This white paper reviews the basics of PCI, including who must comply, compliance requirements, validation requirements and penalties. It also examines key things to look for when selecting a PCI network testing service and introduces QualysGuard PCI.
WINNING THE PCI COMPLIANCE BATTLE
A Guide for Merchants and Member Service Providers
Qualys White Paper

Table of Contents
I. The Payment Card Industry Locks Down Customer Data
II. Compliance Requirements of the PCI Data Security Standard
III. Participation and Validation Requirements
IV. Selecting a PCI Network Security Testing Service
V. Introducing On Demand PCI: QualysGuard PCI
VI. Automating the PCI Validation Process

I. The Payment Card Industry Locks Down Customer Data

The last several years have seen an unprecedented assault on the personal and financial data that customers have knowingly or unwittingly entrusted to retailers, banks, service providers and credit card companies. Bank of America, BJ's Wholesale Club, CardSystems Solutions, ChoicePoint, Citigroup, DSW Shoe Warehouse, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia are just a few of the names that have been boldly exposed in the media and pummeled in the financial markets after major data security breaches were revealed. Credit card data in particular has been compromised so frequently that calls for government intervention and regulation became widespread.

Taking another approach, the payment card industry countered the criminal onslaught with a homegrown security initiative that is at once broader in scope and more granular in its requirements than any measures additional government regulation might have imposed. The Payment Card Industry Data Security Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
PCI, as it is almost universally known, was originally developed by MasterCard and Visa through an alignment of the security requirements contained in the MasterCard Site Data Protection Program (SDP) and two Visa programs, the Cardholder Information Security Program (CISP) and the international Account Information Security (AIS) program. In September 2006, a group of five leading payment brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.

"The things that PCI is looking for are really the motherhood and apple pie issues of security: making sure that firewalls are only passing traffic on accepted and approved ports, that servers are running only those services that really need to be live, that databases aren't configured with vendor-supplied defaults. It's all standard security-assessment stuff."
Diane Kelly, Vice President and Service Director, Burton Group

II. Compliance Requirements of the PCI Data Security Standard

The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The core requirements are organized in six categories (Figure 1).

Figure 1: PCI DSS Principles and Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

III. Participation and Validation Requirements

While the newly established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by the individual payment card brands. Although requirements vary between card networks, MasterCard's Site Data Protection Program and Visa's Cardholder Information Security Program are representative. They stipulate separate compliance validation requirements for merchants and service providers, which vary with the size of the company. Compliance levels are defined based on annual transaction volume and the corresponding risk exposure, as outlined in Figure 2.

"There's no other regulatory or industry compliance requirement that's quite this granular. PCI is kind of its own unique animal, but the data you collect in a PCI compliance scan can be useful in meeting many other kinds of audit and assessment requirements, an ISO 27001 certification or a Sarbanes-Oxley audit, for instance. You'll be looking at many of the same things. After all, most compliance comes down to things like whether your firewall is correctly configured."
Diane Kelly, Vice President and Service Director, Burton Group

Validation Requirements

Annual on-site security audits: MasterCard and Visa require the largest merchants (level 1) and service providers (levels 1 and 2) to have a yearly on-site compliance assessment performed by a certified third-party auditor.

Annual self-assessment questionnaire: In lieu of an on-site audit, smaller merchants (levels 2, 3 and 4) and service providers (level 3) are required to complete a self-assessment questionnaire to document their security status.

Quarterly external network scans: All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. Scan requirements are rigorous: all 65,535 ports must be scanned, every vulnerability detected at severity level 3 to 5 must be remediated, and two reports must be issued: a technical report that details all vulnerabilities detected, with solutions for remediation, and an executive summary report with a PCI-approved compliance statement suitable for submission to acquiring banks for validation.
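To make the quarterly-scan pass/fail rule concrete, the following is an added example, not code from this white paper or from QualysGuard PCI. It evaluates a constructed scan result the way the rule above describes: it verifies that the scanned port ranges cover all 65,535 ports, treats any unremediated finding of severity 3 to 5 as blocking, and produces the two report types, a technical finding list with remediation advice and an executive pass/fail statement. The hosts, findings, the 1-to-5 severity scale and all function names are assumptions made for the illustration.

```python
"""Evaluate a PCI external scan result against the quarterly scan rules:
full port coverage, no open severity 3-5 findings, and two report types.

Added example with constructed data; it is not the white paper's or
QualysGuard PCI's code. The 1-5 severity scale is assumed from the text.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

FULL_PORT_RANGE = (1, 65535)   # all 65,535 ports must be scanned
BLOCKING_SEVERITY = 3          # severity 3-5 findings must be remediated to pass


@dataclass
class Finding:
    host: str
    port: int
    severity: int          # assumed scale: 1 (low) .. 5 (urgent)
    title: str
    solution: str          # remediation advice for the technical report
    remediated: bool = False


@dataclass
class HostScan:
    host: str
    ports_scanned: List[Tuple[int, int]]   # inclusive (low, high) ranges
    findings: List[Finding] = field(default_factory=list)


def port_gaps(ranges, full=FULL_PORT_RANGE):
    """Return the inclusive sub-ranges of `full` that `ranges` leave unscanned."""
    lo, hi = full
    gaps, cursor = [], lo
    for a, b in sorted(ranges):
        if a > hi:
            break
        if a > cursor:
            gaps.append((cursor, a - 1))
        cursor = max(cursor, b + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def blocking_findings(scan, threshold=BLOCKING_SEVERITY):
    """Open findings at or above the threshold; any one of them fails the scan."""
    return [f for f in scan.findings if f.severity >= threshold and not f.remediated]


def evaluate_host(scan):
    """Return ("PASS" or "FAIL", list of reasons) for one host."""
    reasons = []
    for lo, hi in port_gaps(scan.ports_scanned):
        reasons.append(f"ports {lo}-{hi} not scanned")
    for f in blocking_findings(scan):
        reasons.append(f"severity {f.severity} open on {f.host}:{f.port} ({f.title})")
    return ("PASS" if not reasons else "FAIL"), reasons


def technical_report(scans):
    """Report 1: every finding, highest severity first, with its remediation."""
    rows = []
    for scan in scans:
        for f in sorted(scan.findings, key=lambda x: (-x.severity, x.port)):
            state = "remediated" if f.remediated else "open"
            rows.append(f"{f.host}:{f.port} sev {f.severity} [{state}] {f.title}; fix: {f.solution}")
    return rows


def executive_summary(scans):
    """Report 2: per-host status and the overall compliance statement."""
    per_host = {s.host: evaluate_host(s)[0] for s in scans}
    overall = "PASS" if all(v == "PASS" for v in per_host.values()) else "FAIL"
    return {"overall": overall, "hosts": per_host}


# Constructed sample: two hosts in the TEST-NET-3 documentation address range.
SAMPLE_SCANS = [
    HostScan("203.0.113.10", [(1, 65535)], [
        Finding("203.0.113.10", 443, 4, "SSLv2 accepted by web server",
                "Disable SSLv2 in the TLS configuration"),
        Finding("203.0.113.10", 22, 1, "SSH version banner disclosed",
                "Informational; no action required for PCI"),
    ]),
    # the scanner skipped port 1024, so coverage is incomplete
    HostScan("203.0.113.11", [(1, 1023), (1025, 65535)], []),
]

if __name__ == "__main__":
    for row in technical_report(SAMPLE_SCANS):
        print(row)
    print(executive_summary(SAMPLE_SCANS))
    for scan in SAMPLE_SCANS:
        print(scan.host, *evaluate_host(scan))
```

Both sample hosts fail for different reasons: the first because a severity 4 finding is still open, the second because one port was never scanned. Marking the finding as remediated (or rescanning the missing port) flips the host, and then the executive summary, to PASS; the gap check is what catches a scanner that silently skipped part of the port range.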
Figure 2: Merchant & Service Provider Levels and Validation Actions

Merchant levels
Level | Criteria | On-site security audit | Self-assessment questionnaire | Network scan
1 | Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year; any merchant that suffered a security breach resulting in an account compromise | Required annually* | - | Required quarterly
2 | Any merchant processing between 150,000 and 6 million transactions per year | - | Required annually | Required quarterly
3 | Any merchant processing between 20,000 and 150,000 transactions per year | - | Required annually | Required quarterly
4 | All other merchants not in levels 1, 2 or 3, regardless of acceptance channel | - | Required annually | Required quarterly

Service provider levels
Level | Criteria | On-site security audit | Self-assessment questionnaire | Network scan
1 | All processors and all payment gateways | Required annually* | - | Required quarterly
2 | Any service provider not in level 1 that stores, processes or transmits more than 1 million accounts/transactions annually | Required annually* | - | Required quarterly
3 | Any service provider not in level 1 that stores, processes or transmits less than 1 million accounts/transactions annually | - | Required annually | Required quarterly

* On-site security audits may be conducted through Qualys PCI Consulting Partners (http://www.qualys.com/partners/pci).

Validation Enforcement

While non-compliance penalties also vary among the major credit card networks, they can be substantial. Participating companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Since compliance validation requirements and enforcement measures are subject to change, merchants and service providers should closely monitor the requirements of all card networks in which they participate.

IV. Selecting a PCI Network Security Testing Service

At first exposure, PCI compliance and validation requirements can appear daunting, particularly the external scan requirement. Merchants can simplify the selection process by establishing a few key selection criteria. Three important things to look for in a PCI network scanning service are:

Accuracy: It is extremely important that a testing service accurately identify real vulnerabilities and not generate a large inventory of false positives, each of which must be manually evaluated for remediation. False positives (and false negatives) can significantly and unnecessarily inflate the workload and labor cost of maintaining PCI compliance.

Efficient vulnerability remediation process: The service provider must offer tested and documented remediation processes for all identified vulnerabilities, and provide expert technical support.

Automated report preparation and online filing: Automatic report preparation and electronic filing greatly simplify compliance administration and reduce the attendant workload.

"First of all, you have to use an approved PCI vendor, so that's pretty much a binary decision. Beyond that, customers really need to consider their comfort level with the service provider's methodology, the way that reports are presented and the level of transparency into the data collection process. Intrusiveness is also an important consideration: some scanning tools are more invasive than others, and customers need to be sure that these are low-touch processes that won't cause disruption on their networks. Reusability of the scan data in other security management processes and with other SIM tools is another thing to look for. This is good data they're getting, and it's applicable beyond PCI."
Diane Kelly, Vice President and Service Director, Burton Group

Rose Ryan, J.D., a research analyst in IDC's Security Products and Services group, urges merchants to also consider the service provider's background and core expertise. "The most successful vendors in this space have a history in security assessment and management as well as compliance services. I also think it's important to evaluate a provider's ability to adapt as requirements change, and look for good partnerships in the consultant community for remediation referrals." Smaller companies should also search out specialized PCI offerings from established security management providers that help make PCI compliance affordable.

V. Introducing On Demand PCI: QualysGuard PCI

One such specialized solution is QualysGuard PCI, a network scanning, security assessment and reporting platform delivered on QualysGuard, the industry-leading on demand solution for vulnerability management and policy compliance. QualysGuard PCI is provided on demand as a Web application, with no hardware or software to be installed and maintained on the customer network. It allows merchants and service providers to complete all validation requirements: using QualysGuard PCI, users can complete and submit the PCI self-assessment questionnaire online, and perform pre-defined PCI scans on all external systems to identify and resolve the network and system vulnerabilities covered by the PCI standard.

Figure 3: QualysGuard PCI Dashboard

QualysGuard PCI is certified by the PCI Council for network scanning and PCI compliance validation, and is used worldwide by merchants, security consultants and certified PCI auditors. Consultants and security auditors can use QualysGuard PCI in their practice to help clients achieve compliance efficiently.
"For us, the major advantage of an online service like QualysGuard PCI is that it's accessible from everywhere in the world. That lets us perform the external network scan as part of our onsite work with a customer. Another advantage is the fact that it is tailored specifically for PCI compliance evaluation, including the reports. That saves us time and saves the customer money."
Stephan Engelke, Security Consultant and PCI Auditor, Excelsis Business Technology

"PCI compliance is extremely intimidating for organizations relying on the payment card industry for the majority of their transactions. The QualysGuard PCI On Demand platform reduces the cost and complexity of security and compliance for organizations through the software-as-a-service model."
Dr. Michael G. Mathews, CTO, CynergisTek

Key features of QualysGuard PCI include:
- An online self-assessment questionnaire that lets the user revisit the questionnaire as often as necessary, and enables collaboration with other members of the organization.
- Unlimited PCI scanning for all systems within the user account. An organization can scan all external systems on a quarterly basis, or as needed in order to reach compliance.
- PCI reporting that delivers the executive-level and technical reports defined by the PCI standard.
- Online filing that automatically notifies the acquiring bank when a merchant achieves PCI compliance.
- A friendly and fast process to address and eliminate false positives detected during scans.

But the most important feature of QualysGuard PCI is the Six Sigma level of accuracy made possible by the industry's most complete vulnerability knowledgebase, an encyclopedic inventory of thousands of known vulnerabilities that covers all major operating systems, services and applications. The result is a current error rate of less than 3.4 defects per million production scans.

VI. Automating the PCI Validation Process

Achieving PCI compliance may seem at first like an insurmountable task, but in fact the PCI Data Security Standard requirements represent fundamental security best practices that should be observed by any organization with IT systems and data to protect. Because networks are always connected, new devices are constantly being added, and new vulnerabilities are discovered daily, the possibility of exploitation is ever-present. PCI delivers best-practice approaches that help companies keep on top of this ever-evolving situation, ensure compliance, and secure the cardholder information stored within their networks.

For additional information and a 14-day free trial showing how Qualys On Demand PCI can make PCI compliance an automated, effective process for continuous security improvement, visit Qualys on the Web at http://www.qualys.com/products/qgpci/.

"With Tribune's distributed organizational structure and heterogeneous environment, we needed a rapid and economical way to scan for and eliminate server vulnerabilities. The QualysGuard PCI On Demand platform and the services of CynergisTek are helping us to verify the PCI compliance of our IT infrastructure."
Dr. Joshua Seeger, CIO, Tribune Broadcasting

"Since our business is PCI compliant, I was familiar with and had used other PCI compliance services. I was very surprised at the thoroughness of the scan from Qualys. It discovered issues that had not been brought to my attention from other compliance scans."
Sam Lehrfeld, CIO, KneeDraggers.com Inc.

Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 10/06
www.qualys.com

USA: Qualys, Inc., 1600 Bridge Parkway, Redwood Shores, CA 94065. T: 1 (650) 801 email@example.com
UK: Qualys, Ltd., 224 Berwick Avenue, Slough, Berkshire SL1 4QT. T: +44 (0) 1753 872101
Germany: Qualys GmbH, München Airport, Terminalstrasse Mitte 18, 85356 München. T: +49 (0) 89 97007 146
France: Qualys Technologies, Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie. T: +33 (0) 1 41 97 35 70