The PCI DSS setup necessitates certain requirements for establishing a defense in depth concept. The DSS requirements interpretation depends on organization structure and ability of the IT department. The ultimate aim is to achieve and maintain compliance within the organization.
The key areas are addressed by PCI DSS through requirements and common actions involved in the setup:
I: A Secured Network and Systems must be Built and Maintained
Requirement 1: Firewall configuration must be Installed and maintained to protect cardholder data
Testing Procedures: Examine the firewall configuration standards and verify router configuration standards through a documented list of all services, protocols and ports, including business justification approvals for each and every system activity.
Guidance: Network and cardholder data-flow diagrams should describe how the organization tracks the scope of their environment, and control cardholder data flows across networks and between individual systems and devices.
Requirement 2: Defaults system passwords and other security parameters supplied by vendor should be changed
Testing Procedures: The organization must change all vendor-supplied defaults and eliminate unnecessary default accounts. All the primary function per-server should have mechanism for preventing threats at different security levels that co-exist on the same serves. Necessary services, protocols, daemons, etc., should be secured for implementing the procedure.
Guidance: Often vendors use default settings, account names, and passwords to test the operating system software, applications, and the systems on which they are installed. Default settings are often published to the hacker communities, by not changing these settings the systems will turn into vulnerable target for attacks.
II: Cardholder Data Protection
Requirement 3: Protecting the accumulated cardholder data
Testing Procedures: Sensitive data must be authenticated and examined from the point where they are received, reviewed as per the policies and procedures, and system configurations should be verified for data retention.
Guidance: All the accumulated data must be encrypted for a quicker compliance. The data must be easy to assess for several commercial tools as and when required. The only cardholder data that must be retained for authorization should be the primary account number or PAN rendered unreadable, expiry date of the card, cardholder name, and service code.
Requirement 4: Transmission of the cardholder data across open and public networks should be encrypted
Testing Procedures: The documented policies and procedures must be put in place to verify the processes, acceptance of trusted keys and/or certificates, protocols used that support the secured versions and configurations. Implementation of proper encryption strengthens security protocols and strong cryptography.
Guidance: Malicious users are spread widely to eavesdrop on wireless communications. With the help of strong cryptography the organization can limit sensitive information disclosure across wireless networks. This will prevent malicious users from gaining access to the wireless network or gain access to internal networks or data utilizing wireless networks. With proper Mapping of router transmission, a quicker encryption requirement can be identified, while another transmission can be configured for VPN software like SSL & IPSec.
III: Maintain a Vulnerability Management Program
Requirement 5: Anti-virus software that protects your system must be regularly updated against malware
Testing Procedures: Examine anti-virus configurations, master installation of the software and sample of system components to verify the effectiveness of anti-virus software. Network Access Control (NAC) mechanism will ensure that antivirus patches are applied to individual workstations and do not disturb the system protection, as they attempt to connect to the network.
Guidance: Audit logs provide the ability to monitor virus, malware activity and reactions to anti-malware. Imperative anti-malware solution configured should generate audit logs to manage the system activities. The PCI DSS standard clarifies with a note that anti-malware protection must be included in all operating systems, addressing all forms of malware.
Requirement 6: Systems and applications developed and maintained must be secured
Testing Procedures: Policies and procedures must be in place to verify the processes security vulnerabilities, risk ranking to vulnerabilities and outside sources for security vulnerability.
Guidance: The organizations should keep all the data checked for the possible vulnerabilities that might impact their environment. Sources for vulnerability information are often vendor websites, industry news groups, mailing list, or RSS feeds. The organization must adapt methods to evaluate vulnerabilities on an ongoing basis and assign risk rankings to the vulnerabilities. Thus, identifying, prioritizing, and addressing the highest risk quickly.
IV: Implement Strong Access Control Measures
Requirement 7: The cardholder data access should be subjected to restriction by business
Testing Procedures: Access and privilege assignments should be pre-defined for each role in the organization. Privileged user IDs necessary to perform job responsibilities should be assigned along with classification and function. The approval must be documented with authorized parties’ signature.
Guidance: The access to cardholder data should be limited as it involves risk to the user’s account. Limiting the access to the data will help the organization in preventing mishandling of cardholder data. The organization should define the access and role of all the individual’s handing the data like system administrator, call center personnel, or store clerk. The level of privilege each role should be effectively performed accordingly.
Requirement 8: Identify and authenticate access to system components, a unique identification ID number should be assigned for access to each individual, by defining uniquely accountable action.
Testing Procedures: Administrative personnel should confirm that all users are assigned with a unique ID for access to the system components or cardholder data. Associated authorizations and system settings must be by verified through each user ID and privileged user ID
Guidance: Ensuring uniquely identified user ID for several employees of an organization can maintain individual responsibility and actions for an effective audit trail. This will speed up the issue resolution and avoid malicious incidents.
Requirement 9: Cardholder data access must be restricted from physical access
Testing procedure: The physical security controls should be ensured for each computer room, data center, and other physical areas within the systems and data environment. The access must be controlled through badge readers along with authorized badges, lock and key.
Guidance: Physically access to the sensitive areas should be strong as the criminal’s attempt to gain physical access to sensitive areas bypassing the monitoring controls. Strong controls should be in place for tampering like video cameras positioned to monitor the area and control mechanisms for physical protections should be installed for perverting damages or malicious individuals.
V: Regularly Monitor and Test Networks
Requirement 10: All access to the network resources and cardholder data must be tracked and monitored
Testing Procedures: Through observation and interviewing the system activities must enable Audit trails and active components of a system. The Access to the system components must be linked to individual users and should be tracked appropriately.
Guidance: Generating audit trails with susceptible activities alerts by the system administrator and monitoring mechanisms through events like intrusion detection systems, provides a solution for post incident follow-up. The events and incidents enable an organization to identify and trace potential malicious activities.
Requirement 11: Regularly test security systems and processes
Testing Procedures: Verify the methodology that is adequate enough to detect and identify unauthorized wireless access points such as WLAN cards inserted into system component or Portable/ mobile devices attached to system components to create a wireless access point. The output must be examined and checked at least quarterly for all the systems.
Guidance: Implementation of wireless technology within a network is the common root for malicious users to gain access over the network and cardholder data. Unauthorized wireless devices hidden could result in an unauthorized access point into the environment. Taking the wireless devices and administrating it quickly identify responding and unauthorized wireless access points proactively. This will help in minimizing the exposure of CDE to malicious individuals.
VI: Maintain an Information Security Policy
Requirement 12: Addressing all the security personal Information security policy must be maintained
Testing Procedures: Risk-assessment review must be documented and verified for the risk-assessment process. This must be performed at least once in a year to have a check on significant changes in the environment.
Guidance: The organization information security policy is the roadmap for implementing security measures to protect the valuable assets. All personnel within the organization should be aware of the sensitivity of data and their responsibilities in Security operation protection. Frequent updates of the security policy should reflect relevant changes addressing the threats areas.
Resources should be effectively allocated to implement controls that reduce the likelihood and/or the potential impact of the threat being realized. Performing risk assessments annually on significant changes, allows the Security operations to stay updated with the organizational changes and evolving threats, trends, and technologies.
Courtesy: PCI-DSS V 3.2 Standard