PCI DSS Compliance Blog

“Public-facing” web applications are those that are accessible over the Internet, as opposed to intranet applications intended solely for a company’s internal use.  Because these applications are open to the general public, they are subject to all the usual Internet-based hazards.  It should be no surprise, then, to find that these public-facing web applications are subject to PCI Data Security Standard (PCI DSS) requirements.   In order to ensure that companies manage these applications properly, the PCI DSS requires compliance with one of the security practices listed below:

 

1. Companies must review their public-facing web applications at least once per year and after any changes are made to the system.  This review should be performed with manual or automated vulnerability assessment tools, and the entity responsible for this evaluation must be distinct from the application’s development team.  All vulnerabilities that are found must be patched or otherwise addressed.

 

OR

 

1. Companies must install a web-application firewall in front of the application in order to thwart Internet-based cyberattacks.

An important aspect of PCI compliance involves restricting physical access to areas where sensitive data is stored.  Firewalls and encryption can protect data from being intercepted by a hacker who operates from a remote location, but sensitive information is still at risk if you fail to create and enforce a company policy regulating who can enter areas and rooms where this data is stored.  A vital part of this policy should involve establishing a system for utilizing visitor badges for individuals on the premises that are not employees.  So what does the PCI Data Security Standard say about visitor ID badges?  The PCI DSS requires businesses to conform to the following guidelines relating to visitor badges:

• Visitor badges should be used to deny wearers unescorted access to areas where sensitive data can be found.

• Visitor badges should be designed to ensure that visitors can be easily distinguished from normal personnel.

• Visitor badges should expire at a specified time.

• Visitors should return their badges before leaving the premises or at the expiration time.

Only authorized personnel should be allowed to issue visitor badges.

In today’s business environment, so-called internal threats—theft and other types of mischief that can be traced to onsite employees—pose a growing menace.  Recognizing the hazards that can come from within an organization, many businesses have instituted background check programs; these can range from a simple criminal record search to an extensive overview of an applicant’s personal and professional history.  But what a lot of business owners do not realize is that the use of background checks for potential employees isn’t just a good practice—it is required by the PCI Data Security Standard. 

Requirement 12.7 of the PCI DSS calls for businesses to “screen potential personnel prior to hire” in a manner that complies with local laws.  Therefore, to remain PCI compliant a business should ensure that its Human Resources department conducts background checks on all prospective employees applying for positions that would grant them access to sensitive data.  An exception is made for employees who process one-at-a-time transactions (such as cashiers) and have no access to stored payment card data. 

Incidentally, the PCI DSS doesn’t provide specific guidelines for carrying out background checks, leaving it largely up to the discretion of the individual company.

Many merchants rely heavily on point-of-sale payment card processing, and for them it’s certainly not news that enterprising criminals sometimes target these systems to steal sensitive data.  It’s important to keep in mind that these types of attacks are not static in nature—the general advance of technology tends to result in comparable enhancements in malware and similar threats. 

There are reports circulating that a new Trojan aimed at POS systems utilizing Microsoft Windows is wreaking havoc in the wild, stealing valuable data.  Called “vSkimmer,” this malware steals the “track 2” data normally encoded within a card’s magnetic stripe. 

The arrival of vSkimmer is another reminder of the need for merchants to continually optimize their security systems by applying relevant patches and antivirus updates as soon as these are made available.  Keeping your POS up to date with security patches will not only minimize security risks but ensure compliance with the PCI Data Security Standard (PCI DSS). 

In a sense, April 8, 2014 will mark the end of an era—this is the date when Microsoft will cease providing support for its perennially popular Windows XP operating system.  Since its launch way back in 2001, XP has proven surprisingly durable, managing to retain a large portion of the market share even after subsequent operating systems (e.g., Vista) arrived on the scene.   But Microsoft is finally bringing down the curtain on XP; after April 2014, the company will stop providing security patches, updates, and related support services. 

What will this mean for the substantial number of merchants that still rely on XP?  Unfortunately, it will be necessary for them to make the leap to a newer operating system.  Though XP will continue to operate after its end-of-life date, the termination of support services makes the system vulnerable to new viruses and other cyberthreats that may arise.  Consequently, merchants that utilize XP will fall out of compliance with PCI DSS Requirement 6.1, which obliges businesses to ensure the safety of their payment processing systems by installing “the latest vendor-supplied security patches.”  These merchants, therefore, must switch to a supported operating system by April 2014.

