SAQ D Compliance
Scott St. Aubin, Senior Security Consultant
QSA, CISM, CISSP
Ground Rules
- WARNING: Potential Death by PowerPoint
- Interaction
  - Get clarification
  - Share your institution's questions, challenges, and solutions
  - What have you learned along the way?
SAQ D Compliance: Key Points
- Remediation Strategies Recap
- Applying the Requirements
- Requirements Discussion
Remediation Strategies Recap: Preliminary Steps
- Review PCI activities to minimize CHD and simplify business processes
  - Can you move to a SAQ C or even a SAQ B?
- Outsource PCI activities
- Use compliant payment applications
  - Compliant as SAQ C or SAQ D?
- Segmentation
Remediation Strategies Recap: Prioritized Approach
- Remove sensitive authentication data and limit data retention
- Protect the perimeter, internal, and wireless networks
- Secure payment card applications
- Monitor and control access to your systems
- Protect stored cardholder data
- Finalize remaining compliance efforts, and ensure all controls are in place
Applying the Requirements
- Each Requirement is Unique
- Interpretations
- Compensating Controls
  - What are they?
  - When / How can they be used?
- Costs
  - Open-source solutions should be available
Requirement 1: Install and maintain a firewall configuration to protect CHD
- At each Internet connection AND between the DMZ and internal network
- Which devices should be in the PCI Island?
  - Jump host for administrators
- Are VLANs and ACLs sufficient? Maybe.
- Network Traffic Access Control: Minimized, Documented, and Proxied (inbound and outbound)
Requirement 1: Install and maintain a firewall configuration to protect CHD
- Misc
  - Review ACL rules every six months
  - RFC 1918 private IP addresses
  - Change management
  - Current network diagram
- Cost
  - Include systems/areas that handle CHD
  - New firewall if necessary
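The six-monthly ACL review the slide calls for is easier when the rule set is checked mechanically for the Requirement 1 points above: every permit is documented, ports are minimized, the Internet cannot reach the PCI Island except through the DMZ, RFC 1918 addresses are not exposed, and the set ends in deny-all. The script below is an added example, not NetSPI's or the PCI SSC's tooling; the rule tuple format, the 10.10.1.0/24 CHD segment and the sample rules are constructed assumptions.

```python
"""Review a firewall rule set against the Requirement 1 points on the slides:
minimized, documented, default deny-all, RFC 1918 space not exposed, and no
unfiltered path from the Internet straight into the CHD segment (PCI Island).
Added example; rule format, addresses and sample rules are constructed."""
import ipaddress

# Constructed CHD segment (RFC 1918 space) and rule set.
# Rule layout: (action, source, destination, port, justification)
CHD_SEGMENT = ipaddress.ip_network("10.10.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAMPLE_RULES = [
    ("permit", "0.0.0.0/0", "203.0.113.10/32", "443", "Internet to DMZ web tier"),
    ("permit", "203.0.113.10/32", "10.10.1.5/32", "8443", "DMZ web to CHD app server"),
    ("permit", "10.20.0.5/32", "10.10.1.0/24", "22", "Admin jump host to PCI Island"),
    ("permit", "0.0.0.0/0", "10.10.1.0/24", "any", ""),  # undocumented catch-all
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "Default deny"),
]


def is_any(cidr):
    """True for 0.0.0.0/0, i.e. 'anywhere' as a source or destination."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def review_rules(rules, chd_segment=CHD_SEGMENT):
    """Return (rule_index, finding) pairs for rules that need attention."""
    findings = []
    for i, (action, src, dst, port, why) in enumerate(rules):
        if action != "permit":
            continue
        if not why.strip():
            findings.append((i, "permit rule has no documented business justification"))
        if port == "any":
            findings.append((i, "permit rule allows all ports; restrict to required services"))
        dst_net = ipaddress.ip_network(dst)
        if is_any(src) and dst_net.overlaps(chd_segment):
            findings.append((i, "Internet can reach the CHD segment directly; route via the DMZ"))
        if is_any(src) and any(dst_net.overlaps(n) for n in RFC1918):
            findings.append((i, "RFC 1918 address exposed to the Internet in a permit rule"))
    # The set must close with an explicit deny-all so anything undocumented is dropped.
    last = rules[-1] if rules else None
    if not (last and last[0] == "deny" and is_any(last[1]) and is_any(last[2])):
        findings.append((len(rules) - 1, "rule set does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for idx, msg in review_rules(SAMPLE_RULES):
        print("rule %d: %s" % (idx, msg))
```

Run against the constructed set, only the undocumented catch-all (rule 3) is reported, on all four counts; dropping the trailing deny rule adds a deny-all finding. The same check fits a change-management gate: run it on every proposed rule set and keep the output with the change record.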
Requirement 2: Do not use vendor supplied defaults blah blah blah
- HARDEN YOUR SYSTEMS
- Develop configuration standards
  - Center for Internet Security (cisecurity.org): Level 1 vs. Level 2
  - National Institute of Standards and Technology / NIST (nist.gov)
  - SysAdmin, Audit, Network, Security / SANS (sans.org)
Requirement 2: Do not use vendor supplied defaults blah blah blah
- HARDEN YOUR SYSTEMS
- Wireless: Strong Encryption
  - WPA/WPA2
  - NOT WEP (prohibited after June 30th)
- One function per server
- Cost
  - What about virtualization?
  - Additional systems to meet one function requirement
Requirement 3: Protect stored CHD
- Most of the requirement can be met by using compliant software
- It may be impossible / infeasible to verify requirements on non-compliant software
  - Potential to use a compensating control
- Institution must create an institution data retention and disposal policy
- Cost
  - Compliant software or compensating control
Requirement 4: Encrypt transmission of CHD across open, public networks
- Encrypted CHD is still CHD
  - Exception: When there is no way to decrypt the data at the facility (e.g. public keys)
- Use strong cryptography and protocols
- Do not use end-user messaging technologies to send unencrypted PANs
  - E.g. e-mail, IM, chat
- Effective solutions may differ, depending on the number of individuals impacted
  - Small org: policy may be sufficient
  - Large org: policy and technology may be necessary for enforceability
Requirement 6: Develop and maintain secure systems and applications
- Apply critical patches within one month of release
- Process to identify newly discovered vulnerabilities AND update configuration standards
- Change control process
  - Document impact
  - Management sign-off
  - Testing of operational functionality
  - Back-out procedures
Requirement 5: Use and regularly update anti-virus software or programs
- It's not just anti-virus: you must address all known types of malware
- Required on all systems commonly affected by malicious software
  - Windows: yes
  - Linux/Mac: no, at least not right now
- Automatic updates, periodic scans, logs generated
- Cost
Requirement 6: Develop and maintain secure systems and applications
- Public-facing web apps: options
  - Evaluate annually by an organization that specializes in application security
    - Either internal or external organization
    - Must be independent and qualified
  - Protect by a web-application firewall
- Cost
  - Patch management software
  - Web-app assessment or firewall
Requirement 7: Restrict access to CHD by business need-to-know
- Role-based access control
  - Access is assigned based on job function
  - Least privileges needed for job responsibilities
- Signed authorization form
- Automated system to enforce privileges
  - Default deny-all
- Cost
Requirement 8: Assign a unique ID to each person with computer access
- Unique ID and password / passphrase / 2nd factor
  - No group, shared, or generic accounts
  - Including administrators
- Proper management of user IDs
  - Authorization forms for add, delete, modify
  - Verify identity prior to password resets
  - Unique first-time passwords
  - Immediately revoke access for terminated users
  - Remove / disable inactive accounts (90 days max)
Requirement 8: Assign a unique ID to each person with computer access
- Remote access
  - Off-campus, not off-VLAN
  - Two-factor authentication required for access to network
- Costs
  - RADIUS / TACACS with tokens
  - VPN with individual certificates
  - Two-factor authentication solution
Requirement 8: Assign a unique ID to each person with computer access
- Proper management of user IDs (cont)
  - Maintenance accounts only enabled when needed
- Passwords
  - Required change every 90 days, minimum of 7 characters, alpha-numeric
  - Disallow last four passwords
  - Account lockout after no more than six attempts, locked out for 30 minutes
  - Authentication required after 15 minutes of inactivity
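The password and lockout numbers on this slide are the kind of thing an assessor checks by reading the configuration of each authentication system in scope. Where an institution runs its own application-level authentication, the logic has to be built in, and the example below shows all of them in one place: 7+ alpha-numeric characters, no reuse of the last four, 90-day expiry, six-strike lockout for 30 minutes, and re-authentication after 15 idle minutes. This is an added illustration, not the deck's code or any product's API; the Account class, its in-memory storage, the PBKDF2 hashing and the sample user are assumptions.

```python
"""Enforce the Requirement 8 account controls from the slides in one place.
Added example; Account, its storage and the sample user are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7
HISTORY_DEPTH = 4              # disallow the last four passwords
MAX_AGE = timedelta(days=90)   # forced change every 90 days
MAX_FAILURES = 6               # lock after no more than six attempts
LOCKOUT = timedelta(minutes=30)
IDLE_LIMIT = timedelta(minutes=15)


def digest(password, salt):
    """Salted PBKDF2 so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def password_meets_policy(candidate, salt, previous_digests):
    """Return None if the candidate is acceptable, else the reason it fails."""
    if len(candidate) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        return "must contain both letters and digits"
    new = digest(candidate, salt)
    if any(hmac.compare_digest(new, old) for old in previous_digests[-HISTORY_DEPTH:]):
        return "matches one of the last %d passwords" % HISTORY_DEPTH
    return None


class Account:
    """One account per person: no shared or generic IDs."""

    def __init__(self, user_id, password, now):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.history = []          # password digests, current one last
        self.changed_at = None
        self.failures = 0
        self.locked_until = None
        self.last_activity = None
        reason = self.set_password(password, now)
        if reason:
            raise ValueError(reason)

    def set_password(self, new_password, now):
        """Apply the policy; returns None on success or the failure reason."""
        reason = password_meets_policy(new_password, self.salt, self.history)
        if reason is None:
            self.history.append(digest(new_password, self.salt))
            self.changed_at = now
        return reason

    def login(self, password, now):
        """Return 'ok', 'expired' (correct but over 90 days old), 'denied' or 'locked'."""
        if self.locked_until:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0   # lockout has elapsed
        if hmac.compare_digest(digest(password, self.salt), self.history[-1]):
            self.failures = 0
            self.last_activity = now
            return "expired" if now - self.changed_at > MAX_AGE else "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT
            return "locked"
        return "denied"

    def touch(self, now):
        """Extend the session; False means the user must re-authenticate."""
        if self.last_activity is None or now - self.last_activity > IDLE_LIMIT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```

The lockout counter resets only when the lock window has passed or a correct password is supplied, so an attacker cannot wait out the timer and inherit a fresh set of six attempts mid-window; the idle check clears the session rather than merely reporting it, so a stale session cannot be revived by a later request.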
Requirement 9: Restrict physical access to CHD
- Facility entry controls to access CHD
  - Badge readers, lock/key
  - Video camera or other device to monitor INDIVIDUAL access, retained for three months
- Restrict access to publicly accessible network jacks, access points, gateways, handheld devices, etc. (in CHD environment)
Requirement 9: Restrict physical access to CHD
- Distinguish between employees and visitors
  - Authorized prior to entering CHD area
  - Identification as a non-employee
  - Visitor log retained for three months
- Off-site backups are stored securely
- Paper and electronic media physically secured
Requirement 9: Restrict physical access to CHD
- Maintain strict control over media with CHD
  - Classified
  - Media sent off-site is authorized by management, sent by secure courier, and tracked
  - Inventory media at least annually
  - Properly destroyed when no longer needed
- Cost
  - Facility access controls, physical storage
Requirement 10: Track and monitor all access to network resources and CHD
- Audit trails: log the following
  - Individual access to CHD
  - All actions taken by individuals with root/administrative privileges
  - Access to all audit trails
  - Invalid logical access attempts
  - Use of identification and authentication mechanisms
  - Initialization of the audit logs
  - Creation and deletion of system-level objects
Requirement 10: Track and monitor all access to network resources and CHD
- Detail required for each event:
  - User ID
  - Type of event
  - Date/Time
  - Success/Failure
  - Origin of event
  - Identity or name of affected data, system component, or resource
Requirement 10: Track and monitor all access to network resources and CHD
- Log Management Requirements
  - All critical system clocks and times are synchronized
  - Secure audit trails so they cannot be altered
  - Review logs at least daily (e.g. IDS, AAA). Tools may be used!!
  - Retain at least one year of history; three months immediately available for analysis
- Costs
  - Centralized logging system, storage space, monitoring tools
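The three Requirement 10 slides above reduce to two questions that a centralized logging system can answer automatically: does every record carry the six required details, and does the log actually contain each mandated event category? The script below checks both over a constructed sample, and also flags timestamps that carry no UTC offset, since synchronized clocks are worthless if the records are ambiguous about which clock they refer to. This is an added example, not the deck's tooling; the JSON-lines layout, the event_type vocabulary and the sample records are constructed assumptions.

```python
"""Check audit records for the per-event detail Requirement 10 demands and
report which mandated event categories a log sample never records.
Added example; the record layout and sample log are constructed."""
import json
from datetime import datetime

REQUIRED_FIELDS = ("user", "event_type", "timestamp", "result", "origin", "target")

# Event categories the slides say must be logged, keyed by the event_type
# value this constructed log format uses for each.
REQUIRED_EVENT_TYPES = {
    "chd_access": "individual access to CHD",
    "admin_action": "actions by users with root/administrative privileges",
    "audit_access": "access to audit trails",
    "auth_failure": "invalid logical access attempts",
    "auth": "use of identification and authentication mechanisms",
    "audit_init": "initialization of the audit logs",
    "object_change": "creation and deletion of system-level objects",
}

# Constructed sample: line 4 lacks an origin, line 5 has no UTC offset, line 6 is not JSON.
SAMPLE_LOG = """\
{"user": "jdoe", "event_type": "auth", "timestamp": "2009-03-02T08:15:02-06:00", "result": "success", "origin": "10.20.0.14", "target": "chd-app01"}
{"user": "jdoe", "event_type": "chd_access", "timestamp": "2009-03-02T08:16:40-06:00", "result": "success", "origin": "10.20.0.14", "target": "payments.cardholder"}
{"user": "root", "event_type": "admin_action", "timestamp": "2009-03-02T08:20:11-06:00", "result": "success", "origin": "10.20.0.5", "target": "/etc/ssh/sshd_config"}
{"user": "unknown", "event_type": "auth_failure", "timestamp": "2009-03-02T08:21:05-06:00", "result": "failure", "target": "chd-app01"}
{"user": "svc_backup", "event_type": "audit_access", "timestamp": "2009-03-02 08:30:00", "result": "success", "origin": "10.10.1.2", "target": "/var/log/audit/audit.log"}
this line is not JSON at all
"""


def check_record(record):
    """Return the problems with one parsed record (empty when it is complete)."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        problems.append("missing field(s): " + ", ".join(missing))
    if "result" in record and record["result"] not in ("success", "failure"):
        problems.append("result must be success or failure")
    ts = record.get("timestamp")
    if ts:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp has no UTC offset; synchronized clocks need unambiguous times")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems


def validate_log(text):
    """Return (accepted_records, [(line_no, problem), ...]) for JSON-lines input."""
    accepted, problems = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except ValueError:
            problems.append((line_no, "not valid JSON"))
            continue
        issues = check_record(record)
        problems.extend((line_no, p) for p in issues)
        # A record missing required detail cannot be relied on in an investigation.
        if not any(p.startswith("missing field") for p in issues):
            accepted.append(record)
    return accepted, problems


def missing_event_types(records):
    """Mandated categories that never appear in the accepted records."""
    seen = {r["event_type"] for r in records}
    return sorted(t for t in REQUIRED_EVENT_TYPES if t not in seen)


if __name__ == "__main__":
    records, found = validate_log(SAMPLE_LOG)
    for line_no, problem in found:
        print("line %d: %s" % (line_no, problem))
    for t in missing_event_types(records):
        print("never logged: %s" % REQUIRED_EVENT_TYPES[t])
```

Running the daily review as code like this does not replace reading the output, but it turns "review logs at least daily" into a report of concrete gaps (incomplete records, silent categories) that a person can act on.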
Requirement 11: Regularly test security systems and processes
- Wireless
  - Test quarterly for rogue access points (NetStumbler, Kismet, etc); or
  - Deploy a wireless IDS/IPS
- IDS/IPS
  - Monitoring in the PCI Island
  - Configured to alert of suspected compromises
Requirement 11: Regularly test security systems and processes
- Network Vulnerability Scans
  - Internal
    - Quarterly and after significant changes
    - Can be performed by internal staff
  - External
    - Quarterly and after significant changes
    - Quarterly scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI SSC
    - Scans after changes can be performed by internal staff
Requirement 11: Regularly test security systems and processes
- Network Penetration Tests
  - External and internal tests required
  - Annually and after significant changes
  - Network layer and application layer
  - Can use a qualified internal resource or third party; must be organizationally independent
- File Integrity Monitoring
  - Alert personnel to unauthorized changes of system files, configuration files, content
  - Perform comparisons at least weekly
- Costs
  - Wireless IDS/IPS, IDS/IPS, ASV Scans, Pen-tests, FIM
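The File Integrity Monitoring bullet is one of the cheaper Requirement 11 items to satisfy, because the core mechanism is small: hash the monitored files, keep that baseline somewhere the monitored host cannot rewrite, and compare a fresh snapshot at least weekly. The example below shows that mechanism end to end on a throwaway directory, including the three outcomes personnel need alerting on (modified, removed, added). It is an added illustration, not the deck's tooling or a particular FIM product; the directory layout and file contents are constructed, and the weekly schedule is left to cron or an equivalent scheduler.

```python
"""Minimal file integrity monitoring: SHA-256 baseline of a tree, fresh snapshot,
and a changed/added/removed report. Added example; the sample tree is constructed."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def save_baseline(baseline, path):
    """Persist the baseline; in practice store it off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report what changed between two snapshots; every list is sorted for stable alerts."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def write_file(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a throwaway tree, baseline it, simulate unauthorized changes, return the report."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "etc/app.conf", "listen=443\n")
        write_file(root, "etc/hosts.allow", "sshd: 10.20.0.5\n")
        write_file(root, "www/index.html", "<h1>Payments</h1>\n")
        baseline_path = os.path.join(root, "..", "fim-baseline.json")
        save_baseline(snapshot(root), baseline_path)
        # Simulated unauthorized changes: edited config, deleted file, new content.
        write_file(root, "etc/app.conf", "listen=443\ndebug=true\n")
        os.remove(os.path.join(root, "etc/hosts.allow"))
        write_file(root, "www/promo.html", "<h1>Promo</h1>\n")
        report = compare(load_baseline(baseline_path), snapshot(root))
        os.remove(baseline_path)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points carry over to a production deployment: the baseline file has to live outside the monitored tree (and ideally outside the host), since a baseline the attacker can rewrite proves nothing, and every authorized change, whether from patching or change control, needs a baseline refresh so the weekly comparison reports only the changes nobody approved.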
Requirement 12: Maintain a policy that addresses information security for employees and contractors
- Technical Guideline (Draft) includes items that can be centralized
- Institutions must create policies and procedures
  - Complete an annual risk assessment
  - Document information security responsibilities
    - Establishing, documenting, and distributing security policies and procedures
    - Monitoring, analyzing, and distributing security alerts and information
  - Create an Incident Response Plan (Template available)
  - Administrative accounts
  - Access to data
Requirement 12: Maintain a policy that addresses information security for employees and contractors
- Institutions must create policies and procedures (cont)
  - Awareness training
  - Signed acknowledgements of security policies
  - Conduct background checks for anyone that has access to more than one credit card number at a time
  - Maintain a list of computer devices and personnel with access
    - Label with owner, contact information, and purpose
Requirement 12: Maintain a policy that addresses information security for employees and contractors
- Service provider management
  - List of providers
  - Acknowledgement of responsibilities for PCI data
  - Due diligence prior to engagement
  - Monitor PCI DSS compliance
- Costs
Summary
- Remediation Strategies Recap
- Applying the Requirements
- Requirements Discussion
Questions for the QSA?
NetSPI
800 Washington Avenue North, Suite 670
Minneapolis, Minnesota 55401
Direct: 612-695-0661
Scott.St.Aubin@netspi.com
www.netspi.com