Index

A

Access Control Entries (ACEs), 84
Access Control Lists (ACLs), 84
Access controls, 73
  authentication
    basics of, Requirement 8, 76–84
    and Requirements 8.5.1–8.5.7, 79–81
  case study
    loose permissions case, 99–100
    stolen database case, 98–99
  Cisco enforcing session timeout, 90–91
  databases and Requirement 8.5.16, 83–84
  educating users, 81–82
  locking users out, Requirements 8.5.13–8.5.15, 82–83
  multifactor authentication, 77
  paper data, 94–95
  password
    design for PCI DSS, Requirements 8.5.8–8.5.12, 82
    policy enforcement, 96
  password complexity requirements, 89–90, 82
  SUID and SGID, 89
  PCI compliant access controls, 94
  PCI DSS requirements, 73–94
  physical security, 91–94
    facility entry controls, 91
    handling media, Requirements 9.5–9.10.2, 93–94
    handling visitors, Requirements 9.2–9.4, 92–93
    types of, 91
    vulnerable area protection, 91–92
  POS terminal, 94
  POSIX access control, 88–90
    Linux, 88
  principles of, 74–75
    availability, 75
    confidentiality, 74
    integrity, 74–75
  random password for users, 97
  rendering passwords unreadable, 78–79
  setting up SSH in Cisco environment, 90–91
  user’s access, Requirement 7, 75–76
    tools, 80
  two-factor authentication and Requirement 8.3, 77–78
  tools, 95
  windows and PCI compliance, 84–88
    enabling password protected screen savers, 87
    inactive accounts in active directory, 86
    password requirement enforcement, 86–87
    setting file permissions, 87–88
    windows file access control, 84–86
  See also Network security
Access control systems, 89
Access lists (ACLs), 270, 57
Access point (AP), 132
Access_log, 190
Account lockout policy, 87
ACEs. See Access Control Entries
ACLs. See Access Control Lists
Acquiring bank, 15, 266
  in ASV picking, 167
  in PCI payment ecosystem, 15
  in PCI Validation Requirements submission, 315–316
Active directory. See Windows Active Directory
Advanced Encryption Standard (AES), 137–138
AES. See Advanced Encryption Standard
Albrecht Discount (ALDI), 8
American Express, 20
Anti-Spoofing technology, 58
Antivirus software
  automatic validation tools, 169–172
  for malicious software, 156
  PCI Requirement 5, 150, 29
  and Symantec AntiVirus, 200
Apache web server, 118
AP. See Access point
Applicability of PCI DSS, 17–19
Application vulnerability assessment, 149–150
Approved Scan Vendors (ASVs), 167, 151, 119, 29, 27, 20
  expectations from, 175–176
  external vulnerability scanning with, 167
    definition of, 167
  operationalizing, 173–175
  picking considerations, 167–172
    automatic validation of PCI DSS controls, 169–172
    avoiding blind selection, 167–168
    group identification, 168
    organization role, 172
    using same technology provider, 168
  working process, 172–173
  See also Qualified Security Assessor (QSA); Vulnerability management
Approved scanning vendors (ASVs), 312–314
  setting up quarterly external network scans, 246–247
Assessors, 254–256
  advantages, 254–255
  balancing remediation needs, 255–256
  dealing with mistakes, 256–258
  interviewing, 254–255
  use of failed assessment, 256
ASVs. See Approved scanning vendors
Attestation of Compliance forms, 26
Audio/visual equipment (A/V equipment), 147
Auditors. See Assessors
Authentication, access control, 76–84
  multifactor authentication, 77
  two-factor authentication, 77–78
AxCrypt, 112

B

Bank Identification Number (BIN), 110
Base scoring metrics, 261
BIN. See Bank Identification Number
BitLocker Drive Encryption, 113
Blink (Visa), 293
Bluetooth®, 141–142
Botnets, 8
Brand security programs, 25

