PCI Compliance can be daunting for new merchants or service providers. The PCI-DSS contains 12 requirements, with 412 sub-requirements and sub-sub-requirements covering over 115 pages. It begs the question, "Where do I start?"
Today we'll tackle Milestone 2: Protecting Systems and Networks.
Any system that is in scope for PCI DSS (if you don't know about scope, please see Part 1: Watching What You Store) needs to be isolated from systems that aren't, and especially from systems on the internet as a whole. To make this happen, you need to install firewalls. How many and what kind depend on the details of you network. You should definitely have one at the edge of your network between you and the internet. You also need one between your DMZ (we'll get to what a DMZ is in a minute), and any internal systems. If you are keeping some of your systems out of scope, you need a firewall between those systems and your in-scope systems.
What's a DMZ?
A DMZ, or De-Militarized Zone is a perimeter network separated from you internal network. Any system visible to the internet; web servers, FTP servers, mail gateways, should be placed on this network. Limiting inbound traffic to systems in the DMZ helps keep an outside hacking attempt from reaching into other parts of your infrastructure. For this reason, PCI DSS requires that all inbound connections from the internet be terminated inside the DMZ.
Once you have a firewall deployed, you need to configure it. Firewalls should be configured to deny traffic my default. Anything you need to allow should be explicitly added. When you do, be sure to document what you're allowing and why it was needed.
Most devices purchased today come ready to use, configured for the most common setup they would be used for. This can be convenient when you need to hit the ground running, but this simplicity can be a vulnerability. Devices like routers, firewalls, access points, and server remote access cards are often shipped with generic passwords, SNMP strings, and encryption keys that are shared across many devices from the manufacturer. Because all of these are readily available to anyone, they must be changed to ensure access to your new systems is protected. Default passwords should be changed, SNMP strings should be set to something unique to your organization, and default certificates should be regenerated or replaced, as anyone with access to the same hardware has copies of the private keys for those certificates as well.
When you're sending sensitive information (like say, cardholder data) over a network, it's important to make sure that data is only readable by its intended recipients. If the network your transmitting is the internet, or another shared network that are not exclusively under your control, the only way to ensure confidentiality is to encrypt the data before sending it. The PCI DSS requires encryption for the following data types:
Cardholder Data, including PANs, names, and expiration dates
Sensitive Authentication Data, including Track Data, PIN Block Data, and CVV codes
Authentication data like passwords, One Time Passwords, API keys, etc.
Any Remote Administrative protocol, like RDP, web management pages, and CLI console access.
The PCI DSS doesn't specify a single encryption method for this traffic, but the following ones are generally recommended:
For HTTP, Transport Layer Security (TLS) should be used.
For console access, options like SSH should replace telnet or rlogin
For FTP, TLS (FTPS) should be used, or replaced by SFTP (not the same thing).
For RDP , TLS should be used.
IPSec VPN should be considered for any protocols that can't be secure independently.
This is far from an exhaustive list, but covers a lot of the most common protocols.
Part of any defense in depth strategy is protecting servers and workstations from malicious software. Most people know they need Anti-Virus/Anti-Malware, but if you didn't the PCI DSS is here to tell you. You Do. At a minimum you need the following:
Anti-Virus must be installed on all commonly affected systems (i.e. servers, workstations, etc. running OSes that have know viruses in the wild; or really any platform that could run arbitrary software by default.
Anti-Virus must be capable of detecting and removing malicious software. This seems to be a no-brainer, but you should be looking for effective protection, not something to check a box.
Anti-Virus should be actively running, so schedule-only scanning won't be enough. You need on-access scanning.
Anti-Virus should be configured for regular system scans. So even with the on-access scanning, you need to configure regular scanning system wide.
Anti-Virus should be configured to update regularly. Outdated AV is just as bad as no AV at all. AV should be updated as often as practical preferably daily if not more often.
Anti-Virus settings should be protected from modifications by end users. Users should not be able to disable AV, or prevent scanning.
Everything above should be in place, and the details of where and how should be documented.
One of the most ubiquitous, but often misunderstood aspects of security is IAAA; that is Identification, Authentication, Authorization, and Accounting. Everyone knows you need a password to get into most computers, but IAAA is about more than just that. Every user should have their own username and password. No one should be logging in with a "shared" account or with an account meant for another user. This is because each users access should be only available to them, and any action taking with a user account should be traceable to a single responsible person.
Unique accounts also simplify the process of revoking access. If someone leaves your company, you need to revoke they access to your systems immediately. Do you know what to shut off, or what passwords to change? If they only had their account you do, otherwise...
Something you know; this is usually something like a password or PIN.
Special note on MFA selection: Many organizations are attracted to options like SMS or text messaging to add MFA to their systems. The appeal comes from the ease of configuration, and low cost of implementation. A word of caution though, SMS is considered a weak form of authentication, due to the large number of exploitable vulnerabilities all throughout the SMS platform. For this reason, the PCI DSS does not consider SMS a viable option for adding MFA.
An important aspect of any security plan is controlling physical access. The only saying in IT is "There's no security without physical security" Even the strongest security controls can often be bypassed if you have physical access. For this reason, you need to implement physical access controls.
You need to restrict access to locations and equipment where CHD is processed to only employees that need access. This includes server rooms, call centers, AR departments,etc. Notably, it does not include retail locations where only POS systems are being used. (Thankfully, as it would make going to the store a complicated endeavor). You can do this with keyed locks, badge readers, security guards, or any number of other control methods.
To protect your data and your infrastructure, you need to know what your protecting. What you need is an inventory. You need to track all systems and software in your infrastructure, from purchase to decommission. This inventory should reflect any systems that process CHD, and devices like card readers, encryption systems, etc. It should also include any system which these systems depend on (routers, switches, firewalls, authentication servers, storage systems).
You also need to know where your systems might have weaknesses. To that end, the PCI DSS requires that you run network vulnerability scans, both internally and externally at least quarterly. You also need to perform penetration testing internally and externally at least annually.