Diana Kelley and Ed Moyle, co-founders of the consultancy Security Curve, know a thing or two about compliance with the Payment Card Industry Data Security Standard. In this series of instructional videos, Ed and Diana step through each of the 12 PCI compliance requirements, review common questions that they hear when doing assessments, then finally address possible compensating controls that can be used if you cannot meet a given requirement.
Use the links below to jump directly to information on specific PCI compliance requirements:
PCI REQUIREMENT 1: FIREWALLS
The requirement calls for "stateful inspection" devices separating the Internet from the cardholder environment. Documentatation is also necessary to ilustrate how the firewalls are deployed and maintained. But do you need a firewall for every store? And what about the use of routers?
To meet PCI Requirement 2, you'll need to learn how to document a secure configuration by removing vendor-enabled passwords and unnecessary services. Security features like encryption for administrative connections will also need to be enabled. Diana Kelley and Ed Moyle review common questions and gotchas, including what to do with hosting providers.
Watch the Requirement 2 video PCI REQUIREMENT 3: PROTECT DATA
Simple enough, right? Not necessarily, especially with the infamous sub-requirement 3.4, which explains how to protect stored permanent account numbers. In this section, learn when to use encryption on cardholder data and when to store sensitive authentication data.
When your permanent account numbers are travelling over the Internet or other public network, that data needs to be encrypted. But what about WEP? Diana Kelley explains why it's usually easier to rely on TLS or IPsec.
PCI REQUIREMENT 5: ANTIVIRUS
You probably have this requirement taken care of. It's certainly important to scan for malware and viruses (and don't forget about spyware, too!). But what about antivirus for UNIX and mainframes? What about HIPS or POS systems? In this section, the PCI duo explain what kinds of tools and technologies will help you pass Requirement 5.
What does it mean exactly to "develop and maintain secure systems and applications?" Make sure that you're developing and testing applications using secure coding techniques. It's also critical to have processes to make sure that systems are secure against vulnerabilities. Also, external Web applications now require external code review OR an application firewall. But which is best?
PCI REQUIREMENT 7: RESTRICT ACCESS
This requirement is actually fairly intuitive. The important task is to have documented processes and policies in place that can prove that you've limited who has access to cardholder data. But do you need an automated access control system? Ed Moyle and Diana Kelley point out the main reason why organizations may not meet Requirement 7.
PCI REQUIREMENT 8: UNIQUE IDs
In a nutshell, Requirement 8 calls for individual identification for anyone and everyone who has access to cardholder data. In this section, the PCI experts review a common challenge: two-factor authentication for administration.
PCI REQUIREMENT 9: PHYSICAL ACCESS
For Requirement 9, basic physical controls are required for the facilities that process cardholder data. Does that mean cameras are required? Are retail locations exempt? Ed Moyle and Diana Kelley review common pitfalls, esepcially when comany cultures are resistant to badges.
Don't panic. Although the requirement calls for the tracking and monitoring of all access to network resources and card holder data, the main objective is to maintain system logs and have procedures that use and retain them. So does that mean you have to review the logs every day? Or do you need to use a log aggregator or correlation engine? Find out.
PCI REQUIREMENT 11:TESTING
PCI Requirement 11 is a popular one, according to Diana Kelley. According to this part of the standard you must conduct quarterly wireless and external scans, as well as annual penetration tests. Diana Kelley explains whether or not file integrity monitoring or Tripwire will help you meet Requirement 11. Also: do you know what happens if you miss a required test?
Last but not least, it's important that you author and maintain a body of policy documentation of how you will address the Data Security Standard requirements. One common question that seems to appear when maintaining a policy that addresses information security: How should new hires be screened? You may have a lot of documentation already, but there's a good chance that you don't have all that you need.
Watch the Requirement 12 video Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. Ed was previously Vice President and Information Security Officer for Merrill Lynch Investment Managers (MLIM,) where he was responsible for coordinating all aspects of information security within the business unit. Ed is co-author of "Cryptographic Libraries for Developers", and a frequent contributor to the Information Security industry as author, public speaker, and analyst.