C

CA. See Certificate Authority
Capital Expenditure (CapEx), 272
Card brand, 16
Card scheme. See Card brand
Card transmission rules. See Misc card transmission rules
Cardholder data environment (CDE), 151–152
Cardholder data protection, 281–282
Cardholder Information Security Program (CISP), 23–24
CCO. See Chief compliance officer
Cellular data networks, recent advancement, 131
Central Office (CO), 130
Certificate Authority (CA), 118
Chief compliance officer (CCO), 1
Chief information officer (CIO), 178
Chip & PIN technology, 294
CIA. See Confidentiality, integrity, and availability
CIP. See Critical Infrastructure Protection
Cisco and PCI requirements, 90
  Cisco enforcing session timeout, 90–91
  setting up SSH in Cisco environment, 90–91
Cisco ASA firewall device, 189
Citrix, 47, 274
Cleanup rule, 56
Client application vulnerability, half-life of, 180
Column-level encryption, 113–116
  advantages, 114–115
  disadvantages, 115
  See also File-level encryption; Full-disk encryption (FDE)
Commercial off-the-shelf (COTS) software, 166
Common Gateway Interface (CGI), 123–124
Common Vulnerabilities and Exposures (CVE), 260
Common Vulnerability Scoring System (CVSS), 153, 260–262
Compensating control, 263–265
  case studies, 273–275
    newborn concierge case, 273–275
  creation of, 269–273
    approval, 269
  encryption requirements, 266
  flat store network, 269
  funny controls, 267–269
  if not, 265–267
  lifespan, 266
  in PCI DSS, 265
  network components, 270
  network segmentation, 265–266
  reliable logs, 272
  store network segmentation, 270
  suggestions, 271
  uses, 266, 263–264
Compliance Acceleration Program (CAP), 236, 249
  See also Visa Compliance Acceleration Program (CAP) Fines
Compliance achievement, PCI DSS
  bringing key players, 237
    compliance team formation, 238
    corporate sponsorship, 237–238
    getting results fast, 238–239
    front line notes, 239
    roles and responsibilities of team, 238
  budgeting time and resources, 239–242
    Gantt Chart, 241
    goals and milestones establishment, 240–241
    management’s expectations, 240
    setting expectations, 240
    status meetings, 241–242
  justifying business case, 232–237
    compliance overlap, 233–234
    cost for noncompliance, 235–237
    need identification, 232–233
    penalties for noncompliance, 235–237
    validation level, 234–235
  PCI DSS prioritized approach, 248
  project quickstart guide. See Project quickstart guide
  staff education, 242–244
    company training on compliance, 242–243
    compliance team training, 242
    corporate compliance training program, 243–244
  Visa TIP, 248–250
Compliance efforts, 1
Compliance plans, 233
  and key members, 237
  in corporate compliance training program, 243
  creation, 247–248
  justifying business case, 232
Compliance team
  forming of, 238
  training, 242
Confidentiality, Integrity, and Availability triad (CIA triad), 104–105, 195
  auditability component, 105
  PCI DSS data protection, 106
Configuration standards development, 62–63
Confusing validation requirements case, 36
Continuing Professional Education (CPE), 287
Core operating system vulnerability, half-life of, 180
Corporate social responsibility (CSR), 321
Corporate sponsorship, obtaining of, 237–238, 245
Country code (CC), 109
Credit card acceptance risks, 224–225
Credit card fraud, 7
  cyber-criminals, 7–8
  security breaches, 10
  See also Identity theft; Personal data theft; Payment Card Industry Data Security Standard (PCI DSS)
Critical Infrastructure Protection (CIP), 2
Cross-border prosecution issues, 7–8
Cross-site request forgery (CSRF), 161
Cross-site scripting (XSS), 161
Cryptography, 127
Customer experience, payment schemes, 298
CVV2 storage, 309
Cyber-criminals, 7–8

D

DACLs. See Discretionary Access Control Lists
DAM. See Database activity monitoring
Data acquisition and vulnerability management, 153
Data breaches, 3–4, 8
  and PCI DSS, 309, 311
  at TJX, 120
Data encryption
  for data at rest, 111–116
    column-level encryption. See Column-level encryption
    file-based versus full-disk encryption, 114
    file-level encryption. See File-level encryption
    folder-level encryption. See File-level encryption
    full-disk encryption (FDE). See Full-disk encryption (FDE)
  data encryption mistakes, 126–128
  database, 127
  FDE, 112–113
Data Loss Prevention (DLP), 41, 274
Data protection and requirement, 103–105
Data Security Standard (DSS), 54
Database activity monitoring (DAM), 187–188
Database Administrators (DBAs), 83–84, 115
Database encryption. See Column-level encryption
Database server, 58, 63, 83
DatalossDB, 8
DBAs. See Database Administrators
Default passwords, 61
De-Militarized Zone (DMZ), 56, 182–183
Detection, 186
Developing security program case, 35–36
Digital Subscriber Line (DSL), 69, 140
Discover, 20
Discretionary Access Control Lists (DACLs), 84, 272
Disk-only encryption, 268
DMZ. See De-Militarized Zone
Documentation, 68
Domain Name System (DNS), 40, 63, 191

E

ECC. See Elliptic Curve Cryptography (ECC)
E-commerce, 227
ED. See Expiration date
E-discovery, 218–219
Egress filtering, 67–68
Electronic card payment ecosystem, 15–19
Elliptic Curve Cryptography (ECC), 137–138
E-mail logs, 190
E-mail scams, 7
Emerging technology. See Payment schemes, new; Europay, MasterCard, and Visa (EMV)
EMV technology. See Europay, MasterCard, and Visa (EMV)
Encrypting File System (EFS), 112
End sentinel (ES), 109
Environmental score metrics, 262
Error_log, 190
Europay, MasterCard, and Visa (EMV), 297
Europe vs US, payment schemes, 297–298
Events Per Second (EPS), 211
Expiration date (ED), 109
External vulnerability scanning, with ASV, 167

