PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Transcription

1 PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST Public Network Intelligence India 1

2 Contents 1. Background PCI Compliance Requirements (Periodicity) References Public Network Intelligence India 2

3 1. Background Organizations that deal with card holder data need to comply with the Payment Card Industry Data Security Standard (PCI DSS). During the yearly PCI certification audit a PCI QSA (Qualified Security Assessor) requires various evidences to complete the Report on Compliance. A of the compliance requirements have their defined frequency as per the PCI DSS standard. This frequency is clearly mentioned in the PCI DSS v3.1 document; however an organization may define the frequency as per their policy which should not be less than that of the Standard. We have prepared a comprehensive list that includes the list of necessary reports and their associated frequency that should be kept ready during the PCI DSS certification audit. 2. PCI Compliance Requirements Periodicity and Evidences Required 1 PCI Compliance Requirements (Periodicity) Scope identification (Inventories and Cardholder Data (CHD) Flow Diagrams) NA At least annually and post changes. Defining the scope of PCI compliance is the key factor in a PCI DSS implementation exercise, as a too large scope will make the assessment complex and costly, where as a sketchy scope will be a threat to card holder data. Scope identification should be an ongoing process, incase of changes in the business model, network architecture, data flow etc., the changes should be made to the inventories, cardholder data flow diagram and network architecture diagram. The following documents should be kept ready: - Updated asset inventories of the cardholder data environment (CHD). - Cardholder Data (CHD) flow diagrams. - Network architecture diagram. 2 Internal audit report To verify all requirements are being met prior to the PCI QSA assessment At least annually or as per organization's audit calendar An internal audit report to ensure that all the PCI DSS compliance requirements are met and corrective action taken for the gaps identified. Public Network Intelligence India 3

4 3 Network device and web filtering proxy rule set review reports Half yearly Review the device ruleset for in-scope devices such as firewalls, routers, web filtering proxy, etc. to ensure, there are no insecure, unused, unauthorized rules Hardening documents for all system components 2.2 Ongoing or at least annually Prepare the hardening documents for all system components such as operating systems, databases, network devices, technologies used (e.g.. virtualization), applications, security tools (e.g. SIEM) etc., to ensure that all the know vulnerabilities related to the system are addressed. Also these documents should be updated to ensure that a newly identified vulnerability is addressed and fixed. The document should be based upon industry-accepted system hardening standards (CIS, ISO, NIST, SANS, etc.) but not limited to it. Data retention and handling policy 3.1a, 3.1b, 3.1c, 3.4a Quarterly A data retention and handling policy defining: - The location of the data storage (in accordance with legal requirements and business model) - Amount of data stored. - What type of data is stored i.e. card holder data (primary account or PAN (rendered unreadable), expiration date, cardholder name, and service code), Sensitive authentication (data consists of full track data, card validation code or value, and PIN data) Key-management policies and procedures 3.5,3.6,3.6.4,4.1b,4.3 On going Public Network Intelligence India 4

5 Document explaining: - List of user's having access to encrypting key and key encrypting key. - Process of granting access to the key. - Location where keys are stored. - Key meets the complexity level. -How keys are generated, transmitted, stored and updated. -Process to change the key incase the key is compromised or integrity is lost. 7 8 Malware threat analysis Ongoing or at least annually Systems that are not considered to be affected by malware perform a trend analysis of the malware threat to ensure that the system is still not affected by malware and it does not require anti-virus software. This could be achieved by reviewing the security advisory by the vendors, security blogs, antivirus news groups etc. Antivirus policy 5.2, 5.3, 5.4 Ongoing or at least annually Evidences showing that: - An antivirus is installed on all the systems, and the end user cannot disable or uninstall the antivirus software. - An antivirus is updated automatically with latest signatures. - Periodic scans are performed. - Logs are generated, monitored and retained. 9 Vulnerability Management 6.1,6.2,6.6 On going Public Network Intelligence India 5

6 A vulnerability management program to ensure all the vulnerabilities are addressed, below reports should be maintained: - A process to identify vulnerabilities and classify the risk rating (High, medium low) based upon the overall impact and industry known resources (e.g. CVE, CVSS scores). - A policy document to define, how new vulnerabilities are identified and managed. - Perform vulnerability Assessment of all the system components of card holder data environment. - Antivirus signature update report. - Patch update report. - IPS signature update report. - Application vulnerability Assessment report. - Web Application firewall signature update report ,6.5 Secure software development guidelines Annually Prepare Software development guidelines, to ensure that: - Industry accepted best practices are included. - Software developed undergoes change management process. - Software changes are reviewed. - Production and test environments are separated, and production data is not used for test purpose. - An independent secure code review to ensure that code related security vulnerabilities are addressed Privileged ID review report Quarterly Performed a quarterly review of privileged users to ensure: - Privileges are required as per business need and assigned post approval. - A user is not assigned higher privilege than actually required to perform the task. Access reconciliation report 8.1.3a, B, Ongoing Public Network Intelligence India 6

7 Access reconciliation report for local access, remote access, logical access, physical access (smart cards, tokens, etc.) Reports to ensure: - An account inactive for 90 days is deactivated. - Access that is no longer required is revoked (local access, remote access, logical access, physical access). 13 Storage security review report b,9.6.1,9.7.1 Annually Below reports should be kept handy: - Security review report for storage location. - Inventory of the storage media. - Classification of the media so as to identify the sensitivity of the information stored. - Logs to track the movement of the storage media. 14 Review of point of sale device 9.9 Ongoing or at least annually Ensure that the integrity of the point-of-sale devices (POS) such as swipe machine is maintained. - Inventory of all such devices - Review report for integrity check. - Training records for personnel at point-of-sale. 15 Security Audit Log and review reports 10.1 to , Daily Log monitoring, reviewing and analyzing helps detect anomalies and abnormalities in the system. A Log review report for the logs collected from critical system components (such as active directory domain controller, file and printer server, storage server, database, server etc.), network and web application firewalls, IDS/IPS, file-integrity monitoring (FIM) systems, antivirus software, physical access control system, privileged identity management solution (PIM), web filtering proxies, network devices, network performance monitoring tools etc. Note: Log review can be manual or using log review tools 16 Rogue access point detection (Wi-Fi scanning) Public Network Intelligence India 7

8 11.1 Quarterly Rogue access point detection report: -Inventory of authorized wireless access points (with a documented business justification) -Perform scan to identify the unauthorized and rogue access points. Note: This is a mandatory report, even if the organization doesn't use wireless technology. 17 Internal vulnerability assessment Quarterly Internal Vulnerability assessment report - Reports for a period of last 12 months. - Internal Vulnerability assessment should be done till all the vulnerabilities (High-risk as per Req.6.1) are closed. - Relevant change management tickets for the closures ASV scan reports Quarterly and post changes Scanning reports by a PCI ASV (Approved Scanning Vendor) for all the public IPs that are in scope. - A PCI Pass scan report from Approved Scanning Vendor. - PCI Pass reports for a period of last 12 months. - Scanning should be done till all the vulnerabilities (PCI Fail) are closed. Note: PCI Fail: vulnerabilities rated 4.0 or higher by the CVSS. PCI Pass: vulnerabilities rated less than 4.0 by the CVSS. Vulnerability Assessment Post Changes Post significant changes Public Network Intelligence India 8

9 In case of any significant changes (e.g. new server deployment, operating system upgrade, new service introduction, deployment of new network device, changes to existing network architecture, application level code changes, introduction to new functionality in the application etc.) perform external vulnerability assessment or internal vulnerability assessment (whichever is applicable). - Vulnerability assessment should be done till all the vulnerabilities (High-risk as per Req.6.1) are closed Penetration test and Network segmentation test 11.3 Annually or Post significant changes Internal and external penetration test reports - Evidence that all high risk issues have been addressed. - Evidence that card holder data environment is segregated from non card holder data environment. Note: Perform penetration test and network segmentation test post any significant changes For more information refer our case study on PCI DSS Segmentation File integrity check 11.5, Weekly Exception report. - Evidence that an unauthorized change to the configuration will be detected. - Configure FIM (File integrity monitor) to generate alerts and monitor the alerts for anomalies, to ensure configuration changes by a malicious code (virus, Trojan, malware) will be detected. Information Security Policy Annually and post any changes Information security policy document and evidence to support it is communicated. 23 Risk Assessment 12.2 Annually and post any changes Public Network Intelligence India 9

10 A risk assessment report, risk assessment should be performed annually and post any changes (such as change in business model, technology etc.) 24 Information Security awareness , At least annually Attendance and refresher session records for new as well as existing employees. 3. References Public Network Intelligence India 10