SecurityMetrics SAQ D Boot Camp: Defeat by questionnaire is not acceptable!

How To: The PCI Self-Assessment Questionnaire (SAQ)


DESCRIPTION

Step into the intensity of the PCI Data Security Standards’ (PCI DSS) most widely-waged battlefield – the Self-Assessment Questionnaire D (SAQ D). From the civilian perspective of hospitality finance and technology professionals, navigate as a unit through the chaos with one goal in mind: to successfully complete the SAQ D. To train for this mission, the SAQ D will be discussed in great detail, covering many aspects of the 240+ questions, as well as tips and tricks to help complete the questionnaire. As in battle, attendees will work together towards success by sharing their own SAQ D stories. Check out what else our auditors can do: https://securitymetrics.com/sm/pub/onsiteassessment


Page 1: How To: The PCI Self-Assessment Questionnaire (SAQ)

SecurityMetrics

SAQ D Boot Camp

Defeat by questionnaire is not acceptable!

Page 2: How To: The PCI Self-Assessment Questionnaire (SAQ)

“All truths are easy to understand once they are discovered; the point is to discover them.”

– Galileo Galilei

Page 3: How To: The PCI Self-Assessment Questionnaire (SAQ)

Summary of SAQs

• SAQ A – Merchant outsources all card collection and processing

• SAQ B – Merchant uses analog phone based POS terminal or imprint method

• SAQ C – Merchant processes and transmits card data but no e-storage

• SAQ C-VT – Merchant does simple manual entry on a single virtual terminal

• SAQ D – Merchant stores card data electronically in the card processing network

Page 4: How To: The PCI Self-Assessment Questionnaire (SAQ)

What Do I Do With an SAQ?

• SAQ is a merchant’s statement of PCI compliance

• The acquiring bank, not the card brand or the PCI Council, asks a merchant for a completed SAQ

• Acquiring bank’s responsibility to track a merchant’s PCI compliance

• It is a merchant’s responsibility to accurately complete the SAQ

Page 5: How To: The PCI Self-Assessment Questionnaire (SAQ)

“To SAQ D, or Not to SAQ D”

• SAQ D classification options
  1. Change your card data processes to get out of SAQ D scope
     • Don’t store card data (tokenize)
  2. Dig in. It’s not easy but it’s possible!
     • Get some help (QSA)

Page 6: How To: The PCI Self-Assessment Questionnaire (SAQ)

Know The Battlefield

• Before starting, there are some things you need to gather
  – Complete network diagram
  – Detailed card data flow diagram/description
  – Unsecured card data locations
  – Written IT policies/procedures
  – Internal compliance team (network, workstation/POS support, HR, help desk)
  – Management support!

Page 7: How To: The PCI Self-Assessment Questionnaire (SAQ)

Field Research: Data Discovery

“…you really need to use some kind of methodology to find where cardholder data is on the network…”

– Bob Russo, PCI SSC

• Must have a data discovery methodology for an accurate card data flow picture
• Methodology should include:
  – Data discovery tool(s)
  – Data flow documentation
  – Periodic repetition (annual minimum)

Page 8: How To: The PCI Self-Assessment Questionnaire (SAQ)

Recon: Card Data & Process

• Like camouflaged ground forces, unsecured card data and processes using card data can hide in rough terrain and go unnoticed until it’s too late

• Careful tracing and documentation of all processes that deal with card data is essential

• Search even locations/processes you think are “clean”

Page 9: How To: The PCI Self-Assessment Questionnaire (SAQ)

Weapons for Card Discovery

• A good discovery tool…
  • Automated exhaustive search capability
    – Hard drives, systems, networks, attached storage devices, etc.
    – Finds unencrypted PAN and magnetic stripe data
  • Generates easy-to-understand reports
  • Shows count and location of payment card data found
  • Low false positive rate

Page 10: How To: The PCI Self-Assessment Questionnaire (SAQ)

Available Data Search Tools

• Payment card data search tools available to use on systems:

  – PANscan®: https://securitymetrics.com/sm/PANscan/
  – SENF: http://www.utexas.edu/its/products/senf/
  – SPIDER: http://www.cit.cornell.edu/security/tools/

Page 11: How To: The PCI Self-Assessment Questionnaire (SAQ)

Where to Look?

• Obvious locations:
  – Systems involved in storage, transmission, or processing of card data
  – POS systems, web server, customer service workstation, etc.
  – Database servers
  – Decommissioned systems
  – System backup locations

Page 12: How To: The PCI Self-Assessment Questionnaire (SAQ)

Where to Look?

• Look outside the typical cardholder data network:
  – Accounting/Finance: spreadsheets from banks, stored reports, etc.
  – Sales: faxed forms (printed or digital), e-mail from sales reps, etc.
  – Marketing: access to transaction databases/logs for research, etc.

Page 13: How To: The PCI Self-Assessment Questionnaire (SAQ)

Targeting SAQ D Scope

• “The cardholder data environment (CDE) is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data” –PCI DSS

• PCI DSS applies to all system components included in or connected to the CDE

• Minimize where card data is dealt with and reduce SAQ D compliance effort and costs

Page 14: How To: The PCI Self-Assessment Questionnaire (SAQ)

Scoping Principles

• Find where data is using detailed flow and location analysis along with data discovery tools

• If you find it and don’t need it, get rid of it
  – Remove historical data
  – Secure data deletion process
  – Change process to eliminate need

• Search regularly for card data

• Remember: where there is card data, there is PCI DSS scope!

Page 15: How To: The PCI Self-Assessment Questionnaire (SAQ)

Found it! Now What?

• Identify network segment(s) where card data is stored, processed, or transmitted

• Watch for network segments “traversed” by streams of card data on its way elsewhere

• Include any process where card data is placed on media (paper, tape, CD, etc.)

• Remember:
  • Encrypted data is in scope where decryption keys are present
  • Call center segments viewing full PAN data should be in scope
  • Securely delete any unsecure data not needed

Page 16: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D-DAY!

• Done: Research, planning, targeting, and discovery steps

• Let’s attack SAQ D in detail

Page 17: How To: The PCI Self-Assessment Questionnaire (SAQ)

PCI DSS SAQ D Summary

• Build and Maintain a Secure Network
  – Req. 1: Install and maintain a firewall configuration to protect cardholder data
  – Req. 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – Req. 3: Protect cardholder data (encrypt or mask)
  – Req. 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – Req. 5: Use and regularly update anti-virus software
  – Req. 6: Develop and maintain secure systems and applications

Page 18: How To: The PCI Self-Assessment Questionnaire (SAQ)

PCI DSS SAQ D Summary

• Implement Strong Access Control Measures
  – Req. 7: Restrict access to cardholder data by business need-to-know
  – Req. 8: Assign unique ID to each person with computer access
  – Req. 9: Restrict physical access to cardholder data
• Monitor and Test Networks
  – Req. 10: Track and monitor all access to network resources and cardholder data
  – Req. 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  – Req. 12: Maintain documented policy and procedures that address information security

Page 19: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 1

• Document and maintain firewall configuration standards (1.1)
  – Need formal process for approving and auditing firewall rules quarterly
  – Document all port traffic in/out and provide justification
  – Accurate network and transaction flow diagrams
• Secure network firewall architecture (1.2-1.4)
  – Create DMZ and Secure Zone (2-tiered firewall architecture), prohibit direct public access to zone where data is stored, protect internal IPs
  – Control and limit all inbound/outbound network traffic
  – Segment cardholder network from wireless or other network segments
  – Use personal firewalls on mobile/personal computers

Page 20: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D – Network Example

Network diagram labels (from the slide): Dedicated Secure Zone; Strong Edge; Firewall & IDS; Isolate Wireless; Dedicated DMZ; 2nd Firewall; Separate Office Zone

Segment the network to minimize scope!

Page 21: How To: The PCI Self-Assessment Questionnaire (SAQ)

Network Scoping and Segmentation

• Card network stores/processes/transmits card data
• Most networks not designed for PCI compliance.
• Card processing systems are often mixed in with back office systems (one big flat network)
• “Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.” (PCI DSS 1.1 Page 2)

Page 22: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 2

• Change or do not use vendor-supplied defaults
  – Change defaults before adding a system component to the cardholder network (passwords, SNMP, wireless settings)
• Develop and maintain system configuration standards
  – Create system component configuration standards based on industry best practice guidelines (CIS, NIST, etc.)
  – One primary function per server (or virtual server)
  – Disable unnecessary services/functions
• Use encrypted non-console admin access tools
  – SSH, RDP, VPN, SSL/TLS

Page 23: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 3

• Protect stored data
  – Minimize confidential information storage, define policy/procedure for removing old data
  – Do not store sensitive authentication data subsequent to an authorization event (not even if encrypted)
    • Track data, card identification number, PIN, PIN block
  – Mask (truncate) account data when displayed (last 4 numbers are max that can be displayed)
• Don’t store masked and hashed PAN together

Page 24: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 3

• Render PAN data unreadable anywhere it is stored
  – Strong 1-way hashing functions (SHA-1)
  – Truncate data (e.g. first 6, last 4)
  – Use strong cryptography
    • Strong algorithms (3DES, AES, RSA, etc.)
    • Proper key length for the algorithm (e.g. for AES 128 bits or more)
• Strong encryption key management processes
  – Protect Data Encryption Key (DEK) from disclosure and misuse
  – Secure key storage (encrypt DEK)
  – Periodic key changes at end of a defined crypto period

Page 25: How To: The PCI Self-Assessment Questionnaire (SAQ)

What is Sensitive Auth Data?

• Track or mag stripe data
  – Used to duplicate a plastic card
    • Track 1: %B4111111111111111^Public John Q.^080910100876000
    • Track 2: 4111111111111111=0809101543219987000
  – Violation to store Track 1 or 2, even if encrypted
    • Exception: some “store and forward” situations are allowed if no authorization event occurs
• Card identification number
  – Violation to store even if encrypted
    • Exception: can be stored encrypted prior to “authorization event”
• PIN number or encrypted PIN block
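As an added illustration of the “Weapons for Card Discovery” slide and of the Track 1/Track 2 layouts and first-6/last-4 masking shown above (example code written for this page, not part of the deck and not SecurityMetrics’ PANscan), this small discovery routine finds PAN-like digit runs, uses the Luhn check plus a same-digit filter to keep false positives down, recognises the two track layouts, and reports counts per location with PANs truncated. File names and contents are constructed; 4111111111111111 is the well-known test PAN the slide itself uses.

```python
import re

# Constructed sample "files" standing in for the drives, shares and backups
# a discovery sweep covers (same test PAN as the slide's track examples).
SAMPLE_FILES = {
    "finance/chargebacks.csv": (
        "ref,amount,card\n"
        "1001,45.00,4111111111111111\n"
        "1002,12.50,4111-1111-1111-1111\n"
    ),
    "pos/swipe.log": (
        "%B4111111111111111^Public John Q.^080910100876000?\n"
        ";4111111111111111=0809101543219987000?\n"
    ),
    "hr/phonelist.txt": "Desk 1234567890123456 is ext 5151\norder 0000000000000000\n",
}

# 13-19 digits, optionally split by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 layout from the slide: %B<PAN>^<name>^<YYMM expiry + service code ...>
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
# Track 2 layout from the slide: <PAN>=<YYMM expiry ...>
TRACK2 = re.compile(r"(\d{13,19})=(\d{4})")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First-6/last-4 truncation, the most a report should display under Req. 3."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Full PANs that pass Luhn; same-digit runs such as all zeros are rejected."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_files(files: dict) -> dict:
    """Per-location report: PAN count, track-data record count, masked samples."""
    report = {}
    for path, text in files.items():
        pans = find_pans(text)
        tracks = len(TRACK1.findall(text)) + len(TRACK2.findall(text))
        if pans or tracks:
            report[path] = {
                "pan_count": len(pans),
                "track_records": tracks,  # sensitive auth data: never keep post-authorization
                "samples": sorted({mask_pan(p) for p in pans}),
            }
    return report
```

Running `scan_files(SAMPLE_FILES)` flags the finance spreadsheet and the POS log but not the phone list, whose 16-digit extension number fails Luhn and whose all-zero value is filtered out.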

Page 26: How To: The PCI Self-Assessment Questionnaire (SAQ)

Encryption & Key Management

• Don’t use weak, or non-industry standard encryption algorithms

• Most common problem with encryption is insecure encryption key management

• Look carefully at SAQ D sections 3.5-3.6 for correct key management practices, work with a QSA on a key management scheme

Page 27: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 4

• Encrypt sensitive data over public networks
  – Use strong cryptography to protect card data as it traverses a public network (SSL/TLS, IPSEC, etc.)
  – Open (insecure) network examples: Internet, Wi-Fi, GSM, GPRS, satellite
  – Use a strong encryption method if sending card PAN via e-mail (be careful where email is stored)
• Protect card data flowing over wireless networks
  – Use WPA/WPA2 (WEP not allowed)

Page 28: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 5

• Anti-Virus/Anti-Malware
  – Deploy anti-virus software on all systems in the card environment commonly affected by malicious software
  – Software must detect and clean other types of malware (spyware, adware)
  – Ensure anti-virus / anti-malware software and signatures are up to date
  – Ensure anti-virus / anti-malware software generates logs, and keep the logs

Page 29: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 6

• Patch Management and Change Control
  – Ensure system components and software are up to date (install relevant security patches within 30 days)
  – Keep up on newly discovered vulnerabilities that may affect systems or software; assign a risk ranking to each discovered vulnerability
  – Document and follow change control procedures
    • Track all system and software configuration changes (e.g. network components, servers, software, etc.)
• Secure Software Processes
  – Use PA-DSS validated software, install it correctly
  – If you develop your own software (web or client), SAQ D 6.3, 6.5, 6.6 get very important and difficult; get help from a QSA

Page 30: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 7

• Limit access to computing resources and cardholder information to only those with a “need-to-know”

• Ensure systems have automated access controls systems implemented

• Have a traceable process for granting/denying access to cardholder network systems based on job role

Page 31: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 8

• Protect access to the cardholder data network
  – All users must have unique IDs to access cardholder network systems
  – All users must authenticate to the systems using a password (or token, or biometric)
  – All passwords must be stored encrypted
  – Remote access into the cardholder network must be secured by 2-factor authentication
    • Something you know (a password), and something you have (token or certificate)
    • Examples: RADIUS, TACACS, VPN with individual certificates, key fob, etc.

Page 32: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 8

• User and password management
  – Process to control addition/deletion of users
  – Verify identity before password resets, use strong initial passwords
  – Revoke access of terminated users, remove inactive accounts every 90 days
  – No “group” or shared user IDs or passwords
  – Change passwords every 90 days, keep history
  – Password strength: 7+ chars, alpha/numeric
  – Lock after 6 invalid logins for at least 30 min
  – Idle session timeout of 15 min (can be screen saver)

Page 33: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 9

• Physical security of facilities
  – Control access to physical location of cardholder network systems
  – Video and/or access control mechanisms in data center, store video data at least 3 months
  – Restrict access to network jacks, wireless access points, network hardware, and handheld devices

Page 34: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 9

• Employee controls
  – Must be able to distinguish employees from visitors (ID badges or other means)
  – In sensitive areas: visitors must be authorized, sign log, be given physical token of visitor status that expires, and surrender token upon leaving

Page 35: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 9

• Controls over the storage of media
  – Physically secure all electronic or paper media that contains cardholder data
  – Store media backups in secure location, preferably off-site
  – Maintain strict control over internal/external distribution of media
    • Management must approve all distribution of media
    • Classify media so it can be identified as confidential
    • Use secured courier or delivery mechanism that can be tracked
    • Inventory all distributed media
  – Destroy media when no longer in use (shred, degauss, physically destroy, etc.)

Page 36: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 10

• Track & monitor access to systems in the cardholder network
  – Enable audit logging on all systems handling cardholder data
  – Implement log monitoring and notification software (review daily)
  – Track all privileged access to credit card data outside of defined payment applications
  – Centralize the storage of audit logs. Include all logs (system, application, firewall, IDS, web…)
  – Protect audit logs from modification
  – Sync system time throughout the cardholder network to a known, protected source

Page 37: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 11

• Regularly test security systems
  – Quarterly external & internal vulnerability scans
    • PCI authorized scan vendor for external testing, internal testing can be done with VA scanning tools
    • Act on scan results until the scans are running clean
  – Conduct external penetration testing
    • Annually or after any significant infrastructure or application upgrade or modification
    • Testing conducted by experienced penetration tester who is not part of the card network admin team
    • Must include both network and application layer testing
  – Intrusion Detection System monitors all traffic
  – File Integrity Monitoring software watching critical files

Page 38: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 12

• Document Information Security Policy and Procedures
  – Develop, maintain, and publish infosec policies to address all PCI requirements
  – Review policy and conduct risk assessment annually
  – Develop daily operational security procedures to ensure continued PCI compliance (watch logs, updates, etc.)
  – Develop employee acceptable use policies for employee-facing technologies (modem, network, wireless, etc.)

Page 39: How To: The PCI Self-Assessment Questionnaire (SAQ)

SAQ D Requirement 12

• Document Information Security Policy and Procedures
  – Define management responsibilities (policy, control access, monitor alerts, incident response, etc.)
  – Develop & implement a security awareness program
  – Background check potential or new employees
  – 3rd parties that receive card data from you must have contractual language to follow PCI DSS
  – Develop, distribute and periodically test an Incident Response Plan

Page 40: How To: The PCI Self-Assessment Questionnaire (SAQ)

Documentation Hurdles

• The amount of documentation and process development/rollout is a big deal for a successful SAQ D compliance effort
• Must be comprehensive and implemented across the board
• Don’t depend on “employee memory”
• Carefully document security procedures and policies, train employees periodically
• Good data security starts from the top down, not from the IT staff up!

Page 41: How To: The PCI Self-Assessment Questionnaire (SAQ)

Why Go Through All This Work?


Page 42: How To: The PCI Self-Assessment Questionnaire (SAQ)

Compromise: Hospitality Industry

• Network vulnerabilities found:
  – Insecure remote access
  – Common default passwords
  – Logging not enabled, not watching logs
  – Flat network design - limited or no segmentation
  – No IDS/IPS in place
• Attack vectors included:
  – Compromised remote access
  – Installed suite of malware: processor memory dump program, parser looking for credit card data in dump files, shared folder search app that looked for passwords, credit card numbers, social security numbers, etc.

Page 43: How To: The PCI Self-Assessment Questionnaire (SAQ)

What Did It Cost?

• Bottom line costs:
  – Cost of the forensic investigation: $32,000
  – Number of cards stolen: 150,000
  – Fines: $80,000
  – Reimburse for fraudulent uses: $440,000
• All this from just two sites involved in the compromise

Page 44: How To: The PCI Self-Assessment Questionnaire (SAQ)

Emerging Technologies

• Tokenization
• Point to Point Encryption (P2PE)
• Mobile payment technologies

Page 45: How To: The PCI Self-Assessment Questionnaire (SAQ)

Tokenization

• Token representing PAN is returned from the gateway/processor, eliminates storage risk

• No storage of sensitive PAN data which reduces PCI-DSS requirements but PAN data is still transmitted (potential reduction of validation to SAQ C)

• Biggest advantage: Tokens have no value unless redeemed, can potentially store tokens outside of CDE without impacting PCI scope

• Historical PAN data must be tokenized or removed
• Many processors/gateways are beginning to support tokenization, but switching processors may be harder
• Best if integrated with Point-to-Point Encryption solution

Page 46: How To: The PCI Self-Assessment Questionnaire (SAQ)

Point to Point Encryption

• All card data is encrypted by the swipe device hardware, no cleartext data enters merchant POS systems

• Merchant does not have keys that can decrypt the data

• Has potential for a large reduction in scope since internal systems never see or transmit usable card data

• Could lower PCI-DSS assessment scope but new hardware and services would have to be purchased

• Format Preserving Encryption has potential for integration of legacy software (PCI-SSC still “in session” on FPE issues)

Page 47: How To: The PCI Self-Assessment Questionnaire (SAQ)

Taking Mobile Payments

• Security issues:
  – Smart phone malware potential
  – Many other end user technologies potentially in use on the devices (SMS, web browsing, Wi-Fi, etc.)
  – Hard to control the personal device security
• P2PE and EMV technologies help with “encrypt at swipe” card reader, but manual transaction entry still a problem
• Long term: “sandbox” the payment app to run in a dedicated secure environment, requires new mobile hardware
• More guidelines from PCI SSC expected soon

Page 48: How To: The PCI Self-Assessment Questionnaire (SAQ)

Wrap Up

• PCI DSS compliance and validation is typically not a quick, easy process
  – Know where the card data is!
  – Take time to really understand the SAQ D requirements and your card network
  – Plan on sufficient time for the effort
• Consider consulting with a QSA even if just filling out an SAQ
• Remember, compliance is often more work than just SAQ validation

Page 49: How To: The PCI Self-Assessment Questionnaire (SAQ)

Don’t Give Up!