F

Facility entry controls, Requirement 9.1, 91
Fail to win, 256
FC. See Format code
FDE. See Full-disk encryption
Federal Energy Regulatory Commission (FERC), 2
Federal Information Security Management Act (FISMA), 8–10
FERC. See Federal Energy Regulatory Commission
FHSS. See Frequency-Hopping Spread Spectrum
Field separator (FS), 109
File integrity monitoring, 182, 318
  Requirement 10.5.5, 196
  Requirement 11.5, 213, 217, 286
File permission
  chmod command, 88
  Linux systems, 88
  on Standalone Windows Computers, 87–88
File Transfer Protocol (FTP), 199
File-level encryption, 111–112
  advantages, 111–112
  disadvantages, 111
  EFS, 112
  FDE vs, 114
  See also Column-level encryption; Full-disk encryption (FDE)
Firewall, 66, 67
  considerations for PCI DSS requirement, 58–60
Firewall configuration standards establishment, 54–66
  configuration standards development, 62–63
  connection restriction, 57–58
  data flow, 55
  default passwords, 61
  deleting unnecessary accounts, 62
  denying traffic from untrusted networks, 56–57
  firewall considerations for requirement, 58–60
  firewall implementation, 56
  IDS, 59
  non-console administrative access encryption, 65
  personal firewalls, 58
  shared hosted environment protection, 65–66
  single purpose server implementation, 63–64
  SNMP, 61
  system security parameter configuration, 64–65
  tools, 57
FISMA. See Federal Information Security Management Act
Flat network, 70
  and compensating control, 265–266
  definition, 307–308
  and prioritization, 153–154
Folder-level encryption. See File-level encryption
Format code (FC), 109
Free open-source database MySQL, 115
Frequency-Hopping Spread Spectrum (FHSS), 134, 142
Full-disk encryption (FDE), 112
  advantages, 112–113
  disadvantages, 113
  file-level encryption vs, 114
  See also Column-level encryption; File-level encryption

G

Gantt Chart, 241
Gantter, planning software, 240
GanttProject, planning software, 240
General Mobile Radio Service (GMRS), 134, 142
General Packet Radio Service (GPRS), 118, 120
Global System for Mobile Communications (GSM), 118
GMRS. See General Mobile Radio Service
GNU Grep, 41
GNU Privacy Guard (GPG), 112
GnuPG. See GNU Privacy Guard (GPG)
Google Checkout, 295–296
GPO. See Group Policy Object
GPRS. See General Packet Radio Service
Gramm–Leach–Bliley Act of 1999 (GLBA), 8–10, 2
Group Policy Object (GPO), 84
GSM. See Global System for Mobile Communications

H

Hacking, 7–8
Hacktivism, 278
“Hard-coding” secrets, 118
Health Insurance Portability and Accountability Act (HIPAA), 2, 8–10, 233
HIDS. See Host-based intrusion detection system
HIPS. See Host-based intrusion prevention system
Host-based intrusion detection system (HIDS), 59
Host-based intrusion prevention system (HIPS), 59, 60
Host-based security, 53
HP ArcSight, 211–212
HTTP. See Hypertext Transfer Protocol
Hybrid intrusion detection system (Hybrid IDS)
Hypertext Transfer Protocol (HTTP), 149–150, 199

I

IBM DB2 database, 115
ID theft. See Identity theft
Identity theft, 7
  breaches, 10
  computer attacks, 8
  cyber-criminals, 7–8
  data breaches tracking tools, 8
  hacking, 7–8
  personal data theft, 7, 8
  security problems, 8–10
  See also Credit card fraud; Payment Card Industry Data Security Standard (PCI DSS)
IEC. See International Electrotechnical Commission
Inbound traffic, 30, 228
Independent Sales Organizations (ISOs), 15, 229
Information risk management documents, 306
Information security, 185
  process, 186
Information technology (IT), 29–30
  and PCI DSS requirements, 264
  and penetration testing, 150
  staff training, 279–280
    secure coding practices, 279–280
    systems training, 280
Infrastructure, 210
  of log management, 220
  of network, 189, 196
  and security, 187
Initialization vector (IV), 144
In-scope user, 80
Integrity monitoring, 217–218
Intelligence, 185
Internal network, 56
Internal Security Assessor (ISA), 50, 23, 20
Internal vulnerability scanning, 176
  PCI compliance, 177
  PCI DSS scan issue tracking process, 177
  penetration testing, 178–179
  remediation, 176–177
  in servers, 177
  system change issues, 178
  See also Approved scanning vendor (ASV); Vulnerability management
International Electrotechnical Commission (IEC), 2
International Organization for Standardization (ISO), 2
Internet Control Message Protocol (ICMP), 53
Internet Protocol (IP), 83–84
Internet Protocol Security (IPsec), 117
Internet Service Provider (ISP), 53
Intrusion detection system (IDS), 59, 60, 138–139, 187
  HIPS, 59–60
  key facts, 215
  mistakes, 216–217
  in monitoring cardholder data environment, 213
  network taps, 216
  NIDS, 59
  NIPS, 60
  TAP, 59–60
  VLAN, 59–60
Intrusion prevention systems (IPSs), 53, 60, 154–155, 138–139
  deployment, 215
  key facts, 215
  in monitoring cardholder data environment, 213–214
IP-based Point of Sale (POS), 69
ISO17799 standard, 35, 307
ISO27002 standard, 9, 307
ISO27005 “Information security risk management,” 306
IT. See Information technology
IT. See Information technology

J

JCB card, 20
Juniper firewall log message, 189

K

Key management
  and PCI, 116–117
  Requirement 3.6, 116–117
Kismet, 142–144
KISP. See Cardholder Information Security Program (CISP)
Knee jerk reactions, 223
Knowledge of encryption, 268
“Known bad” message, 204
  identification, 204–205

L

Legitimate technological constraint, 263–264
Level 4 merchant, 223
Lifecycle process for changes to PCI, 32
Lightweight Directory Access Protocol (LDAP), 77
Linux iptables firewall, 189
Linux, 88
  access control systems, 89
  password complexity requirements, 89–90
Log management problem, 188
Log review, 196, 219
Logging and monitoring cardholder data environment, 187–190
  case study
    risky risk-based approach case, 219–220
    tweaking to comply case, 220–221
  e-mail tracking, 190
  firewall log messages, 189
  in PCI DSS, 186–187
  log management problem, 188
  log-producing technologies, 189
  mistakes and pitfalls, 218–219
  monitoring using logs, 189
  PCI relevance of logs, 190–191
  reviewing NIDS logs, 189
  web server log analysis, 190
Logging and monitoring in PCI, 197–201
  across PCI DSS requirements, 198–199
  antivirus defenses, 200
  changing user passwords, 200
  data encryption, 199–200
  installing and maintaining firewall configuration, 197
  justification and documentation, 199
  password management, 199
  scanning in-scope systems, 201
  secure systems and applications, 200
  security policy, 201
Logging in PCI, Requirement 10, 191–195, 197
  CIA, 195–196
  log retention, 196–197
  log reviews, 196
  logging requirement, 193
  PCI events, 194
Logging tools, 209–212
LogLogic, 211–212
Longitudinal redundancy check (LRC), 109
LRC. See Longitudinal redundancy check
LRC. See Longitudinal redundancy check

M

MAC. See Mandatory access control
Malicious software, 8, 156
  automatic validation of, 169–172
Management sponsorship, 237
Mandatory access control (MAC), 272
MasterCard Fines, 236
  Level 1 and 2 merchants, 236
  Level 3 merchants, 236
MasterCard, 20
Media Access Control (MAC), 133
Merchant levels, 17–18
Merchant Service Provider (MSP), 15
Merchants, 14
  levels, 17–18
  PCI DSS
    compliance deadlines for, 19
    requirements on, 16
    validation, 23
  See also Service providers
Message Digest 5 (MD5), 90
Microsoft IIS, 118
Microsoft SQL Server, 115
Microsoft Project, planning software, 240
Minnesota’s Plastic Card Security Act,
Misc card transmission rules, 120–121
Mitigation, vulnerability management and, 150–151
Mixed Mode, 44
Mobile scheme, 292–293
Monitoring
  data and log for security issues, 195–197
  integrity monitoring, 217–218
  and logging
    in PCI, other requirements, 197–201
    in PCI DSS, 198–199, 186–187
    in-depth, 187–190
  physical access, 98
  tools for, 213
Multifactor authentication. See Two-factor authentication, and Requirement 8.3

N

National Security Agency (NSA), 89
National Vulnerability Database (NVD), 154, 260
  user privilege violation vulnerability in, 163
Near-Field Communication (NFC), 292–294
  payment brands, 293
  routing, 293
  scheme, 292
  spoofed card risk, 294
“Need-to-know,” for access, 75, 81
NetStumbler, 142–143
Network intrusion detection system (NIDS), 59, 189
  deployment, 214–216
  in monitoring cardholder data environment, 213
Network security
  database structure, 67
  do over case, 71
  documentation, 68
  egress filtering, 67–68
  firewall, 66–67
  firewall configuration standard establishment, 54–55
    configuration standards development, 62–63
    connection restriction, 57–58
    data flow, 55
    default passwords, 61
    deleting unnecessary accounts, 62
    denying traffic from untrusted networks, 56–57
    firewall considerations for Requirement 1, 58–60
    firewall implementation, 56
    IDS, 59
    non-console administrative access encryption, 65
    personal firewalls, 58
    shared hosted environment protection, 65–66
    single purpose server implementation, 63–64
    SNMP, 61
    system security parameter configuration, 64–65
    tools, 57
  host-based security, 53
  large, flat corporate network case, 70–71
  layers, 53–54
  network administration, 66
  PCI DSS requirements, 54–66
  securing tips, 66
  small, flat store network case, 68–70
  system defaults, 68
  See also Access controls; Payment Card Industry Data Security Standard (PCI DSS)
Network Test Access Ports (TAPs), 59–60
Network time protocol (NTP), 40, 191
Network vulnerability assessment. See Vulnerability assessment
Network vulnerability scanner, 152
Network vulnerability scanning. See Vulnerability assessment
Network vulnerability testing. See Vulnerability assessment
Network-based intrusion prevention system (NIPS), 60
Nevada’s PCI Law, 11
New Technology File System (NTFS), 86
Next-gen Payments. See Payment schemes, new; Europay, MasterCard, and Visa (EMV)
NFC. See Near-Field Communication
NIDS. See Network intrusion detection system
Nigerian e-mail scams, 7
NIST SP 800-30 “Risk Management Guide for Information Technology Systems,” 306
Nitro, 211–212
Noncompliance
  cost for, 235–237
  penalties for, 235–237
Non-console administrative access encryption, 65
North American Electric Reliability Corporation (NERC), 2
NSA. See National Security Agency
NTP. See Network time protocol
NVD. See National Vulnerability Database

