What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID) must adhere to these standards.
What does it protect and who does it apply to?
PCI protects credit cardholder data. The standard breaks it down into two types of data, Cardholder Data and Sensitive Authentication Data, according to the PCI DSS requirements.
Who manages it?
The Payment Card Industry Security Standards Council (PCI SSC) was launched by industry leaders on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note, the payment brands (VISA, MasterCard, American Express, etc.) and acquirers are responsible for enforcing compliance, not the PCI council.
How do I know if I have to adhere to PCI?
If you process, store or transmit credit card information then you must adhere to PCI. In fact, before you are given a merchant ID that allows you to process transactions you must have a PCI audit to confirm that you adhere to the standards.
Note that if you outsource your checkout to clearinghouse 3rd party payers like GoogleCheckout then you do not process, store or transmit credit card information, the 3rd party does.
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant levels as defined by Visa:
• Level 1: Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
• Level 2: Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.
• Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
• Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
* Any merchant that has suffered a data breach may be escalated to a higher validation level.
Can I avoid a PCI audit?
Yes, by outsourcing the checkout process on your ecommerce site to a third party.
Not all ecommerce sites have to process, store or transmit credit card information themselves. In fact, many smaller sites will outsource the “checkout” process to a third party. In these cases, the third party is the one processing, storing and transmitting credit card information, and hence the ecommerce site doesn’t have to have a PCI audit.
Who does the audits?
The PCI audit must be completed by an approved Qualified Security Assessor (QSA). Generally the QSA, because they are very expensive, only comes in after the company has completed the necessary internal audits and remediation/documentation necessary to pass the audit. Therefore, many companies will hire a security consultant familiar with PCI DSS to help them prepare for the audit by the QSA. The QSA is the person who will do the on-site visit.
What are the PCI standards?
There are 211 different PCI standards. These standards are organized into 12 requirements. The 12 requirements are organized into 6 sections. An example of a standard is:
Section 3 - Maintain a Vulnerability Management Program
Requirement 6 - Develop and maintain secure systems and applications
Standard 6.1 - Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
The test for standard 6.1 is:
a) For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security patch list, to verify that current vendor patches are installed.
b) Examine policies related to security patch installation to verify they require installation of all relevant new security patches within 1 month.
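The two tests above can be turned into a repeatable check that an internal audit runs before the QSA arrives. The following is an added example, not part of the original page or of any PCI SSC testing procedure: it compares each system component's installed patches against a vendor patch list (test a) and applies the one-month policy (test b) to decide which gaps are findings. The patch identifiers, release dates, host names and the 30-day reading of "one month" are all constructed assumptions.

```python
from datetime import date, timedelta

# Policy from standard 6.1: relevant patches installed within one month of
# release. "One month" is read here as 30 days (an assumption of this example).
PATCH_WINDOW = timedelta(days=30)

# Constructed sample data (not from the page): the vendor's current security
# patch list with release dates, and the patches installed on each component.
VENDOR_PATCHES = {
    "PATCH-001": date(2024, 1, 10),
    "PATCH-002": date(2024, 2, 5),
    "PATCH-003": date(2024, 3, 1),
}
INSTALLED = {
    "web01": {"PATCH-001", "PATCH-002", "PATCH-003"},
    "db01": {"PATCH-001"},
}
# Constructed review date for the sample run.
AS_OF = date(2024, 3, 15)


def audit_patches(installed, vendor, today):
    """Test (a): compare each host's installed patches with the vendor list.
    Test (b): of the patches that are missing, flag those released more than
    PATCH_WINDOW ago as overdue. A missing patch still inside the window is
    reported as pending so the reviewer sees it is due, not yet a finding."""
    report = {}
    for host, have in installed.items():
        missing = sorted(p for p in vendor if p not in have)
        overdue = [p for p in missing if today - vendor[p] > PATCH_WINDOW]
        pending = [p for p in missing if p not in overdue]
        report[host] = {"overdue": overdue, "pending": pending}
    return report


def is_compliant(report):
    """Standard 6.1 is met only if no sampled host has an overdue patch."""
    return all(not entry["overdue"] for entry in report.values())


if __name__ == "__main__":
    rep = audit_patches(INSTALLED, VENDOR_PATCHES, AS_OF)
    for host, entry in rep.items():
        print(host, entry)
    print("compliant:", is_compliant(rep))
```

In the sample run db01 is missing PATCH-002 (39 days old, overdue) and PATCH-003 (14 days old, pending), so the environment fails the check even though web01 is fully patched; a real run would feed the installed sets from the package manager and the vendor list from the vendor's advisory feed.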
This table shows the sections and the corresponding requirements.
Here is the full detail of the standard:
PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)
What does PCI require?
• Separate app/db servers
• Web application firewall (WAF)
• Daily log review
• Remote access server
• File integrity monitoring (FIM)
• SSL certificates
• Two-factor authentication for VPN connections
• Vulnerability scanning (on a quarterly basis)
• Annual penetration testing
• Offsite backup
• Patch management
• Change management
Below we describe which of these items we offer and which the client needs to provide to have a PCI compliant environment.
This diagram shows the components of a typical PCI stack. Some items can be purchased independently and others are provided by the client. Each is described in the following table with more detail.
Clients must have separate web and database servers, so any PCI configuration requires at least two servers. They can be cloud or dedicated servers. In addition to the standard services offered with a dedicated server (HW, patch management, monitoring etc.), a PCI client must have:
• Web application firewall (WAF): This device monitors all web traffic going to and from the web server to ensure it isn’t displaying credit card information on web pages, or sending cardholder data to unauthorized users.
• File integrity monitoring (FIM): This is a piece of software installed on critical servers to monitor for changes to configuration files. FIM notifies someone every time any change to a specific set of configuration files occurs.
• Antivirus: Every server must have antivirus software with current subscriptions.
• Two-factor authentication for VPN: When connecting to servers, the administrators must use two-factor authentication for the VPN (Virtual Private Network) connection.
• Daily log review: PCI requires that server and network events be logged to a logging server and that the logs be reviewed daily.
• SSL certificates: Every public-facing web page of the application that may carry transaction information must have an SSL certificate.
• Patch management: Every server and network device has to have a documented patch management process.
• Offsite backup: The data must be backed up offsite. The backup must be encrypted and must not be transmitted over the open internet.
• Vulnerability scanning: You must have an approved scanning vendor (ASV) scan your network and servers for vulnerabilities on a quarterly basis. You also must review the results of that scan and make changes to address any security holes.
There are other items that are required and will have to be provided by the client.
• Annual penetration testing: Once a year, and after major changes to the application, you must have an outside firm perform internal and external penetration testing. It takes about 50-100 hours of work to complete the test. It requires the use of technology to scan the target servers and human use of the application to attempt to hack the application and database.
• QSA audit: PCI certification is granted only once a QSA has completed the audit and written a final report. This must be done by a qualified QSA per the list on Visa.com.
• Database encryption: Cardholder data must be encrypted in the database.
What is Two-Factor Authentication for VPN?
The VPN (Virtual Private Network) connection between the servers must have two-factor authentication in place. This means that the user must enter a username and password plus one other method (hence two-factor) to confirm their identity. In the case of our product, we use the user’s cell phone to confirm their identity.
When a user enters his username and password to log into the VPN, our product sends a text message to the user’s cell phone number on record. The user then replies to that text message to confirm the login, and the VPN connection completes automatically. The user can confirm the login by text message, phone app or even a phone call.
The client will remotely access their servers using a two-factor remote VPN connection. This is a new product that any VPN client may want to consider.
What is an SSL Certificate?
In order to safely transmit information online, an SSL (Secure Sockets Layer) certificate provides the encryption of sensitive data, including financial and healthcare data. An SSL certificate verifies the identity of a website, allowing web browsers to display a secure website.
Especially important with cloud infrastructures, an SSL certificate is a special piece of software that can encrypt data moving between two or more endpoints, such as from a browser to a server containing an application or website.
PCI requires an SSL certificate for any website that captures or displays credit card information. Any of the Online Tech SSL products will meet these needs. Note that the client may need more than one.
What is a Web Application Firewall (WAF)?
A WAF is a device that monitors the internet traffic going to and from a web server. It examines the data on a web page to see if it contains restricted information. For example, it might check to see if a credit card number is being displayed on a page where it isn’t supposed to be, and if so, the WAF will warn the administrator.
It’s a bit like a firewall, but instead of looking at packets of data to make sure they aren’t going to or from the wrong IP address, it reassembles the packets into human-readable form and makes sure that content doesn’t contain unintended data.
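The outbound check described here, and in the WAF row of the stack description above, comes down to recognising a primary account number (PAN) in reassembled page content and stopping it from reaching the client unmasked. The following is an added example written for this page, not code from Online Tech or from any WAF product: it scans a constructed response body for 13-19 digit runs, confirms candidates with the Luhn check digit that every card brand's PAN satisfies, and returns both the findings (for the administrator alert the text mentions) and a masked copy of the body. The sample body, the test card number 4111 1111 1111 1111 and the last-four masking rule are assumptions of the example.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample response body (not from the page). The order number is a
# 13-digit run that is NOT a valid PAN; the card number is the well-known
# Visa test number, which passes the Luhn check.
SAMPLE_BODY = ("Order 1234567890123 confirmed. Card on file: 4111 1111 1111 1111 "
               "(exp 12/27). Support: 555-0100")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the substrings that are plausibly PANs (length and Luhn pass).
    Plain digit runs such as order numbers usually fail Luhn and are skipped."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(m.group())
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_response(body: str):
    """WAF-style outbound inspection: return (findings, redacted_body).
    findings is what the administrator would be alerted about; redacted_body
    is what would be released if the WAF is configured to mask rather than block."""
    pans = find_pans(body)
    redacted = body
    for pan in pans:
        redacted = redacted.replace(pan, mask_pan(pan))
    return pans, redacted


if __name__ == "__main__":
    found, safe = inspect_response(SAMPLE_BODY)
    print("PANs found:", found)
    print("redacted:", safe)
```

Luhn only filters out non-card digit runs; it does not prove a run is a live card, so in practice a hit is a signal for review, and the page that produced it is the thing to fix. The regex also only covers digits separated by single spaces or dashes, which is the form a rendered page normally uses.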
Is a WAF required for PCI?
PCI requires that either the client go through a secure code review or have a WAF. Code review can be more expensive and time-consuming than deploying a WAF.
In mid-2008, "Application layer firewall" [legacy term] or "Web application firewall" technology was upgraded from a 'best practice' to a requirement.
WAF technology is now required in the protection of public-facing web applications, especially where hosts are determined to be financially significant or financial data [credit card detail] is processed.
What is File Integrity Monitoring (FIM)?
File integrity monitoring (FIM) makes sure that critical files, such as configuration files, are not changed nefariously. Depending on the application, there may be configuration files that contain information for the application or database. Hackers will attempt to find and modify those configuration files which can modify how the program runs. FIM monitors the critical files (ones you have configured the system to monitor) and makes sure someone knows every time there is a change.
What does it take to deploy a FIM?
It can take a good bit of work to deploy and properly configure a FIM. You need a good understanding of the application and database and how they use various files. You then need to tell the FIM which files those are and which changes should be flagged. As the application changes, the FIM may need to be updated. Many PCI compliant providers will offer the FIM tool, but not the extra effort it takes to configure and maintain it.
Where is FIM installed?
FIM is a piece of software that is installed on the actual server that it is protecting.
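The mechanism behind the FIM description here (and in the FIM row of the stack description above) is a recorded baseline of each monitored file and a periodic comparison against it. The following is an added example written for this page, not code from Online Tech or from any FIM product: it baselines a constructed configuration file by SHA-256 digest, size and permission bits, then reports each kind of deviation. The file name, its contents and the permission values are assumptions of the example.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits for every monitored file.
    This is the set of files the operator has told the FIM to watch."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": file_digest(p), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def check_baseline(baseline):
    """Compare the current state with the baseline. Returns a list of
    (path, kind) findings, kind being 'missing', 'content' or 'mode'."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        if file_digest(p) != rec["sha256"]:
            findings.append((p, "content"))
        if stat.S_IMODE(st.st_mode) != rec["mode"]:
            findings.append((p, "mode"))
    return findings


def demo():
    """Self-contained run on a constructed config file: baseline it, confirm a
    clean check, then alter content and permissions and return
    (clean_findings, kinds_of_change_detected)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")          # constructed file, not from the page
        with open(cfg, "w") as f:
            f.write("db_host=db01\nlog_level=info\n")
        os.chmod(cfg, 0o640)
        baseline = build_baseline([cfg])
        clean = check_baseline(baseline)            # nothing changed yet
        with open(cfg, "a") as f:
            f.write("log_level=off\n")               # the kind of edit FIM must catch
        os.chmod(cfg, 0o666)                         # loosened permissions, also a change
        return clean, [kind for _, kind in check_baseline(baseline)]


if __name__ == "__main__":
    before, after = demo()
    print("before change:", before)
    print("after change:", after)
```

Two points the paragraph above implies but a deployment has to get right: the baseline must live somewhere the monitored server cannot rewrite (otherwise an edit to the file and to its baseline look the same as no change), and every alert has to be reconciled against the change-management record, since a legitimate deployment also changes these files and must be re-baselined afterwards.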
What is Daily Log Review?
PCI requires logging of all server and network events (all activity on the system) and that someone reviews those logs to check for user patterns and abnormal activity that may indicate a breach or attempted breach. This can require a significant amount of manual time and expertise. It has to be done by a security expert who knows what he is looking for, and can be outsourced to a trusted and credible security provider.
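Part of the daily review can be automated so the analyst's time goes to the lines that matter. The following is an added example written for this page, not Online Tech's log-analysis service: it parses a handful of constructed syslog-style authentication lines from the central log server and flags the patterns a reviewer would want surfaced, namely repeated failed logins from one address, a successful login from an address that had just been failing, and direct root logins. The log lines, host names, addresses and the five-failure threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page), in the form
# "<timestamp> <host> <program>[pid]: <message>" as a central syslog server stores them.
SAMPLE_LOG = """\
2024-03-15T02:14:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
2024-03-15T02:14:03 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2
2024-03-15T02:14:05 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 40116 ssh2
2024-03-15T02:14:07 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 40118 ssh2
2024-03-15T02:14:09 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 40120 ssh2
2024-03-15T02:14:12 web01 sshd[1201]: Accepted password for root from 198.51.100.23 port 40122 ssh2
2024-03-15T09:02:44 db01 sshd[877]: Accepted publickey for dba from 10.0.0.5 port 51000 ssh2
2024-03-15T09:30:10 db01 sudo: dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")

FAIL_THRESHOLD = 5   # assumed review threshold; tune to the environment


def review(log_text: str, threshold: int = FAIL_THRESHOLD) -> list:
    """Return human-readable findings for the daily review.
    Failures are counted per (host, source address); a success from a source
    that already reached the threshold is the pattern that most deserves a look."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparsed lines are left for manual review
        msg = m["msg"]
        f = FAILED_RE.search(msg)
        if f:
            failures[(m["host"], f["ip"])] += 1
            continue
        a = ACCEPTED_RE.search(msg)
        if a:
            accepted.append((m["host"], a["ip"], a["user"], a["method"]))

    findings = []
    for (host, ip), n in failures.items():
        if n >= threshold:
            findings.append(f"{host}: {n} failed logins from {ip}")
    for host, ip, user, method in accepted:
        if failures[(host, ip)] >= threshold:
            findings.append(f"{host}: successful {method} login for {user} from {ip} "
                            f"after {failures[(host, ip)]} failures")
        if user == "root":
            findings.append(f"{host}: direct root login from {ip}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample the tool produces three findings, all on web01; the dba login on db01 and the sudo line are left alone. The point of the threshold parameter is that the reviewer, not the script, decides what counts as abnormal for a given environment, and the unparsed lines still have to be read.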
About Daily Log Review
Our service includes logging and daily log analysis. The events from covered devices are written to Online Tech’s centralized log server which is reviewed daily by a security analyst for abnormal behavior. A report is generated daily (for Online Tech as a whole, not just for a specific client) that our engineers review. This service includes both the logging and the daily log analysis.
PCI requires that servers be patched on a regular and documented basis. Each dedicated server includes OTManage, which includes patch management and documentation. At Online Tech we offer three different levels of patch management, notify clients of outstanding updates waiting to be applied, and offer assistance with patch installation to ensure security measures are implemented accurately and on time.
PCI requires all public-facing web pages scanned by an approved scanning vendor (ASV) on a quarterly basis. Visa.com contains a list of all approved scanning vendors.
Our client can log into the scanning portal to run a quarterly vulnerability scan. This scan checks for open ports, updated patches, antivirus and other features of the OS (operating system) to make sure it is secure. It generates a report called the ROC (Report on Controls) which is required to maintain PCI compliance, and can be sent to auditors to fulfill the PCI requirement.
How do you configure a PCI stack?
We offer a collection of products (WAF, FIM etc.) that can be used to configure a shared or dedicated PCI compliant solution.
The size of the servers is based on the client’s application. The solution does, however, require separate database and web/app servers. The servers can be physical dedicated servers, managed cloud servers or virtual servers on a client’s private cloud.
Add the following items for a complete PCI stack solution:
- Web Application Firewall (WAF)
- File Integrity Monitoring (FIM) for each server
- Daily Log Review
- Two-Factor Authentication for VPN
- SSL Certificate for the covered domains
- Offsite Backup for each server
- Antivirus for each server