SP-026: PCI Full Environment
Legend: The Payment Card Industry (PCI) Data Security Standard (DSS) is a well established set of security requirements which must be applied when businesses store, transmit or process payment cards issued by the major payment brands (for example Credit or Debit Cards from Visa, Mastercard, JCB, Diners and Amex). The standard is released on a 3 year cycle and the next version (v3) is expected to be available in Autumn 2013.
This pattern highlights the main control considerations for Cardholder Data Environments (CDE) where the organisation accepting card payments will be responsible for their PCI-DSS compliance due to direct integration of the payment platform with their e-Commerce or Point of Sale systems.
Description: The PCI-DSS standard includes 12 primary control objectives which are supported by approximately 200 detailed requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
For purposes of compliance the PCI council recommend a lifecycle based around three steps: Assess, Remediate and Report.
- Assess: take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data.
- Remediate: fix the vulnerabilities identified.
- Report: compile records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands you do business with.
Given the focus of PCI-DSS a number of controls families are of key importance; Configuration Management which is necessary to understand the environment you will secure (establish PCI Assessment Scope, PCI Requirements 1 & 2), Access Control which underpins PCI requirements 7 & 8, Audit and Accountability to determine the necessary audit events and monitoring (Reqts 10), Certification Accreditation and Security Assessments (Reqt 11), Physical and Environmental (Reqt 9) and Systems and Information Integrity (Reqt 5 & 6). PCI-DSS does not focus on availability requirements and therefore these are not represented within the mapping provided in the OSA controls catalogue
This pattern is designed in accordance with the fundamental architectural principle that you should minimise the attack surface against cardholder data, reducing the data flows to the minimum necessary to support business processes. By logically and physically restricting access to the cardholder data environment, you can ensure that data is maintained in a segregated and secured area, with a clearly defined scope to manage security and compliance activities.
Assumptions: This pattern assumes that you have a basic working knowledge of PCI-DSS requirements and if not that you will go and download the standard and spend a couple of days properly reading it...
Typical challenges: PCI-DSS is a proscriptive and detailed security standard. You need to ensure that you fully understand the scope of the Cardholder Data Environment with accurate network diagrams that show the relevant systems with Cardholder data flows. You'll need to demonstrate to the Qualified Security Assessor (QSA) that there are suitable control points that delimit the CDE. These control points (e.g. firewalls, remote access servers etc) will be checked as part of the assessment to confirm that the scope represented is accurate.
- Documentation will need to be accurate and current, you may wish to check this in advance of the assessment. Many aspects of documentation are interlinked, for example Build Standards will be needed to meet the PCI requirements on vendor defaults, but also play an important part in implmenting effective File integrity monitoring (11.5)
- You will need to provide evidence of control operation- make sure you have the repeating activites in place such as quarterly security scans
- Encryption requirements may be challenging, think carefully during the design phase about how you can secure data within the environment and the best approaches to key management
- You may need to make use of compensating controls in your environment if there are specific PCI-DSS requirements that cannot be met due to business process requirements that conflict. This is permissible if the QSA assesses the risks and determines that the original intent of the control is still met. You cannot meet the requirement using other PCI-DSS requirements, you must have a different compensating control!
Indications: Apply this pattern where you are a Merchant or Payment Services Processor storing, transmitting or processing Payment Cards.
Contra-indications: Do not use this pattern where you plan to reduce the compliance scope using tokenisation (SP-027), or remove the environment from scope using a 3rd Party Payment services gateway (SP-028)
Resistance against threats: This pattern is designed to resist the threat of non-compliance with the PCI-DSS v2.0 requirements. It provides a good basis for securing a confidential data set against motivated criminal actors.
PCI Security Standards Council
ROC Reporting Instructions gives guidance for QSAs when assessing environments
FAQ for PCI
OSA controls catalogue mapping to PCI-DSS v2
Related patterns: SP-027: PCI-DSS Tokenisation, SP-028: PCI-DSS Use of 3rd Party Payment Services Gateway
Classification: Card Payment Services, Financial, Point of Sale, e-Commerce
Reviewer(s): Vinyl Wasp , Aurelius
AC-02 Account Management
AC-06 Least Privilege
AC-18 Wireless Access Restrictions
AC-19 Access Control For Portable And Mobile Devices
AU-02 Auditable Events
AU-06 Audit Monitoring, Analysis, And Reporting
AU-08 Time Stamps
AU-09 Protection Of Audit Information
CA-02 Security Assessments
CA-07 Continuous Monitoring
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-08 Information System Component Inventory
IR-01 Incident Response Policy And Procedures
MP-03 Media Labeling
MP-06 Media Sanitization And Disposal
PE-03 Physical Access Control
PE-07 Visitor Control
PS-03 Personnel Screening
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SC-07 Boundary Protection
SC-09 Transmission Confidentiality
SC-12 Cryptographic Key Establishment And Management
SC-13 Use Of Cryptography
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques
SI-05 Security Alerts And Advisories
SI-06 Security Functionality Verification
SI-07 Software And Information Integrity
SI-09 Information Input Restrictions