O

OmniPlan, planning software, 240
Open Source Vulnerability Database (OSVDB), 260
Open Web Application Security Project (OWASP)
OpenProj, planning software, 240
OpenWorkbench, planning software, 240
Oracle database, 115
Outbound traffic, 67–68, 228
Outsourcing, 223
  cost analysis, 229
OSVDB. See Open Source Vulnerability Database
OWASP. See Open Web Application Security Project

P

PA-DSS. See Payment Application Data Security Standard
PA-QSAs. See Payment Application Qualified Security Assessors
Packet filtering router, 53
Parkerian hexad, 74
Password
  complexity requirements, 82
  default passwords. See Default passwords
  design for PCI DSS, Requirements 8.5.8–8.5.12, 82
  and Linux distributions, 89–90
  policies and procedures, 61
  random passwords. See Random password for users
  unreadable in transit and storage, 78–79
  for Windows computers, 86–87
    for screen savers, 87
Payment Application Best Practices (PABP), 27–28
Payment Application Data Security Standard (PA-DSS), 19, 24–25, 27–28
Payment Application Qualified Security Assessors (PA-QSAs), 24, 27–28
Payment brand. See Card brand
Payment Card Industry (PCI), 8, 54
Payment Card Industry Co (PCI Co). See Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS), 1, 2, 263
  Chief Compliance Officer (CCO), 1
  compliance, 1
  controls, automatic validation, 169–172
  organization, 4–5
  requirements, 11, 150–151
  standards and regulations, 2
  usability in daily job, 3–4
  users, 3
Payment Card Industry Data Security Standard (PCI DSS), access control, 263
  password complexity requirements, 82
  password design for, Requirements 8.5.8–8.5.12, 82
  pitfalls
    legacy systems, 97–98
    physical access monitoring, 98
    poor documentation, 97
Payment Card Industry Data Security Standard (PCI DSS), data protection
  Appendix A of. See PCI DSS, Appendix A of
  awareness in industries, 12
  banned data, 109
  case study, 128–130
  in credit card industry, 10
  firewall solution, 57
  leaky data case, 128–129
  mapped to CIA, 106
  requirements, 54
  satellite location case, 128–130
  stopping security breaches, 11
Payment Card Industry Data Security Standard (PCI DSS), logging and monitoring
  avoiding pitfall, 211
  building initial baseline, 204
  daily log workflows, 205
  daily tasks, 208–209
  exception investigation and analysis, 205–206
  intrusion prevention functionality, 213
  IPS, 213–215
  “known bad” message identification, 204–205
  log review validation, 207
  logging tools, 209–212
  monitoring tools, 213
  NIDS, 213–216
  PCI-related reports and alerts, 212
  periodic operational task, 208
  policies and procedures, 201–209
    finding exceptions, 202–203
    implicit event type creation, 202–203
    log message review, 203
    PCI log flow, 202
    periodic log review, 202
  prioritized approach, 319
Payment Card Industry Data Security Standard (PCI DSS), myths and misconceptions
  case study, 321–322
    cardless merchant case, 321–322
  conceptual risk formula, 320
  Myth #1, application aspects, 302–305
    example, 302–305
    SAQ type A, 304–305
  Myth #2, clarity and unambiguous, 305–307
  Myth #3, onerous process, 307–309
  Myth #4, relevancy aspects, 309–312
    requirements for data security, 310
  Myth #5, PCI for security need, 312–314
    for multipurpose usage, 312–313
  Myth #6, easy, 314–316
  Myth #7, on PCI compliance, 316–319
    prioritized approach, 319
  Myth #8, on security power, 319–321
  rules
    for health care providers, 302
    violation, 302
Payment Card Industry Data Security Standard (PCI DSS), need for, 1–3
  applicability, 17–19
  ASVs, 29
  brand security programs, 24–25, 35–36
  changes to, 32
  compliance, 1–4, 20–21, 31–32
    benefits, 34–35
    compensating control use, 32
    and validation, 20–23
  compliance deadlines, 19–20
    for merchants, 19
    resources, 20
  data protection issue, 14
  electronic card payment ecosystem, 15–19
  goal, 16–17
  history, 23–24
  merchants, 14–16
  MSPs, 16, 30
  PA-DSS implementation, 31
  PCI SSC, 24–25
    growth, 25
    PA-QSA, 27–28
    PCI ecosystem, 25–26
    Principal-Associate QSA, 28
    QSAs, 26–27
    tools, 26
    vendor certifications programs, 25
  PFIs, 28–29
  prescriptive, 30
  requirements, 29–30
  risk management, 32–34
  security-motivated regulatory guidance, 31
  validation, 21–22
    dependency, 22
    requirements, 21–22, 36
    types based on card acceptance methods, 22
Payment Card Industry Data Security Standard scoping (PCI DSS scoping), 39–40
  basics of, 39–42
  cardholder data environment, 45–46
  cardholder information, 40–41
  challenges, 50
  data discovery tools, 41
  entrenched enterprise case, 51–52
  “gotchas” of, 42–46
  guidance, 40
  leaky data case, 50–51
  Mixed Mode, 44
  Prioritized Approach tool for, 49
  problems, 42–43
  process, 42
  QSA, 44
  SAQ, 49–50
  scope reduction, 46–48
  smaller versus larger businesses, 40
  under-scoping problem, 44–45
  virtualization, 44
Payment Card Industry Security Standards Council (PCI SSC), 2, 24–26
  growth, 25
  PA-QSA, 27–28
  PCI ecosystem, 25–26
  Principal-Associate QSA, 28
  Prioritized Approach for, 49
  QSAs, 26–27
  tools, 26
  vendor certifications programs, 25
Payment schemes, new, 291–296
  case study, 298–299
    cashless cover charge case, 298–299
  customer experience, 298
  EMV, 297
  for global businesses, 297–298
  Google Checkout, 295–296
  mobile scheme, 292–293
  NFC. See Near-Field Communication (NFC)
  payment acceptance effect, 293
  PayPal. See PayPal
  prediction, 296–297
  RFID, 293
  SIM-based payments, 292
  spoofing, 293
  square scheme, 294–295
  TIP, 293
PayPal, 295–296
  disadvantages, 295
  online retailers, 295
PCI and key management, 116–117
PCI compliance, pitfalls, 126–128
  checkbox encryption, 127–128
  complexity of key management, 126
  data encryption mistakes, 126–128
  database data encryption, 127
  hard-coded secret effects, 127
  secure data deletion, 126
PCI Compliance Evidence Package, 207–208
PCI Council, 24–26
PCI DSS, Appendix A of
  compliance, 124–126
    business process identification, 124–125
    data location identification, 125
    need for access, 125–126
    policy development and documentation, 126
    shrinking scope, 125
    work with identified data, 125
  shared hosting provider, 123–124
PCI Forensic Investigator (PFI), 24–25, 28–29
PCI project, planning, 48–50
PCI Requirement 3, cardholder data protection, 103, 106–107, 128
  CIA triad, 104–106
  data encryption methods
    column-level encryption, 113–116
    FDE, 112–113
    file-level encryption, 111–112
  ensuring transmitted data, 117–121
  key management practices, 116
    by mainframe systems, 117
  PCI DSS requirements, 104–105
  PCI DSS subrequirements
    banned data, 108–109
    limited data storage, 107–108
    processes and procedures, 110
    rendering PAN, 110
    sensitive authentication data storage, 110
  policy angle of encryption, 116–117
  processes and activities, 104
  review, 107–117
PCI Requirement 4, 117–121
  IPsec VPNs, 118–119
  misc card transmission rules, 120–121
  Transport Layer Security (TLS) and Secure Sockets Layer, 118
  wireless transmission, 119–120
PCI Security Standards Council (PCI SSC), 2, 13
PCI self-assessment, 287
PCI vulnerability management
  case study
    PCI at e-commerce site case, 182–183
    PCI at retail chain case, 181–182
  mistakes in, 179–181
Penetration testing, 150, 178–179
Personal data theft, 7–8
Personal firewalls, 58
Personal identification number (PIN), 108
Personally identifiable information (PII), 10
Phishing attacks, 7
Pluggable Authentication Modules (PAM), 89
Point Of Sale (POS), 40–41, 91–92, 131, 227–228, 270
  break of, 227
  damage of, 227
POSIX access control, 88–90
  Linux, 88
    access control systems, 89
    password complexity requirements, 89–90
    SUID and SGID, 89
Prevention, 186
Primary account numbers (PANs), 39, 74, 107, 109, 160
Principal-Associate QSAs, 28
Prioritization, vulnerability management and, 153–154
Prioritized Approach for DSS 2.0, 26
Prioritized Approach tool, 49
Privacy Rights Clearinghouse, 8
Private network, 57
Profit & Loss (P&L), 51
Project quickstart guide, 244–248
  annual assessment preparation, 248
  corporate sponsorship, 245
  gap analysis, performing, 247
  PCI DSS compliance plan creation, 247–248
  PCI DSS SAQ-D completion, 246
  PCI level determination, 246
  setting up quarterly external network scans, 246–247
  steps, 244–248
  team identification and establishment, 245–246
  validation by QSA, 247

Q

Q1Labs, 211–212
QSAs. See Qualified Security Assessors
Qualified Security Assessors (QSAs), 2, 20, 26–27, 263
  data flow uses, 55
  employee lookup tools, 28
  firewall installation in wireless network, 135
  on-site DSS assessments, 27
  in PCI DSS scoping, 44
  Principal-Associate, 28
  recertification, 26–27
  See also Assessors
Quality assurance (QA), 165
Quarterly external vulnerability scans, 166, 168, 174
  PCI DSS Requirement 11.2, 173–174

