Archive for the 'PCI Dream Team' Category

27
Aug
21

So Much For “Live” In October

We have been notified that the (ISC)2 Security Congress in October will now be virtual.

We would still like to virtually meet with all of you anyway. See this post for where to register and how to submit questions for our session that will still go on virtually.

31
Jul
21

PCI Dream Team LIVE! Is Coming In October

The PCI Dream Team will be appearing LIVE at the (ISC)2 Security Congress in Orlando this Fall, Monday, October 18 through Wednesday, October 20, 2021.   Our session is scheduled for Tuesday, October 19, at 11:45 AM ET/ 1545 UTC.

While we will be live at the conference, you can also attend the conference and our session virtually.  So other than training budget limitations, there is no other good reason you cannot join us.

As usual, we will be taking questions live and via email at pcidreamteam AT gmail DOT com.  We also monitor Twitter if you use #pcidreamteam.

We are expecting our usual lively discussion of all topics PCI and other security standards if time allows.

We really are looking forward to physically seeing people at the conference.

11
Jun
21

Same Dream Team, New Venue

After years on BrightTalk, the PCI Dream Team is relocating to a new venue due to changes in BrightTalk’s revenue model (i.e., you need to pay to be on BrightTalk).

Thanks to Dream Team member Arthur “Coop” Cooper and his employer, TrustedSec, we will now be broadcasting through TrustedSec’s GoToMeeting instance.

Which brings us to the fact that the PCI Dream Team will be live online on Wednesday, June 23, at 1PM ET/ 1700 UTC. If you would like to attend this live event, you can register here. As usual, this will be an interactive event with attendees providing the questions to the Dream Team to answer.

We expect to have a lively discussion after the PCI SSC’s QSA event on June 15 for an hour and a half. Still no clue as to what is going to be discussed at this QSA session, but if it is going to take an hour and a half it must be good.

As usual, we will also be accepting questions at pcidreamteam AT gmail DOT com. So if you cannot attend the live event or have questions that are just bugging you, you can submit them to that email account so that we have them for this session.

And as a reminder, no questions are off limits EXCEPT those regarding PCI DSS v4 (thank you NDA).

We look forward to seeing you at our new online home.

28
Mar
21

PCI Dream Team at Secure360 2021

Back by popular demand, the PCI Dream Team will again be taking our show to Secure360 this May 11 (Tuesday) at 4PM CT/2100 UTC.

Secure360 is the Upper Midwest’s premier security conference and will be meeting again virtually on Tuesday, May 11 and Wednesday, May 12.  It is well worth the cost to attend as there are always many informative sessions and keynotes.  If interested, you can register here.

While not in person last year, we had a great time answering a variety of PCI and not so PCI security questions.  We look forward to having another great session this year.

If you want to make sure your question gets answered, please submit them before the session at pcidreamteam AT gmail DOT com.

We look forward to seeing you at Secure360.

17
Dec
20

Quick Hits From PCI Dream Team Session 10

The following are some questions that were asked at the last PCI Dream Team session but we were unable to get to them during the session.

  1. If a PCI validated service provider omits requirements from SAQ-D-SP because they themselves also use PCI Validated Service providers who meet said requirements?

    First off, requirements cannot be “omitted” or marked “Not Tested” and have a compliant Service Provider SAQ D or ROC per FAQ #1382.
    As to how the organization should deal with requirements covered by a third party is to mark them as “In Place” with the description that the appropriate third party is responsible for the requirement and that the third party is PCI compliant as of the AOC date.
  2. Most QSA’s are suggesting that the best way to mitigate new requirements in PCI V4 is to implement P2PE. Would you agree?

    Going to a P2PE or E2EE solution is only part of the equation.  To reduce the scope the most, you would also want to implement tokenization to ensure that your systems never retain PAN.  It is important to remember that most P2PE/E2EE solutions do not automatically include tokenization.
    Also remember, only P2PE gets the immediate scope reduction without asking the acquiring bank.  However, E2EE can also result in scope reduction if properly documented and approved by your acquiring bank, so do not limit yourself to only P2PE solutions.  E2EE solutions from First Data (TransArmor) and Verifone (VeriShield) are the largest implemented scope reducing solutions in the marketplace and are offered through almost all payment processors.
  3. Can you give examples of connected-to tools for pushing out code – are you referring to Git, Chef, what other tools fall into this category?

