Saturday, February 24, 2007

PCI Compliance Part 2 - Don't lose that credit card data!

Last week I discussed what PCI Compliance is and where it came from. Today we'll look at the details of the PCI Data Security Standards (DSS) and explain what each standard does to protect your clients' cardholder information. If you want to see how well your organization meets these criteria, contact your registration software provider or conduct the self-assessment questionnaire.

Below are the 12 major requirements of PCI Compliance, described in layman's terms.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
A firewall is an electronic barrier between the outside world (which is dirty) and your data (which is hopefully clean). Computers and servers are like houses with thousands of windows, called "ports". Data can flow in and out of these ports, for example, web browsers typically use port 80 for "http" requests and port 443 for "https" requests. A firewall is like a window shutter - it provides a barrier to traffic flow on the ports that you don't need to use.

Sophisticated firewalls can even close ports to specific types of data and can provide "dual-zone" protection. A dual zone firewall means that you can have one set of protection for your web servers (which must have ports 80 and 443 open to the world in order to deliver web pages) and a second set of more restrictive protection for database servers (which only need to communicate with the web servers and thus can be closed to the rest of the world). The more ports you close or restrict, the tougher it is for bad guys to get in.

It's like the battle for Helm's Deep in Lord of the Rings - Twin Towers. If the orcs get through the outer defenses, then they still have to breach the walls of the keep in order to get to your people. Yeah - it's exactly like that…

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
This requirement is so obvious that it is painful to write, but a surprising number of web servers use blank or system default passwords for their administrator access. Just ask my neighbor, who purchased a Linksys WI-FI router last year and still doesn't know that I get better access on his network from my laundry room than I do on my own network. (Actually, please don't tell my neighbor.)

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
This requirement is really two parts:

  1. You can't store certain types of cardholder data at all, e.g. the CVV/CV2 number or PIN or magnetic stripe contents. You can only use that data one time for authentication, and then must remove the data from memory.

  2. Any data that you do store (Cardholder name, card number, expiration date, bank information) must be protected.
At Certain, if we need to store the full credit card number, e.g. because the event planner is going to provide it to the hotel for room guarantee purposes, then we first encrypt it using a 128-bit Blowfish cipher. This is a fancy way of saying that even if a malicious user were to get through our firewall and administrator passwords, then instead of seeing credit card numbers like 4111111111111111, they would get encrypted values like "A29D075CA20EF9E892045671ACBED93D8A". This won't do you a lot of good at

The PCI standard requires the your encryption key, the code which unlocks the encrypted value, to be stored only in temporary memory. That means that we have to enter the code phrase every time we reboot our servers, and there is nowhere on the physical drives that someone could read this key and decrypt the stored credit card numbers. Furthermore, registrants and administrators only see the last 4 digits of the credit card number on their screen (e.g. ******1111) and even the encrypted card information is deleted 90 days after the event ends.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Most internet users know the difference between "http" pages, which are transmitted in plain text across the Internet from your browser to the server, and "https" pages, which are encrypted by your browser prior to transmission to the server. Whenever we deal with credit card data, we use an "https" connection. This way if someone were to tap into your data lines and read the information passing between your computer and a web server (which is surprisingly easy to do), then they couldn't get any meaningful information.

Secure connections ("https") require the web site to have a secure certificate, which must be renewed periodically. For example, ours comes from Entrust:

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
PCI requires companies to have anti-virus software on all servers and personal computers that collect, store, or transmit cardholder data. Modern anti-virus software is continually updated to protect against new viruses, and it scans the computer's files and data traffic for viruses, spyware, adware, and other undesirable programs that might be trying to collect credit card information for a malicious user.

Requirement 6: Develop and maintain secure systems and applications
Requirement 6 means that software vendors must follow processes that maintain their application at the highest level of security, for example:

  • Apply all security patches from software companies within 1 month of release

  • Subscribe to alert services for newly-discovered vulnerabilities

  • Separate development, test, and production environments

  • Develop applications within the best practices of the Open Web Security Project

  • Have an outside application security firm review code for common wulnerabilities
I'm tired of writing for today, so we'll cover the last 6 requirements next week.

No comments: