PCI DSS

Installing and Maintaining a Firewall Configuration

Why do we need a firewall? Besides the obvious, the Payment Card Industry (PCI) standard requires it; we need to reduce our risk by protecting our systems and networks from attempts to exploit known and unknown vulnerabilities. That all sounds fine for a formal response, but what are we really doing? We’re adding privacy to the internal network by restricting access to the systems on it. A firewall is simply a noise filter, a device that controls unwanted traffic into a company’s network from outside, and it can play an important role by segregating sensitive areas from the rest of the company’s internal network.

Let’s take a look at firewall placement and configurations. Remember, this book isn’t meant to be an authority on firewalls, but it will give you some ideas. From time to time I’ll refer back to the PCI Self-assessment Questionnaire (SAQ) and/or the Security Audit Procedures to clarify.
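As an added illustration of the placement and segregation the paragraph above describes (this is example configuration written for this page, not a ruleset from the book), here is an nftables ruleset for a single filtering host that sits between an Internet uplink, a DMZ holding the public web front end, a cardholder data environment (CDE) holding the payment application, and the general office LAN. The interface names, subnets and host addresses are assumptions; the point is the default-deny policy in every direction and the deliberate absence of any rule from the office LAN into the CDE.

```nftables
#!/usr/sbin/nft -f
# Example ruleset (not from the book). Interface names and addresses are
# assumptions chosen for illustration.

flush ruleset

define WAN = eth0        # Internet uplink
define DMZ = eth1        # public-facing servers
define CDE = eth2        # cardholder data environment
define LAN = eth3        # office workstations

define DMZ_NET = 10.10.0.0/24
define CDE_NET = 10.20.0.0/24
define LAN_NET = 10.30.0.0/24

define WEB_FRONTEND = 10.10.0.10   # assumed web server in the DMZ
define PAYMENT_APP  = 10.20.0.20   # assumed payment application in the CDE

table inet segmentation {
    chain input {
        # traffic addressed to the firewall itself: default deny
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # firewall management only from the office LAN, and only over SSH
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
    }

    chain forward {
        # traffic routed between zones: default deny in every direction
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web front end, only HTTP/HTTPS
        iifname $WAN oifname $DMZ ip daddr $WEB_FRONTEND tcp dport { 80, 443 } accept

        # DMZ -> CDE: only the web front end, only to the payment application,
        # only the one application port
        iifname $DMZ oifname $CDE ip saddr $WEB_FRONTEND ip daddr $PAYMENT_APP tcp dport 8443 accept

        # Office LAN -> Internet: web browsing only
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept

        # Office LAN -> CDE: intentionally no rule, so a workstation cannot
        # reach cardholder systems at all.
        # CDE -> Internet: intentionally no rule, so payment systems cannot
        # initiate outbound connections.

        # Log (rate-limited) whatever is about to hit the drop policy, so
        # denied flows between zones are visible to the people who review logs
        limit rate 5/second log prefix "seg-drop: "
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` parses and checks the ruleset without applying it, which is the sensible first step when editing a production policy. Because the chains use `policy drop` and every accept rule names both the ingress and egress interface, any flow between zones that is not explicitly listed, including LAN to CDE, is denied and logged rather than silently permitted.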

PCI at a Retail Chain

This case study covers how PCI Requirement 11 was dealt with at a large retail chain in the US Midwest. The Unnamed Retailer, Inc. did not perform any periodic network vulnerability scanning and didn’t employ the services of a penetration testing firm. Their IT security staff sometimes used freeware tools to scan a specific system for open ports, or sometimes for vulnerabilities, but all such efforts were ad hoc and not tied to any program. As the PCI compliance deadline approached, the company had to start scanning every quarter using a PCI-approved scanning vendor.

They chose to deploy a service-based vulnerability scanning offering from a major vendor. The choice of vendor was determined after a brief proof-of-concept study. Initially, they went from having no information or knowledge of their vulnerability posture to having too much, since they decided to scan all the Internet-facing systems. Later, however, they reduced the scope to what they considered to be “in-scope” systems, such as those processing payments (few of those systems are ever visible from the Internet, however) and those connected to such systems.

PCI at an E-commerce Site

This case study is based on a major e-commerce implementation of a commercial scanning service, penetration testing by a security consultancy, and a host IPS and file integrity monitoring on critical servers. Upon encountering PCI compliance requirements, Buy.Web, Inc. assessed their current security efforts, which included the use of host IPS on their demilitarized zone (DMZ) servers as well as periodic vulnerability scanning. They realized that they additionally needed to satisfy the pen testing requirements as well as the file integrity checking requirements to be truly compliant. Their IT staff performed extensive research of file integrity monitoring vendors, and chose the one with the most advanced centralized management system (to ease the management of all the integrity checking results). They also contracted a small IT security consultancy to perform the penetration testing for them.

The team also utilized their previously acquired log management solution to aggregate the host IPS and file integrity checking, to create a single data presentation and reporting interface for their PCI auditors.

Critical stages of the vulnerability management in PCI

Before we start our discussion of the role of vulnerability management for PCI compliance, we need to briefly discuss what is covered under vulnerability management in the IT industry. It appears that some industry pundits have proclaimed that vulnerability management is simple: just patch all those pesky software problems and you are done. Others struggle with it, since the scope of platforms and applications to patch, and of other weaknesses to rectify, is out of control in most large organizations with compliance networks and large numbers of different products. However, vulnerability management is not the same as just keeping your systems patched. If you are busy every first Tuesday when Microsoft releases its batch of patches, but do nothing to eliminate the broad range of enterprise vulnerabilities during the other 29 days in the month, you are not managing your vulnerabilities efficiently, if at all.

Benefits of PCI DSS Compliance

One of the benefits of PCI compliance is that your organization will not be fined in case of a compromise. If the post-mortem analysis shows that your company was still compliant at the time of the incident, no fines will be assessed, and you will be granted what is known as “safe harbor.” It is likely that your company will be taken to civil court regardless of your compliance status should a breach occur. However, a jury will be much more sympathetic to your company’s case if you can show that due diligence was practiced by virtue of PCI compliance.

More immediately, if your company is a Level 1 or Level 2 merchant, you may be eligible to receive a part of the $20 million in financial incentives from Visa. In December 2006, Visa USA announced their PCI Compliance Acceleration Program (CAP). Those merchants that demonstrate compliance by August 31, 2007, may receive a one-time incentive payment.
