to prevent this is to keep your systems constantly updated and at their newest versions, so as to minimize the chance of public exploits working.
Also, having an anti-virus on all hosts prevents most known malware from being activated on your systems. Keeping the anti-virus constantly updated also makes sure that the latest signature database is in use, which mitigates newly released threats as well.
Develop & Maintain Secure Systems and Applications
Custom-made applications are usually part of most companies which deal with payment methods. These systems can be proprietary and as such will need custom maintenance and handling of bugs and security risks. The overall infrastructure on which they are hosted will also demand good upkeep, both in a practical and in a secure way.
Basically, this point focuses on our custom builds and what we can do to make them better. Good configuration, for example, comes to mind for these systems and applications.
The difference between a secure environment and a not-so-secure one often lies in the way it was configured, basically in what it was approved to allow. As we mentioned before, defaults are sometimes not the best way to go, since they might allow many unfavourable settings as well.
Restrict Access to Card Holder Data by Need To Know Principle
Basically, only the applications, databases, servers, nodes or people that absolutely need to have access to the cardholder data should be allowed it, and no one else. This enforces the need-to-know principle. For example, servers that have no need to access the data in any way should not be allowed any network connectivity to said data.
This prevents many types of misuse and attack vectors. For example, if a server that does not need contact with the data is in fact compromised, then it simply can’t get to the cardholder data.
On the other hand, if everything in the network were allowed, and any person who wanted to could pop up a shell and look through everyone’s records, there would be a disaster, and this would not be compliant with the PCI DSS standard.
Unique ID for each person that has access
Everyone who can connect to a part of the network which is in any way close to the cardholder data should have their own unique ID. The reasoning behind this is that everyone has to be accountable for their actions.
All commands that are run need to be logged, and the administrators should know exactly who ran them. In the case of an emergency or an issue, it will then be well documented who caused said issue.
Restrict Physical Access to Card Holder Data
The systems or nodes which are used to connect to the cardholder data, or the ones that actually store it, need to be physically protected. By using CCTV cameras, double fences, mantraps, biometrics, etc., we make sure that physical access is also on a need-to-know basis.
Track & Monitor all Access to the Network & Card Holder Data
Monitoring is one of the main ways to make sure that you have complete control over your traffic and general access. In order to have a comprehensive list of the users or applications that have tried to contact the locations of the cardholder data, you need monitoring tools and proper logging in place.
Logs are a great way to provide you with evidence of what is happening and where it has already happened. By constantly monitoring all critical servers and services, companies make sure they have a good grasp of what is happening inside their infrastructure.
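As an added example (not from the article), the following Python script applies the need-to-know, unique-ID and logging points above to a constructed access log for a cardholder data store; the log format, the table name and the allow list are all assumptions made for the example.

```python
import re

# Constructed sample access log (not real data): who touched which table, from where.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z user=alice host=10.0.5.21 action=SELECT table=cardholder_data
2024-03-01T10:03:40Z user=admin host=10.0.5.21 action=SELECT table=cardholder_data
2024-03-01T10:04:02Z user=bob host=10.0.9.77 action=SELECT table=cardholder_data
2024-03-01T10:05:15Z user=alice host=10.0.5.21 action=SELECT table=orders
2024-03-01T10:06:30Z user=svc_payment host=10.0.5.30 action=INSERT table=cardholder_data
2024-03-01T10:07:00Z user=carol host=10.0.5.21 action=SELECT
"""

# Assumed need-to-know list: the only (user, host) pairs allowed to reach cardholder data.
NEED_TO_KNOW = {("alice", "10.0.5.21"), ("svc_payment", "10.0.5.30")}
# Generic or shared identities that defeat per-person accountability (requirement 8).
SHARED_IDS = {"admin", "root", "sa", "postgres"}
CHD_TABLES = {"cardholder_data"}  # assumed name of the table holding cardholder data

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
                     r"action=(?P<action>\S+) table=(?P<table>\S+)$")


def parse_event(line):
    """Parse one log line into a dict, or return None if it lacks required fields."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(log_text, need_to_know=NEED_TO_KNOW, shared_ids=SHARED_IDS):
    """Return (timestamp, user, host, requirement, reason) tuples for each violation."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            # A record that cannot be attributed to a user and host is a logging gap (requirement 10).
            findings.append((line.split(" ")[0], "?", "?", 10, "unparseable access record"))
            continue
        if ev["table"] not in CHD_TABLES:
            continue  # not cardholder data; out of scope for these checks
        if ev["user"] in shared_ids:
            findings.append((ev["ts"], ev["user"], ev["host"], 8,
                             "shared account, no individual accountability"))
        if (ev["user"], ev["host"]) not in need_to_know:
            findings.append((ev["ts"], ev["user"], ev["host"], 7,
                             "access outside the need-to-know list"))
    return findings


if __name__ == "__main__":
    for ts, user, host, req, reason in review(SAMPLE_LOG):
        print(f"{ts} requirement {req}: {user}@{host} - {reason}")
```

Each finding carries the requirement number it relates to, so the same report can be handed to the auditor as evidence that access to cardholder data is actually reviewed.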
Regularly Test Systems & Components
This part is more inclined towards penetration testing. Companies usually hire penetration testers to regularly check their security perimeter. This is done either quarterly, as vulnerability scanning, or annually, as full-blown penetration testing.
The client wants everything connected to or relevant to the cardholder data to be tested; basically, all of the measures that we have said are in place are now, well, put to the test.
The penetration tester will usually produce a final report explaining all of the shortcomings which the client needs to fix within a given deadline before an auditor comes. If everything has been properly fixed, the company is certified for PCI DSS.
Maintain a Policy that Addresses Information Security for All Personnel
This point is more or less focused on executive management rather than technical points. Basically, this is where the management of policies and paperwork comes into play. To comply with this point, the company must publish and maintain a good security policy which is reviewed annually and updated as changes are needed.
Aside from this, a risk assessment process is also implemented in order to identify threats and measure them accordingly. All personnel should also have clearly defined positions and tasks that they should carry out.
It should never be left to ad hoc choices; instead it should be perfectly documented who is doing what and, more importantly, who is responsible if anything happens.
We have gone through all 12 requirements of PCI DSS and are now a little more knowledgeable on the subject. As mentioned under each one, it is vital for everything to be properly managed, documented and established.
Doing things in a way that jeopardizes these requirements, usually by cutting corners or costs, is a foolproof way to get denied PCI DSS status.
These points are there for a reason. Each has its place and meaning.
Although going through such rigorous testing would make most people believe that it is a one-time thing, PCI DSS actually needs annual re-certification.
Security is a maintained process; technology moves fast and upkeep is needed, as within any environment.
As we mentioned earlier, audits are needed in order to confirm the validity of the security perimeter previously set in place. The auditor does the same validity checks as before, but this time with a bit more emphasis on the more serious issues from last time.
The same format is upheld the second time around: checks by means of penetration testing are done, security measures are analyzed and documentation is reviewed. It is vital to mention that the auditor at this stage has the power to revoke the PCI DSS certificate if they see fit.
This, however, does not come quickly. Even if deficiencies are found in the infrastructure, the auditor usually has to give the company in question a decent period to fix all of the findings in order to get re-certified. Of course, if results are not delivered within the given time frame, then sanctions such as revocation of the PCI DSS certification are undertaken.
Through constant vigilance and upkeep, though, companies can have a fairly easy re-certification process. If, throughout the year (since, as we mentioned, re-certification usually comes annually), they have kept up their guard and followed all of the best practices, everything should run smoothly.
Getting PCI DSS certified is no easy task. Usually it requires tremendous amounts of effort from many fields and many divisions inside a company: IT staff have to talk to managers, the C-suite has to develop proper strategies, and so on.
But ultimately, having PCI DSS status is worth it, because it shows that you went through all of this trouble just so that your end users are safe, and that gives a sense of security to all who use your services or products.