Professional Documents
Culture Documents
Beyond Pci Checklists:: White Paper
Beyond Pci Checklists:: White Paper
white paper
According to the New York Times, on January 19, 2009, and present the primary risks that they are designed to miti-
Heartland Payment Systems disclosed that they may have gate. These controls span most of the PCI DSS requirements,
exposed the credit information of tens of millions of credit either implicitly or explicitly.
and debit card holders in what may be one of the largest data In Part I we discuss the first area, configuration controls,
compromises to date. Heartland had been compliant with the which require that specific configuration settings are correct.
Payment Card Industry Data Security Standard (PCI DSS), the Returning to the airplane analogy, in a pre-flight checklist,
standard designed by the major credit card companies to “pro- configuration controls equate to checking that fuel levels are
tect consumers, merchants and banks from the theft or loss of correct, the baggage door indicator light indicates the door is
credit information and any subsequent fraudulent activity.”1 closed, the flaps are in the correct setting for takeoff, and so
The Heartland security breach illustrates a concerning trend forth.
toward organizations achieving PCI compliance, but still suffering In Part II we discuss the second area, change process con-
a major breach. trols, which ensure required activities have been completed
properly. In a pre-flight checklist, these equate to ensuring
Being PCI Compliant Does Not Ensure Security that the pilot checks that the flap controls have the appro-
The PCI DSS applies to any organization that accepts, stores or priate range of motion, that all maintenance issues were
processes payment cards of any type and is a comprehensive appropriately addressed, the pilot has signed all the required
checklist of actions these organizations must take to improve forms, the flight attendants correctly performed the safety pre-
the security of global payment systems. Although the adoption sentation, and the pilot and copilot visually check the runway
of PCI DSS by an organization will most likely improve its secu- for other plans before takeoff, and so forth. These activities
rity posture, being compliant with the PCI DSS does not ensure must be validated not just at one point in time, but regularly
the organization is secure. over an entire period of time (i.e. the entire year between
As security practitioners, if we mechanically follow the PCI PCI audits).
DSS checklist and our organization suffers a data security
breach, we are still held responsible, and our organization still The Intent of Configuration and Change
gets fined, suffers brand damage and may lose its ability to Process Controls
process credit card transactions. While checklists are useful For the PCI DSS, configuration controls ensure that all comput-
tools, following them can lull us into a false sense of security. ing systems2 in the cardholder data environment are configured
To rely solely on the PCI DSS checklists to secure cardholder correctly. For example, PCI DSS Requirement 1 deals with fire-
data is similar to a pilot relying only on the pre-flight checklist walls, and includes requirements that all firewall settings are
before takeoff, then colliding with another plane during take- set to “deny all,” that audit logging is enabled, that required
off. A checklist is not enough. password aging is enabled, and so forth.
In reality, the goal of effective security controls is to prevent On the other hand, change process controls ensure all
security breaches from occurring, and when they do, to allow changes to those computing systems in the cardholder data
quick detection and recovery. This requires not just following a environment were adequately tested, authorized and verified.
checklist, but understanding the organization’s compliance and For example, PCI DSS Requirement 1 also requires evidence
security objectives, understanding what the top risks to achiev- that all changes to firewall rules are detected and authorized
ing those objectives are, having adequate situational awareness by management. Other PCI Requirements require that all appli-
to identify where we need controls to mitigate those risk, and cation software and operating system patches are tested by
then having implementing and monitoring the correct produc- management for correct functionality before deployment into
tion controls. production.
Configuration controls tend to more explicit, and can be
Two Areas Of Risks: Configuration And Change verified merely by examining production configuration settings
In this paper, we will first review the high-level goals of the to the PCI DSS standard. This often makes configuration con-
PCI DSS. Then, we will examine two areas of technical controls trols easier to test.
required by the PCI DSS relevant to configurations and change,
The PCI DSS Configuration and other technical guidance. This includes:
• The Center For Internet Security (CIS) (www.cisecurity.org)
Controls • The Defense Information Systems Agency (DISA)
In this section, we examine the broad requirements where the (www.disa.mil)
PCI DSS requires configuration controls. For each requirement, • The SANS Institute (www.sans.org)
we will explain the requirement intent and provide specific
• Firewall vendors
examples of how to fulfill them. To ensure compliance with
configuration controls, we can either inspect these settings Verifying correctness of these settings can be done manually.
manually or use automated tools. However, automated tools are preferable, as they increase
reliability, reduce the risk of human error, and reduce the time
Requirement 1: Install and maintain a firewall and effort required.
configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied
Requirement 1 of the PCI DSS states: “Firewalls are computer
defaults for system passwords and other
devices that control computer traffic allowed between a com-
security parameters
pany’s network (internal) and untrusted networks (external),
as well as traffic into and out of more sensitive areas within a Requirement 2 of the PCI DSS states: “Malicious individuals
company’s internal trusted network. The cardholder data environ- (external and internal to a company) often use vendor default
ment is an example of a more sensitive area within the trusted passwords and other vendor default settings to compromise sys-
network of a company. tems. These passwords and settings are well known by hacker
A firewall examines all network traffic and blocks those communities and are easily determined via public information.”
transmissions that do not meet the specified security criteria. The application stack consists of applications, databases,
All systems must be protected from unauthorized access from operating systems and network devices. Each computing system
untrusted networks, whether entering the system via the Internet in each of these layers has configuration settings and user
as e-commerce, employees’ Internet access through desktop accounts that may use vendor-supplied defaults. For each of
browsers, employees’ e-mail access, dedicated connection such as the computing systems in the cardholder data environment,
business to business connections, via wireless networks, or via PCI DSS requires evidence that configuration settings are set
other sources. Often, seemingly insignificant paths to and from securely, and that default user accounts have been either dis-
untrusted networks can provide unprotected pathways into key abled or do not use the vendor-supplied default passwords.
Controls
risk include not storing cardholder data unless absolutely neces-
sary, truncating cardholder data if full PAN is not needed, and
In this section, we examine each requirement for the change not sending PAN in unencrypted e-mails.”
process controls the PCI DSS requires. Just as we did for the To fulfill PCI DSS Requirement 3, we must protect stored
earlier configuration controls, we’ll explain the intent behind cardholder data by:
each requirement. We’ll also provide steps we can take to fulfill • Ensuring that applications prevent prohibited cardholder data
them. To ensure compliance with change process controls, we such as CVV and AV23 from being stored in system logs, a
can either inspect these settings manually or use automated data warehouse or database.
tools.
• Storing cardholder data securely.
1 PCI Data Security Standard 1.2. October 1, 2008. Published by the PCI
Security Standards Council. https://www.pcisecuritystandards.org/
security_standards/pci_dss_download.html
2 In this paper, the term “computing systems” is used, consistent with the
PCI DSS parlance. In previous papers, the term “IT assets” was used.
3 “Prohibited cardholder data” is defined by PCI to be any personally iden-
tifiable information (PII) associated with a cardholder: Primary Account
Number (PAN) that includes expiration date, cardholder name and address,
CVV (Card Verification Values) or CVC Card track data (magnetic stripe)
4 Case Studies of Using GAIT for Business and IT Risk To Scope PCI
Compliance. Published by The Institute of Internal Auditors. September
16, 2008. http://www.theiia.org/itaudit/features/in-depth-features-5-1-08/
gait-pci-scenario/
www.tripwire.com
©2009 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPBCL1