PCI Security Scan Procedures. Version 1.0 December 2004



Similar documents
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Data Security Standard Explained

Payment Card Industry (PCI) Executive Report. Pukka Software

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

March

Payment Card Industry (PCI) Executive Report 08/04/2014

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Your Compliance Classification Level and What it Means

Achieving PCI Compliance Using F5 Products

Payment Card Industry (PCI) Executive Report 10/27/2015

PCI Compliance. Top 10 Questions & Answers

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

NETWORK PENETRATION TESTING

Josiah Wilkinson Internal Security Assessor. Nationwide

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

74% 96 Action Items. Compliance

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

GFI White Paper PCI-DSS compliance and GFI Software products

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Global Partner Management Notice

Frequently Asked Questions

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Skybox Solutions to Achieve PCI Compliance

An Introduction to Network Vulnerability Testing

PCI Compliance Top 10 Questions and Answers

Becoming PCI Compliant

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Payment Card Industry (PCI) Approved Scanning Vendors. Program Guide Reference 1.0 PCI DSS Version 1.2

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

PCI DSS Requirements - Security Controls and Processes

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Network Security Policy

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

PCI v2.0 Compliance for Wireless LAN

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

PROFESSIONAL SECURITY SYSTEMS

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Achieving PCI-Compliance through Cyberoam

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Windows Azure Customer PCI Guide

Network Security: Introduction

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Payment Card Industry Data Security Standard

SonicWALL PCI 1.1 Self-Assessment Questionnaire

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

How To Prevent Hacker Attacks With Network Behavior Analysis

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

WHITE PAPER. An Introduction to Network- Vulnerability Testing

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

A Decision Maker s Guide to Securing an IT Infrastructure

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

LogRhythm and PCI Compliance

Web App Security Audit Services

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Enterprise K12 Network Security Policy

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

PCI DATA SECURITY STANDARD OVERVIEW

Thoughts on PCI DSS 3.0. September, 2014

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Intro to Firewalls. Summary

Why Is Compliance with PCI DSS Important?

CMPT 471 Networking II

How To Pass An Asv Scan

Network and Host-based Vulnerability Assessment

8 Steps for Network Security Protection

How To Protect Your Data From Being Stolen

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

8 Steps For Network Security Protection

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013

Is the PCI Data Security Standard Enough?

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

PCI DSS v3.0 Vulnerability & Penetration Testing

TIBCO LogLogic. PCI Compliance Suite Guidebook. Software Release: December Two-Second Advantage

Technical breakout session

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

Name. Description. Rationale

Coalfire Systems Inc.

Transcription:

PCI Security Scan Procedures Version 1.0 December 2004

Disclaimer The Payment Card Industry (PCI) is to be used as a guideline for all entities that store, process, or transmit Visa cardholder data conducting network security scans to meet PCI requirements. Visa Asia Pacific, however, makes no warranty or claim that completion of network security scans will prevent security breaches or losses, and disclaims any responsibility or liability for any security breaches or losses incurred, whether the result of scans is compliant or not. Important The Payment Card Industry (PCI) is part of Visa Asia Pacific s Account Information Security (AIS) documentation suite. All Members and their agents (merchants and service providers) must ensure they process, store and transmit cardholder information in accordance with the PCI Data Security Standard (this standard supercedes Visa s AIS Standard v1.4, March 2000). For more information on Visa Asia Pacific s AIS program please visit http://www.visaasia.com/secured. 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Security Scanning Prodecures

Objective and Audience This document identifies the procedures and guidelines for conducting network security scans in compliance with Payment Card Industry (PCI) requirements. The intended audience of the document is merchants and third party service providers who are scanning their infrastructures to demonstrate compliance. Introduction The PCI Data Security Standard details security requirements for members, merchants, and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to conduct network security scans on a regular basis as defined by each payment card company. Network Security Scans are an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of web sites or IT infrastructures containing externally facing IP addresses. Scan results provide valuable information that support efficient patch management and other security measures that improve protection against internet hacking. Network Security Scans apply to all merchants and service providers with externalfacing IP addresses. Even if an entity does not offer Web-based transactions, there are other services that make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company s network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and potential expose cardholder data if not properly controlled. 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Security Scanning Prodecures 1

Scanning Procedures To be considered compliant with the network scanning requirement, merchants and service providers must scan their web sites or IT infrastructures with externally facing IP addresses, according to the following guidelines: 1. All scans must be conducted by a third party compliant network security scanning vendor, selected from the list of approved vendors on https://sdp.mastercardintl.com/vendors/vendor_list.shtml. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment 2. Quarterly Scans are required for all merchants and service providers whose average monthly transaction volume exceeds 10,000. 3. If network or application modifications are made to the production environment, additional scans may be required to ensure that new vulnerabilities are not introduced into the infrastructure. 4. Prior to scanning the web site and IT infrastructure, merchants and service providers must; Provide the scan vendor with a list of all active externally facing IP addresses. Request the scan vendor to determine the entire externally facing IP range through network probing to determine which IP addresses and services are active. 5. Contract with the vendor to perform periodic scans of all active IP addresses and devices 6. Scan all filtering devices such as firewalls or external routers (if used to filter traffic). If using a firewall or router to establish a DMZ, these devices must be scanned for vulnerabilities. 7. Scan all Web servers. Web servers allow Internet users to view Web pages and interact with Web merchants. Because these servers are fully accessible from the public Internet, scanning for vulnerabilities is critical. 8. Scan application servers if present. Application servers act as the interface or middle-man between the Web server and the back-end databases and legacy systems. For example, when cardholders share account numbers with merchants or service providers, the application server provides the functionality to transport data in and out of the secured network. Hackers exploit vulnerabilities in these servers and their scripts to get access to internal databases that could potentially store credit card data. 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Security Scanning Prodecures 2

Some Web site configurations do not include application servers; the Web server itself is configured to act in an application server capacity. 9. Scan all custom Web applications. The most elusive vulnerabilities are those introduced through a custom-developed e-commerce application of the merchant or service provider. 10. Scan Domain Name Servers (DNS). DNS servers resolve Internet addresses by translating domain names into Internet Protocol (IP) addresses. Merchants or service provider may use their own DNS server or may use a DNS service provided by their Internet Service Provider (ISP). If DNS servers are vulnerable, hackers can potentially spoof a merchant or service provider Web page and collect credit card information. 11. Scan mail servers. Mail servers typically exist in the DMZ and can be vulnerable to hacker attacks. They are a critical element to maintaining overall Web site security. 12. Scan all Load Balancers. To increase the performance and the availability of an environment, a load balancer can spread the traffic load to more than one physical server. If the environment of the merchant or service provider is using a load balancer, merchants and service providers should scan all individual servers behind the load balancer. Failure to scan all physical servers behind the load balancer could leave vulnerabilities undetected. 13. Scan Virtual Hosts. All merchants whose websites are hosted must request their hosting provider to scan their entire externally facing infrastructure and demonstrate compliance. It is common practice when using a hosted environment that one server contains more than one Web site. In this case, the merchant shares the server with other customers of the hosting company. This could potentially lead to an exploit of the server through Web sites other than the merchants. 14. Scan Wireless Access Points in wireless LANs (WLANs). Usage of WLANs introduces new data security risks that need to be identified and mitigated. Merchants, processors, gateways, service providers and other entities must scan their wireless components to identify potential vulnerabilities and misconfigurations. 15. Configure the IDS/IPS in a way to accept the originating IP address of the scan vendor. Should this not be possible, the scan should be originated in a location which prevents the IDS/IPS from interfering with its actions 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Security Scanning Prodecures 3

Compliance Reporting Acquirers, merchants, and service providers will need to follow each payment card company s respective compliance reporting requirements to ensure each payment card company acknowledges an entity s compliance status. While scan reports must follow a common format, the results must be submitted according to each payment card company s requirements. Please contact your acquiring bank or check each payment card company s regional website to determine to whom the results should be submitted. Reading and Interpreting Reports Approved network scan vendors are able to produce an informative report, based on the results of the network scan The scan report will describe the type of vulnerability or risk, a diagnosis of the associated issues, and guidance on how to fix or patch the isolated vulnerabilities. The report will assign a rating for vulnerabilities identified in the scan process. Compliant network scanning vendors may have a unique method of reporting vulnerabilities; however, high-level risks will be reported consistently to ensure a fair and consistent compliance rating. Please consult your vendor when interpreting your scan report. The following table suggests how a compliant network scan solution may categorize vulnerabilities. This table is provided to demonstrate the types of vulnerabilities and risks which are considered high-level. To be considered compliant, a scan must not contain high-level vulnerabilities. In the below example, this translates into vulnerabilities designated as level 3, 4 or 5. Level Severity Description 5 Urgent Trojan Horses, file read and writes exploit, remote command execution 4 Critical Potential Trojan Horses, file read exploit 3 High Limited exploit of read, directory browsing and denial of service (DoS) 2 Medium Sensitive information can be obtained by hackers on configuration 1 Low Information can be obtained by hackers on configuration Level 5 Level 5 vulnerabilities provide remote intruders with remote root or remote administrator capabilities. With this level of vulnerability, hackers can compromise the entire host. Level 5 includes vulnerabilities that provide remote hackers full file-system read and write capabilities, remote execution of 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Security Scanning Prodecures 4

commands as a root or administrator user. The presence of backdoors and Trojans also qualify as level 5 vulnerabilities. Level 4 Level 3 Level 2 Level 1 Level 4 vulnerabilities provide intruders with remote user, but not remote administrator or root user capabilities. Level 4 vulnerabilities give hackers partial access to file-systems (for example, full read access without full write access). Vulnerabilities that expose highly sensitive information also qualify as level 4 vulnerabilities. Level 3 vulnerabilities provide hackers with access to specific information stored on the host, including security settings. This level of vulnerabilities could result in potential misuse of the host by intruders. Examples of level 3 vulnerabilities include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, susceptibility to denial of service (DoS) attacks, and unauthorized use of services such as mail relaying. Level 2 vulnerabilities expose some sensitive information from the host, such as precise versions of services. With this information, hackers could research potential attacks against a host. Level 1 vulnerabilities expose information, such as open ports. 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Security Scanning Prodecures 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information