Identify what tools you would use, along with the testing procedures provided, to evaluate Requirement 6 of the PCI DSS. Make sure to identify a tool (as applicable) for each testing procedure and state the tool you would use to verify compliance.
Develop and maintain secure systems and applications.
PCI DSS Requirement 6 states that systems and applications require careful development and regular maintenance, so that they are not only built securely from the ground up but also promptly patched with the updates their vendors release. The aim is to ensure systems and applications do not expose vulnerabilities that could be exploited by attackers targeting them to steal sensitive cardholder data such as credit and debit card numbers. In addition, malware often uses known (or sometimes unknown) vulnerabilities to exploit unpatched systems automatically and gain privileged access to the Cardholder Data Environment (CDE).
When your website sits behind a web application firewall such as the Sucuri Website Firewall, you have one of the two options PCI DSS Requirement 6.6 accepts for public-facing web applications (the other being regular application-layer vulnerability assessment); a WAF on its own does not satisfy Requirement 1 or the rest of Requirement 6.
FortiWeb Web Application Firewalls provide specialized, layered web application threat protection for medium/large enterprises, application service providers, and SaaS providers. FortiWeb Web Application Firewalls protect web-based applications and internet-facing data from attack and breaches. Using advanced techniques it provides bidirectional protection against malicious sources, DoS attacks and sophisticated threats such as SQL injection, cross-site scripting, buffer overflows, file inclusion, cookie poisoning, and numerous other attack types.
Imperva SecureSphere Web Application Firewall analyzes all user access to your business-critical web applications and protects your applications and data from cyber attacks. SecureSphere Web Application Firewall dynamically learns your applications' "normal" behavior and correlates this with threat intelligence crowd-sourced from around the world and updated in real time to deliver superior protection.
The free and open source security framework w3af may help budget-strapped organizations find and fix these vexing security holes. Use w3af to identify more than 200 vulnerabilities and reduce your site's overall risk exposure.
Acunetix Web Vulnerability Scanner helps you meet PCI requirements. Acunetix will check your web site and alert you to any issues you need to fix. Once they are fixed, it will create a detailed report that lets you prove you meet these particular PCI DSS requirements.
A web vulnerability scanner such as Acunetix addresses the application-layer checks in Requirement 6 (the common coding flaws of 6.5 and the public-facing application assessment of 6.6); a network security scanner, which covers the quarterly scans of Requirement 11.2, does not test those.
WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities within the web application layer. It can also help check that a web server is configured properly, and it attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more. It was produced by SPI Dynamics, which is now part of HP. HP WebInspect is positioned as an industry-leading web application security assessment solution designed to thoroughly analyze today's complex web applications.
Scanning applications can provide a key component to the vulnerability management process by helping you to understand your organization’s potential vulnerabilities. Penetration testing with Core Impact builds on this process by identifying which vulnerabilities are real, while determining if and how they can be exploited. This gives you the information you need to intelligently prioritize remediation efforts and effectively allocate security resources.
Incapsula's cloud-based Web Application Firewall (WAF), hosted by Rackspace, safeguards your websites and applications from web attacks, helping you avoid costly data breaches and downtime.
CloudFlare WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they reach your servers. It covers both desktop and mobile websites as well as applications.
In general, PCI compliance is required by the card brands to secure payment transactions and protect cardholder data from theft. Any merchant that processes, stores or transmits credit card data is required to be PCI compliant, according to the PCI Security Standards Council.
No matter where you are in your PCI compliance journey, you'll need a reference to help organize your thoughts and get headed in the right direction. We hope this article will serve as your “jumping off point” as you start to address the requirements of the PCI DSS.
Before diving into the PCI requirements, you will want to start by determining which SAQ applies to your business. While most requirements will stay the same, there are some differences in the work you’ll need to do based on your SAQ.
PCI DSS Requirement 1: Protect your system with firewalls
The first requirement of the PCI DSS is to protect your system with firewalls. Properly configured firewalls protect your card data environment. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by your organization.
You’ll want to install both hardware firewalls and software firewalls. Both provide a first line of defense for your network. Hardware firewalls are the more robust security option. They can protect an entire network and segment its internal areas. Hardware firewalls are typically more expensive, take time to properly configure, and need to be maintained and reviewed regularly.
Software (host-based) firewalls are cheaper and easier to maintain. They protect a single host, and matter most for devices such as employees' laptops and mobile devices that move in and out of the secure environment. If an employee clicks a link in a phishing email, a host firewall will not stop the malware from running, but it can block unsolicited inbound connections to the host and restrict the infected host's outbound traffic, limiting what the malware can reach.
PCI DSS Requirement 2: Configure passwords and settings
You shouldn’t keep vendor-supplied defaults around.
Out-of-the-box devices, such as routers or POS systems, come with
factory settings like default usernames and passwords. Defaults
make device installation and support easier, but they also mean
that every model originates with the same username and password.
Default passwords are simple to guess, and most are even published
on the Internet.
The problem is that third parties sometimes install hardware or
software and leave merchants unaware that their entire system is
protected by an easy-to-find/crack password. Vendors might also
purposely leave weak or default passwords to make service easier.
But, that’s like leaving your front door unlocked just to make life
more convenient.
Fulfilling requirement 2 involves inventorying and then properly
configuring all security settings on all systems and devices. You
will need to assign someone to compile and review this
information.
PCI DSS Requirement 3: Protect stored cardholder data
The point of the 12 PCI DSS requirements is to protect stored cardholder data and prevent data breaches. Requirement 3 says stored card data must be rendered unreadable, typically with strong encryption using industry-accepted algorithms (e.g., AES-256); truncation, tokenization and strong one-way hashing are also permitted. The problem is that many merchants don't know they store unencrypted primary account numbers (PAN).
Not only must card data be encrypted, the encryption keys
themselves must also be protected. For example, using a solid PCI
DSS encryption key management process will help keep you from
storing the key in the “lock” itself.
To fulfill this requirement, you need to create and document a
current cardholder data (CHD) flow diagram for all card data flows
in your organization. A CHD flow diagram is a graphical
representation of how card data moves through an organization (see
example). As you define your environment, it’s important to ask all
organizations and departments if they receive cardholder
information, and then document how their answers may change card
data flows.
You should regularly run a data discovery tool like PANscan or
PIIscan. These tools help identify the location of unencrypted PAN
and other sensitive information, so you can securely delete or
encrypt it.
PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks
For requirement 4, you need to know where you send cardholder data. Here are common places where primary account numbers (PAN) are sent:
You then need to use encryption and have security policies in place
when you transmit this cardholder data over open, public
networks.
A note about SSL and early TLS: because of known vulnerabilities in these protocols, the PCI Security Standards Council has required migration from SSL and early TLS (TLS 1.0) to secure versions of TLS (TLS 1.1 at minimum, with TLS 1.2 or higher strongly recommended) by June 30, 2018.
PCI DSS Requirement 5: Use and regularly update anti-virus software
Anti-virus software needs to be installed on all systems commonly affected by malware. Make sure anti-virus or anti-malware programs are updated regularly so they can detect current known malware. An up-to-date anti-malware program helps prevent known malware from infecting systems; it offers little protection against malware it has no signature or behavioral rule for.
Be sure you or your POS vendor are regularly running your
software’s anti-virus scans.
You should also keep up to date on current and existing malware
threats. Using outside sources, such as vendor/anti-virus threat
feeds, merchants can find out about emerging malware and attacks on
systems. Then you can configure systems to alert and report on
suspicious activity, such as new files added to known malware
directories or unauthorized access attempts.
PCI DSS Requirement 6: Regularly update and patch systems
Applications will never be perfect, which is why vendors frequently release updates to patch security holes. These updates are time-sensitive: once one attacker knows how to get through a hole, that knowledge spreads quickly through the attacker community, often as a public exploit, and the weakness will be exploited until the patch is applied.
Quickly implementing security updates is crucial to your security
posture. Patch all critical components in the card flow pathway,
including:
Be vigilant and consistently update the software associated with
your system. Requirement 6.2 states merchants must “install
critical patches within a month of release” to maintain compliance.
Don’t forget to update critical software installations like credit
card payment applications and mobile devices. To stay updated, ask
your software vendors to put you on their patch/upgrade
notification list.
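As an added example (not the page's or any vendor's code), the Python below turns the Requirement 6.2 rule above into a report a merchant could run against its patch inventory: each record carries the vendor release date, the risk ranking from the 6.1 process, and the install date if any, and the script says which patches are overdue, which were installed late, and by how many days. Treating "one month" as 30 days, the 90-day target for non-critical patches, and all hosts, patch identifiers and dates are assumptions for the illustration.

```python
"""Overdue-patch report for PCI DSS 6.2. Added illustration; records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

CRITICAL_SLA_DAYS = 30  # 6.2: critical patches within one month of release (assumed as 30 days)
OTHER_SLA_DAYS = 90     # assumed internal target for non-critical patches, not a PCI DSS figure


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    risk: str                  # risk ranking from the 6.1 process: "critical" or lower
    released: date             # vendor release date
    installed: Optional[date]  # None while the patch is still missing


def sla_days(risk: str) -> int:
    return CRITICAL_SLA_DAYS if risk == "critical" else OTHER_SLA_DAYS


def patch_status(rec: PatchRecord, as_of: date) -> Tuple[str, int]:
    """Classify one record as of a given date.

    Returns (status, days_late) where status is "within_sla", "installed_late"
    (applied after the deadline) or "overdue" (still missing past the deadline).
    """
    deadline = rec.released + timedelta(days=sla_days(rec.risk))
    closed_on = rec.installed or as_of   # a missing patch keeps accruing days
    days_late = (closed_on - deadline).days
    if days_late <= 0:
        return "within_sla", 0
    return ("installed_late" if rec.installed else "overdue"), days_late


def patch_report(records: List[PatchRecord], as_of: date) -> List[Tuple[str, str, str, int]]:
    """Return (host, patch_id, status, days_late) for every record, worst first."""
    rows = [(r.host, r.patch_id, *patch_status(r, as_of)) for r in records]
    return sorted(rows, key=lambda row: -row[3])


# Constructed sample inventory; hostnames, patch ids and dates are illustrative only.
AS_OF = date(2018, 3, 1)
SAMPLE_RECORDS = [
    PatchRecord("pos-01", "KB-A", "critical", date(2018, 1, 2), date(2018, 1, 20)),
    PatchRecord("pos-01", "KB-B", "critical", date(2018, 1, 2), None),
    PatchRecord("web-01", "KB-C", "high", date(2017, 11, 15), None),
    PatchRecord("web-01", "KB-D", "critical", date(2018, 1, 10), date(2018, 2, 20)),
]

if __name__ == "__main__":
    for host, patch_id, status, days_late in patch_report(SAMPLE_RECORDS, AS_OF):
        print(f"{host:8} {patch_id:6} {status:15} {days_late:>3} days late")
```

The "installed_late" status is worth keeping separate from "overdue": it is closed from a risk standpoint, but an assessor reviewing 6.2 evidence will still want to see why the window was missed.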
PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know
To fulfill requirement 7, you need a role-based access control
(RBAC) system, which grants access to card data and systems on a
need-to-know basis. Configure administrator and user accounts to
prevent exposure of sensitive data to those who don’t need this
information.
PCI DSS 3.2 requires a defined and up-to-date list of the roles
(employees) with access to the card data environment. On this list,
you should include each role, the definition of each role, access
to data resources, current privilege level, and what privilege
level is necessary for each person to perform normal business
responsibilities. Authorized users must fit into one of the roles
you outline.
PCI DSS Requirement 8: Assign a unique ID to each person with computer access
According to PCI DSS requirement 8, user IDs and passwords need
to be sufficiently complex and unique. You should not use group or
shared passwords.
However, your system security should not be based solely on the
complexity of a single password. No password should be considered
“uncrackable,” which is why, as of February 1, 2018, all
non-console administrative access (remote access) to in-scope
systems requires multi-factor authentication.
PCI DSS Requirement 9: Restrict physical access to workplace and cardholder data
Employees may think physical security only applies after hours.
However, most data thefts (e.g., social engineering attacks) occur
in the middle of the day, when staff is often too busy with their
various assignments to notice someone walking out of the office
with a server, company laptop, phone, etc.
You are not allowed to store sensitive information like payment
card data out in the open. For example, many hotels keep binders
full of credit card numbers behind the front desk, or piled on the
fax machine, for easy reservation access. Unfortunately, this
collection of files not only makes life easier for employees but
gives criminals easy access to this information.
Requirement 9 states that you must physically limit access to areas
with cardholder data, as well as document the following:
You will also need to implement automated lockout/timeout
controls on workstations, periodically inspect all devices, and
most importantly—train your staff regularly about physical
security, policies and procedures, and social engineering.
PCI DSS Requirement 10: Implement logging and log management
We found that in 2017, non-compliance with requirement 10 was
the most common contributor to data breaches. Logs are only useful
if they are reviewed.
System event logs are recorded tidbits of information regarding
actions taken on computer systems like firewalls, office computers,
or printers. To fulfill requirement 10, you must review logs at
least daily to search for errors, anomalies, and suspicious
activities that deviate from the norm. You’re also required to have
a process in place to respond to these anomalies and
exceptions.
Log monitoring systems, such as Security Information and Event Management (SIEM) tools, can help you oversee network activity, inspect system events, alert on suspicious activity, and retain records of the user actions that occur inside your systems.
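As an added example (not the page's own code), the Python below runs a minimal daily log review of the kind Requirement 10 asks for, over constructed sshd-style authentication lines. It flags three things a reviewer should not miss: a run of failed logins from one source that reaches the six-attempt lockout threshold of Requirement 8.1.6, a successful login that follows such failures, and interactive use of a shared or generic account, which Requirement 8.5 forbids. Hostnames, addresses, process ids and timestamps are constructed.

```python
"""Daily authentication-log review for PCI DSS Requirement 10.
Added illustration; the log lines are constructed, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

GENERIC_ACCOUNTS = {"root", "admin", "administrator"}  # shared IDs, forbidden by 8.5
LOCKOUT_THRESHOLD = 6          # 8.1.6: lock out after at most six failed attempts
WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    user: str
    src: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse sshd password-auth lines; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["host"],
                                    m["result"], m["user"], m["src"]))
    return events


def review(events: List[AuthEvent], threshold: int = LOCKOUT_THRESHOLD,
           window: timedelta = WINDOW) -> List[Tuple[str, str, str, int]]:
    """Return findings as (kind, src, user, count), in the order they trigger."""
    findings = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.user)
        recent = [t for t in failures[key] if ev.ts - t <= window]  # failures inside the window
        if ev.result == "Failed":
            recent.append(ev.ts)
            failures[key] = recent
            if len(recent) == threshold:   # report once, when the lockout threshold is reached
                findings.append(("brute_force", ev.src, ev.user, len(recent)))
        else:
            if recent:                     # success right after a string of failures
                findings.append(("success_after_failures", ev.src, ev.user, len(recent)))
            if ev.user in GENERIC_ACCOUNTS:
                findings.append(("shared_account_login", ev.src, ev.user, 1))
    return findings


# Constructed sample log: a short password-guessing run against root that
# succeeds, a normal user login, and one stray failure for "admin".
SAMPLE_LOG = """2018-03-01T02:14:01 pos-01 sshd[4011]: Failed password for root from 203.0.113.7 port 51022 ssh2
2018-03-01T02:14:09 pos-01 sshd[4011]: Failed password for root from 203.0.113.7 port 51022 ssh2
2018-03-01T02:14:17 pos-01 sshd[4012]: Failed password for root from 203.0.113.7 port 51024 ssh2
2018-03-01T02:14:25 pos-01 sshd[4012]: Failed password for root from 203.0.113.7 port 51024 ssh2
2018-03-01T02:14:33 pos-01 sshd[4013]: Failed password for root from 203.0.113.7 port 51026 ssh2
2018-03-01T02:14:40 pos-01 sshd[4013]: Failed password for root from 203.0.113.7 port 51026 ssh2
2018-03-01T02:14:52 pos-01 sshd[4020]: Accepted password for root from 203.0.113.7 port 51040 ssh2
2018-03-01T09:03:10 pos-01 sshd[5120]: Accepted password for jsmith from 10.0.5.21 port 40100 ssh2
2018-03-01T09:05:00 pos-01 sshd[5130]: Failed password for invalid user admin from 10.0.5.40 port 40200 ssh2
"""

if __name__ == "__main__":
    for kind, src, user, count in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} src={src:14} user={user:8} count={count}")
```

The single "admin" failure produces nothing, which is the point of the window and threshold: a daily review has to separate one mistyped password from a guessing run, and the success-after-failures finding is the one that should trigger the response process the requirement calls for.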
PCI DSS Requirement 11: Conduct vulnerability scans and penetration tests
Your data could be left vulnerable due to defects in web
servers, web browsers, email clients, POS software, operating
systems, and server interfaces. Yes, fulfilling requirement 6
(installing security updates and patches) can help correct many of
these defects and vulnerabilities before attackers have the
opportunity to leverage them. But in order to be sure you’ve
successfully patched these vulnerabilities, you need to be able to
find them and test them. For that you need to perform regular
vulnerability scanning and penetration testing.
A vulnerability scan is an automated, high-level test that looks
for and reports potential vulnerabilities. All external IPs and
domains exposed in the CDE are required to be scanned by a PCI
Approved Scanning Vendor (ASV) at least quarterly.
A penetration test is an exhaustive, live examination designed to
exploit weaknesses in your system. Just like a hacker, penetration
testers analyze network environments, identify potential
vulnerabilities, and try to exploit those vulnerabilities (or
coding errors). Basically, these analysts attempt to break into
your company’s network.
Requirements for frequency and type of penetration test will vary
depending on your SAQ, business size, environment, systems,
etc.
PCI DSS Requirement 12: Maintain documentation and perform risk assessments
The final requirement for PCI compliance is to keep
documentation, policies, procedures, and evidence relating to your
company’s security practices.
If you perform a PCI audit, you’ll quickly pick up on the fact that
there’s a big emphasis on your documented security policies and
procedures. During an assessment, QSAs will typically verify that
specific requirements are defined in company policies and
procedures. Then, they’ll follow predefined testing procedures to
verify that those controls are implemented in accordance with the
PCI Data Security Standard and with written company policies.
You will need to include the following information in your
documentation:
The second part of requirement 12 is to perform an annual, formal
risk assessment that identifies critical assets, threats, and
vulnerabilities. This requirement will help you identify,
prioritize, and manage your information security.
The process of reaching PCI compliance takes time and can seem like
an overwhelming list of demands, but it’s ultimately what will make
the difference between a failed cyber-attack on your business and a
cyber-attack that sinks your business.