-
July 10th, 2006, 07:57 AM
#1
Junior Member
Payment Card Industry (PCI) Data Security Standard
Has anyone here worked on Payment Card Industry (PCI) compliance?
What are the types of reports that we need to supply for auditing?
Is there any software tool that can generate such audit reports?
Please help!
-
July 10th, 2006, 09:10 AM
#2
Hey Hey,
When I was at RECON last month I was on the edge of a conversation that a couple of people were having... They mentioned that a Nessus scan meets PCI compliance..
Also there's a company called CyberTrust that offers PCI Compliance Services... @ http://www.cybertrust.com/solutions/...ci_compliance/
If I happen to come across more details, I'll let you know...
Peace,
HT
-
July 10th, 2006, 11:32 AM
#3
Welcome to hell my friend. See this link right from VISA.
http://www.usa.visa.com/download/bus...dard.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp.html|PCI%20Data%20Security%20Standard
This is a list of all PCI info you'll ever want:
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html?it=c|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp_merchants%2Ehtml|View%20all%20CISP%20downloads
There is a 50 page PCI document. The above link is simply an outline of all areas of compliance. If this doesn't scare the hell out of you I don't know what will.
Have a look at the 50 page doc here:
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Self_Assessment_Questionnaire.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Self-Assessment%20Questionnaire
The real doc (above) is a checklist type document written by someone who understands security. There is no gray area as in other "standards". You either meet compliance or you don't.
PCI audits are VERY tough and as you may also know, so are the penalties for violations. More or less, VISA can decide how much to ding you per violation. Read the fine print.
You will spend big time bucks meeting compliance especially if you don't segregate your network at the moment. Expect to do this at very least followed by a slew of firewall work.
PCI auditors simply follow the checklist and tell you where you fail. Simple as that. If you use a vendor who happens to also sell security products, such as ISS or Symantec, expect them to offer you all kinds of solutions to the PCI gaps identified.
Anyway, I estimate that it will take us around 2 years to be fully compliant. Oh and there is no "we're working on it...". VISA doesn't care where you are in the process, only if you have met the compliance line item.
Have fun.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 11th, 2006, 06:58 AM
#4
Junior Member
Thanks Guys,
Looks like I got a lot of reading to do, to separate the wheat from the chaff :-), until then if you guys get any more info on PCI let me know....
-
July 11th, 2006, 02:31 PM
#5
Junior Member
Not too bad
Maybe I'm used to PCI (or what had been CISP) audits, but they aren't bad. Most of the PCI requirements are pretty common sense, and depending on how large of a processor you are dealing with the requirements are actually negotiable. Having worked with some of the largest FEPs on PCI, they are able to get away with murder (storing CVV, storing complete acct info in the clear, non-operational firewalls, etc., etc.) If you work for a "mom and pop" shop merchant you won't have that luxury though.
As far as what I see for audit reports, it depends on what is being audited against. Many vendors in the security space are coming out with canned PCI reports in their products. For example wireless IPS vendors have a canned report.
I give anyone going through PCI their first time two bits of advice. First is be prepared to sell your security. Granted I primarily work with very large FEPs, but I've found it's not as much what you have but more how you sell it to the auditors. Sad but true. The second is that PCI requirements are updated from time to time. Today it is mostly network security, but rumor is next year there will be more requirements around application development and security. I've also been told by auditors that the data-at-rest requirements will be updated. I would suggest you keep current between audits as they do change.
Oh, and good luck.
-
July 11th, 2006, 04:58 PM
#6
I'm surprised to hear that you think the audits aren't bad. We've dealt with VISA before the audits and they took a hard line stance with us and stated that we either meet the requirements or we don't meet them. There was no room for negotiating or throwing dummy devices up just for the sake of a line item.
We have roughly 8,000 hosts on the network I'm responsible for. We have 60,000 nodes overall (someone else's problem here). I wish I knew who you were dealing with to get by with "guidelines" instead of "requirements" on this stuff. It would make my life a heck of a lot easier.
We've been selling to auditors for over a decade now. We understand that game very well. True enough on your observation.
--Th13
-
July 11th, 2006, 05:58 PM
#7
Junior Member
Don't get me wrong, a PCI audit is a time consuming, costly, political, frustrating process but at the end of the day it doesn't seem to truly increase security. At the size of business I work with, there doesn't seem to be any risk of getting shut down. Some of the smoke and mirrors (and outright lies) I've seen would probably make most people cut up all their credit cards. It's pretty sickening. Even by VISA's own numbers only about 20% of tier 1 merchants are compliant (> 6 million transactions per month). And that's with the violations they've actually caught.
-
July 12th, 2006, 07:13 AM
#8
Junior Member
You mentioned canned reports; how can you produce canned reports when the requirements keep changing in a dynamic environment?
By the way just curious as to how these reports cover the 12 major requirements for PCI:
1. Install and maintain a firewall to protect data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive info. across public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications (patch management)
7. Restrict access to business data on a need-to-know basis.
8. Assign a unique ID to each user with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
How can we do audits when the requirements are so generalized? This is really tough on the merchants and sysadmin guys.
-
July 12th, 2006, 02:27 PM
#9
Junior Member
Very good questions, it looks like you are well on your way. Of course there is no single report that says "we are PCI compliant". If you find one, you'd be a rich man.
What I refer to are point products that can report on a single aspect of your environment. For example if you have a wireless LAN and you have an overlay wireless IDS like Airdefense, you can run a canned report that says your WLAN is configured to meet PCI standards. There are also products like Vericept which monitor your perimeter for CC data. They have canned reports that outline the number of times someone's information was emailed, IM'd, posted on a website, etc. Other examples are the numerous products which can run reports on the patch status of your systems, some of which are starting to develop canned "PCI" reports.
That's why when you ask for reports I say it depends on what aspect of your environment you want to report on. Are these tools necessary? No, but in large environments they can save you a lot of time.
"how can we do audits when the requirements are so generalized, this is really tough on the merchants and sys admin guys"
Welcome to an audit. I can't stress enough to have all your "ducks in a row" before the audit and be prepared to sell your security solution. The checklist posted by thehorse13 is an excellent start. If you go in prepared, it shouldn't be too bad.
Lastly, if you are still concerned, you might hire a consultant that has gone through PCI audits with other companies. A competent consultant should be able to walk you through each requirement and give you an idea where you might have problems. Just make sure you do your homework and hire someone with experience.
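An added example, not from any poster here and not any vendor's product, of what the "monitor your perimeter for CC data" reporting described above boils down to, and how it yields a count you could hold up against requirements 3 and 10 from the list in #8: a Luhn-validated PAN detector run over constructed message samples, masking what it finds so the report itself never stores full card numbers. The channel names and message bodies are made up.

```python
import re
from collections import Counter

# Candidate runs of 13-19 digits, allowing a single space or dash between digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real payment card number passes.
    Filters out order ids, timestamps and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked PANs (first 6 and last 4 kept) found in a message body."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan_events(events) -> dict:
    """Count Luhn-valid PAN occurrences per channel (email, IM, web post, ...).
    Only channels with at least one hit appear in the result."""
    counts = Counter()
    for ev in events:
        n = len(find_pans(ev["body"]))
        if n:
            counts[ev["channel"]] += n
    return dict(counts)


# Constructed sample traffic; the card numbers are well-known test numbers.
SAMPLE_EVENTS = [
    {"channel": "email", "body": "Customer called, card 4111 1111 1111 1111 exp 09/08, please refund"},
    {"channel": "im", "body": "use 4012-8888-8888-1881 for the test order"},
    {"channel": "web", "body": "order 1234567890123456 shipped on 2006-07-12"},  # fails Luhn: not a PAN
    {"channel": "email", "body": "typo in card 4111111111111112, customer re-sent"},  # fails Luhn
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))  # {'email': 1, 'im': 1}
```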
-
July 13th, 2006, 08:01 AM
#10
Junior Member
Re:
You are right, no single vendor can go the distance and claim complete support for all the requirements that the compliance regulators pose.
There was this whitepaper from Symantec on PCI DSS
(free registration is required to view the doc.) which mentions that sections 1, 3 & 9 are not covered by Symantec solutions.
Also I came across many vendors like NetForensics, EventLog Analyzer, SenSage who provide compliance reports.
But I guess no software tool can entirely model all the nitty-gritties of the compliance requirements; of course they can only assist us to some extent, which makes the above tools useful for sysadmins / management during audits.