24
May
17

What Is The Secret?

If you are a P2PE-QSA, you have likely seen the documentation required to do a Non-Listed Encryption Solution Assessment (NESA).  While the P2PE assessment work program (on which the NESA is based) is available to everyone, apparently the Council feels that only P2PE-QSAs have a right to see the new NESA documentation.

Why?

My assumption about this secrecy is that the Council is restricting access to the NESA documentation to stop any QSAs that are not P2PE-QSAs from conducting their own NESAs.

But what does that do to the rest of us that are not so fortunate?  How will the rest of the QSA/ISA community know that what they are receiving as the NESA is in fact what they should be receiving if they have never seen it and the Council has chosen to not do training?

People already complain that the Council makes statements at the Community Meetings that are never communicated to the wider PCI community that are unable to attend.  So here we are with a process that produces one or more documents (who knows unless you are a P2PE-QSA).  Yet, as a QSA/ISA, we have no idea what it looks like and have no guidance as to what we should look for in these documents to ensure that the NESA was done properly.  We could end up with anything with a PCI SSC logo on it labeled “NESA” and have no idea whether it is acceptable or not.

And if history is a guide, I guarantee you the Council will hold QSAs/ISAs responsible if they accept anything as a NESA even though they have provided no guidance.  That is what happened with the first AQM reviews.  None of the QSACs in that first round of AQM reviews had ever seen the standards by which they would be judged (they were still being developed).  But almost every QSAC went into remediation (there were a few “favorites” that dodged remediation) because they were all assessed to those standards even though the first time those standards were seen by those QSACs was at the start of their respective AQM assessment.

As QSAs/ISAs we have a right to not accept any documentation or attestations that we feel does not convey the information that we believe is necessary to prove compliance of a third party solution.  So I guess until the Council trains us in the new NESA process and what is acceptable and not acceptable, we do not have to accept any output from that process.

At least that is how I recommend QSAs/ISAs should treat the NESA documents until the Council decides to train us.

22
May
17

Answering Some Dream Team Questions

After our PCI Dream Team event on May 17, I thought I would take some questions that do not require long and involved answers and publish them in this post.  FYI – I have edited and spell checked these, so they likely do not look like you entered them but they should convey your questions as you asked them.  Hopefully I answered on of your questions.

Q: Does anything special need to be done with the use of Virtual Terminals?  We use the virtual terminals to manually enter credit cards from time to time.  The computers used are normal user computers with the basic security done, but I have been wondering if they need to have extra limitations or security put in?

A: There are a lot of solutions that imply they take the workstation/terminal out of scope or magically reduce scope when using virtual desktop (VDI) solutions.  None of it is true.  If a device is used to enter PAN (regardless of HOW), it is a Category 1 device because it is used to enter PAN.  The bottom line is that any device used to enter PAN is in-scope for full PCI compliance.  There is no “magic” to change that fact.

Q: Do all POI devices have a keypad? I’m thinking of PC’s with integrated MCR’s – will those all change to separate POI’s with a keypad?

A: All point of interaction (POI), aka card terminals, that are customer facing have a keypad because they need to be able to accept PIN entry.  Merchants that are going to P2PE/E2EE solutions end up with a separate POI that is connected to the POS PC/terminal via USB so that the POS solution can communicate the total price of the sale as well as to know if the transaction is approved or declined.  The POI securely communicates with the transaction processor over Ethernet or using the USB connection and the Ethernet connection of the POS PC.  In both cases, the POS PC never has access to the sensitive authentication data (SAD)/cardholder data (CHD) as it is encrypted at the POI.  However is using an E2EE solution, the QSA will need to validate that the E2EE solution to ensure that they do in fact encrypt at the POI and therefore the POS PC/terminal is out of scope.  In addition, the merchant will have to contact their acquiring bank to get formal approval that the E2EE solution gives scope reduction for the merchant.  This will likely require the QSA to provide their evidence and assessment procedures to the acquiring bank for that approval.

Q: Are administrator workstations always in scope for PCI DSS regardless if an administrator is connecting to CDE servers via jump box?

A: Yes, because they are “connected to” systems when they access the jump box.  They may not be entering cardholder data (CHD), but they likely can access it or influence its processing/transmission because they are administrators.  That said, I would treat them in the Open PCI Scoping Toolkit vernacular as a Category 2x system.  That means they can probably avoid the bulk of PCI requirements but, at a minimum, need to be properly security hardened, kept updated, have anti-virus/anti-malware and are monitored “periodically”.  And as a reminder, administrators will need to use multi-factor authentication (MFA) after January 31, 2018 when accessing the cardholder data environment (CDE).

Q: Are you having/forcing your clients to follow the December scoping guidance, and are you bringing administrator workstations into scope?

A: I guess I am curious as to when anyone would have thought that administrator workstations ever were out of scope?  Nothing has changed in that regard as they were always in scope for PCI compliance.

Q: Are “crash kits” in restaurants for use when the system is down in scope for compliance?

A: The kits themselves are not in scope, but when they get used, the forms that get generated which contain the embossed image or handwritten PAN and other sensitive authentication data (SAD)/cardholder data (CHD) place those forms in scope for PCI compliance.  They therefore need to be securely stored, securely transmitted and subsequently securely destroyed in accordance to the relevant requirements in section 9.

Q: Does pushing non-cardholder data out of CDE system excludes connected system out of PCI scope? For example pushing non-cardholder data such as CPU usage for monitoring or number of transactions per day used for reporting etc.

A: According to a discussion at the 2016 Community Meeting and a subsequent Assessor call, the Council has publicly stated that if it can be unequivocally proven that the flow is only outbound from the cardholder data environment (CDE) to a device and that the data does not contain cardholder data (CHD), that device can be ruled out of scope.  However you have to get your QSA to buy into that argument and I do not know too many QSAs that will agree with that decision.  In my experience, there is still too much of a risk that cardholder data (CHD) could leak through that flow and saying it is out of scope is not accurate nor is it good practice as it leads to an exfiltration point that is not monitored.  The question you have to ask yourself is, how will it look in that newspaper headline when your organization is breached that you ruled it out of scope because it was outbound only?

Q: PCI DSS requires a firewall in place, are host level firewalls meeting that requirement?

A: Yes, as long as they perform stateful packet inspection (SPI), they are properly and securely configured and they are appropriately monitored like any other in scope firewall.

Q: Regarding vulnerability assessments for internal scans, do we have to address medium vulnerabilities or only critical and high vulnerabilities?

A: The PCI DSS and the Council have been very clear on this which is why it is disconcerting when this question constantly gets asked.  The guidance for requirement 6.2 is very clear as it states, “Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months.”  The bottom line is that you need to apply ALL patches/updates to all in scope systems as soon as possible.  So get on with patching and updates, no excuses.

Q: More than once I’ve been told that the decision to implement PCI compliant controls is a financial decision. What are the expected fines and penalties for failing?

A: No organization gets to ignore any PCI requirement because of financial or any other reasons.  However in those cases where a requirement cannot be directly met, an organization must then come up with compensating controls that go above and beyond that requirement in order to be in compliance.  In my experience, it is almost always cheaper to meet the PCI requirement than to go the compensating control worksheet approach.  You will have to talk to the card brands as they are the ones that come up with the fines and penalties.

Q: Do you ever foresee the card brands implementing any sort safe harbor clauses in regard to PCI?  If a merchant is doing their best to be secure and (more importantly, as far as PCI is concerned) compliant and they are breached, as it stands right now, PCI will not help you.  Instead, PCI seems to be wielded as a weapon to extract fines from the merchant.

A: You are joking right?  LOL!  Actually, with merchants going to P2PE/E2EE and tokenization solutions, I could envision changes in the PCI compliance process at the merchant level because the risk is only with the POI.  Time will tell.

Q: Have you heard anything further regarding the FTC’s review of PCI?