    Yes, we were talking about tools such as Git, Jenkins and Chef.  But it is also more than just code that gets pushed out.  Configurations, networking, etc. are all getting pushed out by tools such as Ansible, Terraform and others in the cloud and are also in scope.
    Regardless of the PCI scoping issues, these tools create security issues for organizations because they are typically not very well protected and monitored.  These tools are an organization’s software factory and most organizations are leaving the factory’s doors wide open for anyone to come through and see how you construct your in-house software solutions that are supposedly the key to your organization’s success.  All of this should hit home pretty hard after the SolarWinds debacle.
  4. On the topic of end of life (EOL) software, what about open-source projects with no LTS such as React 16 since the next major version has been released?  Would I be compelled to update all my dependencies to the latest major version?

    As far as I am aware, there is no announced React 16 EOL date nor has there ever been an EOL announcement for any release of React.  That said, since React is a group of JavaScript libraries and JavaScript is a well-known attack vector, the risk of using an older React version just gets worse as time goes on.  A risk assessment for the React versions should take that all into account and drive your analysis as to when you should update React barring the vendor stating an EOL for the version.
    But there are larger issues with open source application projects that process, store or transmit cardholder data (CHD).  I wrote about this a few years back in this post and it has a link to a post on the subject from 10 years ago.
10
Nov
20

The PCI Dream Team Rides Again

Please join us on Thursday, December 10, at Noon ET/1700 UTC as the PCI Dream Team discusses all things PCI EXCEPT PCI DSS v4. LOL!

You can register here for this free one hour session.

As usual, if you wish to submit questions before the session, please send them to our email box at pcidreamteam AT gmail DOT com.

We look forward to all of you attending this session.

22
Jul
20

PCI Dream Team Is Back On BrightTalk

The subject is unsupported software and devices and how to handle them. But of course, any PCI or security question is welcome. Join us on BrightTalk on Tuesday, July 28, at Noon ET, 5PM BST. You can register here or view the recording at the registration link as well.

As usual, you can submit question live during the session as well as any time before or after the session by sending them to ‘pcidreamteam AT gmail DOT com’.

We look forward to “seeing” you all next week.

23
Apr
20

Upcoming PCI Dream Team Events

On Tuesday, May 5, at 11AM ET (3AM UTC) the Dream Team will be doing a virtual session for Secure360. Go here to register for the Secure360 Conference.

Then, on Wednesday, May 13, we are holding a GDPR Birthday Party on BrightTalk to celebrate the second birthday of GDPR.  While we will be taking PCI questions, we will also be entertaining questions on GDPR as well.  To register for the BrightTalk session, go here.

We look forward to your attendance at both of these events.  As always, if you cannot attend either of these sessions, you are more than welcome to submit questions at pcidreamteam AT gmail DOT com.

23
Mar
20

Work From Home PCI Considerations

The PCI Guru got a question regarding PCI compliance for service providers in today’s emergency work from home (WFH) environment from a blog reader and it got The PCI Dream Team thinking about how does that work?  So, thanks to David Mundhenk of Herjavec Group, Art “Coop” Cooper of NuArx, Ben Rothke of Tapad and Jeff Hall of Online Business Systems for contributing to this list.

Ben & David wrote a piece on the topic last week, and the Dream Team has a webinar on Dealing with PCI DSS Compliance During the COVID-19 Crisis on March 25.

Thanks to the Coronavirus crisis, organizations are now scrambling to get their employees working from home.  This is presenting a whole new series of challenges to their compliance, technology and information security teams as these employees are now operating in a potentially less secure and definitely less private environment.

Home networks are going to be less controlled and secure.  Making matters worse is that most home networks today are Wi-Fi based, not wired, so data is flowing over untrusted networks because everyone in the house knows the Wi-Fi password (assuming there is one and it is not the default).

Bring Your Own Device (BYOD)

The biggest issue we are encountering is those organizations that need to rely on workstations owned by employees because they do not have company-owned and configured equipment to provide.  I have seen many a Tweet and LinkedIn post discussing the shortages of equipment for work from home and what options do they have.  The problem stems from most business continuity plans focusing on events that affect a business location or a community, not the entire country.  As a result, the idea of a pandemic forcing people to work from home was not thought of as a realistic threat.

As a result, bring your own device (BYOD) is the only answer in the near term to getting people working from home.  In discussions not only amongst the Dream Team but with other QSAs, there just do not seem to be any good answers for using BYOD and maintaining PCI compliance.  None of us can come up with ways to maintain compliance with BYOD because there are just too many factors involved from anti-virus (many varieties), limited or non-existent central monitoring and management, vulnerability scanning, penetration testing, patching, differing hardware, differing operating systems and a host of other issues that make it impossible to verify compliance let alone maintain compliance.

One potential option to reduce risk and gain better control with BYOD is using virtual desktop infrastructure (VDI) solutions such as Citrix Workspace, VMware Horizon or Windows Remote Desktop Services.  If you have that infrastructure in place, then we would recommend expanding it for WFH remote access.  If you do not have that infrastructure, you may be able to use Amazon Web Services (AWS), Microsoft Azure, Google Cloud or similar cloud environments to stand it up quickly.  That would allow you to reduce the risk of the BYOD being used but there still would be the risk of memory scraping and keyboard logging on the BYOD that must be managed.

That is not to say that you should not use BYOD as you need to keep your business running.  What it does mean is that you need to have a serious talk to your acquirer to determine how to handle this situation, what the risks are to your solution and then communicate the results of that discussion formally to your QSA.  You may even want to have your QSA on those calls with your acquirer to assist.  In these desperate times, I doubt that any bank is going to say you cannot stay in business as long as you can provide some controls and do your best to manage the risk.

We view BYOD though as a short term solution and that a longer-term solution needs to be developed as current estimates seem to indicate that the crisis will likely extend past the original estimate of four weeks.  That longer-term solution would involve acquiring the necessary hardware and software to implement a managed, secured and controlled environment that can be tested to ensure PCI compliance.

Company Provided Hardware and Software

For those companies that do have the equipment to send home with their employees, this is not a complete list, but a set of bullet points of ideas for how to address PCI compliance in our “new normal”.