R

RACLs. See Reflexive Access Lists
Radio frequency (RF), 131
Radio-Frequency Identification (RFID) chips, 293
Random Number Generator (RNG), 268
Random password for users, 97
RC4 algorithm, 133
RDP, 274
Reflexive Access Lists (RACLs), 57, 135, 271
Relational Database Management Systems (RDBMSs), 190
Remediation, 176–177
  balancing needs, 255–256
  process, 259
Report on Compliance (ROC), 21, 48, 235, 277
  case study, 287–289
    compliant company case, 288–289
  PCI self-assessment, 287
  reviewing PCI requirements, 280
    access control measure implementation, 284–285
    building and maintaining secure network, 280–281
    cardholder data protection, 281–282
    maintaining information security policy, 286–287
    monitoring and testing networks, 285–286
    vulnerability management program, 282–284
  security. See Security
Request for Comments (RFC), 57
Requirement 11.1, PCI DSS
  testing for unauthorized wireless, 138–140
  wireless IDS/IPS, 140
Requirement 5, PCI DSS
  ensuring system components and software, 158
  new vulnerability identification, 158–159
  review of custom code, 160
  security assessment, 156–158, 165
  software application development, 159
  software development and maintenance practices, 159–160
  testing security systems and processes, 165–166
  web application firewalls, 164–165
    in QA environment, 165
    tuning, 165
  web application scanning, 161–164
    application scanner work, 163
    commercial tools’ vendors, 162
    free or open-source tools, 162
    intrusive behavior, 162–163
    modern, 164
    requirement, 163
    user privilege violation vulnerability, 163
  web-application security, 161
  and web vulnerabilities, 161–165
Requirement 6, PCI DSS, 165–176
  secure and compliant, 165
  vulnerability management activities in, 183
Requirements 2, 4, and 9, PCI DSS
  wireless devices, actual security of, 136–138
    installation, 136–137
    physical protection, 138
Response, 186
Rest of the world, vs Europe vs US, payment schemes, 297–298
RFC 1918 space, 57
Risk analysis, 263–264
RSA enVision, 211–212
Ruby scripts, 97
Rule Set Based Access Control (RSBAC), 89

S

SAQ. See Self-Assessment Questionnaire
Sarbanes–Oxley Act (SOX), 2, 8–10, 193, 233
Scoping errors, 181
SELinux, 89
Secure Shell (SSH), 78–79, 117, 199
Secure Sockets Layer (SSL), 78–79, 117–118, 136
Security, 277–278
  PCI DSS requirements, 279
  periodic review and training, 278–280
  professionals’ training, 280
  secure coding practices, 279–280
  systems training, 280
  threats, 278
Security assessment procedures
  assessors. See Assessors
  reassessment planning, 262
  remediation planning, 258
  remediation process, 259
  risk classification tools, 258–260
  using CVSS, 260–262
Security Content Automation Protocol (SCAP), 153
SecurityFocus Bugtraq, 260
Security policy consideration
  complying with PCI DSS, 122
  data sharing with service providers, 122
  defining policy and procedures, 121–122
  human resources requirement, 122
  incident response plan, 122–123
  information security management, 122
  operational security procedure development, 121
  policy detail handling, 121
  See also Cardholder data protection
Self-Assessment Questionnaire (SAQ), 20, 49–50, 54, 235
  Instructions and Guidelines document, 26
Self-Assessment Questionnaire (SAQ) Type A, 303–304
  under Requirement 12, PCI DSS, 305
  under Requirement 9, PCI DSS, 304–305
  “validation for Type 1,” 303
Self-Assessment Questionnaire D (SAQ-D), 234
Server
  for single purpose, implementation of, 63–64
  types of, 40, 191
Service code (SC), 109
Service providers, 14–15
  levels, 18
  PCI DSS requirements on, 16
  See also Merchants
Service Set Identifier (SSID) broadcast, 133
Set group ID (SGID), 89
Set user ID (SUID), 89
Shared hosted environment protection, 65–66
Shared hosting provider, 123–124
SIEM tools, 211–212
Simple Network Management Protocol (SNMP), 61, 136
  defaults, 61
Single purpose server implementation, 63–64
Site assessment. See Testing of controls, limitations, and restrictions
Small business, PCI DSS for
  case study, 228–229
    cashless cover charge case, 229
  E-commerce, 227
  knee jerk reactions, 223
  new business considerations, 225–227
  POS systems, 227–228
  scheme for SMB hardening, 228
  traffic analysis, 228
SmartPay (MasterCard), 293
SMB hardening, scheme for, 228
SMS, 298–299
Software-as-a-service (SaaS), 149–150
SOX. See Sarbanes–Oxley Act
Special Interest Group (SIG), 39
Spider from Cornell Labs, 41
Splunk, 211–212
Spoofing, 293
Spyware, 8
SQL injection vulnerability, 162
Square scheme, 294–295
“SSID Hiding,” 144
Start sentinel (SS), 109
Stealth rule, 56
Structured Query Language (SQL), 154, 190
Switches, 40, 53
  Boolean configuration switches, 67
  and firewall, 135
System defaults, 68
System security parameter configuration, 64–65