A: Not a word and I would not expect to hear anything until the FTC decides to tell us anything.  I do know that issues regarding the FTC’s information requests from the QSACs were supposedly worked out and that the requested information was delivered to the FTC.  But that is the extent of my knowledge on the matter.

18
May
17

Thank You To Everyone

We had a great session yesterday with lots of great questions.  We appreciate all of you that were able to attend and submitted questions both through the blog and when we were online.

For those that could not attend, the session was recorded so you can play it back on BrightTalk.

The session went the full hour and 15 minute limit and we just could not get to all of the questions posted.  However we did capture all of the questions posted.  I know I can see a number of blog posts here based on those questions and I am sure other Dream Team participants will write about them as well.  So stay tuned.

14
May
17

Talk To The PCI Guru Live

Actually, you will get to talk to FOUR PCI Gurus this coming week.  Bring us your hardest PCI questions.

Follow this link and register for our PCI Dream Team discussion on May 17 (depending on your time zone).

I hope to “see” you there. It should be a great time.

28
Apr
17

The Five Stages Of PCI

Had a meeting with a prospect recently that is bound and determined to avoid PCI compliance yet still will accept payment cards.

My response?  Good luck with that!

You would think after 15 years of PCI (and actually even longer) that people would understand that PCI compliance is a fact of life.  But I continue to find that PCI is no different than the five stages of grief.

Denial

This is where that prospect is now.  They cannot believe that there is no way to avoid PCI compliance.

For once and for all, if your organization accepts payment cards, you MUST comply with the PCI DSS.  Do not like that answer?  There is nothing as a QSA I can do to effect that fact.

However, for merchants there is a way out.  Do not accept payment cards for payment.  It is that simple.

That answer though immediately leads to the next stage.

Anger

I once had a prospect tell me very emphatically that PCI was unenforceable.  I asked them if they had read their Merchant Agreement with the bank that allowed them to accept payment cards for payments.  To my astonishment they said, “What the [expletive] does that have to do with anything?”

You can be angry all you want but PCI compliance is a legal, contractual requirement documented in the Merchant Agreement, Card Operating Rules and other documentation referenced in those documents.  Someone in your organization signed that Merchant Agreement – most likely your Chief Financial Officer (CFO), Controller, Treasurer or heaven forbid – the person that is blowing their cork.  That is the person you should share your anger with, not me.  As a QSA, I am just the messenger.

Anger is even worse with service providers.  Particularly those that provide services tangential to card processing such as those that provide network, firewall or server management services.  They had no idea that their customer(s) needed them to be PCI compliant because they never realized that their service(s) could affect the security of payments.  These folks get totally blindsided by PCI compliance and hence their anger.

I have found that anger over PCI can last a long, long time with some organizations and people.  I still have clients that are angry about it.  It may be less aggressively displayed, but you can tell that they are still angry.

Bargaining

A lot of organizations get stuck in this stage.  They are bound and determined to find that “silver bullet” that somehow magically gets them to PCI compliance with the minimum amount of effort (i.e., none).  They know it is out there and all they need to do is find it.

Because of this stage and the fact that organizations get stuck in it, there are any number of “snake oil” PCI compliance solutions that prey on those in the ‘Bargaining’ stage.  All of them have “The Solution” that will solve your organization’s PCI compliance problem.  They have a pitch for every day of the week and for every situation.  Just ask them.  But at the end of the day, all of these solutions just address one or two PCI compliance issues and do not result in that magical “silver bullet” that those in this stage continue to seek.

Another indicator of organizations stuck in this stage are that they go through compliance and IT leaders like a teenage girl goes through boyfriends.  You immediately know an organization is in the ‘Bargaining’ stage as a QSA because you are always dealing with someone new every year.

Another telltale of a ‘Bargaining’ stage organization is that they are constantly arguing with their QSA over what PCI DSS requirements they need to comply.  PCI is not anything at all like “Let’s Make A Deal”.  It gets even worse when they argue the PCI DSS like it is a legal document and you get discussions over the meaning of the word ‘is’.  At the end of the day, your QSA or acquiring bank cannot cut you a deal on what PCI DSS requirements your organization can ignore.

The bottom line is that the absolute least level of PCI compliance any organization can have are the requirements documented in SAQ A.  Period.  There is nothing less than those requirements.  And SAQ A requires that an organization totally outsource to a third party everything related to card processing.  And I do mean everything.  Nine times out of ten, complete outsourcing is unacceptable to organizations who demand control over their business processes and the “look and feel” of their operations.

Depression

Once an organization realizes that there are no “silver bullets”, depression quickly sets in.  With some clients you can see depression get deeper with every data breach announcement that hits the media.  All they can imagine is that their organization is next.

Then there is the fact that PCI compliance is going to cause changes and cost people, time and money to address compliance gaps.  This is where a good QSA can be of great help.  A good QSA can give you options to minimize those resources.  Good QSAs understand that most merchants do not exist on huge margins and that investments with an ROI of more than three years are very painful and difficult to justify.

Unfortunately, in a lot of cases, there are not a lot of options available and even good QSAs are not miracle workers.  This is particularly true when the organization has not invested in infrastructure and application software in a long time.  Worse is when they have invested (usually heavily) in one or more of those “silver bullets” from the ‘Bargaining’ stage and they assist in their compliance efforts only minimally.

Acceptance

I would like to tell you that I have a lot of clients in this stage, but I do not.  Although the number is growing slowly but surely.

But the good news is that if you can get your organization to this stage, there are benefits.

The biggest benefit in my view is that organizations in Acceptance “get” security and why it is a necessary “evil” in today’s ever more connected world.  Never mind the PCI component.

Those at this stage are great to deal with because they have taken steps to minimize their PCI scope and simplify their card processing as much as possible.  They have standardized processes.  They understand that PCI compliance improves their organization’s security.  And not just for the security of cardholder data but for the security of all sensitive information and the whole organization.  Their investments in PCI compliance have paid off (sometime in spades) as they simplified their operations and got rid of sensitive information that they have no longer deemed necessary to retain.

A lot of organizations in this stage have integrated some or all of the PCI DSS requirements into their everyday operations.  As a result, PCI compliance is a daily affair, not the once a year fire drill that it is for most organizations.

These organizations are not perfect by any sense of the word.  But they are a level or more above other organizations and that is all it takes.  Because information security is no different than those movies that show a herd of animals being chased by a lion or tiger.  To survive, you just have to make sure that you are not one of the weakest animals in the pack.  Or as a friend of mine has said for years, “My security program does not have to be the best, just better than yours.”

10
Apr
17

MFA – It Is All In The Implementation

I have been challenged over the last few weeks over requirement 8.3.1 along with the implications of the Council’s latest Information Supplement on multi-factor authentication (MFA).  Requirement 8.3.1 does not go into effect until February 1, 2018, but there are a lot of organizations trying to get a jump on it.  As a result I am hearing from QSAS that they are getting more and more questions and scenarios to see if they are PCI compliant.

As a reminder, requirement 8.3.1 states:

“Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.”

The most common and biggest challenge has come from organizations that have implemented MFA across their entire network and therefore believe that they are automatically in compliance with 8.3.1.

Not so fast.  The guidance for 8.3.1 states:

“If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi-factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.”

According to this guidance, it is the cardholder data environment (CDE) that is the border for the MFA, not the network as a whole.  So while an organization might have implemented MFA as part of their general security, having MFA for the entire network does not meet the requirement of 8.3.1.

We need to remember what drove the development of requirement 8.3.1 was a lesson learned from the Target and similar breaches.  In all of these breaches, system administrators were spear phished allowing the attackers to access the CDE in one way or another.  Requirement 8.3.1 minimizes this threat by requiring MFA to gain access to the CDE.  So even if an attacker obtains an administrator’s credentials or compromises an administrator’s system, that fact in and of itself would not compromise the CDE.

This is why the guidance for 8.3.1 puts the MFA border at the CDE.  If you have MFA implemented in order to gain access to your network, how does that stop the threat of phishing?  It does not.  A spear phishing attack against such an MFA implementation defeats the MFA because it has already been applied.  The MFA in this scenario does not stop access to the CDE.

But keep in mind, MFA only minimizes the risk to administrators.  You still need to be vigilant in ensuring that administrator systems remain secure and free of viruses and malware.  As such, it is not unusual to find that organizations are taking more active approaches to securing administrator systems including adding other technologies such as file integrity monitoring, white listing and/or black listing in addition to anti-virus.

But it is not just administrators you need to worry about.  Anyone that has access to bulk cardholder data (CHD) that is stored is also at risk.  As a result, we are starting to see organizations also requiring these users to use MFA to access the CDE as well as having their systems implement enhanced security to ensure they remain uncompromised.

Just some things to think about as you got through your MFA discussions.

02
Apr
17

Business Continuity And PCI

This topic came up this past week in a conversation.  I had to go to the PCI DSS v3.2 and check to make sure what was being discussed was accurate.  The discussion was around requirement 12.10.1 which says:

“Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum

  • Specific incident response procedures

  • Business recovery and continuity procedures

  • Data backup processes

  • Analysis of legal requirements for reporting compromises

  • Coverage and responses of all critical system components

  • Reference or inclusion of incident response procedures from the payment brands.”

The points of the discussion focused on the third and fourth bullets.  Yes, that is right, they are calling out business recovery and continuity procedures and data backup processes.  This caught me a bit flat footed at first.

For those of you that have been involved in or around PCI for a while are probably scratching your heads because the PCI DSS has never truly cared about business continuity unless it was a hot failover solution.  The Council has even said so much at various Community Meetings over the years when business continuity and disaster recovery have come up as question topics.

So, what is the deal?

Well, the guidance provided for 12.10.1 sure does not give you a clue as it only says:

“The incident response plan should be thorough and contain all the key elements to allow your company to respond effectively in the event of a breach that could impact cardholder data.”

And the Report On Compliance (ROC) is still only asking for the name of the QSA that will attest to the incident response plan including these items.

Is the PCI DSS now interested in business continuity?

As I said earlier, the PCI DSS was to a degree interested in business continuity if it was always active as with a hot failover scenario and they have always been concerned about data backup processes as witnessed by requirements 9.5, 9.6, 9.7 and 9.8.  The more we discussed these topics the more we believe that the PCI DSS is looking for organizations to ensure continuity of their PCI compliance when they invoke their business continuity plan.

The PCI DSS has only included business continuity (aka disaster recovery) in scope if cardholder data (CHD) is actively involved.  This happens when organizations have hot recovery capabilities in their disaster recovery data center or are replicating data (that includes CHD) in real time to a disaster recovery site.  Otherwise, the disaster recovery site is not in scope for the PCI assessment.  As a result, most organizations push back on including their disaster recovery sites in their PCI assessments if they are cold or warm sites with no CHD involved.

However, here is the rub with that approach.  Under the PCI DSS and the card brand agreements, the moment that any disaster recovery site becomes active because of a disaster, it is required to be PCI compliant.  There is no grace period.  None.

So, if a disaster recovery site has never been assessed for PCI compliance, how does an organization know it will be compliant?  They do not.  There could be significant PCI compliance issues not just with the site, but with the emergency business processes as well.  That is why smart organizations periodically assess their disaster recovery sites and processes for PCI compliance so that there are few, if any, PCI compliance surprises when they activate them.

While the PCI DSS is not asking for an assessment of business continuity and data backup processes, the PCI DSS is providing a friendly reminder to organizations that business continuity can become a compliance problem and should be looked at before it creates an issue.




Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

May 2017
M T W T F S S
« Apr    
1234567
891011121314
15161718192021
22232425262728
293031  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,836 other followers