Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Payment Card Industry (PCI) Data Security Standard

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    8

    Payment Card Industry (PCI) Data Security Standard

    Has anyone here worked on Payment Card Industry (PCI) compliance?
    What are the type of reports that we need to suplly for auditing?
    Is there any software tool that can generate such audit reports?

    Please help!

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    When I was at RECON last month I was on the edge of a conversation that a couple of people were having... They mentioned that a nessus scan meets PCI compliance..

    Also there's a company called CyberTrust that offers PCI Compliance Services... @ http://www.cybertrust.com/solutions/...ci_compliance/

    If I happen to come across more details, I'll let you know...

    Peace,
    HT

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Welcome to hell my friend. See this link right from VISA.

    http://www.usa.visa.com/download/bus...dard.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp.html|PCI%20Data%20Security%20Standard

    This is a list of all PCI info you'll ever want:
    http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html?it=c|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp_merchants%2Ehtml|View%20all%20CISP%20downloads

    There is a 50 page PCI document. The above link is simply an outline of all areas of compliance. If this doesn't scare the hell out of you I don't know what will.

    Have a look at the 50 page doc here:
    http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Self_Assessment_Questionnaire.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Self-Assessment%20Questionnaire

    The real doc (above) is a checklist type document written by someone who understands security. There is no gray area as in other "standards". You either meet compliance or you don't.

    PCI audits are VERY tough and as you may also know, so are the penalties for violations. More or less, VISA can decide how much to ding you per violation. Read the fine print.

    You will spend big time bucks meeting compliance especially if you don't segregate your network at the moment. Expect to do this at very least followed by a slew of firewall work.

    PCI auditors simply follow the checklist and tell you where you fail. Simple as that. If you use a vendor who happens to also sell security products, such as ISS or Symantec, expect them to offer you all kinds of solutions to the PCI gaps identified.

    Anyway, I estimate that it will take us around 2 years to be fully compliant. Oh and there is no "we're working on it...". VISA doesn't care where you are in the process, only if you have met the compliance line item.

    Have fun.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Junior Member
    Join Date
    Jul 2006
    Posts
    8
    Thanks Guys,

    Looks like i got a lot of reading to do, to separate the wheat from the chaff :-), until then if you guys get any more info on PCI let me know....

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    10

    Not too bad

    Maybe Im used to PCI (or what had been CISP) audits, but they aren't bad. Most of the PCI requirements are pretty common sense, and depending on how large of a processor you are dealing with the requirements are actually negotiable. Having worked with some of the largest FEPs on PCI, they are able to get away with murder (storing CVV, storing complete acct info in the clear, non-operational firewalls, etc., etc.) If you work for a "mom and pop" shop merchant you won't have that luxury though.

    As far as what I see for audit reports, it depends on what is being auditing against. Many vendors in the security space are coming out with canned PCI reports in their products. For example wireless IPS vendors have a canned report.

    I give anyone going through PCI their first time two bits of advice. First is be prepared to sell your security. Granted I primarily work with very large FEPs, but Ive found its not as much what you have but more how you sell it to the auditors. Sad but true. The second is that PCI requirements are updated from time to time. Today it is mostly network security, but rumor is next year there will be more requirements around application development and security. I've also been told by auditors that the data-at-rest requirements will be updated. I would suggest you keep current between audits as they do change.

    Oh, and good luck.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I'm surprised to hear that you think the audits aren't bad. We've dealt with VISA before the audits and they took a hard line stance with us and stated that we either meet the requirements or we don't meet them. There was no room for negotiating or throwing dummy devices up just for the sake of a line item.

    We have roughly 8,000 hosts on the network I'm responsible for. We have 60,000 nodes overall (someone else's problem here). I wish I knew who you were dealing with to get by with "guidlines" instead of "requirements" on this stuff. It would make my life a heck of a lot easier.

    We've been selling to auditors for over a decade now. We understand that game very well. True enough on your observation.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Junior Member
    Join Date
    Jun 2006
    Posts
    10
    Don't get me wrong, a PCI audit is a time consuming, costly, political, frustrating process but at the end of the day don't seem to truly increase security. At the size of business I work with, there doesn't seem to be any risk of getting shut down. Some of the smoke and mirrors (and outright lies) I've seen would probably make most people cut up all their credit cards. Its pretty sickening. Even by VISAs own numbers only about 20% of tier 1 merchants are compliant (> 6 million transactions per month). And thats with the violations they've actually caught.

  8. #8
    Junior Member
    Join Date
    Jul 2006
    Posts
    8
    Did you mention canned reports , how can u produce canned reports when the requirements keep changing in a dynamic environment.

    By the way just curious as to how these reports cover the 12 major requirements for PCI:

    1. Install and maintain a firewall to protect data.
    2. Do not use vendor supplied defaults for system passwords and other security parameters.
    3. Protect stored data.
    4. Encrypt transmission of cardholder data and sensitive info. across public networks.
    5. Use and regularly update antivirus software.
    6. Develop and maintain secure systems and applications (patch management)
    7. Restrict access to business data on a need-to-know basis.
    8. Assign a unique ID to each user with computer access.
    9. Restrict physical access to cardholder data.
    10.Track and monitor all access to network resources and cardholder data.
    11. Regularly test security systems and processes.
    12. Maintain a policy that addresses information security.

    how can we do audits when the requirements are so generalized, this is really tough on the merchants and sys admin guys

  9. #9
    Junior Member
    Join Date
    Jun 2006
    Posts
    10
    Very good questions, it looks like you are well on your way. Of course there is no single report that says "we are PCI compliant". If you find one, you'd be a rich man.
    What I refer to are point products that can report on a single aspect of your environment. For example if you have a wireless LAN and you have an overlay wireless IDS like Airdefense, you can run a canned report that says your WLAN is configured to meet PCI standards. There are also products like Vericept which monitor your perimeter for CC data. They have canned reports that outline the number of times someones information was emailed, IM'd, posted on a website, etc. Other examples are the numerous products which can run reports on the patch status of your systems, some of which are starting to develop canned "PCI" reports.

    Thats why when you ask for reports I say it depends on what aspect of your environment you want to report on. Are these tools necessary? No, but in large environments they can save you a lot of time.

    "how can we do audits when the requirements are so generalized, this is really tough on the merchants and sys admin guys"
    Welcome to an audit. I can't stress enough to have all your "ducks in a row" before the audit and be prepared to sell your security solution. The checklist posted by thehorse13 is an excellent start. If you go in prepared, it shouldn't be too bad.

    Lastly, if you are still concerned, you might hire a consultant that has gone through PCI audits with other companies. A competent consultant should be able to walk you through each requirement and give you an idea where you might have problems. Just make sure you do your homework and hire someone with experience.

  10. #10
    Junior Member
    Join Date
    Jul 2006
    Posts
    8

    Re:

    You are right, no single vendor can go the distance and claim complete support for all the requirements that the compliance regulators pose.

    There was this whitepaper from Symantec on PCIDSS
    (free registration is required to view the doc.) where he has mentioned that sections 1, 3 & 9 are not covered by Syamtec solutions.

    Also i can across many vendors like NetForensics , EventLog Analyzer , SenSage who provide compliance reports.

    But i guess, no software tool can entirely model all the nitty-gritties of the compliance requirements, but ofcourse they can only assist us to some extent, which makes the above tools useful for sysadmins / management during audits.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •