Slashdot Mirror


PCI Compliance

Ben Rothke writes "It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products to an inferior level in order to ensure repeat business. A similar paradox is occurring in the information security space where many are complaining that the PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions are being written in periodicals and by people that should know better." Read on for the rest of Ben's review.

Title: PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Author: Tony Bradley
Pages: 352
Publisher: Syngress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1597491659
Summary: Great for anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements.

PCI came to life when Visa, MasterCard, American Express, Diner's Club, Discover, and JCB collaborated to create a new set of standards to deal with credit card fraud. PCI requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, be required to be compliant with the PCI DSS. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.

The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas and 12 specific requirements of the PCI DSS:

Build and maintain a secure network

1. Install and maintain firewall configurations

2. Do not use vendor-supplied or default passwords

Protect cardholder data

3. Protect stored data

4. Encrypt transmissions of cardholder data across public networks

Maintain a vulnerability management program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to need-to-know

8. Assign unique IDs to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Monitor and track all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security

A quick review of these 12 items shows that PCI is a textbook example of the fundamentals of information security. With that, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is an excellent resource that provides the reader with all of the fundamental information needed to understand and implement PCI DSS.

The book's 13 chapters provide the reader with a comprehensive overview of the details and requirements of PCI. The first three chapters cover the basics of PCI and the basic requirements of the standard. The following six chapters go into detail about each of the primary control areas.

In particular, chapter 6 provides a good overview of the PCI logging requirements. This requirement can be time-consuming to put into place. The author notes a commonly overlooked but essential requirement, namely accurate and synchronized time on network devices. Enterprise information network and security infrastructure devices are highly dependent on synchronized time, and PCI recognizes that correct time is critical for transactions across a network.

In a further discussion about synchronized time in chapter 9, the author unfortunately makes an error when he states that local hardware is considered a stratum 1 time source since it gets its time from its own CMOS. From an NTP perspective, only a device that is directly linked to a stratum-0 device is called a stratum-1. CMOS clocks are notoriously inaccurate and can't be relied upon.
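As an added illustration of the stratum point above (example code written for this page, not from the book or the reviewer): a small Python checker that parses `ntpq -p` output and refuses to treat a host as synchronized when its selected peer is the local CMOS clock rather than a network time source. The sample `ntpq` output and the `MAX_STRATUM` and `MAX_OFFSET_MS` thresholds are constructed assumptions.

```python
"""Check whether a host's NTP system peer is a real, synchronized time source.

Added example: parses `ntpq -p` output and flags a host whose selected peer is
the local clock (LOCAL(0) / .LOCL.), which is just CMOS time dressed up with
a stratum number, or whose peer is unreachable or too far off.
"""
import re

# Constructed sample of `ntpq -p` output: this host follows a stratum-2 peer.
GOOD_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   37   64  377    1.812   -0.334   0.091
+ntp2.example.net 198.51.100.7     2 u   52   64  377    2.104    0.210   0.120
"""

# Constructed sample: the network peer was never reached, so ntpd fell back to
# its local clock driver, which it advertises at stratum 10.
BAD_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net 192.0.2.10       2 u   -    64    0    0.000    0.000   0.000
*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.000
"""

TALLY_SYNCED = "*"      # ntpq marks the selected system peer with '*'
MAX_STRATUM = 15        # stratum 16 means "unsynchronized" in NTP
MAX_OFFSET_MS = 500.0   # policy threshold assumed for this example

# One peer line: tally char, remote, refid, stratum, type, when, poll, reach,
# delay, offset, jitter. Header and separator lines do not match.
PEER_RE = re.compile(
    r"^(?P<tally>[ *+#ox.-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)"
    r"\s+(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)"
    r"\s+(?P<delay>[-\d.]+)\s+(?P<offset>[-\d.]+)\s+(?P<jitter>[-\d.]+)\s*$"
)


def parse_ntpq(text):
    """Return one dict per peer line of `ntpq -p` output."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["st"] = int(d["st"])
        d["reach"] = int(d["reach"], 8)   # reach is an octal shift register
        d["offset"] = float(d["offset"])  # milliseconds
        peers.append(d)
    return peers


def check_time_source(text):
    """Return (ok, reason). ok is True only when the system peer is a reachable
    network peer at an acceptable stratum with a small offset."""
    synced = [p for p in parse_ntpq(text) if p["tally"] == TALLY_SYNCED]
    if not synced:
        return False, "no system peer selected (ntpd is not synchronized)"
    p = synced[0]
    if p["remote"].startswith("LOCAL(") or p["refid"] == ".LOCL.":
        return False, "system peer is the local clock (CMOS), not a real time source"
    if p["st"] > MAX_STRATUM:
        return False, f"system peer stratum {p['st']} is too high"
    if p["reach"] == 0:
        return False, "system peer has not been reached recently"
    if abs(p["offset"]) > MAX_OFFSET_MS:
        return False, f"offset {p['offset']} ms exceeds {MAX_OFFSET_MS} ms"
    return True, f"synchronized to {p['remote']} at stratum {p['st']}"


if __name__ == "__main__":
    for label, sample in (("good host", GOOD_NTPQ), ("bad host", BAD_NTPQ)):
        ok, reason = check_time_source(sample)
        print(f"{label}: {'OK' if ok else 'FAIL'}: {reason}")
```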

The title of chapter 12, 'Planning to fail your first Audit', is both amusing and accurate. The irony is that so many organizations lack a CISO or a formal business security program designed to protect corporate information assets. They don't treat information security as a process, but rather as a set of products or regulatory items to be checked off. Yet these same organizations are surprised when they fail an audit.

The book concludes in chapter 13 with the well-known observation that security is a process, not an event. The book astutely notes that it is impossible to be PCI compliant without approaching security as a process. Trying to achieve compliance without integrating its various aspects is bound to fail.

Overall, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is a great book for one of the most sensible security standards ever. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find the book to be quite valuable.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.



  1. Useful book by 2.7182 · · Score: 1

    But there are a number of typos in the glossary.

    1. Re:Useful book by xENoLocO · · Score: 4, Funny

      Who cares? I bought my copy with the author's CC, so it's not like I'm paying for it!

      --
      "The need to build the internet comes from something inside us, something programmed... something we can't resist."
    2. Re:Useful book by johnharrisyankee · · Score: 1

      Really???? Name two mistakes you found in the glossary!!!!!!!!

    3. Re:Useful book by kcbanner · · Score: 1

      You used 4 question marks, therefore they cancel out. Next time use an odd number.

      --
      Obligatory blog plug: http://www.caseybanner.ca/
    4. Re:Useful book by johnharrisyankee · · Score: 1

      sorrrrrry, i haaaave an ollllld keyboard and it stickzzzzzzzzzzzzzzzzz :))))))))))))))))))))))

  2. "PCI" or "PCI" ? by bradgoodman · · Score: 2, Informative

    I don't think this is talking about the "PCI" that most of us know and love... :-O TMA!

    1. Re:"PCI" or "PCI" ? by hummassa · · Score: 5, Informative

      I don't think this is talking about the "PCI" that most of us know and love... :-O

      Yeah, editors should edit it, and it should read Payment card industry to differentiate it from Peripheral Component Interconnect...

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:"PCI" or "PCI" ? by sulimma · · Score: 1

      Oh, so this is not about PCI compliance workshops? http://www.pcisig.com/events/compliance_workshop/

  3. It is too complex! by Anonymous Coward · · Score: 0

    PCI is far too complex for the little guys.

    1. Re:It is too complex! by cyphercell · · Score: 1

      No, it is not

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    2. Re:It is too complex! by cyphercell · · Score: 1

      Sorry, I should have elaborated: there are plenty of COTS PCI/DSS compliant software packages, and there are lots of services that will store your customer's data, effectively alleviating you of liability (my favorite).

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    3. Re:It is too complex! by tigre · · Score: 1

      Could you further elaborate? My experience with PCI/DSS-compliant COTS doesn't give you any of the features that the big guys have (e.g. storing a CC for use in future purchases), and I don't know any data storage services that can really get you off the hook, because you still need to control (and log) access to that data from your end. Unless the data storage provider handles the processing too, you still need to retrieve the data, and if you can do it, so can anyone who's hacked into your system.

    4. Re:It is too complex! by Anonymous Coward · · Score: 0

      lots of services that will store your customer's data, effectively alleviating you of liability (my favorite).

      OR... you could just not store my data. If it's so terribly expensive and difficult to store my credit card number, then don't. Use SSL to encrypt it as it moves from me to you and you to the payment clearinghouse, and then decide not to write the number down anywhere.

    5. Re:It is too complex! by cyphercell · · Score: 2, Informative

      the services are typically web-based, and do handle the full processing. A user logs in to the website, since it's a website access is logged and it's not your system that can be compromised. Otherwise you can store credit card numbers if you encrypt and password protect them, you can't store the CV2 number, which you can always bypass. Global Payments is a nice package for the little guy.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    6. Re:It is too complex! by johnharrisyankee · · Score: 1

      If PCI is too complex, then security is too complex.
      And if security is too complex for them.... take away their business license.
      If you can't comply with PCI, then as a vendor you are not grown up enough to accept credit cards.

    7. Re:It is too complex! by tiny1877 · · Score: 1

      What about recurring payments? I have my cellphone (as well as other payments) set to automatically bill every month. I'd kinda like that data to be secure...

    8. Re:It is too complex! by mike2R · · Score: 2, Interesting

      OR... you could just not store my data. If it's so terribly expensive and difficult to store my credit card number, then don't. Use SSL to encrypt it as it moves from me to you and you to the payment clearinghouse, and then decide not to write the number down anywhere.
      If it touches your webserver at all then you need to be PCI compliant; the only solution (to avoid having to certify your webserver) is to use an online gateway where you hand the customer off to make payment. This is how it's going for small ecommerce operations. Which is a pain if you are a small ecommerce operation which needs flexibility, since you never get as much control using an online processor. For everyone else it's a good thing, since most small shops really shouldn't be storing card details on a publicly accessible server since they simply don't have the necessary skills in-house.
      --
      This sig all sigs devours
    9. Re:It is too complex! by einhverfr · · Score: 3, Informative

      I am not qualified to do an external audit but I do provide assistance to smaller businesses which need to do internal reviews, help understand what is required, etc.

      The PCI-DSS 1.1 is actually relatively flexible. It is possible to show that valid business needs preclude certain requirements (such as video surveillance of server rooms) and that any possible threats are being dealt with in other ways. See the appendix on compensating controls.

      Assuming you have somewhat competent help on security, about 80% of the work is in the area of documentation. You can't just be compliant, you have to document your policies, show that they are in fact compliant, and so forth.

      Honestly, I help small convenience stores with PCI-DSS security evaluations (as the equivalent of an internal audit -- my goal is to help them reach compliance, not to provide independent verification of such compliance). It is a pain, but not impractical. Most of the requirements are basic industry-standard best practices. Anything that is too overwhelming for the little guy can be dealt with in compensating controls.

      The key rules to minimize issues are:

      1) Store only what you need. The less you store, the fewer areas of concern you have.
      2) Build and maintain secure systems.
      3) Establish and defend appropriate security perimeters.
      4) Document, document, document.

      This isn't rocket science. And quite frankly, 1-3 ought to apply to everyone anyway...

      --

      LedgerSMB: Open source Accounting/ERP
    10. Re:It is too complex! by einhverfr · · Score: 1

      You still have to worry about transport. And you have to worry about the security of every component that you transport things through. I generally recommend:

      1) Remove, to any extent possible, any questions of transport. Ideally, treat everything as a public network.

      2) If you want to store credit card track data for later approval (only storage subsequent to approval is prohibited), think twice or thrice about it. If it is necessary, though, there are compliant ways to do this.

      3) Review all logs regularly in order to ensure that protected data is not accidentally ending up in the log.

      --

      LedgerSMB: Open source Accounting/ERP
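An added example (not from the thread or the book) for the "store only what you need" and "review all logs" points in the two posts above: a Python log scanner that finds Luhn-valid card numbers in log lines and produces a masked copy keeping only the last four digits. The sample log lines, the candidate regex and the length bounds are constructed for this example.

```python
"""Find primary account numbers (PANs) that leaked into application logs.

Added example: candidate digit runs are confirmed with the Luhn check so that
order ids and timestamps are not flagged, and each hit is rewritten with only
the last four digits visible, which is what PCI DSS requirement 3 allows to
be displayed.
"""
import re

# Constructed sample: line 1 leaks a full PAN through a debug statement,
# line 2 holds a 16-digit order id that fails Luhn, line 3 is already masked.
SAMPLE_LOG = """\
2007-09-12 10:14:03 DEBUG charge request card=4111 1111 1111 1111 amount=19.99
2007-09-12 10:14:04 INFO order 1234567890123456 created for customer 42
2007-09-12 10:14:05 INFO charge ok card=************1111
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MIN_PAN_LEN, MAX_PAN_LEN = 13, 19


def luhn_ok(digits):
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _valid_pan(text):
    """Strip separators and apply length and Luhn checks; return digits or None."""
    digits = re.sub(r"[ -]", "", text)
    if MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN and luhn_ok(digits):
        return digits
    return None


def find_pans(line):
    """Return the Luhn-valid PANs (as written in the line) found in one log line."""
    return [m.group(0) for m in PAN_RE.finditer(line) if _valid_pan(m.group(0))]


def mask_line(line):
    """Replace each Luhn-valid PAN with asterisks plus its last four digits."""
    def repl(m):
        digits = _valid_pan(m.group(0))
        if digits is None:
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, line)


def scan_log(text):
    """Return (line_number, masked_line) for every line that leaks a PAN."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        if find_pans(line):
            hits.append((no, mask_line(line)))
    return hits


if __name__ == "__main__":
    for no, masked in scan_log(SAMPLE_LOG):
        print(f"line {no} leaks cardholder data; masked form: {masked}")
```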
    11. Re:It is too complex! by heinousjay · · Score: 1

      Yes, sure, but you're one person with a probable paranoia. Other people like having the number stored.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    12. Re:It is too complex! by mabhatter654 · · Score: 1

      excellent point, they should borrow the idea of "tickets" from Kerberos. That a vendor never sees the CC number, but rather the "ticket" number from the CC company that ties your cc# to their vendor# and can only be used for that transaction, or you could make reusable ones for a certain number of transactions before it's no good and store that number on the server.

    13. Re:It is too complex! by tiny1877 · · Score: 1

      Even better yet: Just like many CC providers allow you to create a one-time-use number for a transaction, they should create a system that you can create a one-vendor use number. Such as creating a number just for your cell-phone recurring bill, but locked to that vendor. One number for your cell, another for your broadband and another for your [insert random auto-billed payment here]. Then even if someone DID get that number, they'd have to figure out how to make it look like the payment is going to the right place.

      I assume there might be some other issues with just discarding the CC# after a transaction. For instance, if someone stole my CC# and used it fraudulently, I wouldn't want the site the offender used the card at to dump that info. I'd kinda like to know who used my card and where they shipped the goods so the authorities can track them down...

    14. Re:It is too complex! by johnharrisyankee · · Score: 1

      Many vendors, especially around logging and encryption are hawking their wares around PCI. They have data sheets on how to make their products around PCI.

      In fact, a lot of the data sheets have good info.

    15. Re:It is too complex! by johnharrisyankee · · Score: 1

      Kerberos is awesome, 'cept that it requires every app to be rewritten.
      How else would you implement the tickets?

    16. Re:It is too complex! by kingradar · · Score: 1

      My problem is the thought of an external audit. I have sensitive user information on my network. I am charged with keeping that information secure. You don't keep that type of data secure by opening it up to outsiders and letting them run scans/traces/sniffs, or whatever else it is they do on your network while it's transmitting sensitive data.

    17. Re:It is too complex! by einhverfr · · Score: 1

      It is informative to read the requirements on a quarterly scan.

      My reading of this and the audit requirements is that they do not open up the data to review. The scan is more along the lines of a vulnerability scan (from an external viewpoint), and the audit is an audit of your procedures and compliance with your procedures.

      Most small businesses don't need to worry about either of these, but as you grow....

      --

      LedgerSMB: Open source Accounting/ERP
    18. Re:It is too complex! by bobaferret · · Score: 1

      I'm currently in charge of making our business PCI compliant. It is a pain in the ass, but it is also the best way I have found to get the accountants to okay larger budgets to get what I need to implement decent security for the rest of the organization. I agree with the comment that compensating controls are the key. There are just certain things that make no sense for an office of 13 people, that make a great deal of sense for 50+. Also one of the things that has been helpful is the self audit for small companies. And I can't stress enough that PCI, from a tech view, does not force you to do anything you shouldn't really be doing anyway. The other thing to remember is that your entire organization does not have to be PCI compliant, only the networks and machines that have access to CC data. Translation: VLAN and segmenting are your friends. Or just true physically separate networks. One thing that I have not seen mentioned above is to expect a minimum of 6 months to implement this stuff from scratch, and that's in a perfect world. For almost 3 months we had someone working on the documentation full time. I would also suggest that you hire a consultant to help you, or at least take Tripwire up on their offer to audit you when you install their commercial software. Expect a decent website/POS to cost 25K for just hardware and OSS software (separate firewall, webserver, db, and cc processing system), not to mention locking the closet door with that new deadbolt. We opted to not go for the man trap requirement; just finding a contractor who can put in an effective tiger pit with crushing walls proved too difficult.

    19. Re:It is too complex! by johnharrisyankee · · Score: 1

      >>I am not qualified to do an external audit

      So why not get the QSA cert. from the pci council?

  4. And for those wondering what PCI refers to by adamwright · · Score: 5, Informative

    It's "Payment Card Industry" (maybe in the USA this is a common term, but I've never heard it in the UK, to my knowledge). From the summary, I thought it was some kind of PCI (Peripheral Component Interconnect) bus level security (i.e. encrypted electrical transport), for DRM!

    1. Re:And for those wondering what PCI refers to by OptimusPaul · · Score: 2, Insightful

      I'm in the US and I've never heard of it. I was a bit confused at first thinking it was referring to the PCI bus. Learn something new every day...

    2. Re:And for those wondering what PCI refers to by butters+the+odd · · Score: 2, Interesting

      I work for a retail chain that went PCI compliant recently. We had to put a separate firewalled network in each store, and that was very costly. Now it's a pain to access point of sale servers, because we can only access that network through a VPN. To those complaining about calling it PCI in the article, in the retail industry PCI means payment card industry. They are even worse than the RIAA. They bleed small to medium sized companies dry with their fees. You pay the fees, or you don't get to take credit cards. The only company that can afford to fight them is Walmart.

    3. Re:And for those wondering what PCI refers to by n+dot+l · · Score: 1

      From the summary, I thought it was some kind of PCI (Peripheral Component Interconnect) bus level security (i.e. encrypted electrical transport), for DRM!

      Same here. And when I first read "Visa" I read it "Vista" and had to stop and reread the sentence when I hit "MasterCard" (after the "WTF is MS doing with the credit card companies, I should stop reading right now and post something" moment of /.-style outrage).

    4. Re:And for those wondering what PCI refers to by archen · · Score: 1

      Whenever I see this topic brought up, most people haven't heard of it despite the fact that it's been swirling around for well over a year. So I wonder how effective this will actually all be. I've gotten a few vendors that have called who chime in with "Are you compliant with the new PCI regulations?" - attempting to panic me with some mystery regulation to get their foot in the door I suppose.

      Among one of the many things you are supposed to do (and this one is actually realistic), you are not supposed to serve credit card information using SSLv2 or below. Lighttpd has had an option for a while now specifically to do this:

      ssl.use-sslv2 = "disable"

      In Apache I think you need encryption = HIGH:MEDIUM (or something like that). I gave up on configuring Apache a while ago, so I can't recall off of the top of my head so I'm not entirely sure.

    5. Re:And for those wondering what PCI refers to by Jeff+DeMaagd · · Score: 1

      I've never heard of it either, and I have a credit card merchant account. The difference may be that I don't have any terminals, I'm a web-only merchant.

    6. Re:And for those wondering what PCI refers to by Anonymous Coward · · Score: 0

      The only company that can afford to fight them is Walmart.

      They bleed companies dry because of Walmart. They use their influence to keep costs high.

    7. Re:And for those wondering what PCI refers to by Jeff+DeMaagd · · Score: 1

      Maybe I've seen an instance of this. I think my parents' merchant account became more costly until they had the Address Verification System (AVS) enabled. I think it cut their fees down by 1% of the total transaction.

    8. Re:And for those wondering what PCI refers to by Anonymous Coward · · Score: 0

      I'm in India and I've heard of it.

    9. Re:And for those wondering what PCI refers to by renoX · · Score: 1

      Thanks a lot!

      Are the submitter or the editor dumb?
      It's very weird to allow such article to pass through without having PCI defined!

    10. Re:And for those wondering what PCI refers to by virtual_mps · · Score: 2, Insightful

      I work for a retail chain that went PCI compliant recently. We had to put a separate firewalled network in each store, and that was very costly. Now it's a pain to access point of sale servers, because we can only access that network through a VPN.

      Um, good. As a consumer, I'm glad that you can no longer directly access my credit card information from any node on your corporate network. Score one for the good guys (PCI).

    11. Re:And for those wondering what PCI refers to by Anonymous+Cow+herd · · Score: 1

      Agreed. I work for a fairly small company that classifies as a mid-tier vendor for PCI purposes, and while the requirements have been a pain in the butt to implement at times, the fact of the matter is that most of the stuff required is pretty necessary and really should have been implemented all along. A big part of the problem is that vendors have been by-and-large shielded from the real costs of identity theft, and as such haven't had any motivation to build in even the most rudimentary protections and processes. If anything, this is a textbook case of the free market working at its finest (contrast with Sarbanes-Oxley) in that Visa/MC/Amex/Discover have tired of paying the price for vendors' lousy security, and have implemented a minimum security bar that businesses must meet in order to be considered secure enough to deal with PCI data, plain and simple. It's not a one-size-fits-all solution, and certainly not a panacea for online fraud, but it's a good start, and will force vendors to start addressing data security as an ongoing cost of business.

      --
      Ita erat quando hic adveni.
  5. OT, I know, but... by Anonymous Coward · · Score: 0

    "It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products to an inferior level in order to ensure repeat business."

    ...Who the hell wants military grade razors and batteries? I'm perfectly fine paying the price I do for these items, as producing them to the standards they do also helps keep the price down.

    1. Re:OT, I know, but... by johnharrisyankee · · Score: 1

      You missed the point, this has nothing to do with mil spec.
      It is about poorly made products. I know Gillette can make a razor that lasts much longer, but then again, I would buy less, and they would make less.
      And talk about Duracell batteries, of course they could last much much much longer, but then again, people would buy less of them.

    2. Re:OT, I know, but... by jandrese · · Score: 1

      While that is probably true for razors, I don't think it is the case that battery technology is a lot better than what you can buy in the store. There are better kinds of batteries, but they are more expensive and also for sale (usually advertised as being for high drain devices). Most of the advances in alkaline battery technology seem fairly incremental to me. You could easily end up paying twice as much for a battery that lasts 15% longer.

      --

      I read the internet for the articles.
    3. Re:OT, I know, but... by Anonymous Coward · · Score: 0

      I know Gillette can make a razor that lasts much longer, but then again, I would buy less, and they would make less.

      No- they'd sell MORE, and make MORE money.

      Think about it- if you could buy a disposable razor that lasted a month vs. one that lasted a day, wouldn't you buy it? Wouldn't all your friends buy it? In fact, wouldn't everyone buy it? So, Gillette captures the entire market.

    4. Re:OT, I know, but... by GuyverDH · · Score: 1

      I for one am glad that we don't have military grade batteries.

      I used them during my stint in the military, they sucked.
      We always bought bulk (Pick your favorite brand-name here) to take into the field with us.

      --
      Who is general failure, and why is he reading my hard drive?
  6. Costly... by BobMcD · · Score: 3, Interesting

    Regularly monitor and test networks

    10. Monitor and track all access to network resources and cardholder data

    11. Regularly test security systems and processes

    These two stand out as the most costly. Are they things you SHOULD do? Yes. Can you reasonably mark either of these as 100% compliant at any time? Maybe, but this isn't going to be pretty, or cheap...

    Let's look at #10 first. What does "all access to network resources" define out to be? These days EVERYTHING is a network resource, and not all of them are within the admin's control. Take the iPhone for example. Is the PCI-compliant admin supposed to certify that every iPhone on the company's network cannot be accessed by others, thereby turning it into a 'network resource'? How do I, as an admin, track that Joe and Jim transferred files peer-to-peer style between their phones? I assume that we have to then ban all these devices?

    It is _possible_ to comply with 'all access to network resources', but this is costly.

    Cardholder data, on the other hand, can be limited and is perfectly reasonable as a requirement.

    For #11, does 'regular' imply frequent as well? Does that compound with 'all network resources'? If so, this is a HUGE time sink. It could also be done, but this has a cost attached as well.
    1. Re:Costly... by Anonymous Coward · · Score: 0

      I believe you are intentionally mis-reading these requirements.

      It's very un-costly to not have a WiFi device in your store, thereby having a Default Deny policy for all iPhones. How is that expensive?

    2. Re:Costly... by Attila+Dimedici · · Score: 2, Insightful

      Let's look at #10 first. What does "all access to network resources" define out to be? These days EVERYTHING is a network resource, and not all of them are within the admin's control. Take the iPhone for example. Is the PCI-compliant admin supposed to certify that every iPhone on the company's network cannot be accessed by others, thereby turning it into a 'network resource'? How do I, as an admin, track that Joe and Jim transferred files peer-to-peer style between their phones? I assume that we have to then ban all these devices?

      It is _possible_ to comply with 'all access to network resources', but this is costly.

      I am pretty sure that when they say "network resource", they are talking about the network that the cardholder data is on. It is not necessary that all of your company's business goes on on the network that handles your credit card processing. As a matter of fact, it is probably a good idea if things like cell phones that access the company network don't access the network that handles credit card data.
      --
      The truth is that all men having power ought to be mistrusted. James Madison
    3. Re:Costly... by BobMcD · · Score: 1


      Welcome to IT. Not all costs here are measured in dollars and cents, my friend. Uttering the phrase "No Mr Business Owner you may not sync your iPhone over your own network" does in fact bear a cost. It can be said successfully, but is no small thing.

      And that is only one example. There are millions:

      1) CFO selects the vendor

      2) Copiers replace printers due to 'company wide initiative'

      3) Partner insists on 'unlimited' access to the network

      Etc

      There are ways to deal with ANYTHING. But again, not using well-chosen and well-defined terms is costly. Let's keep the expectations clear, shall we?

    4. Re:Costly... by Anonymous Coward · · Score: 0

      Depends what you think is costly, I guess.

      See, the deal with PCI members (credit card companies) is that, if you don't comply, your credit card agreement says you're on the hook to reimburse anybody whose credit card gets p0wned due to your lazy, sloppy practices, plus some "administrative costs" for reimbursing them.

      Anyway, #10's not anything any decent sysadmin isn't doing already. If you'd like to see more details, all you need to do is accept the soul-stealing license agreement and you can read more details.

      Ditto for #11. Regularly means regularly. If some tests quarterly and some annually means frequently to you, then it means frequently. As I said, all you need to do is surrender your immortal soul to learn more.

      Oh, wait... this is Slashdot... never mind. Comment away.

    5. Re:Costly... by Amoeba · · Score: 2, Informative

      PCI is actually much less complex than other compliance standards like SOX, HIPAA, GLBA... If I had to choose a compliance requirement to deal with, PCI would be my choice. Overall, it's the most sane compliance guideline I've seen which actually improves your overall security if done correctly. It's like being forced to be a good security-citizen with your data. Some clarification on your comments:

      Let's look at #10 first. What does "all access to network resources" define out to be? These days EVERYTHING is a network resource, and not all of them are within the admin's control. Take the iPhone for example. Is the PCI-compliant admin supposed to certify that every iPhone on the company's network cannot be accessed by others, thereby turning it into a 'network resource'? How do I, as an admin, track that Joe and Jim transferred files peer-to-peer style between their phones? I assume that we have to then ban all these devices?

      The requirement only applies to systems which hold or transmit CVV/PII and/or are on the same network segment as those systems with no mitigating security controls in place (firewalls, IDS/IPS, etc). Those are your in-scope PCI systems. Your desktop at work? Not a PCI in-scope system unless your internal network is completely flat. The Oracle DB back-end to your webserver shopping cart? In-scope. The blog server in the same DMZ as your shopping cart? In-scope.

      For #11, does 'regular' imply frequent as well? Does that compound with 'all network resources'? If so, this is a HUGE time sink. It could also be done, but this has a cost attached as well.

      The intervals are defined in sections 11.2 (quarterly external testing by a qualified ASV, or after any significant change in PCI in-scope infrastructure) and 11.3 (annual penetration-testing requirement and after any significant in-scope infrastructure change).

      Believe it or not, the cost for testing is actually quite small compared to what most organizations need to fix with infrastructure and internal processes. The 11.2/3 requirements are mostly verifying that you are PCI-compliant and stay that way.

      The only problem I have with PCI is the fines for non-compliance. Currently I think it's around $25k/month, which for large organizations is almost a rounding error. And there is no way VISA etc are going to remove the merchant status from a huge income stream like Amazon or similar. There has been talk of instead changing the fine to a doubling of the transaction cost for non-compliant merchants. If your costs went from $.05/transaction to $.10/transaction and you are doing several hundreds of thousands or even millions of $ per day... that is a huge hit to the bottom line. If this fine structure ever comes to pass I will have lots of fun watching the ensuing shitstorm as companies fight to reach compliance. Amoeba

      --
      Do not taunt Happy-Fun Ball
    6. Re:Costly... by Qrlx · · Score: 1

      These days EVERYTHING is a network resource

      Everyone, let's welcome John Gage to Slashdot.

      Though I must say, I'm intrigued by your choice of username, and that your UID is even higher than mine.

    7. Re:Costly... by impver · · Score: 1

      You are right in that it is a time sink and has a high cost. You have to have all of this independently verified so you HAVE to pay someone to scan your systems for problems and they normally do it once, tell you what's wrong (sometimes very vaguely and with many false positives) and let you fix it. Then they scan again, rinse and repeat. Every time they do a scan you get charged and no matter what you do there will be false positives so it's almost always a 2 scan process. Now as for your statement about iPhones and such, the simple answer is you should have your credit card systems on a separate vlan that your normal corporate network should not touch. Simple as that (and that's not a hard feat). It would be absurd for a WAP or company lan for that matter to be able to communicate with your credit card servers. Vlan it off, allow access only from those servers that have to send/request information from your servers that store the credit card information. Remember, EVERY network/server/device that touches the servers with the credit card information has to be PCI compliant so it's in your best interest to keep them separate.

    8. Re:Costly... by ajs · · Score: 1

      It is _possible_ to comply with 'all access to network resources', but this is costly.

      Cardholder data, on the other hand, can be limited and is perfectly reasonable as a requirement.

      For #11, does 'regular' imply frequent as well? Does that compound with 'all network resources'? If so, this is a HUGE time sink. It could also be done, but this has a cost attached as well. It gets worse. PCI is a far-reaching set of requirements, when read in specific. It even has implications as far as how you run your business, outside of technical security.

      In general, companies tend to isolate the PCI-compliance requirements to a section of the company that simply doesn't interact with the rest of the company except through tightly controlled channels. This becomes even more important as you add on any fiduciary requirements from the U.S. Federal Government or privacy restrictions from the E.U., Canada or some other nations. It gets crazy, and eventually you just need to isolate the parts of your company that are going to have to become paperwork havens, and let the rest of the company operate.

      I have had friends who work on Wall Street and have to comply with Sarbanes/Oxley (too lazy to check spelling, sorry) and I have to say... PCI is ugly as sin, but not as horrible as that mess.
    9. Re:Costly... by Fulcrum+of+Evil · · Score: 1

      Partner insists on 'unlimited' access to the network

      Does that include the bit with series 70 data or do you not have to deal with that?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    10. Re:Costly... by scribblej · · Score: 1

      You are correct. I've been through PCI and before that, CISP. Our office network is not involved. The production network where card numbers go is heavily audited and tracked.

      OSSEC-HIDS helped a lot in the monitoring requirements, along with nmap and the LOG/ULOG targets in iptables.

    11. Re:Costly... by mabhatter654 · · Score: 1

      PCI is talking about the "network" that touches their money. The best way to handle things like iPhones is to make the POS network separate and hardened from everything else. If you have Wi-fi or such it's always treated as a hostile device... always. Then you don't have a problem.

    12. Re:Costly... by johnharrisyankee · · Score: 1

      How can that be? My company spends $25k per year on Gartner research and they told us that the IDS is dead.

    13. Re:Costly... by swillden · · Score: 1

      "No Mr Business Owner you may not sync your iPhone over your own network" does in fact bear a cost. It can be said successfully, but is no small thing.

      Bah, that's ridiculous. It's a very small thing, and should absolutely be done. It's not at all difficult to segment your network and isolate the systems that handle CC data from the rest of the office network, and only the most security-clueless admin would put the production systems on the same network segment that has the wireless AP you'd use for syncing an iPhone.

      Segment the network, configure the routers that touch the sensitive segment to log all accesses, then get an appropriate log analysis tool and use it regularly to identify any inappropriate usage. Segmenting the network and generating the logs is trivial. Analyzing the logs is harder, but one of the best security measures you can take.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
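The "generate the logs, then analyze them" step described in the post above, and the iptables LOG/ULOG targets scribblej mentions, as an added example that is not code from this thread or from any poster: it parses the KEY=VALUE records iptables' LOG target writes to syslog and flags new connections into the cardholder segment that are not on a short allow-list. Everything specific here is constructed for the example: the addressing (10.99.0.0/24 as the CDE, 10.50.0.0/24 as the web tier, 10.20.1.5 as a jump host), the allow-list and the sample log lines.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical addressing for the example: the cardholder data environment
# (CDE) is 10.99.0.0/24, the shopping-cart web tier is 10.50.0.0/24 and
# 10.20.1.5 is the admin jump host. The office LAN (10.20.0.0/16) and the
# wireless segment (192.168.4.0/24) have no business reaching the CDE.
CDE_NET = ipaddress.ip_network("10.99.0.0/24")

# Allowed new connections into the CDE: (source network, protocol, dst port).
ALLOWED_FLOWS = [
    (ipaddress.ip_network("10.50.0.0/24"), "TCP", 1521),  # web tier -> Oracle
    (ipaddress.ip_network("10.20.1.5/32"), "TCP", 22),    # jump host -> SSH
]

# KEY=VALUE fields as written by iptables' LOG target.
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG record as a dict,
    or None if the line is not a packet log record."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    return dict(KV_RE.findall(line))


def is_new_connection(fields, line):
    """True for a UDP datagram or a TCP SYN without ACK. iptables writes the
    TCP flags as bare tokens, not KEY=VALUE, so look at the raw line."""
    proto = fields.get("PROTO")
    if proto == "UDP":
        return True
    tokens = line.split()
    return proto == "TCP" and "SYN" in tokens and "ACK" not in tokens


def is_allowed(src, proto, dport):
    return any(src in net and proto == p and dport == port
               for net, p, port in ALLOWED_FLOWS)


def find_unexpected_cde_access(lines):
    """Scan iptables log lines; return (findings, per_source) where findings
    lists (src, dst, proto, dport) for every new connection into the CDE
    that is not on the allow-list, and per_source counts them by source."""
    findings, per_source = [], Counter()
    for line in lines:
        fields = parse_log_line(line)
        if not fields:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
            dport = int(fields.get("DPT", 0))
        except (KeyError, ValueError):
            continue
        if dst not in CDE_NET or not is_new_connection(fields, line):
            continue
        proto = fields.get("PROTO", "")
        if is_allowed(src, proto, dport):
            continue
        findings.append((str(src), str(dst), proto, dport))
        per_source[str(src)] += 1
    return findings, per_source


# Constructed sample: what a "-j LOG --log-prefix 'CDE-IN: '" rule on the
# router in front of the CDE segment would write to the kernel log.
SAMPLE_LOG = """\
Mar  3 10:01:22 fw1 kernel: [8812.131] CDE-IN: IN=eth1 OUT=eth2 SRC=10.50.0.12 DST=10.99.0.10 LEN=60 TTL=63 ID=3421 DF PROTO=TCP SPT=51234 DPT=1521 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:23 fw1 kernel: [8812.140] CDE-IN: IN=eth1 OUT=eth2 SRC=10.50.0.12 DST=10.99.0.10 LEN=52 TTL=63 ID=3422 DF PROTO=TCP SPT=51234 DPT=1521 WINDOW=229 RES=0x00 ACK URGP=0
Mar  3 10:02:05 fw1 kernel: [8855.002] CDE-IN: IN=eth0 OUT=eth2 SRC=10.20.37.8 DST=10.99.0.10 LEN=60 TTL=62 ID=7781 DF PROTO=TCP SPT=40011 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:09 fw1 kernel: [8859.410] CDE-IN: IN=eth0 OUT=eth2 SRC=10.20.1.5 DST=10.99.0.10 LEN=60 TTL=62 ID=7790 DF PROTO=TCP SPT=40020 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:03:41 fw1 kernel: [8951.771] CDE-IN: IN=eth3 OUT=eth2 SRC=192.168.4.23 DST=10.99.0.10 LEN=60 TTL=64 ID=1102 DF PROTO=TCP SPT=49321 DPT=1521 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:03:42 fw1 kernel: [8952.001] CDE-IN: IN=eth3 OUT=eth2 SRC=192.168.4.23 DST=10.99.0.10 LEN=78 TTL=64 ID=1103 PROTO=UDP SPT=5353 DPT=161 LEN=58
Mar  3 10:04:00 fw1 kernel: [8970.000] OFFICE-IN: IN=eth0 OUT=eth1 SRC=10.20.37.8 DST=10.50.0.12 LEN=60 TTL=62 ID=7801 DF PROTO=TCP SPT=40100 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    hits, by_src = find_unexpected_cde_access(SAMPLE_LOG.splitlines())
    for src, dst, proto, dport in hits:
        print(f"unexpected {proto}/{dport} into CDE host {dst} from {src}")
    print("by source:", dict(by_src))
```

On the sample, the web tier's Oracle connection and the jump host's SSH pass, the follow-up ACK packet is ignored as an existing connection, and the three findings are an office desktop trying SSH and the wireless segment probing the Oracle listener and SNMP. Feeding the same function the output of a central syslog host for the whole CDE boundary is the recurring review the post describes.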
    14. Re:Costly... by Matthew+Strahan · · Score: 1
      Yes. Auditors have to be quite careful about which devices are in scope and minimising the scope of what needs to follow the requirements greatly decreases the cost of being compliant.

      From the standard:

      These security requirements apply to all "system components." System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
      The standard itself can be read by simply going to the PCI Security Standards Council web site and following the links.

      (For the record, PCI auditing is part of my job)
    15. Re:Costly... by T_Tauri · · Score: 1

      "No Mr Business Owner you may not sync your iPhone over your own network" does in fact bear a cost. It can be said successfully, but is no small thing.

      Bah, that's ridiculous. It's a very small thing, and should absolutely be done. It's not at all difficult to segment your network and isolate the systems that handle CC data from the rest of the office network, and only the most security-clueless admin would put the production systems on the same network segment that has the wireless AP you'd use for syncing an iPhone.

      Segment the network, configure the routers that touch the sensitive segment to log all accesses, then get an appropriate log analysis tool and use it regularly to identify any inappropriate usage. Segmenting the network and generating the logs is trivial. Analyzing the logs is harder, but one of the best security measures you can take.
      No small thing for large companies with large IT departments but for all the small startups with a single IT person it might well be a lot cheaper in time (and money) to say no to iphones and any wireless for that matter. No need to have extra firewalls between wireless points and the rest of the network, no need to monitor wireless access points, no need to change passwords for the access points every quarter and every time somebody that knows the password leaves the company.

      I can very easily see a case for the systems admin saying "No Mr Business Owner you may not sync your iPhone over your own network" because of the DSS. Not that this is a fault of the DSS - it's general good practice to secure things but the DSS has the teeth to actually get best practice enforced through securing or disabling certain things like wireless.

      When I was looking at the DSS a while ago I decided to pull the wireless from our network purely for this reason. We could have managed to secure and monitor it but I could not see a case for it as it was rarely used. Only one person has even asked about it since then so I guess I was right...
    16. Re:Costly... by johnharrisyankee · · Score: 1

      >>>Every time they do a scan you get charged and no matter what you do there will be false positives so it's almost always a 2 scan process.

      Negotiate, Negotiate, Negotiate. Yes, it can be expensive, but you can negotiate and quickly lower the price.

  7. Just like HIPAA or Sarbanes-Oxley... by ErichTheRed · · Score: 1, Troll

    ...PCI is an excuse to hire the KPMGs, Accentures and EDSs of the world. They will charge you $xM for "experts" to put in controls and make your systems secure. All the while, only a few percent of your card transactions are fraudulent. The thing about PCI is that you can't just take the hit for fraud anymore...you get smacked with huge fines for every leaked credit card number, etc.

    I'm not a big believer in the whole "identity theft" hype -- if someone steals your credit card numbers or social security number, just get copies of your credit reports, make the appropriate phone calls, and the problem goes away.

    From what I've seen, PCI's just a consultant-employment excuse. Anyone can still write down credit card numbers and sell them. Maybe forcing the card industry into adopting a secure payment system in the first place would be a better way to go. Overall though, having no standards is bad too, so that's definitely what PCI is good for.

    1. Re:Just like HIPAA or Sarbanes-Oxley... by cyphercell · · Score: 1

      Actually, it's a reaction to TJ-Max (and others) losing 45.7 million credit and debit card numbers. http://www.msnbc.msn.com/id/17853440/

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    2. Re:Just like HIPAA or Sarbanes-Oxley... by ScentCone · · Score: 4, Informative

      if someone steals your credit card numbers or social security number, just get copies of your credit reports, make the appropriate phone calls, and the problem goes away

      Never had it happen to anyone you know, huh? The problem doesn't just "go away" if your checking account is cleaned out right when you need to make a mortgage payment. It doesn't just "go away" if this happens to you during your job application cycle, especially to a secure or trusted position. It can take months or years to clean up after something like this, and you have to watch it like a hawk pretty much for the rest of your life.

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re:Just like HIPAA or Sarbanes-Oxley... by gEvil+(beta) · · Score: 4, Informative

      Exactly right. It can take years to clean up. And if your stolen information is used on the other side of the country, you need to file police reports with the appropriate authorities in that other city/county/state. And guess what, they'll probably want you to come into their offices in person to do it. And if you don't have a copy of the appropriate police reports, the big three reporting agencies won't even want to hear from you, cos you're obviously just wasting their time (remember, you are not their customer--the credit companies are). Yeah, it's no problem to get crap like this removed from your record. I'm usually not the type of person to say this sort of thing, but I really hope ErichTheRed has his identity stolen some time so he can see just how "simple" the whole process is...

      --
      This guy's the limit!
    4. Re:Just like HIPAA or Sarbanes-Oxley... by johnharrisyankee · · Score: 1

      >>>>..PCI is an excuse to hire the KPMGs, Accentures and EDSs of the world. They will charge you $xM for "experts" to put in controls and make your systems secure.

      Well.... If the merchants would have been smart enough to do a basic level of security in the first place, they would not have to spend such $$$$. In fact, this is a good fine and penalty for them since they were derelict in their duties in the first place.

      >>>>All the while, only a few percent of your card transactions are fraudulent.

      But one hacking breach makes ALL of the card holder data info vulnerable.

    5. Re:Just like HIPAA or Sarbanes-Oxley... by johnharrisyankee · · Score: 1

      What????? The TJMAXX hack occurred under a year ago.

      PCI is a few years old. In fact, had TJMAXX been PCI compliant, they would never have had a breach.

    6. Re:Just like HIPAA or Sarbanes-Oxley... by blahplusplus · · Score: 1

      "From what I've seen, PCI's just a consultant-employment excuse. Anyone can still write down credit card numbers and sell them."

      The truth of the matter is, criminals will always find a way. You can setup hidden cameras in strategic locations inside businesses nowadays, and use software to rip CC #'s. There's been a problem with retailers and other places that use credit cards for payment having their employees (and sometimes employers) enabling fraud.

      The truth of the matter is, any electronic payment that uses a plastic card with your full name on it can leak information. That's what I like about cold hard cash - it may be annoying to many businesses today, but you don't have to worry about your name, or electronic identification information being harvested.

  8. Maybe they do know. by Spazmania · · Score: 2, Interesting

    For those who didn't catch the acronym, PCI = payment card industry, i.e. Visa, Mastercard et al.

    many are complaining that the PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions are being written in periodicals and by people that should know better.

    Maybe the opinions got it right. I lead the systems administration team for an organization which does a tremendous number of credit card transactions. PCI DSS compliance is a joke. You answer a long questionnaire, much of which has no relevance (virus scanner for your Linux web server!?). Next you submit to a black-box scan of your exterior network interface by an external auditor who does nothing more than run Nessus against your address space. Then they hassle you about all the faulty Nessus hits. Yes we are running SSL IMAP and no it doesn't have any known security vulnerabilities despite the rank 7 nessus hit documented by a URL that returns a 404 error. Commence eyeroll.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Maybe they do know. by whoever57 · · Score: 1

      PCI DSS compliance is a joke. You answer a long questionnaire, much of which has no relevance (virus scanner for your Linux web server!?)
      Whoever drew up the questionnaire is not competent. From the document:

      5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)
      Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
      You may argue about whether the term "UNIX-based" includes Linux, but unless the questionnaire makes a distinction regarding systems "commonly affected by viruses" then it is not compliant with the original requirements.
      --
      The real "Libtards" are the Libertarians!
    2. Re:Maybe they do know. by The_Doughboy · · Score: 1

      I feel your pain, I had to deal with this for ages, one of our Internal Firewalls honeypots if you scan it. And its an out the box feature from the manufacturer that they haven't created the ability to turn off yet. For us PCI compliance is mostly about the legacy data, where a couple minutes of physical access on various Point of Sale servers you can rake in a few years of credit card data. Also retail outlets like to share their passwords and the turnover is huge, so its pretty hard to give everyone their own account if they are only going to be there a day or two before they decide that it isn't all that cool to work at our store.

    3. Re:Maybe they do know. by breimann · · Score: 1

      Every year we have an auditor spend a few days going over all of our logs and network access rules to maintain our ROC. He even checks the patch history of servers having card holder data and inactive users still in AD.

    4. Re:Maybe they do know. by morgan_greywolf · · Score: 1

      Systems commonly affected by viruses IOW, systems running OSes produced by one Microsoft Corporation.

    5. Re:Maybe they do know. by mike2R · · Score: 1

      I got the feeling that they designed the form mainly to scare small companies into using an online gateway. This to be honest is a good thing IMO.

      --
      This sig all sigs devours
    6. Re:Maybe they do know. by johnharrisyankee · · Score: 1

      >>>>Whoever drew up the questionnaire is not competent. From the document:

      What??? Whoever drew up the questionnaire really knows what they are talking about.

      >>> 5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers) Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.

      What that means is AV only on Microsoft products. I can be pci compliant and not need AV on my Cray, AIX, HP/UX systems.

      >>> but unless the questionnaire makes a distinction regarding systems "commonly affected by viruses" then it is not compliant with the original requirements.

      What do you mean?

    7. Re:Maybe they do know. by whoever57 · · Score: 1

      >>>>Whoever drew up the questionnaire is not competent. From the document:

      What??? Whoever drew up the questionnaire really knows what they are talking about.
      You are confusing the specification document with the questionnaire drawn up by the OP's consultants. The original specification does state that anti-virus is only relevant for some platforms, but I interpreted the OP to say that the questionnaire he had to complete did not make this distinction. The questionnaire should have been derived from the original specification, yet, it appears that the derivation had flaws.
      --
      The real "Libtards" are the Libertarians!
    8. Re:Maybe they do know. by Anonymous Coward · · Score: 0

      You are not differentiating between what you need to do for the formal portion of the audit (the parts you mentioned) and the work you have to do for the self-auditing step. the fact of the matter is that it WOULD be extremely costly to do a thorough audit for everything that the PCI standards require, but such an audit is NOT required, you are expected to do the right thing and truthfully self-audit. It is entirely possible for a company to lie in their self-audit or fudge the meaning of the (as you have confirmed and I agree) vague requirements so that you "comply" with minimal or no changes.

      I have two beliefs regarding the PCI standards: first, if you know what you are doing, the PCI standards require what you should already be doing if you are following best practices. Therefore if you are a company complaining about the cost of compliance, I have lost confidence in the security of my data with your company. Second, because of the self-audit portion of compliance, being certified compliant does not actually guarantee that the company is keeping cardholder information safe. In my opinion, the only thing that gives this compliance standard any teeth is that if you actually lose some data, auditors will come back and do a more thorough check and find that you lied on your self-audit. I doubt you would get out of your fine at that point, and you open yourself up to much bigger trouble.

      A few other points based on my own personal experience: the standards kicked in a long time ago, and I know for a fact that many companies are not in compliance. If you make an "effort" to get into compliance and are big enough, you are given ridiculous amounts of leeway toward compliance. Secondly, it is possible to comply with the wording of the PCI compliance standards while being totally completely unsecure. Lastly, I admit that it is possible that it could cost a ton of money to rehaul credit processing for a really large company, so some companies could have legitimate complaints about the cost; but the changes really are best practices, so it really should be done.

    9. Re:Maybe they do know. by johnharrisyankee · · Score: 1

      I still don't see what the supposed flaw is.

    10. Re:Maybe they do know. by charlesnw · · Score: 1

      Right. I am not sure if the GP really knows about PCI compliance or is blowing smoke. If his organization does a "tremendous number of credit card transactions" and he "leads the systems administration team " then I worry about that organization and team.

      Also you can perform your own scans. An external vendor is not required. You simply need someone certified in PCI vulnerability assessment. In a large organization, a security team should have one or more people with this certification.

      --
      Charles Wyble System Engineer
  9. Sauce for the goose... by UncleTogie · · Score: 3, Insightful

    I'm going to have to call foul here. Working with point-of-sale systems, we deal with PCI compliance in software regularly, so I've tried to keep up with the PCI regs as it pertains to the software packages we sell.

    It's a blatant double-standard. They want to lock down EVERYTHING downstream from them, with accountability, yet even after numerous break-ins, apparently have not applied the same standards to *themselves*.

    On the flip side, most of our customers couldn't give a rat's kazoo about compliance, and would do without it 'cause of various inconveniences... {You can only transfer CC-orders twice per order, per spec...} We get buy-in by explaining the penalties if they're caught, and let 'em know that while it may be IMPROBABLE, it's quite possible.
    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    1. Re:Sauce for the goose... by FlatLine84 · · Score: 1

      I don't know what verticals you work with in POS. But for us and the hospitality industry, it's been a PITA for compliance and pre-authing tip amounts. It seems like restaurant owners are freaking at the fact they can't pre-auth over 20% on the invoice to guarantee some form of tip...

    2. Re:Sauce for the goose... by UncleTogie · · Score: 1

      Yup. The pre-auth's bit us in the rear a few times, but that order-transfer is the EVIL one. Example: Pizza joint. Cashier takes a phone order and gets CC number. Driver takes the order, cashier transfers it over. The issue? When the wrong driver is transferred to, or swaps deliveries with another driver. You can't transfer the order anymore, by rule. So, now due to PCI compliance, the numbers for the driver deliveries end up bolloxed. We've had clients literally yelling over the phone about this. It'd be nice if they could design the PCI standard with real-world, real-life use in mind.

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    3. Re:Sauce for the goose... by Anonymous Coward · · Score: 0

      In the same boat, except that my complaint is more that they are forcing rules that are totally appropriate for huge data centres, on small mom & pop restaurants.

      I love the regulations, and if they can be built into a turn-key software package, I'm all for them. But there is just no freaking way that "Joe" of "Joe's Pizza" is going to understand that he needs to rotate his DBA password every 3 months and read his Windows event viewer to look for any suspicious activity.

  10. PCI = PITA (but in a good way) by tehSpork · · Score: 1

    I do server admin and light coding work for a small company that has a primarily web-based business. Going through ScanAlert not only do we have a nice logo to put on the website but we also get a list of stuff that could cause problems such as XSS and software package vulnerabilities (and can check to see if problems are fixed after we've patched the problem).

    The thing is, obtaining PCI certification is not that hard. Any decent web admin should already be halfway there, the rest is just locking down applications and making sure you keep on top of the software installed on your server(s).

    While their port requirement is somewhat absurd for anyone trying to run everything (web, email, dns) on one box (no more than 10 open ports, tcp and udp are counted separately) it is a pretty nice service and makes my employer more comfortable with their business, if the credit card companies get a kick out of it then all the better. :)

    1. Re:PCI = PITA (but in a good way) by sjhwilkes · · Score: 2, Informative

      At the lowest level, yes it's trivial. However it's a graded program:

              * Level 1-Visa U.S.A. and MasterCard World Wide transactions totaling 6 million and up, per year, and any merchants who experienced a data breach.
              * Level 2-Visa and MasterCard transactions totaling 1 million to 6 million per year. (The new requirement expands the number of Level 2 merchants to include former Level 4 merchants.)
              * Level 3-Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year. (The new requirement expands Level 3 to include former Level 2 merchants who process fewer than 1 million e-commerce transactions per year.)
              * Level 4-Visa and MasterCard e-commerce transactions totaling up to 20,000 per year. (The new requirement decreases the number of Level 4 merchants.), and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year.

      As you process more the burden of compliance increases. It's not that hard though, and mostly common sense if you don't want to go out of business anyway. I agree with the author that the key point is getting companies to see that this is in their interests, rather than just a checklist to address once per year, and that the auditor can be an asset rather than someone to be deceived until they give a pass mark.

  11. !bus by Anonymous Coward · · Score: 0

    PCI is not a bus. You can't just get on it and ride it around all day without paying for it. And when it comes time to pay, there need to be standards...

    1. Re:!bus by EvanED · · Score: 1

      It's not a truck either. You can't just dump stuff on it.

  12. Workarounds... by tempest69 · · Score: 2, Informative

    Regularly monitor and test networks

    10. Monitor and track all access to network resources and cardholder data

    11. Regularly test security systems and processes

    These two stand out as the most costly. Are they things you SHOULD do? Yes. Can you reasonably mark either of these as 100% compliant at any time? Maybe, but this isn't going to be pretty, or cheap...

    Let's look at #10 first. What does "all access to network resources" define out to be? These days EVERYTHING is a network resource, and not all of them are within the admin's control. Take the iPhone for example. Is the PCI-compliant admin supposed to certify that every iPhone on the company's network cannot be accessed by others, thereby turning it into a 'network resource'? How do I, as an admin, track that Joe and Jim transferred files peer-to-peer style between their phones? I assume that we have to then ban all these devices?

    It is _possible_ to comply with 'all access to network resources', but this is costly.

    Cardholder data, on the other hand, can be limited and is perfectly reasonable as a requirement.

    For #11, does 'regular' imply frequent as well? Does that compound with 'all network resources'? If so, this is a HUGE time sink. It could also be done, but this has a cost attached as well.

    The network admin would then consider the COMPANY'S NETWORK to be an OPEN Network, and treated as such. The network admin would consider the PCI network to be the server and the endpoints, where firewalls would need to remain in place, and appropriate measures taken to ensure that the OPEN network is unable to decrypt the data transmissions. So basically the all access to network resources becomes more survivable, making the #11 much easier to handle as well.

    Storm

    1. Re:Workarounds... by BobMcD · · Score: 1


      That's pretty solid, actually. Except perhaps that the App won't like that config and the vendor will never have heard of doing it that way before.

      It would be rare to see the network that houses the workstations to be considered 'open'.

      You'd pretty much be forced to go thin-client, too.

      Again, assuming this is your only reason for implementing these measures, costs will attach...

    2. Re:Workarounds... by 2bitcomputers · · Score: 2, Insightful

      Nope, what the OP described is exactly how we handled our PCI requirements. The corporate LAN is treated as a DMZ. Otherwise we would have had to install SNORT on every workstation, back up logs from every workstation, install trip wire on every work station to make sure log files are not altered. require two factor auth on every workstation, the list goes on. PCI compliance is a HUGE PITA. I (thanks /.) actually understand how computer security should work, but IMHO PCI rules are specifically worded so that you are forced to contract it out to a "PCI certified" consultant for $200 an hour. The whole thing is a fucking scam.

      --
      -- Please insert another quarter
    3. Re:Workarounds... by wfberg · · Score: 1

      Why is there credit card information on your workstations? Seriously wondering; I'd expect transactions to only hit some web and database servers (which should have logging, firewalls etc.); if people are looking at lists of transactions, the last 4 numbers of cards should suffice to read out to customers, that's the sort of thing I'd expect to happen on workstations.

      --
      SCO employee? Check out the bounty
    4. Re:Workarounds... by Fulcrum+of+Evil · · Score: 1

      This is the alternative to locking down the CC using servers - you need to log access to anything that could access the servers that use cc data and, if you don't have an isolated network, that includes everything. Even the laptop some sales guy brings in for a sales pitch.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    5. Re:Workarounds... by BobMcD · · Score: 1


      I don't think the issue would be that there IS data on the workstations, but proving that there cannot be. If you can't prove that, you'd have to assume that there is.

    6. Re:Workarounds... by 2bitcomputers · · Score: 1

      If you can SSH from your desktop to the DB server without having to use a VPN it is considered in-scope for PCI.

      --
      -- Please insert another quarter
    7. Re:Workarounds... by alcourt · · Score: 1

      Having gone through PCI audits, I agree they can be a nuisance, but mainly if you do not have an organization dedicated to audit response[1]. Responding to an audit requires professionals who actually work closely with every auditor, not just once a year, and are literally preparing for audits year round and are a central point for all audits. I found the PCI audit refreshing for the preciseness compared to the SOX audit which was more of a "hope the auditor interprets policy the exact same way you do."

      The precise phrasing is to remove the most common problem in audits, vague requirements resulting in uneven interpretation from company to company. For example, it is no longer questionable if logs must be stored on a central log server, it is explicit. The preamble clearly spells out what servers are in scope. I don't have to guess anymore. Yes, I've been the one farmed out to a subsidiary to help them figure out ways to comply with some PCI requirements, but it was something of an "explain what we figured out that passed our audit, help them tweak it for their environment in a way likely to pass their audit." The newness of PCI is why people are rather nervous, that and the very draconian listed penalties. Frankly, the penalties need to be that strict to prevent larger companies from deciding it is cheaper to pay the fines than to comply. In a few more years, these cross-company security audits will become better understood by a larger group of administrators and managers and the methods of compliance will be better understood.

      It really is primarily a case of good practice. It is very possible to comply without any use of commercial software or open source tools that aren't fairly well known and mature today.

      [1]: Yes, I do work on an audit response/organizational security team.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
  13. What Security by Anonymous Coward · · Score: 0

    They try and make everything downstream "more secure" but yet they roll out cards that just need to be within a 2" proximity of a card swipe while never checking to see if the person using it is allowed.

  14. balance by WwWonka · · Score: 1

    Having worked for a multi-billion dollar mutual fund company as the head of network security I saw first hand the many paradoxes of standards vs reality, as I am sure we all have in the security field.

    1. Receive "quality" industry wide standard and procedures that are meant to protect and secure.
    2. Huddle around a conference table and try and dissect what this means for the company.
    3. Try and find the cheapest and best "close to scenario" for complying with the standards.
    4. Implement and cheer that "WE HAVE COMPLIED!"
    5. Secretly mumble and complain under our breath that this is f$#ked and nowhere near as secure as it should be.

    Watching a company, such as the one I worked with, budget out and just squeak by in complying with ad-hoc measures and procedures left a huge distaste in my mouth for data security in corporate America.

  15. PCI isn't that bad to implement by analogueblue · · Score: 2, Informative

    I led an effort at a Fortune 100 company to bring their online storefront and its backing systems into compliance with the PCI Standard. We started with doing a gap analysis, implementing the changes and improvements, doing an internal audit, and then an external audit for Visa.

    The requirement language is sometimes a little vague but by using your best judgement and putting your security and customer hats on, it isn't too hard to figure out.

    I actually found the requirements a great tool to convince upper management that they need to invest the time and money into really cleaning up the security of the site and backing systems. Most of the gaps were things that should have been fixed, but always fell behind the latest marketing push project for budget and resources. The threat of large fines made it possible to do a thorough analysis and overhaul, resulting in a much more secure system.

    Most of it is really common sense:
    • Limit and log access to your production systems that deal with credit card information
    • Encrypt PII and credit card data, in storage and transit
    • Don't keep your encryption keys in CVS with anonymous access turned on, etc...
    • Use firewalls and keep your machines and networks secure
    • Make sure your world facing applications don't have nasty SQL or XSS injection vulnerabilities
    • Log financial action related stuff, and keep the logs around in a reasonably safe from tampering fashion

    I think that while the actual wording and guidelines could have been handled better it provides a pretty good start at a baseline of security, and is a good tool to force companies to really address security, instead of always focusing on maximizing profits all the time.

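
    The "keep the logs around in a reasonably safe from tampering fashion" bullet above (and the Tripwire-on-every-workstation complaint earlier in the thread) is about log integrity. As an added example, not from any poster in this thread, here is one way to make an audit trail tamper-evident: each record is HMAC-chained to the one before it, so editing or deleting a record breaks every tag after it, and a stored copy of the newest tag catches truncation. The events, timestamps and key below are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample events of the kind a PCI-scoped system would record
# (access to card data, admin logins, report exports). Not real data.
SAMPLE_EVENTS = [
    {"ts": "2007-05-03T10:00:00Z", "user": "clerk1", "action": "view_last4", "pan_suffix": "1234"},
    {"ts": "2007-05-03T10:05:00Z", "user": "admin", "action": "ssh_login", "host": "db01"},
    {"ts": "2007-05-03T10:07:00Z", "user": "admin", "action": "export_report", "rows": 42},
]

GENESIS = "0" * 64  # the tag the first record chains to


def append_entry(chain, event, key):
    """Append one event. Each record's tag covers the previous tag plus its
    own payload, so changing or deleting any earlier record breaks every
    tag that follows it. The HMAC key belongs to the verifier (e.g. the
    central log server), never to the host whose logs are being protected."""
    prev = chain[-1]["tag"] if chain else GENESIS
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, (prev + payload).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "event": payload, "tag": tag})
    return chain


def build_chain(events, key):
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain


def verify_chain(chain, key, last_tag=None):
    """Return (ok, index): ok is True when every link checks; on failure,
    index is the first bad record. Passing last_tag (the newest tag, kept
    off-host) also catches silent truncation of the tail, which the chain
    by itself cannot detect."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hmac.new(key, (prev + rec["event"]).encode(),
                            hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if last_tag is not None and prev != last_tag:
        return False, len(chain)
    return True, len(chain)
```

    Shipping the records to a central log server and having that server (which holds the key) run `verify_chain` is what turns this from a checksum into evidence that the originating host could not have quietly rewritten its own history.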
  16. FWIW: Razors: what is secret is how long they last by jerryasher · · Score: 2, Insightful

    As I recall from a class a long time ago, all of those n-bladed hexi-flexi razors are built to very high technology standards. It was apparently a $1B, bet-your-company kind of investment by Gillette to initiate these sorts of razors and create the machines that could do the sort of precise welding needed.

    The razors themselves are high tech and excellent quality -- they don't want you to cut yourself which would be bad for repeat business.

    What is kept very secret is how the manufacturer thinks they should last. To create repeat business, they won't tell you to replace the blade daily, weekly, or monthly. They'll let you decide.

  17. pci compliance or how to annoy a sysadmin... by jaydestr0 · · Score: 1

    as a sysadmin for a managed hosting company the PCI compliance issues we run into are 99.9% of the time not even real legit issues that would be of a major risk to a credit card processing website. most of them are simply flag checks of versions of software that are installed. most of the time, say on a RHEL system, the actual version numbers remain old and the required patches are backported into the rpm. almost any time I get the "OMG I AM SO OUT OF DATE" request from a client it means I simply have to paste the rpm information and send a link to the errata. "you are fine, you are not going to be hax0r3d, your biz is not completely dead." companies that provide "free security scans" for your average web server colo normally just send total bullshit that just gets people in a frenzy for no reason.

  18. Good Standard by Nitroryder · · Score: 1

    PCI is a good model for any company to follow who would like to secure sensitive data and audit, log, and track usage of said data. Most of the requirements are items that a good IT department should have in place to begin with. Part of the process is implementing an Information Security Policy to which all employees, contractors, or third parties must adhere if they connect to your network. This is something that TONS of companies lack to begin with, and it brings an awareness of data sensitivity to your user base. Not all that bad if you ask me.

    One negative thing that it does do is make it really hard for small e-tailers who use third-party carts and checkout processes to make the jump to a fully owned supply chain. In that case, it can be costly.

  19. Huh? by jd · · Score: 1
    What's love got to do, got to do with it? Love needs a protocol and a protocol can be broken.....

    Ok, I'll never make the top 40, but seriously the most recent PCI "standards" (I think they're at 2.1) have a LOT of vendor extension hooks, making me think that PCI is going to go the way of CORBA and SQL - standards only on paper and not in practice. Besides, the latency is high (and that's according to Intel!) and the signaling system has become nightmarishly complicated.

    The alternatives seem to be HyperTransport and VXI, neither of which are either widespread or perfect by any stretch.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  20. Banks are basically cowardly parasites ... by slapphappe · · Score: 1

    PCI compliance is (a) a sensible set of rules to better protect the privacy and security of credit card transactions but, more importantly, it is (b) a new mechanism for banks to levy astronomical fees against non-compliant merchants and (c) build a self-serving governance consulting industry which will promote the rather profitable idea that banks are outside of the loop when bad things happen in the payment card industry.

    First off, banks are parasitic businesses -- they do not typically kill the host. While they may threaten to cut merchants off, they are more about generating fees and mitigating risk. The threat of being cut off is simply to make the huge non-compliance fines seem like the more palatable alternative.

    Next is: Since when is a bank blameless when somebody impersonates us and takes money out of our account? They've invented the "identity theft" thing to explain that what was stolen was our identity, not the money we entrust them with -- and which they disbursed to a third party without our proper authority. So we have to fix the fraud which was actually perpetrated against the bank by that third party, even though we were in no way involved in the fraudulent transaction. We should insist on calling this a monetary theft, to restore the notion of bank robbery, which it really is. PCI compliance will further insulate banks from their responsibilities to account holders. All risk will, by additional agreements, be transferred to either the merchant or the cardholder when things go wrong. Nice business when you can get it, even if it takes a bit of PCI collusion to set it up!

  21. batteries and blades... by Anonymous Coward · · Score: 0

    "It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products to an inferior level in order to ensure repeat business."

    Living in New England, and being an employee of one of the two groups of battery/blade companies, I can tell you that rumor is bullsh*t.

  22. Real World PCI Compliance by Mondor · · Score: 1

    Although I agree with you, there is one point I could add: the banks themselves are mostly not PCI compliant.

    Yes, Visa and Mastercard push banks and payment processing companies to be PCI compliant, but they offer to check compliance through a procedure called "Self audit". That is - you have to tell them you are compliant. So of course everyone is.

    I was responsible for PCI compliance in one payment processing company in north Europe, so I know what it's like - a list of sometimes dumb rules you have to implement. Some standards you have to implement are already insecure (SHA-1, for example) and some things became more secure but you just can't use them, because authors of that standard have no clue it can be done in a secure way. For example - you have to say goodbye to FTP in your network, no matter how hard you are protecting the line and how advanced your server is. So PCI standard essentially is obeying dumb principles of basic security at very high cost. There is much you can do better, yet it won't be PCI compliant.

    Lack of de-facto PCI compliance means that a bank can use the "PCI compliance" factor to prove that its network/environment is extremely secure and so it's your fault that money was stolen. If you could see what I've seen about real PCI compliance in north Europe banks, you would have a serious risk of becoming paranoid.

  23. Management problem by threaded · · Score: 1

    PCI is NOT a problem for techies, it is a problem for managers. At several places I've worked there has been intense pressure to circumvent PCI because it all appears as 'non-functional' requirements on their charts.

    I've even seen one place recycling client data as test data: those customers were seriously peeved about the odd charges and paybacks on their bills. Which was why I was brought in. Try explaining to a management team that a bug isn't in the code but in their technique.

  24. doing this now - here's what's wrong by Anonymous Coward · · Score: 0

    lol I'm doing this now and even I misread the title. It is a huge pain but it's also what we should have been doing all along. When I started doing POS support (coming from a corp. environ) I was amazed at how horrible security was, and it's caused by failures all along the chain.

    It's the fault of the program vendors (I'm working with Aloha mostly and its design from the ground up is god awful), the integrators (for doing things the easy way instead of the right way) and the consumers (retail owners) for not understanding why any of this matters and wanting, like all end users, for things to be simple when, sometimes, they just can't be as simple and easy as they'd like.

    For example, 1 pcanywhere login for all stores with identical short passwords and no encryption, on top of a system built around open file shares with no firewalls and default user names and passwords for system accounts that the POS program uses to access resources (including all CC info and log files), which are, amazingly enough, aloha and hello. And that's just the start. I could go on for pages and pages.

    So yes it's a ton of work but it's shit that should have been done right the first time, it's a ton of work b/c it's never been done right and now they're trying to catch up.

    oh, i guess I should post anonymously now...

  25. Disabled security so they can scan you by Anonymous Coward · · Score: 0

    The PCI group that is to "certify" our F100 company wants all IDS and AV disabled so they can scan the systems without being blocked and locked out. It seems that when security is enabled (doors locked, guns loaded and aimed) the PCI scanning systems get blocked from access. Their solution is to disable security and then scan the systems, then report that your systems are vulnerable!!!