T

Technology Innovation Program (TIP), 19, 248–250, 293
Telnet commands, 65
  and Cisco routers, 90
Temporal score metrics, 261
Testing of controls, limitations, and restrictions, 150
Tools, for logging in PCI, 209–213
Top Ten Web Application Security Issues Project
Traffic analysis, 228
Transport Layer Security (TLS), 117–118
TrueCrypt, 112
Two-factor authentication, and Requirement 8.3, 77–78

U

UK Lottery scams, 7
Unauthorized wireless devices, 139
  and Requirement 11.1, 138
Unified Compliance Framework (UCF), 8–10
Unified Threat Management (UTM), 182
Uniform Resource Locator (URL), 195
UNIX-based systems, 88
Untrusted networks, denying traffic from, 56–57
US vs Europe, payment schemes, 297–298
User privilege violation vulnerability, 163
UTM. See Unified Threat Management

V

Validation
  on card acceptance methods, 22
  and compliance, 20–23
  compliance validation, annual assessment of, 248
  of confusing requirements, 36
  level of, 234–235
  of log review, 207
  of PCI DSS controls, 169–172
  PCI DSS requirements, 21
Virtual local area networks (VLANs), 59–60, 270
  with ACLs, 270
Virtual Private Network (VPN), 98, 118–119, 199
Visa, 20
Visa Compliance Acceleration Program (CAP) Fines, 236
  Level 1, 236
  Level 2 merchants, 236
Visa TIP, 248–250
VMware View, 47, 274
Voice over Internet Protocol (VoIP), 187–188
Vulnerability assessment, 149–150
Vulnerability management, 151–152
  antivirus log setting, 157
  controls in PCI DSS requirements, 150–151
  ensuring antivirus mechanisms, 156
  in information security, 151
  in PCI, 151–156
  maintenance, 282–284
  National Vulnerability Database, 155
  network vulnerability scanners, 152
  processing stages, 152–156
    data acquisition, 153
    mitigation, 154–156
    policy definition, 153
    prioritization, 153–154
  updating antivirus programs, 156
  use of vulnerability scanning tools, 152
Vulnerability scanning tool uses, 152

W

WAF. See Web application firewall
WAS. See Web application scanning
Web application firewall (WAF), 164–165, 283–284
  in QA environment, 165
  tuning, 165
Web application scanning (WAS), 162–164
  application scanner work, 163
  commercial tools’ vendors, 162
  free or open-source tools, 162
  intrusive behavior, 162–163
  modern, 164
  requirement, 163
  user privilege violation vulnerability, 163
Web server
  Apache web server, 118
  log analysis, 190
Whole disk encryption, 268
Wi-Fi®, 132, 131
  antenna, 143, 145
  encryption for, 137
  Evil Twin, 145
  high-power card, 143
  keys, 145–146
  networks, 133–134
  POS system, 139
  signals, 141
  technology, 140
Wi-Fi Protected Access (WPA), 120, 137
Windows Active Directory, 63, 86–87
Windows and PCI compliance
  enabling password protected screen savers, 87
  inactive accounts in active directory, 86
  password requirement enforcement, 86–87
  setting file permissions, 87–88
  windows file access control, 84–86
Wired Equivalent Privacy (WEP) key, 132
  disadvantages, 144
  encryption, 133
Wireless network security, 132–134
  case study
    detached POS case, 148
    double secret wireless network case, 147–148
    expansion plan case, 146–147
    untethered laptop case, 145–146
  need for, 140–142
  in PCI DSS requirements
    firewall installation, 135
    incident response personnel, 136
    physical protection, 138
    policy document, 135–136
    Requirement 11.1, testing for unauthorized wireless, 138–140
    Requirements 1 and 12, documentation, 134
    wireless installation, 136–137
  prevention measures, 143–144
  security functionality, 133
  tools and best practices, 142–143
  WEP key
    disadvantages, 144
    encryption, 133
  Wi-Fi networks, 133
  wireless devices, security of, Requirements 2, 4, and 9, 136–138
    encryption technologies, 136–138
  wireless technologies, 141–142
Wireless network testing, Requirement 11.1, 166
Wireless scanning, 142, 143
  tutorials on, 143
Wireless technologies, 141–142
Wireless transmission, 119–120
Wireless vendors, 137, 139
Worldwide Interoperability for Microwave Access (WiMAX), 142
WPA. See Wi-Fi Protected Access
WPA2 802.11 networks, 137
  802.11a networks, 143
  802.11b and 802.11g targets, 143
  802.11i standard, 137
  802.11i wireless network, 137, 147
  for encryption, 144
  with high-speed Bluetooth networks, 141–142

Y

“Y,” clicking on computer, 315

Z

“Zero-day” attacks, 155
Zigbee®, 142