  • The easiest topic is remote access. The PCI DSS explicitly calls out that a secure VPN (i.e., encrypted) with multi-factor authentication (MFA) for users to obtain access to the service provider network (8.3.2.a).  But where things can go sideways is complying with 8.3.1.a which requires MFA for non-console access to systems/devices in the cardholder data environment (CDE).  It goes awry because people think that the first MFA covers the MFA into the CDE and it does not.  The reason is that 8.3.1.a was designed to stop the phishing of Administrators to gain access to the cardholder data environment (CDE).  To stop that, you need additional MFA to access the CDE.  That does not mean a separate MFA solution (which would be ideal), but it does mean enforcing a delay in the single MFA so that the same MFA code cannot be used to access the internal network and then also the CDE.  A lot of organizations implement the delay in their remote logon script by invoking a timer delay that expires after the longest time a code can be active (usually 30 seconds).
  • A secure VPN is necessary to remove the home network from scope. Ideally, the VPN should be required to always be in use so that the workstation cannot get to the internet other than over the VPN.  For those that do allow the home network and internet to be accessible, you will need to ensure that the firewall on the workstation appropriately protects the workstation as well as implementing a host intrusion detection solution (HIDS).
  • VDI is also a solution because it allows for the use of thin-client and devices such as Chromebooks to be used to connect. Most VDI solutions also embed a secure remote connection via HTTPS or similar secure connectivity solutions.  If not then you will need to use a secure VPN as documented above.  However, even a thin client runs the risk of memory scraping and keyboard logging so you need to manage those risks.
  • Review all automated workflows to make sure that they are producing the necessary audit trails that will provide evidence for you PCI assessment of what is happening. Where this becomes problematic is when the workflows are developed only for PCI compliance and with the changes for remote operations, those workflows are not picking up new users, devices and other changes that were made to allow for remote work.
  • People that typically work together but now are remote will start using Microsoft Teams, Slack, Skype and other collaboration platforms to communicate and that may include sharing cardholder data (CHD) or sensitive authentication data (SAD) at times. You will need to train and quickly remediate situations if CHD/SAD enters these applications as well as periodically reminding these people that the use of these communication systems for transmitting SAD/CHD is not allowed.  If possible, enable data loss prevention (DLP) or similar capabilities to identify and then redact SAD/CHD in any of these communications.
  • If you are pushing out call center operations, remember that softphones will bring the workstation they connect into scope for PCI compliance because the workstation is now directly connected to the CDE which is, of course, the VoIP telephone system. That means an increase in scope and that those workstations need to be hardened, managed, logged and controlled for PCI compliance.  Call center operations may also require additional network segmentation to be put in place to ensure the size of your CDE does not exponentially grow.
  • While not entirely PCI related but needs to be noted are some other remote call center operation issues to consider that could make compliance with contractual obligations regarding privacy and confidentiality of data discussed or processed by the operator. You may need to supply operators with shredders, printers, additional monitors and other equipment to ensure privacy and productivity.  You may also have to instruct people to locate their work area to a bedroom or other room where a door can isolate the operator while they work so that family members do not come into contact with information or documents they should not view.
  • Ensure that you have ways to document changes happening, their review and approval. A lot of organizations have paper forms, Excel spreadsheets, email forms, etc. they use that sometimes can get lost in people’s inboxes, archives and folders or just lost, period.  You need to make sure that the change management system will work in the remote mode and that change evidence, reviews and approvals are maintained.
  • Logging should not be an issue unless your organization was not logging the VPN or other devices because they were not in scope for PCI compliance but now are in scope. So, you need to review your new workflows to ensure all devices and systems are logging to your SIEM or logging solution so that you comply with PCI requirement 10.
  • Encryption key management could become an issue particularly if your process does not support remote management. This can happen with some hardware security modules (HSM) and systems that require that the key custodians physically input their seed values into the device’s console.  So, going on-site may be required for encryption key changes and that may require formal approval from local authorities to occur.

These are the top of mind ideas that we were able to come up with for this discussion.  However, every environment is different so not everything discussed may be possible for your organization to use and maintain compliance.  We would recommend you work with a QSA to make sure that what you are attempting to do is not creating risks you are unwilling to accept or if you cannot manage appropriately.

We wish all of you the best of luck during this crisis.  We will get through this, but it will likely take some ingenuity in how that happens.

Also, be aware that the Council and the Card Brands are working on this topic as well and I expect more from them in the coming weeks.

Stay safe and healthy.

 

Other WFH resources:

CISA Coronavirus Guidance – https://www.cisa.gov/coronavirus

NIST Teleworking Guidance – https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final

SANS Work From Home Webcast – https://www.sans.org/webcasts/archive/2020

20
Mar
20

Special PCI Dream Team COVID-19 Session

On Wednesday, March 25, at 1800 UTC (2PM ET) the PCI Dream Team of Ben Rothke, David Mundhenk, Art Cooper and Jeff Hall will be on BrightTalk to discuss the impact on PCI compliance of the current COVID-19 crisis.

This should be a tough session as a lot of organizations are facing difficult decisions as they try to implement work from home (WFH) as well as maintain PCI compliance.  Thanks to the crisis, there are constraints that ordinarily would not be a problem such as a difficulty in obtaining hardware and remotely connecting a large workforce.

To register for the session, go here.

As usual, if you are unable to attend, please send your questions ahead of the session to pcidreamteam AT gmail DOT com.

We look forward to your questions and hope we can provide some help.

Thank you to all of you that attended. We had a lot of great questions from the attendees. We apologize for not being able to get to all of the questions, but I intend to follow up on a few of those in future blog posts.




December 2021
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031  

Months