Sensitive authentication data are those elements of a payment card transaction that are used to verify the identity of the cardholder.  This category of data is regulated by the PCI Data Security Standard:  PCI DSS Requirement 3.2 strictly forbids merchants from storing this information after authentication—even in an encrypted state.  Given the importance of handling this data properly, it’s worth exploring the subject in more detail.  So what kinds of information constitute sensitive authentication data?  This type of data includes the following: 

• Full magnetic stripe data.  This is the complete range of data coded within the stripe across the back of a payment card.
• The card security code (CSC).  This goes by a variety of names, depending on the specific brand (e.g., CVV2, CID, CAV2).  It is printed on several spots around a card:  in the magnetic stripe and—the area where most consumers will recognize it—near the signature panel, where it is rendered as a three-digit number.  (For American Express cards, it is a four-digit number printed on the front.)
• The PIN and/or PIN block.  When the customer enters their PIN, it is captured by the system as a “PIN block” that includes part of the primary account number and a few other pieces of data. 

This data cannot be retained by the merchant after the authentication process is complete.

If current trends continue, cloud computing—that is, a network of computing resources made available over and accessible from the Internet—will soon play a major role in the business world.  This is why the PCI Security Standards Council (PCI SSC) recently released its “PCI DSS 2.0 Cloud Computing Guidelines” document, containing a wealth of information on the subject.  The document covers a lot of ground, and among this abundance of material, the PCI SSC helpfully pinpoints and defines the four main categories of cloud computing environments.  We’ll briefly explore these below:

• Private clouds – This is a cloud environment intended for a single client.  It may be operated by the client that utilizes it or by a third-party entity, and it may be located on-site or off-site.
• Public clouds – This is a cloud environment open to the public or a large group of users.  It is owned and maintained by a third-party provider.
• Community clouds – This is a cloud environment shared by several clients with related computing needs.  It may be operated by one or more of the user clients or by a third party.
• Hybrid clouds – As the name implies, this is a cloud environment that incorporates elements of more than one type.  For example, a private cloud may utilize resources from a public cloud on an as-needed basis.

  No matter which type of cloud is used, cloud service providers and their users share responsibility of PCI DSS. Although responsibility is shared, merchants must continue to follow the requirements of the PCI Data Security Standard (PCI DSS).

“Attack potential” is a term that appears often in the documentation published by the PCI Security Standards Council (PCI SSC).  It is a numeric value that refers to the security vulnerability of a given piece of equipment.    The higher the number, the more secure the device.   This score is calculated by considering a handful of factors relating to the device:

• Attack time – This is the amount of time necessary to identify or exploit a vulnerability.
• Expertise – The skill level required to carry out a successful attack.  Three categories are recognized (in ascending order):  Laymen, Proficient, and Expert.
• Knowledge of the device – The type of knowledge pertaining to the specific device that is required to execute a successful attack.  This is classified in one of three categories:  Public (accessible to everyone), Restricted (accessible upon request or in official documentation), and Sensitive (hard-to-obtain “secret” information).
• Access to the device – The kinds of equipment that can be obtained to identify or exploit a device’s vulnerability.  There are three categories:  mechanical samples, functional samples without working keys, and functional samples with working keys.
• Equipment – The type of equipment necessary to identify or exploit a vulnerability.  These are categorized as follows (in ascending order):  Standard, Specialized, Bespoke, and Chip-level. 
• Parts – The type of parts that must be used to hide an attack or replace material damaged in an attack (in ascending order):  Standard, Specialized, or Bespoke.

For small merchants and organizations, implementing the guidelines of the PCI Data Security Standard (PCI DSS) can be a reasonably simple task—especially with the high-quality security tools provided by Element Payment Services.  But larger companies often find it convenient to have employees whose job duties are entirely or substantially given over to monitoring and maintaining the organization’s compliance with PCI regulations.  For these individuals, the PCI Security Standards Council has developed the Internal Security Assessor (ISA) program, which trains qualified personnel in appropriate data security techniques.  Once trained, ISAs can help their companies with internal audits and self-assessments.

Steps for Becoming an ISA

• Sponsor Company Qualification – An organization that wishes to train one or more employees as Internal Security Assessors must first apply to become a Sponsor Company.  NOTE:  ISAs must be affiliated with a Sponsor Company, and his or her qualifications cannot be transferred to another company.
• ISA Qualification – Once the organization has been approved as a Sponsor Company, eligible employees may take the PCI Security Standards Council’s ISA training course.
• Annual Requalification – Both the Sponsor Company and the individual ISAs must recertify on an annual basis to maintain their respective qualifications.