
PCI DSS
(Payment Card Industry Data Security Standard)
Kelly Handerhan, Instructor

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AGENDA

PCI DSS: Why, What, How, and Who?
  Why do we need the PCI DSS?
  What is PCI DSS and what does it do?
  How does PCI DSS protect financial and personal information?
  Who is affected by PCI DSS and to whom does it apply?
A word on Social Engineering
Wrap-Up

WHY DO WE NEED THE PCI DSS?

Why do we need a standard to protect payment card information? To prevent:
  Fraud losses estimated to be in the BILLIONS
  Identity theft
  Legal costs, settlements and judgments
  Higher subsequent costs of compliance
  Lost customer confidence
  Lost sales
  Cost of reissuing new payment cards
  Loss of ability to process payment cards

WHERE IS DATA VULNERABLE?

  Data in a payment system database
  Compromised card readers and PoS systems
  Paper records improperly stored
  Hidden camera recording entry of authentication data
  Secret tap into your store's wireless or wired network
  ATMs modified to contain software or hardware shims
  Residual information in the RAM of systems that accept payment card information (RAM scraping)
EVERYWHERE!!! Where there's a will there's a way!

WELL-KNOWN ATTACKS

  In 2012, about 40 million sets of payment card information (PCI) were compromised by a hack of Adobe Systems.
  In July 2013, press reports indicated four Russians and a Ukrainian were indicted in New Jersey for what was called the largest hacking and data breach scheme ever prosecuted in the United States.
  Between 27 November 2013 and 15 December 2013, a breach of systems at Target Corporation exposed data from about 40 million credit cards. The information stolen included names, account numbers, expiry dates and card security codes.
  From 16 July to 30 October 2013, a hacking attack compromised about a million sets of payment card data stored on computers at Neiman-Marcus.
  On September 8, 2014, The Home Depot confirmed that their payment systems were compromised and released a statement saying a total of 56 million credit card numbers were disclosed as a result.

SOURCES AND TYPES OF ATTACKS

INFORMATION TO PROTECT

https://www.pcisecuritystandards.org/smb/why_secure.html

SOURCES OF RISK

Risky behavior: a survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.
  81% store payment card numbers
  73% store payment card expiration dates
  71% store payment card verification codes
  57% store customer data from the payment card magnetic stripe
  16% store other personal data
Source: Forrester Consulting, The State of PCI Compliance (commissioned by RSA/EMC)

TOOLS TO ENSURE PROPER PROTECTION OF PCI

  PCI SSC: The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security
  PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents
  Qualified Security Assessors: QSAs are approved by the Council to assess compliance with the PCI DSS
  Self-Assessment Questionnaire: The SAQ is a validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance

WHAT IS PCI DSS?

Payment Card Industry Data Security Standard
  The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data that is processed, stored or transmitted by merchants.
  The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN, the primary account number printed on the front of a payment card.

WHAT ARE THE GOALS AND REQUIREMENTS?

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

BUILD AND MAINTAIN A SECURE NETWORK

Historically, thieves had to have physical access to a building to steal financial records. Now information is stored on networks, and often transmitted across the internet. Protection of networks transmitting cardholder data is a prime concern.
1. Install and maintain a firewall and router configuration to protect cardholder data
  Standards for configuration and testing
  Deny all traffic from untrusted networks
  Prohibit direct public access between the Internet and any system component in the cardholder data environment
  Personal firewall software must be installed on mobile devices and/or employee-owned computers used to access the organization's network

BUILD AND MAINTAIN A SECURE NETWORK CONTINUED

2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Most vendor defaults are simple and easy to guess
  Frequently designed for ease of use
  Passwords and other default settings should be changed before the system is connected to or installed on the network
  Define and apply system baselines and standard configurations addressing known vulnerabilities
  Encrypt all non-console administrative access

PROTECT CARDHOLDER DATA

In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business, and then it should be rendered unreadable if possible.
3. Protect stored cardholder data
  Limit storage and retention
  Don't store sensitive authentication information after authorization
  Mask the PAN (Primary Account Number) when displayed (first six or last four digits)
  If stored, the PAN should always be unreadable
  Protect keys used for encryption
  Document and manage all key management processes and procedures
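As an added example (not from the slides or the PCI SSC), the display and storage treatments above in Python: a masking function that shows only the first six and last four digits, a keyed one-way hash so stored records can be matched without holding the PAN, and a Luhn-checked scanner for spotting PANs that have leaked into logs or exports. The key, the sample PAN (a standard Visa test number) and the log line are constructed for this example.

```python
import hashlib
import hmac
import re

# Demonstration key only (assumption); a real deployment loads it from managed key storage,
# which is what "protect keys used for encryption" on this slide is about.
DEMO_KEY = b"replace-with-key-from-hsm-or-kms"


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: well-formedness only, says nothing about whether the card is live."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, everything else replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes = DEMO_KEY) -> str:
    """Storage form: keyed one-way hash (HMAC-SHA256), so the PAN itself is never written
    down but the same card yields the same reference for matching transactions."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scan_for_pans(text: str) -> list:
    """Find 13-19 digit runs (spaces or dashes allowed) that pass Luhn: a cheap check that
    PANs have not leaked into logs, exports or error messages."""
    hits = []
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)", text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample: a Visa test PAN and a log line that should never have contained it.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_LOG = "2014-09-08T09:01:12Z pos01 sale user=jsmith card=4111-1111-1111-1111 amount=12.00"
```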

PROTECT CARDHOLDER DATA CONTINUED

4. Encrypt transmission of cardholder data
  Use strong cryptography and transport protocols like SSL/TLS or IPsec for transmission over open, public networks (Internet, wireless, etc.)
  Never send PANs unencrypted by end-user messaging technologies

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Vulnerability management is the process of systematically and continuously finding weaknesses in an organization's payment card infrastructure. Security procedures, system design and implementation, and internal controls are included.
5. Use and regularly update anti-virus software or programs
  Deploy anti-virus software on all systems affected by malicious software
  Ensure that all anti-virus software is current, actively running and capable of generating audit logs

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM CONTINUED

6. Develop and maintain secure systems and applications
  Ensure all system components and software have the latest vendor-supplied patches (critical patches installed within a month)
  Establish a process to identify new vulnerabilities (alert services, vulnerability scans/services)
  Develop software applications in accordance with PCI DSS based on industry best practices and incorporate information security throughout the software development life cycle
  Follow change control procedures for all changes to system components
  Develop web-based applications based on secure coding guidelines
  Ensure all public web-facing applications are protected

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Access control allows merchants to allow or restrict the use of cardholder data. It should include physical and technical controls.
7. Restrict access to cardholder data by business need-to-know
  Allow access only as the job requires
  Establish an access control system for components with multiple users. Default to deny all unless specifically allowed

IMPLEMENT STRONG ACCESS CONTROL MEASURES

8. Assign a unique ID to each person with computer access
  Assign all users a unique user name before allowing them access
  Require authentication by password, passphrase, or two-factor authentication
  Implement two-factor authentication for remote access to the network by employees, administrators and third parties
  Render all passwords unreadable for storage and transmission
  Ensure proper user authentication and password management for non-consumer users and administrators on all system components

IMPLEMENT STRONG ACCESS CONTROL MEASURES

9. Restrict physical access to cardholder data
  Use facility controls to limit and monitor physical access in the data environment
  Develop procedures to help personnel easily distinguish between employees and visitors
  Ensure all visitors are authorized before allowing entry to sensitive areas
  Use a visitor log to maintain a physical audit trail
  Store media back-ups in a secure location
  Physically secure all paper and electronic media containing cardholder data
  Control internal/external distribution of any kind of media containing cardholder data
  Ensure that management approves moving secured media
  Maintain strict control over storage and accessibility of media
  Destroy media containing cardholder data when no longer needed

REGULARLY MONITOR AND TEST NETWORKS

Physical and wireless networks connect all endpoints and servers in the payment infrastructure. Vulnerabilities in these devices must be tested and monitored to prevent exploitation.
10. Track and monitor all access to network resources and cardholder data
  Link all access to an individual user
  Implement audit trails
  Record audit trail entries for each event, including user ID, type of event, date and time, success/failure, and identity or name of affected data
  Synchronize all critical system clocks and times
  Secure audit trails to prevent alteration
  Review logs for security functions (at least) daily
  Retain audit trail history for at least one year, with 3 months being immediately available for analysis
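An added example (not from the slides) of the entry format and the "secure audit trails to prevent alteration" point above, in Python: each entry carries the five fields the slide lists, is stamped in UTC so clock-synchronized hosts produce comparable times, and is chained to the previous entry's SHA-256 hash so that editing, deleting or reordering an entry is detectable at review time. The three sample events and host names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# The per-event fields the slide lists for Requirement 10.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "affected")
GENESIS = "0" * 64  # prev_hash of the first entry (assumption for this example)


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON form of every field except the hash itself."""
    body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def make_entry(prev_hash: str, **fields) -> dict:
    """Build one audit entry; refuses entries missing a required field."""
    fields.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit entry missing required fields: {missing}")
    entry = dict(fields, prev_hash=prev_hash)
    entry["hash"] = _digest(entry)
    return entry


def verify_chain(entries: list) -> int:
    """Return -1 if the trail is intact, else the index of the first entry whose content
    or link to its predecessor does not check out (covers edits, deletions and reordering)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("prev_hash") != prev or _digest(e) != e.get("hash"):
            return i
        prev = e["hash"]
    return -1


def sample_trail() -> list:
    """Constructed example: three events a PoS back-office host might record."""
    events = [
        dict(user_id="jsmith", event_type="login", timestamp="2014-09-08T09:00:00+00:00",
             outcome="success", affected="pos-backoffice-01"),
        dict(user_id="jsmith", event_type="cardholder_data_read", timestamp="2014-09-08T09:01:12+00:00",
             outcome="success", affected="transactions.db"),
        dict(user_id="root", event_type="login", timestamp="2014-09-08T09:02:30+00:00",
             outcome="failure", affected="pos-backoffice-01"),
    ]
    trail, prev = [], GENESIS
    for ev in events:
        trail.append(make_entry(prev, **ev))
        prev = trail[-1]["hash"]
    return trail
```

The chain only makes alteration detectable; the retention and "immediately available" points still require shipping the entries to a store the monitored host cannot write to.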

REGULARLY MONITOR AND TEST NETWORKS

11. Regularly test security systems and processes
  Test for unauthorized wireless access points at least quarterly
  Run internal and external network vulnerability scans
  Perform internal and external penetration testing
  Use network IDS/IPS to monitor all traffic in the cardholder data environment
  Deploy file integrity checkers to alert personnel to unauthorized modification of critical system files, configuration files or content files

MAINTAIN AN INFORMATION SECURITY POLICY

A strong security policy sets expectations for an organization's employees and informs them of their security-related duties.
12. Maintain a policy that addresses information security for employees and contractors
  Establish, publish, maintain, and distribute a security policy that addresses all PCI DSS requirements
  Develop daily operational security procedures that are consistent with the requirements of PCI DSS
  Develop usage policies for critical employee-facing technologies to define proper usage, including remote access, wireless, removable media, laptops, handheld devices, etc.
  Ensure the policy and procedures clearly define information security responsibilities for all employees and contractors

MAINTAIN AN INFORMATION SECURITY POLICY CONTINUED

  Assign information security responsibilities to an individual or team
  Implement a formal security awareness program to make all employees aware of the importance of cardholder data security
  Screen employees prior to hiring
  If cardholder data is shared with service providers, then require them to implement PCI DSS policies and procedures
  Implement an incident response plan

AND FINALLY... A WORD ON SOCIAL ENGINEERS

Don't forget to consider social engineering. Don't be tricked!
  Leads to identity theft, fraud, and compromise
  According to Verizon's 2012 Data Breach Investigations Report, 7 percent of all breaches now involve social engineering, but the number grows to 22 percent for larger organizations.
  Compromises companies' sensitive information
  Often allows an attacker access to a sensitive system

TYPES OF SOCIAL ENGINEERING

According to Tripwire.com there are five types of social engineering attacks that are on the rise:
  Phishing
  Pretexting
  Baiting
  Quid pro quo
  Tailgating

PHISHING

Based on the idea that if you cast a large enough net, you are bound to catch some phish. Frequently attacks come through emails asking a user to respond with information, click on an infected link, or visit a compromised website.
  Be suspicious of unsolicited emails
  Don't click on links. Go to the website through its known URL
  Don't download attachments that aren't digitally signed
  Report suspected phishing attempts to your security team
  If it sounds too good to be true, it probably is.

PRETEXTING

An attacker uses the pretext that they have a legitimate need for the information.
  For example, a credit card company calls and tells you that there has been a problem with your card. They then ask for your card number and other information
  A service rep calls and needs to reset your password because your system has been compromised
  An urgent need to gain access to a sensitive room due to a gas leak or some other environmental issue
These attacks often use urgency as a tool to add pressure on the victim.
  Follow company policy. When in doubt, refer to a supervisor to make the decision.
  Be skeptical.
  Don't allow intimidation to work. No legitimate individual should force you to violate the company security policy
  Never disclose password information

BAITING

Promising something good in exchange for an action or information
  A USB stick found in the parking lot might have interesting information on it.
  "Download this gaming app", when it actually contains malware
  Scan all downloaded items
  Avoid downloads from untrusted sources
  Avoid downloads that haven't been digitally signed.

QUID PRO QUO

Similar to baiting, but offers a service rather than a good in exchange for information or an action
  "I will help you with a bug in your system if you'll just turn off your anti-virus program"
  "Allow me remote access to your system so I can show you how to install this file"
  When in doubt, follow policy and check with your IT Security department.

PIGGYBACKING/TAILGATING

Entering a building directly behind someone who has used their credentials for access.
  Often facilitated by users holding the door open for someone behind them.
  Takes advantage of the fact that many people strive to be courteous
  Ask to see credentials, and if credentials can't be provided, escort the person to security

MITIGATE SOCIAL ENGINEERING

  Require multifactor authentication
  Trust no one!
  Follow company policy
  When in doubt, call your security team
  If you make a mistake and divulge more information than intended, notify your security team

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) WRAP-UP

PCI DSS: Why, What, How, and Who?
  Why do we need the PCI DSS?
  What is PCI DSS and what does it do?
  How does PCI DSS protect financial and personal information?
  Who is affected by PCI DSS and to whom does it apply?
A word on Social Engineering
Wrap-Up

SOURCES AND DISCLAIMERS

The majority of material for this presentation was provided courtesy of the Payment Card Industry Security Standards Council via https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
NOTE: This presentation is not and shall not be considered legal advice. Cybrary is providing you with general information about the rules and general information regarding the Payment Card Industry Data Security Standard. For legal questions specific to your company, please ensure you are working with your own legal counsel, who can best represent your organization.
