A look at the audit through the prism of the PCI DSS standard

16 March 2011, 10:46


The number of transactions made with payment cards is growing rapidly: online payments, cashless payments at trade and service enterprises, operations on bank accounts in online banking, and other payment applications offered by service providers. Correspondingly, the infrastructure in which cardholder data and sensitive authentication data circulate keeps expanding. If this information, or any part of it, falls into the hands of criminals, both the issuing banks and the end users suffer financial losses.

As the systems that process cardholder data elements grow in scale, so does the scope for fraud. In this context the most common attacks directed at the user are still data theft using malicious software and information theft using fake web resources that imitate the vendor company (phishing). Attacks aimed at the vendor itself are in most cases carried out by the victim's own employees (insider attacks). In the first case the attacker can be countered by informing the user and installing the appropriate client software, whereas the second case calls for a proper organizational and technical approach to protecting the systems and processes in which payment card data elements are stored, processed and transmitted.

The Payment Card Industry Security Standards Council (PCI SSC) [1], founded by the leading international payment systems (Visa, MasterCard, American Express, Discover, JCB), has developed a set of documents containing requirements for securing cardholder data: the Payment Card Industry Data Security Standard (PCI DSS).



The PCI DSS standard imposes rather stringent security requirements on the infrastructure components through which payment card information is transmitted, processed or stored. Checking the payment infrastructure against these requirements makes it possible to identify the factors that significantly reduce its level of security. Moreover, a well-built audit procedure structures the information obtained in the course of the compliance assessment and produces prioritized recommendations for raising the level of information security. As a result, a company that orders a compliance assessment receives not only the most complete picture of the security of its payment infrastructure, in the form of an official report with comments on every requirement, but also an action plan: the set of basic steps that must be taken to fix the identified problems. The penetration tests that PCI DSS includes among its mandatory activities are able to demonstrate the real level of protection of the company's information resources, both from the position of an attacker located outside the perimeter under study and from the position of an internal employee of the company.

The international payment systems require all banks, trade and service enterprises (merchants), processors and other companies doing business in the payment card field to comply with PCI DSS. The sanctions that the payment systems apply for non-compliance are the lever that drives merchants and service providers to adapt their infrastructure and business processes. It follows that the PCI DSS compliance assessment service should not be treated merely as a formal procedure for obtaining a certificate of conformity.

A consulting company that offers a PCI DSS compliance assessment service must have at its disposal an audit methodology for this standard that lets it evaluate the security posture of the infrastructure under review. In the context of the PCI DSS requirements, the methodology makes it possible, within a fixed period of time, to identify the main components of the system and to structure the results properly. Thus the consultant's task is to ensure the security of cardholder data and, as a consequence, to help the customer achieve compliance with the PCI DSS requirements.

Definitions


ASV (Approved Scanning Vendor) - a scanning vendor that holds official status granted by the Security Standards Council (PCI SSC).

On-site audit - an audit of the customer's infrastructure conducted by the auditor directly on the components that are actually in operation.

QSA (Qualified Security Assessor) - a company whose staff have individually been trained and examined by the Security Standards Council (PCI SSC).

Auditor (consultant) - a person who performs PCI DSS audits (checks of compliance with the standard) and consulting activities related to PCI DSS compliance assessment.

Customer - a legal entity interested in having a PCI DSS compliance check performed.

Acquirer - a participant in the payment card system (a bank) that establishes and maintains relationships with the trade and service enterprises that accept payment cards. [2]

The PCI DSS standard


Overview of the PCI DSS standard

The Payment Card Industry Data Security Standard is a collection of 12 detailed requirements for securing cardholder data that is transmitted, stored and processed in the information infrastructure of trade and service enterprises, service providers and other organizations. Taking the measures needed to meet the requirements of the standard implies a comprehensive approach to the information security of payment card data.

The composition [3] and a description of the official documents that make up the PCI DSS standard:

1) Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0.
The document describes in detail the 12 requirements of the standard and the scope of their applicability, gives basic information on preparing for a compliance audit and on conducting it, and explains how the deliverables are written. It was developed primarily for use by auditors conducting on-site compliance audits.

2) Glossary. Version 2.0 (Glossary v2.0).
The list of terms and abbreviations used in the PCI DSS documentation. It is intended to clarify the terms used in the other supporting documents and is therefore recommended to the customer for review.

3) Navigating the PCI DSS. Version 2.0 (Navigating the PCI DSS v2.0).
A document that describes the 12 requirements of the standard with an explanation of their meaning, so that trade and service enterprises, service providers and other financial institutions can better understand the requirements.

4) Prioritized approach to achieving PCI DSS compliance. Version 1.2 (Prioritized Approach for PCI DSS v1.2).
Rules for organizing the work so that risk is reduced in the early stages of the compliance effort. The prioritized approach consists of 6 milestones which, taken in order of priority, help distribute the effort to achieve compliance and reduce the risk of payment card data being compromised during implementation. The approach does not replace the requirements of PCI DSS v2.0.

5) Validation requirements for qualified security assessors (PCI DSS Validation Requirements for Qualified Security Assessors).
An appendix containing the Security Standards Council's requirements for security assessors who are obtaining, or already hold, Qualified Security Assessor (QSA) status.

6) Validation requirements for scanning vendors (PCI DSS Validation Requirements for Approved Scanning Vendors).
An appendix containing the Security Standards Council's requirements for scanning vendors who are obtaining, or already hold, Approved Scanning Vendor (ASV) status.

7) Self-assessment questionnaires. Version 2.0 (PCI DSS Self-Assessment Questionnaire v2.0).
The questionnaires are intended for self-assessment by trade and service enterprises and service providers against the standard, and serve as a means of verifying a financial institution's PCI DSS compliance according to the document "Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures v2.0". Several variants of the self-assessment questionnaire exist, each used in a particular case.

8) Attestation of PCI DSS compliance - merchants. Version 2.0 (PCI DSS Attestation of Compliance - Merchants v2.0).
A document template filled in by the QSA or by the merchant (if the merchant conducts an internal audit); the result is the official document attesting the merchant's PCI DSS compliance.

9) Attestation of PCI DSS compliance - service providers. Version 2.0 (PCI DSS Attestation of Compliance - Service Providers v2.0).
A document template that the QSA and the service provider must fill in; it serves as the official document attesting the service provider's PCI DSS compliance.

Related documents:

1) Additional documents - ASV (Additional Documents - ASV).
A documentation set for scanning vendors (ASV): the ASV guidance, the list of ASV requirements, and the procedure for verifying ASV status.

2) Additional documents - QSA (Additional Documents - QSA).
A documentation set for qualified security assessors (QSA): the QSA agreement and the list of QSA requirements.

3) Additional documents - PFI (Additional Documents - PFI).
A documentation set for PCI Forensic Investigators (PFI): the PFI guidance, the list of PFI requirements, and the procedure for verifying PFI status. The status of forensic investigator in the payment industry was introduced by the PCI SSC together with the second version of PCI DSS.

4) Requirement 11.3 Penetration Testing (Requirement 11.3 Penetration Testing).
A detailed description of PCI DSS requirement 11.3 on conducting penetration tests.

5) Requirement 6.6 Protecting web applications (Requirement 6.6 Application Reviews and Web Application Firewalls Clarified).
A clarification of PCI DSS requirement 6.6 on protecting web applications.

6) Wireless guidelines. Version 1.2 (Wireless Guidelines v1.2).
The document contains proposals and recommendations for deploying and testing wireless networks in the context of the PCI DSS requirements.

The developer of the standard has paid little attention to structuring its documentation base. The consultant must therefore work out how the official documents relate to one another in order to build the methodological basis of the audit. Figure 1 shows the hierarchy of the official PCI DSS documents.



Figure 1 - Hierarchy of the official documents of the PCI DSS standard

Key requirements for organizing data protection

The key requirements for organizing the protection of cardholder data are stated in the document "Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures v2.0" and are grouped so as to simplify security auditing. Below is the list of the 12 requirements on which PCI DSS is based, grouped by type of audit procedure, with a brief analysis of each group. [4]

1) Requirement 1. "Install and maintain a firewall configuration to protect cardholder data."
2) Requirement 2. "Do not use vendor-supplied defaults for system passwords and other security parameters."


The first group is called "Build and Maintain a Secure Network" (requirements 1 and 2). Requirement 1 makes clear how important segmentation of the target infrastructure is and by what means it is built. The firewall is the foundation of security: a properly designed flow of traffic puts the entire infrastructure in order. Nevertheless, the latest version of the standard softens the language somewhat, and requirement 1 now implies that traffic may be filtered and blocked by means other than a firewall as well.

In addition to blocking and filtering network traffic on the main system components (in the supporting documents this means the servers in the network under review), requirement 1 contains paragraph 1.4, which covers personal firewalls on employee workstations with a proper configuration (the user cannot change the firewall settings); this is the procedure that is hardest for the organization's administrator to control. Requirement 2 reminds network administrators of the mandatory change of the system parameters set by the manufacturer by default.

3) Requirement 3. "Protect stored cardholder data."
4) Requirement 4. "Encrypt transmission of cardholder data across public networks."


The group "Protect cardholder data" (requirements 3 and 4) examines the critical methods of data protection (encryption, security key policy, etc.) and their area of application, while the other information security methods described in the remaining requirements are positioned as means of reducing the risk of compromise. This set of requirements describes the policy and lifecycle of security keys. Because storing cardholder data in encrypted form rules out its illegal use by an attacker (even one who has somehow overcome the remaining lines of defense), the points in this group are worded very strongly, which lets the auditor interpret them unambiguously with respect to the object and subject of the audit. A useful technique for storing cardholder data that qualifies as personal data (information relating to a specific individual) is its "depersonalization": removing, or storing separately, those data fragments which by themselves cannot clearly identify the owner.
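The following is an added example, not code from the original article, illustrating the depersonalization technique described above: the PAN is validated, masked for display, and split into fragments that are stored in two separate places and linked only by a keyed HMAC token (a constructed demo key is used; in a real system the key is managed under requirement 3 and the vault fragment is additionally encrypted, which this stdlib-only example omits). All function and record names are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a sanity check before a PAN is accepted for storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed, one-way reference linking the fragments without exposing the PAN.
    An unkeyed hash would be brute-forceable (the PAN space is small);
    HMAC with a secret key removes that weakness."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def split_record(pan: str, key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Depersonalize: the application database keeps only the masked PAN,
    the vault keeps only the middle digits. Neither fragment alone
    identifies the card; both are linked by the token."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    token = pan_token(pan, key)
    app_record = {"token": token, "masked_pan": mask_pan(pan)}
    vault_record = {"token": token, "middle": pan[6:-4]}
    return app_record, vault_record


def reassemble(app_record: Dict[str, str], vault_record: Dict[str, str],
               key: bytes) -> str:
    """Rebuild the PAN from both fragments and verify it against the token,
    so a tampered or mismatched fragment is rejected."""
    if app_record["token"] != vault_record["token"]:
        raise ValueError("fragments do not belong to the same card")
    m = app_record["masked_pan"]
    pan = m[:6] + vault_record["middle"] + m[-4:]
    if not hmac.compare_digest(pan_token(pan, key), app_record["token"]):
        raise ValueError("reassembled PAN does not match token")
    return pan


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # demo key, generated per run
    demo_pan = "4111111111111111"           # constructed, well-known test PAN
    app_rec, vault_rec = split_record(demo_pan, key)
    print("application record:", app_rec)
    print("vault record:      ", vault_rec)
    print("reassembled:       ", reassemble(app_rec, vault_rec, key))
```

The application record is what most of the infrastructure sees; it never contains a complete PAN, so a compromise of that database alone yields nothing usable, and the audit scope for the systems holding it shrinks accordingly.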

5) Requirement 5. "Use and regularly update anti-virus software."
6) Requirement 6. "Develop and maintain secure systems and applications."


The group combining requirements 5 and 6 is called "Maintain a Vulnerability Management Program". Vulnerability management here means the timely installation of recent updates, including for anti-virus software, and the development, maintenance and use of secure applications, including web applications.

7) Requirement 7. "Restrict access to cardholder data by business need to know."
8) Requirement 8. "Assign a unique ID to each person with access to the information infrastructure."
9) Requirement 9. "Restrict physical access to cardholder data."


Requirements 7, 8 and 9 are grouped as "Implement Strong Access Control Measures" and cover the organizational and technical protection of information, using both organizational security measures and mechanisms for controlling and monitoring physical access.

10) Requirement 10. "Track and monitor all access to network resources and cardholder data."
11) Requirement 11. "Regularly test security systems and processes."


Notable for the auditor is the group "Regularly Monitor and Test Networks" (requirements 10 and 11). Not every merchant can afford to maintain an internal information security service and to carry out preventive penetration testing and security monitoring with its own staff on a regular basis. The need for these systematic procedures creates a market for information security services in the form of internal and external penetration testing and infrastructure vulnerability scanning from a wide variety of vendors. During the PCI DSS compliance assessment the auditor must see the results of the most recent preventive penetration test and ASV scan (sub-requirements 11.2 "Quarterly vulnerability scanning" and 11.3 "Annual penetration testing") and verify that all identified vulnerabilities have been eliminated. Since these results may come from penetration testing and vulnerability scanning services provided by a third party, the auditor's conclusions consequently rest on the credibility of the data that third party produced while providing the service.

12) Requirement 12. "Maintain a policy that addresses information security."

In the scale of its implementation, requirement 12 is one of the hardest to adapt to the customer's infrastructure. Paragraph 12.1.1 requires the creation of a policy that takes all PCI DSS requirements into account. Trade and service enterprises and service providers undergoing certification must develop their security policy, or revise the current one, in accordance with the requirements of the standard.

Security programs of Visa and MasterCard

The PCI DSS standard was developed by the leading international payment systems and combines the requirements of the Visa and MasterCard security programs.

The Visa AIS program

The Account Information Security program (Visa AIS) was developed by Visa for Europe (the similar program for Visa USA is the Cardholder Information Security Program) to help trade and service enterprises and service providers take measures to improve the security of Visa cardholder data and transaction information.

The Visa AIS program requirements that an organization must fulfil depend on the number of Visa card records it stores, processes and transmits per year. Based on these figures, the acquirer assigns a certain level to the trade and service enterprise. Below is the list of program requirements for merchants and service providers.

Requirements for trade and service enterprises (merchants):

1) an annual on-site PCI DSS compliance audit (any merchant handling more than 6 million Visa transactions per year, or an international merchant that has been assigned Visa level 1 in another region or country);

2) an annual self-assessment questionnaire (SAQ) (a merchant processing 1 million to 6 million Visa transactions per year across all payment channels, or a merchant processing from 20,000 up to 1 million Visa e-commerce transactions per year);
Views: 472 | Added by: w1zard | Rating: 0.0/0