Practical Guidelines for Compliance
BY JEFF MAN
Table of Contents
CHAPTER 1
Glossary of Terms
ABOUT

1
PCI SECURITY VS. COMPLIANCE

ATTITUDE

2014 WAS LA[...]

[...] business [...] of these attacks [...] PCI standards, and I can tell you that, too often, the attitude of my customers conveyed a sense of "Let's get this over with..." or "The audit of the month is wasting my time..." or even "Just tell me what I need to do to pass."
There are certainly exceptions. But I've worked with too many companies that don't really embrace the impact that successful PCI [...] security posture, not simply for the protection of credit card data, but for the protection of their entire enterprise. The principles of PCI compliance can be applied equally effectively to the cybersecurity [...] because they [...]. My clients always [...] them about how PCI controls had come about and what they meant, in other words, clarifying the context. Frequently, at the conclusion of the assessment, customers will tell me, "That was the toughest [...] security program."

Unfortunately, they are rarely perceived as [...]. [...] represent a bare-minimum approach, and that a real security-focused program would go much further and require much more. However, the same organizations [...] something you do [...] just about every [...]
2
THE TRUTH BEHIND THREE PCI MYTHS
Myth #1
Hard-to-detect, customized malware targeting specific retailers' point-of-sale (POS) systems [...] being exploited [...] systems [...] a third [...] the [...]
Myth #2
Despite spending considerable resources on PCI compliance, criminals are still successfully targeting retailers [...] spent on [...]
Myth #3
There are many moving parts in a retail store network and many types of users accessing them, making it more difficult to segment the cardholder data environment from the rest of the network.

There are two problems here. First, PCI DSS does not require segmentation, particularly as a security [measure] (defense in depth) beyond the implied three-tier architecture common to ecommerce implementations. Second, when applied, segmentation is done for the express [...] systems [...] cybersecurity [...]
3
FIVE RECOMMENDATIONS AND CYBERSECURITY
[...] services or remediation [...]

Concentrate on what the PCI DSS both prescribes and recommends, and you'll be well on your way to a full [...] as compliance. In particular:

[...] PCI. The [...] and non-compliant.

[...] systems, the [...] to USB [...] disable all other USB ports, there still is at least one for the POI (not to mention the occasional monitor, keyboard [...]) [...] physical security controls for these POI devices in PCI DSS version 3.

[...] unless your IT or IS teams are actually monitoring the tools, studying their outputs, and responding to suspicious events as they occur.
Over the years, the most secure company networks I have seen are the ones where there are certain individuals (or teams) that take it upon themselves to know their network, the business processes and data flows, and the overall operation. They are the ones most likely to notice anomalous [...] of data, and they are the ones that most often save the day for their companies.

[...]; they don't [...] that other [...] situation.

Realistically, many retailers outsource the monitoring and detection responsibilities to managed security [...] sufficient staff, [...] for an automated alarm.) When you outsource responsibility for the security of your network to a third party, you are putting your company's life in someone else's hands. Is this a fiscal necessity?
4
BEST PRACTICES
KEEPING MALWARE OUT
[...] cybersecurity strategy that also [...] training (required [...]) [...] section addresses [...] employees [...] placing increased [...] about the bad things that they must avoid doing, not only what behaviors [...] but why they [...] [n]o lectures.

[...] best practices tie [...] breach [...] all [...] guess [...] or [...] USB ports in the physical [...] operations.

Lastly, here are a few words about whitelisting solutions, which are in vogue for many retailers as a compensating control for the following reasons:

A lack of anti-virus/anti-malware solutions and/or the inability to keep signatures current

An a[...] systems) are [...]
5
BEST PRACTICES
ENCRYPTION AND TOKENIZATION
[...] encrypted card data (and the token value) is not cardholder data, therefore they [...]

Encryption

Reality is more complicated than arguments about whether encrypted card data isn't cardholder data, and therefore not subject to PCI review. The PCI Security Standards Council has made it very clear that encrypted cardholder data can only [...] if the merchant (the council says [...]) [...] decrypt the data. Make [...] is robust and cryptographically sound, it [...] encryption works. The biggest problem is that most encryption algorithms in use today are [...] PTS POI devices (i.e., the PIN pad or the card reader) if and only if the reading of the magnetic stripe data and the encryption of said data occur within a hardware encryption module that is embedded within the device. This has [...] encryption key [...] statement, the encrypted data is not cardholder data. And the authorized decryption has to be out of the hands of the merchant as well, typically the responsibility of a payment gateway or processor, who in turn transmits the data on to the bank for authorization.

The first certified P2PE solutions only [...] 2013, and as of the date of this document there are still very few compliant solutions listed. Unless [...] what? That [...] where all the memory-scraping malware we've been reading about is equally adept at stealing the data.)

I am a certified cryptanalyst [...] security [...] the [...] subject to PCI [...] simply [...] you won't get a [...] you [...] implemented correctly.
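To make the P2PE argument above concrete, here is an added Go example; it is not code from the original document or from any certified P2PE solution. It models the three parties the text describes: a POI that encrypts the PAN with AES-GCM before any POS software can read it, a merchant that can only forward the ciphertext (so RAM-scraping malware on the POS finds no PAN), and a processor holding the only copy of the key, which also detects tampering with the amount. The device, the processor, the key injection step and the test PAN 4111111111111111 are assumptions modelled in software.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed test data: a well-known test PAN, not a live card.
const SamplePAN = "4111111111111111"

// EncryptedTxn is everything the merchant's POS, network and logs get to see.
// Only the last four digits stay in the clear (PCI DSS allows them on receipts).
type EncryptedTxn struct {
	Nonce       []byte
	Ciphertext  []byte // AES-GCM over the PAN; the tag also authenticates AmountCents
	AmountCents uint32
	Last4       string
}

// POI models the PIN pad or card reader. In a P2PE deployment the key lives in the
// device's hardware encryption module and track data is encrypted before any POS
// software can read it; that module is simulated in software here (an assumption).
type POI struct{ dek []byte }

// Processor models the payment gateway/processor that holds the matching key and is
// the only party authorized to decrypt.
type Processor struct{ dek []byte }

func NewPOI(key []byte) *POI             { return &POI{dek: key} }
func NewProcessor(key []byte) *Processor { return &Processor{dek: key} }

// NewDataEncryptionKey makes a 256-bit AES key. In production the processor injects it
// into the POI under its key-management scheme; the merchant never holds a copy.
func NewDataEncryptionKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// amountAAD binds the amount to the ciphertext so it cannot be altered in transit.
func amountAAD(amountCents uint32) []byte {
	return []byte(fmt.Sprintf("amount=%d", amountCents))
}

// Swipe is the read-and-encrypt step that must happen inside the device.
func (p *POI) Swipe(pan string, amountCents uint32) (EncryptedTxn, error) {
	if n := len(pan); n < 13 || n > 19 {
		return EncryptedTxn{}, errors.New("not a PAN-length value")
	}
	aead, err := newGCM(p.dek)
	if err != nil {
		return EncryptedTxn{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedTxn{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), amountAAD(amountCents))
	return EncryptedTxn{Nonce: nonce, Ciphertext: ct, AmountCents: amountCents, Last4: pan[len(pan)-4:]}, nil
}

// MerchantVisibleBytes is what RAM-scraping malware on the POS could collect:
// the transaction serialized exactly as the merchant holds it.
func MerchantVisibleBytes(t EncryptedTxn) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		hex.EncodeToString(t.Nonce), hex.EncodeToString(t.Ciphertext), t.AmountCents, t.Last4))
}

// ContainsPAN reports whether a full PAN appears in a captured byte dump.
func ContainsPAN(dump []byte, pan string) bool {
	return bytes.Contains(dump, []byte(pan))
}

// Authorize is the processor-side decryption; a wrong key or any tampering with the
// nonce, ciphertext or amount makes the GCM tag check fail.
func (pr *Processor) Authorize(t EncryptedTxn) (string, error) {
	aead, err := newGCM(pr.dek)
	if err != nil {
		return "", err
	}
	pan, err := aead.Open(nil, t.Nonce, t.Ciphertext, amountAAD(t.AmountCents))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered transaction")
	}
	return string(pan), nil
}

func main() {
	key, _ := NewDataEncryptionKey()
	txn, _ := NewPOI(key).Swipe(SamplePAN, 1999)
	fmt.Println("PAN visible to merchant:", ContainsPAN(MerchantVisibleBytes(txn), SamplePAN))
	pan, _ := NewProcessor(key).Authorize(txn)
	fmt.Println("processor recovered PAN:", pan == SamplePAN)
}
```

The point the text makes falls out of the key placement, not the cipher: the same AES-GCM ciphertext is "not cardholder data" in the merchant's hands only because the merchant cannot call Authorize with a working key. Give the POS a copy of that key (or let it see the PAN before Swipe runs) and the scoping argument collapses.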
Speaking of implementation, encryption is not only required for the storage of cardholder data but also for the transmission of data over open, public networks. This is commonly accomplished using the Secure Sockets Layer (SSL) protocol. This protocol initially performs a handshake with a public key (certificate) that provides a secure method of sharing a [...] so commonly [...] servers [...] but also remote access technologies [...] technologies, and web [...] systems. Note that since PCI DSS v3.1 (2015), SSL and early TLS no longer count as strong cryptography, so TLS 1.2 or later should be used for this purpose.
Tokenization

Tokenization is a great way to improve security [by] reducing the [...] systems [...] statement [...] implemented correctly.

Also, does de-tokenization mean that the stockpile of tokens is meaningless to all [...] the tokens. Therefore, all that's left is to figure out how to de-tokenize and voila! I've stolen credit card data. My target then becomes the de-tokenization method, and the people (and their systems) who use the de-tokenization method.

So, I am not comfortable with disregarding the tokens. In fact, I believe that the rule applied to encrypted data should be extended to tokens: if you can de-tokenize, it's [...] supreme; you must keep [...] you introduce [...] the PCI DSS standards. Recognize them for what they are (and aren't) and leverage the PCI compliance process [...]
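As an added example, not from the original document or from any vendor's product, here is a small Go token vault that makes the argument above concrete. Tokens keep the PAN's last four digits for receipts, are deliberately never Luhn-valid so they cannot pass as card numbers, and carry no cryptographic relation to the PAN; a stolen stockpile of them reveals nothing on its own. The only way back is the vault's Detokenize call, gated by a caller allow-list, which is exactly why the vault and its trusted callers are the attacker's real target. The caller names refund-service and marketing-analytics, the in-memory storage and the test PAN are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// TokenVault is the de-tokenization service the text describes: a random token maps
// back to a PAN only here, and only for callers the vault has been told to trust.
// Storage is an in-memory map (an assumption; a real vault persists this encrypted).
type TokenVault struct {
	mu         sync.Mutex
	byToken    map[string]string // token -> PAN
	byPAN      map[string]string // PAN -> token, so a repeat card gets the same token
	authorized map[string]bool   // callers allowed to de-tokenize
}

func NewTokenVault(authorizedCallers ...string) *TokenVault {
	v := &TokenVault{byToken: map[string]string{}, byPAN: map[string]string{}, authorized: map[string]bool{}}
	for _, c := range authorizedCallers {
		v.authorized[c] = true
	}
	return v
}

// LuhnValid is the mod-10 check every real PAN passes.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// randomDigits draws n decimal digits from the CSPRNG; there is no key and no
// function of the PAN involved, so a token cannot be "decrypted".
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		r, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = byte('0' + r.Int64())
	}
	return string(out), nil
}

// Tokenize returns a 16-digit token that keeps the PAN's last four digits, is
// rejected if it happens to be Luhn-valid (about one candidate in ten), and is
// unique within the vault.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !LuhnValid(pan) {
		return "", errors.New("not a valid PAN")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		prefix, err := randomDigits(12)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		if LuhnValid(tok) { // never let a token look like a usable card number
			continue
		}
		if _, taken := v.byToken[tok]; taken {
			continue
		}
		v.byToken[tok] = pan
		v.byPAN[pan] = tok
		return tok, nil
	}
}

// Detokenize is the call an attacker holding stolen tokens needs to make.
// The vault, and every caller it trusts, are therefore inside the cardholder data scope.
func (v *TokenVault) Detokenize(caller, token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if !v.authorized[caller] {
		return "", fmt.Errorf("caller %q is not authorized to de-tokenize", caller)
	}
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	vault := NewTokenVault("refund-service") // assumed trusted caller
	tok, _ := vault.Tokenize("4111111111111111") // constructed test PAN
	fmt.Println("token:", tok, "luhn-valid:", LuhnValid(tok))
	_, err := vault.Detokenize("marketing-analytics", tok)
	fmt.Println("analytics de-tokenize:", err)
	pan, _ := vault.Detokenize("refund-service", tok)
	fmt.Println("refund-service de-tokenize:", pan)
}
```

Read the allow-list as the scope boundary: whatever can call Detokenize successfully, and whatever that caller runs on, needs the same controls as the systems that handle clear PANs.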
GLOSSARY
CHD - cardholder data
DoD - Department of Defense
DSS - Data Security Standard
IDS - intrusion-detection system
IPS - intrusion-prevention system
ABOUT
About Jeff Man
Jeff has compiled a rich knowledge base in cryptography, information security, and most recently PCI. With PCI impacting nearly every [...] vertical, he has [...] business [...] best practices [...] security [...] standards. [...] many of the [...]

Note
Some of the preceding material originally appeared in the Tenable blog or in the Wired Innovation Insights blog.