Author Archive for PCI Guru

31 Jul 21

PCI Dream Team LIVE! Is Coming In October

The PCI Dream Team will be appearing LIVE at the (ISC)2 Security Congress in Orlando this Fall, Monday, October 18 through Wednesday, October 20, 2021.   Our session is scheduled for Tuesday, October 19, at 11:45 AM ET/ 1545 UTC.

While we will be live at the conference, you can also attend the conference and our session virtually.  So other than training budget limitations, there is no other good reason you cannot join us.

As usual, we will be taking questions live and via email at pcidreamteam AT gmail DOT com.  We also monitor Twitter if you use #pcidreamteam.

We are expecting our usual lively discussion of all topics PCI and other security standards if time allows.

We really are looking forward to physically seeing people at the conference.

14 Jun 21

Last PCI DSS v4 Request For Comments Period

According to an email I received today, the draft validation documents (I am assuming that means the ROC Reporting Template and AOC) will be released on Monday, June 28, on the PCI Portal for QSAs, ISAs and POs to review and comment.

The comment period will be open for 30 days from that date.

Make sure you get your copy, review the documents and generate comments as this is your chance to have input on the PCI DSS.

11 Jun 21

Same Dream Team, New Venue

After years on BrightTalk, the PCI Dream Team is relocating to a new venue due to changes in BrightTalk’s revenue model (i.e., you need to pay to be on BrightTalk).

Thanks to Dream Team member Arthur “Coop” Cooper and his employer, TrustedSec, we will now be broadcasting through TrustedSec’s GoToMeeting instance.

Which brings us to the fact that the PCI Dream Team will be live online on Wednesday, June 23, at 1PM ET/ 1700 UTC. If you would like to attend this live event, you can register here. As usual, this will be an interactive event with attendees providing the questions to the Dream Team to answer.

We expect to have a lively discussion after the PCI SSC’s QSA event on June 15 for an hour and a half. Still no clue as to what is going to be discussed at this QSA session, but if it is going to take an hour and a half it must be good.

As usual, we will also be accepting questions at pcidreamteam AT gmail DOT com. So if you cannot attend the live event or have questions that are just bugging you, you can submit them to that email account so that we have them for this session.

And as a reminder, no questions are off limits EXCEPT those regarding PCI DSS v4 (thank you NDA).

We look forward to seeing you at our new online home.

02 May 21

April 2021 Assessor Newsletter

A couple of interesting items in this month’s Assessor Newsletter that came out on April 30.

All Assessor Webcast

The first thing is the June 15 All Assessor Webcast that will be held at 1430 UTC and will be an hour and a half long. I reached out to some contacts I have and they are all mum as to what could possibly take an hour and half to discuss. Given that the final RFC of PCI DSS v4 might be out by then, it could be there will be a discussion of that document. Regardless, I would recommend everyone sign up to attend this session.

QSA v4 Training

Another little interesting tidbit was in the QSA Program Changes. I do not recall hearing about this in the past, so that is why I found it interesting.

“QSAs can only perform assessments using versions of the standard for which they have received PCI SSC training:

– This requirement only applies to major releases of the standard; it does not apply to minor revisions.

– Once a QSA completes the PCI DSS v4 Transitional Training, an indicator will be added to the QSA Assessor listing on the Website.”

From what I can gather, what this means is that until a QSA has attended the PCI DSS v4 Transitional Training, that QSA will not be able to conduct a PCI assessment using the v4 template. As a result, I am guessing that attendance at these training sessions will be at a premium as QSAs will want to attend them as soon as possible. Hopefully these will be online sessions so that getting into them early is not as big an issue as it would be for in-person training.

QSAC QA Questionnaire

For those QSACs that have been looking for the annual QA Questionnaire, it was released on March 24 and is posted on the PCI Portal under the Resources Center. So make sure you download it and go through it as soon as you can.

FAQ of the Month

The final tidbit is regarding this month’s FAQ #1325 entitled ‘Does PCI SSC provide a “PCI DSS Compliant” logo?’.

“PCI SSC does not issue an official PCI seal, mark or logo that companies can use when they achieve PCI DSS compliance. Please note that the PCI logo is a registered trademark and may not be used without authorization. You may not use the marks PCI Compliant, PCI Certified, PCI DSS Compliant, PCI DSS Certified or PCI with check marks or any other mark or logo that suggests or implies compliance or conformance with our standards. If your company is a member of one of PCI SSC’s programs, i.e. PO, QSA, ASV, ISA, or QIR, please contact your Program Manager who can provide a program logo that can be used for members of that program only. Note that authorized use of an applicable PCI logo by a program member is not an indication of that organization’s PCI compliance status or an endorsement by PCI SSC.

April, Article Number 1325”

This ranks up there with FAQ #1220 on the subject of PCI compliance certificates and the fact that they are worthless. Why these continue to be allowed to go on, I do not understand. I suppose until the Council begins putting QSACs in remediation for these incidents, they will continue.

Just thought these topics were worth sharing in case you missed the latest newsletter.

21 Apr 21

No 2021 Community Meetings

So much for getting together this year for a PCI Community Meeting anywhere in the world.  The Council sent out an email on Wednesday, April 21, that explains what will replace those events.

“PCI SSC is excited to announce the most important global online event for the payment card industry. New this year, the PCI SSC Global Community Forum will bring together industry experts from all over the world to share the latest in information security, update you on changes to PCI standards and programs as well as provide opportunities to network with peers. The PCI SSC Global Community Forum will take place online from Tuesday, 26 October – Thursday, 28 October.
This global online event held over the course of three days will include all the things you expect from PCI SSC events – important Council updates, regional insights, opportunities for feedback, networking, and fun engagement activities. Given the uncertainty of travel and international border restrictions, the Council has made the decision to offer this online event with dedicated days for each region presented in local time zones and cancel its 2021 in-person Community Meetings in North America, Europe, and Asia-Pacific.
Global Community Forum speaking submissions are still being accepted through Friday, 23 April at 11:59 PM EDT.”

Hopefully we will all get together in person sometime in the future.

01 Apr 21

There Will Be No PCI DSS v4

In a brief yet bold announcement, the PCI Security Standards Council today announced that the card brands have come to an impasse and cannot agree on key provisions of PCI DSS v4.

Council Communications Director, April Fools-Day, states in the Council’s Blog post that, “The card brands have tried and tried to work through their differences on key parts of the new version of the PCI DSS, but their differences have been unable to be resolved.  As a result, the Council has been informed that we will need to go back to pre-Council times when each card brand had their own security compliance program.”

An anonymous source from American Express stated that, “We fully expect to have our security program issued in a matter of days.  We were happy with where version 4 was headed, and we intend to publish that program with only minor revisions.”

A source from Visa USA who insisted on anonymity because they are not allowed to officially speak about the matter stated, “Version 4 as it existed was not an advancement.  Too many loopholes in the work program.  It wasn’t about to advance security of card data and was taking us back to the dark ages of information security.”

A Mastercard spokesperson stated, “What Visa said.”

Spokespeople for Discover and JCB had no comment on the news.

Dr. Brandon Williams, a known critic of the Council stated, “It was just a matter of time before this all imploded.  I have seen this coming for years.”

Dr. Anton Chuvakin, noted SIEM expert and author of many PCI DSS books, said, “Meh!”

The PCI Dream Team were stunned by the news.  However, after a moment to catch his breath, Art “Coop” Cooper said, “I suppose it was bound to happen at some point.  I just thought it would be decades out.”

It will be interesting to see the reaction to this news as people let it all sink in.  In the meantime, enjoy April the First.

28 Mar 21

PCI Dream Team at Secure360 2021

Back by popular demand, the PCI Dream Team will again be taking our show to Secure360 this May 11 (Tuesday) at 4PM CT/2100 UTC.

Secure360 is the Upper Midwest’s premier security conference and will be meeting again virtually on Tuesday, May 11 and Wednesday, May 12.  It is well worth the cost to attend as there are always many informative sessions and keynotes.  If interested, you can register here.

While not in person last year, we had a great time answering a variety of PCI and not so PCI security questions.  We look forward to having another great session this year.

If you want to make sure your question gets answered, please submit them before the session at pcidreamteam AT gmail DOT com.

We look forward to seeing you at Secure360.

01 Mar 21

Quick Update on PCI DSS v4

In the February 2021 Assessor newsletter, the Council announced the following.

“Because of the broad impact PCI DSS has on the payment community, the Council is seeking additional feedback into the PCI DSS v4.0 validation documents. As a result of expanding stakeholder feedback opportunities to include these supporting documents, the Council is now targeting a Q4 2021 completion date for PCI DSS v4.0. The publication and availability of PCI DSS v4.0 is still being determined. The Council will communicate the targeted publication date in the coming months.”

So we will apparently see one more iteration of v4 before it is released. According to their blog post, the comment period will start around June 2021.

See their blog post for more information.

One other important item from the newsletter for all QSAs, do not forget to register for the next All Assessor Webcast on March 18, 2021.

17 Dec 20

Quick Hits From PCI Dream Team Session 10

The following are some questions that were asked at the last PCI Dream Team session but we were unable to get to them during the session.

  1. Can a PCI validated service provider omit requirements from SAQ-D-SP because they themselves also use PCI validated service providers who meet said requirements?

    First off, requirements cannot be “omitted” or marked “Not Tested” and still produce a compliant Service Provider SAQ D or ROC per FAQ #1382.
    As to how the organization should deal with requirements covered by a third party, the answer is to mark them as “In Place” with a description stating that the appropriate third party is responsible for the requirement and that the third party is PCI compliant as of the AOC date.
  2. Most QSAs are suggesting that the best way to mitigate new requirements in PCI V4 is to implement P2PE. Would you agree?

    Going to a P2PE or E2EE solution is only part of the equation.  To reduce the scope the most, you would also want to implement tokenization to ensure that your systems never retain PAN.  It is important to remember that most P2PE/E2EE solutions do not automatically include tokenization.
    Also remember, only P2PE gets the immediate scope reduction without asking the acquiring bank.  However, E2EE can also result in scope reduction if properly documented and approved by your acquiring bank, so do not limit yourself to only P2PE solutions.  E2EE solutions from First Data (TransArmor) and Verifone (VeriShield) are the largest implemented scope reducing solutions in the marketplace and are offered through almost all payment processors.
  3. Can you give examples of connected-to tools for pushing out code – are you referring to Git, Chef, what other tools fall into this category?

    Yes, we were talking about tools such as Git, Jenkins and Chef.  But it is also more than just code that gets pushed out.  Configurations, networking, etc. are all getting pushed out by tools such as Ansible, Terraform and others in the cloud and are also in scope.
    Regardless of the PCI scoping issues, these tools create security issues for organizations because they are typically not very well protected and monitored.  These tools are an organization’s software factory and most organizations are leaving the factory’s doors wide open for anyone to come through and see how you construct your in-house software solutions that are supposedly the key to your organization’s success.  All of this should hit home pretty hard after the SolarWinds debacle.
  4. On the topic of end of life (EOL) software, what about open-source projects with no LTS such as React 16 since the next major version has been released?  Would I be compelled to update all my dependencies to the latest major version?

    As far as I am aware, there is no announced React 16 EOL date nor has there ever been an EOL announcement for any release of React.  That said, since React is a group of JavaScript libraries and JavaScript is a well-known attack vector, the risk of using an older React version just gets worse as time goes on.  A risk assessment for the React versions should take that all into account and drive your analysis as to when you should update React barring the vendor stating an EOL for the version.
    But there are larger issues with open source application projects that process, store or transmit cardholder data (CHD).  I wrote about this a few years back in this post and it has a link to a post on the subject from 10 years ago.

13 Dec 20

Network Segmentation Testing

NOTE: If you have not read the PCI SSC Information Supplement – Guidance for PCI DSS Scoping and Network Segmentation you must do so before using the procedures documented in this post.

How something so simple became something so complicated (or at least believed to be complicated), I just will never understand.  The only thing I can point to is the fact that network segmentation testing falls within the requirements of penetration testing.  Because of that, I think people therefore believe there is something “special” about how segmentation testing must be performed.  Never mind the fact that there is the even more basic issue of how to approach network segmentation testing.

Here is the network segmentation testing methodology for traditional IP networks.

  • Gather an inventory of all of the network segments.  Label each network segment as Cardholder Data Environment (CDE), Connected To or Out of Scope based on the definitions from the Scoping Information Supplement.
  • Make sure you have Nmap installed on a portable computer.  The reason this needs to be portable is because you will likely have to move around your facilities in order to complete all of the testing.  It is also not unusual to use diagnostic systems in the data center to accomplish this effort (they may already have Nmap installed) as well as creating VMs for this testing and then remoting into those systems.  The important thing is to have access to every network segment in your environment so that you can conduct this testing.
  • Connect your scanner to every CDE network segment and attempt to reach all of the Out of Scope network segments from the CDE.  You will want to run an Nmap scan that scans all TCP and UDP ports (i.e., 1 through 65535) against all IP addresses in a given out of scope network segment.  This likely sounds extreme but to prove segmentation you must test all 65,535 TCP/UDP ports against all IP addresses to make sure that no traffic “leaks” to your out of scope networks.  If you do find a port open in one of your out of scope networks, you will have to track down where that leak occurs.  Example: nmap -p- -sT -sU 10.10.0.0/16
  • While in each CDE, test connections out to your Connected To network segments testing all TCP and UDP ports against all IP addresses in your Connected To network segments.  Since communication between the CDE and Connected To segments is allowed, you will need to compare the results of the Nmap scan to your documented, approved ports and firewall rules to confirm that no ports are open that are not documented and approved.
  • Finally, you will need to test that your CDE can only reach the internet through ports and IP addresses you have specified.  Obviously, you are not going to test every internet address as that would take forever.  However, what I tell my clients to do is to use every external IP address they have for business partners or other third parties they are connected to.  Again, you are going to test all TCP and UDP ports against those addresses. If you get any unexpected results back, you are going to have to resolve those issues as there should be no external connectivity.
  • Connect to every Connected To network segment and conduct testing into the CDE for all TCP and UDP ports against all IP addresses in the CDE network segment.  Again, since communication is allowed between these network segments you will need to compare the results of the Nmap scan to your documented, approved ports and firewall rules to confirm that no ports are open that are not documented and approved.
  • While in the Connected To network segments, conduct testing to all Out of Scope network segments.  Since communication is allowed between these network segments you will need to compare the results of the Nmap scan to your documented, approved ports and firewall rules to confirm that no ports are open that are not documented and approved.
  • Connect to every Out of Scope network segment and run an Nmap scan into each CDE network segment for every TCP and UDP port for all IP addresses in the CDE.  This should return no results if the network is truly out of scope.  If it does return results, you will have to figure out why and block that traffic into the CDE.
  • Save all of your results and comparisons so that you have a record of your testing.  If you found issues, make sure you document in detail what was done to resolve those issues and conduct new scans to prove that those issues were remediated.
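As an added example (not part of the original post), here is a Python script that parses Nmap's grepable (-oG) output from the scans above and applies the comparison rules in the procedure: any open port reached in an Out of Scope segment is a leak, and any open port reached in a Connected To segment must match the documented, approved rules. The segment inventory, the approved flow list and the scan output are constructed sample data, not real scan results.

```python
import ipaddress
from collections import namedtuple

# Constructed sample of Nmap grepable output (-oG), merged from scans launched
# inside a CDE segment toward an Out of Scope and a Connected To segment.
SAMPLE_GREPABLE = """\
# Nmap 7.91 scan initiated as: nmap -p- -sT -sU -oG - 10.10.0.0/16 10.20.0.0/24
Host: 10.10.1.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (131068)
Host: 10.10.1.9 ()\tPorts: 53/open|filtered/udp//domain///, 80/closed/tcp//http///
Host: 10.20.0.7 ()\tPorts: 1433/open/tcp//ms-sql-s///
Host: 10.20.0.8 ()\tPorts: 3389/open/tcp//ms-wbt-server///
# Nmap done at ...
"""

# Segment inventory (first step of the procedure) and the documented, approved
# CDE -> Connected To flows; both are constructed for this example.
SEGMENTS = {"10.10.0.0/16": "Out of Scope", "10.20.0.0/24": "Connected To"}
APPROVED = {("10.20.0.7", 1433, "tcp")}  # (destination host, port, protocol)

OpenPort = namedtuple("OpenPort", "host port proto state")

def parse_grepable(text):
    """Extract every open or open|filtered port from Nmap -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto = entry.split("/")[:3]
            # UDP probes often report open|filtered; keep those for manual
            # follow-up instead of silently treating them as closed.
            if state.startswith("open"):
                results.append(OpenPort(host, int(port), proto, state))
    return results

def segment_of(host, segments):
    """Label of the most specific inventoried segment containing host."""
    addr, best = ipaddress.ip_address(host), None
    for net, label in segments.items():
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, label)
    return best[1] if best else None

def evaluate(open_ports, segments, approved):
    """Apply the scoping rules: nothing may reach Out of Scope, and only
    documented flows may reach Connected To. Returns (OpenPort, reason) pairs."""
    findings = []
    for op in open_ports:
        label = segment_of(op.host, segments)
        if label == "Out of Scope":
            findings.append((op, "leak: CDE can reach an Out of Scope host"))
        elif label == "Connected To" and (op.host, op.port, op.proto) not in approved:
            findings.append((op, "open port not in the approved firewall rules"))
        elif label is None:
            findings.append((op, "host missing from the segment inventory"))
    return findings

if __name__ == "__main__":
    for op, reason in evaluate(parse_grepable(SAMPLE_GREPABLE), SEGMENTS, APPROVED):
        print(f"{op.host}:{op.port}/{op.proto} ({op.state}) -> {reason}")
```

For real testing, add -oG <file> to the nmap commands in the list above and feed that file to parse_grepable; keep the output files as the record of testing the last step calls for.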

When you bring in newer solutions such as the Cloud, containers, serverless, microsegmentation and the like, the traditional network segmentation testing method cannot be applied completely.  You can conduct all of the tests documented above from outside of the environment looking into your cloud environment, but you cannot look from inside the cloud out.  That must be done manually by examining the cloud configuration information and ensuring that networks are properly segmented.

If you are like me, you are looking for a better way to deal with the Cloud as well as large networks.  There are network tools from vendors such as FireMon, AlgoSec, Skybox and Tufin that have capabilities to take the Cloud configuration information as well as firewall, router, switch and other network infrastructure configurations and provide analytical capabilities to simulate the testing above from both internal and external perspectives.  The downside of these tools of course is that they are not inexpensive and can require significant horsepower to operate.  However, they can be worth their weight in gold for their ability to analyze and understand your networks, find misconfigurations and find issues where attacks can potentially succeed.

There is no reason to pay your penetration tester to conduct network segmentation testing unless you are uncertain as to how to analyze the information from the Cloud.
