Solutions to Meet Your PCI Compliance Needs
Total Page:16
File Type:pdf, Size:1020Kb
Solutions to Meet Your PCI Compliance Needs A whitepaper prepared by Coalfire Systems and HP 1 | P a g e Table of Contents Executive Summary..................................................................................................................................... 3 The Payment Card Industry Data Security Standard ................................................................................... 3 PCI SSC Virtualization and Cloud Guidance ................................................................................................. 4 HP – Providing Software to Meet PCI Compliance Needs ........................................................................... 5 Identified HP Solutions ............................................................................................................................... 6 HP Solutions Mapped to PCI Controls ......................................................................................................... 6 Conclusion ................................................................................................................................................ 10 Appendices ............................................................................................................................................... 11 Secure Card Information Storage .............................................................................................................. 11 Secure Card Information Storage .............................................................................................................. 12 Secure Card Application Development ..................................................................................................... 14 Card Processing Platform Security Logging & Monitoring ........................................................................ 16 Card Processing Portfolio Attack Defense ................................................................................................. 19 Web-based Secure Card Application Vulnerability Testing ....................................................................... 22 2 | P a g e Executive Summary Security and regulatory compliance become business inhibitors for many organizations. Hewlett-Packard (HP), a global leader in information technology, has taken a leadership role in solving organizations’ challenges by bringing to the market selected products designed to assist organizations in achieving their security and regulatory compliance goals. This paper examines the capabilities of seven HP products in achieving Payment Card Industry (PCI) Data Security Standard (DSS) compliance. The following HP products underwent a capabilities review in alignment with PCI DSS version 2.0 by a PCI Qualified Security Assessor (QSA): Atalla Network Security Processor (NSP) Atalla Enterprise Secure Key Manager (ESKM) HP Fortify Software Security Center HP ArcSight ESM Compliance Insight Package for PCI TippingPoint Intrusion Protection System (IPS) & vController+vFW HP WebInspect This is the first phase in a project in which the overall goal is to validate the ability of selected HP and VMware products to meet PCI DSS requirements and provide customers with the necessary guidance to implement the solutions in creating a PCI compliant architecture. The Payment Card Industry Data Security Standard The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The payment brands require any merchant or service provider that transmits, stores or processes payment card information comply with the current version of the PCI DSS. In order to achieve PCI compliance, merchants and service providers must validate their compliance by assessing their environment against nearly 200 specific controls outlined in the PCI DSS, and a passing grade requires every control requirement to be in place. Failing to achieve PCI compliance can lead to fines, penalties or inability to process payment card transactions. The PCI DSS has twelve general requirements outlined as follows: 3 | P a g e PCI Data Security Standard – High Level Overview Build and Maintain a Secure 1. Install and maintain a firewall configuration to protect cardholder data Network 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need to know Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test 10. Track and monitor all access to network resources and cardholder data Networks 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses information security for all personnel Security Policy Achieving PCI compliance is not a simple task. It is difficult for many organizations to navigate the current landscape of information systems and adequately fulfill all PCI DSS requirements. There are few systems adequately assessed and documented by an independent third-party to determine how the systems fulfill various PCI DSS requirements. HP, working with VMware, is continuing its leadership role in the industry by providing reference architectures, services and products from the data center to the cloud to help clients meet their compliance needs. PCI SSC Virtualization and Cloud Guidance The PCI SSC has recently released guidance for organizations and Qualified Security Assessors (QSAs) on the controls required to properly secure virtual systems and meet PCI compliance requirements. Both the “Payment Card Industry (PCI) Data Security Standard – Requirements and Security Assessment Procedures v2.0” and “Navigating PCI DSS – Understanding the Intent of the Requirements v2.0” address virtualization, but it is the “Information Supplement: PCI DSS Virtualization Guidelines, June 2011” that provides the greatest amount of detail with respect to PCI DSS requirements. The general guidance provided by the information supplement is as follows: There are four simple principles associated with the use of virtualization in cardholder data environments: . If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented. 4 | P a g e The paper goes on to further state: In order for in-scope and out-of-scope VMs to co-exist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other. Any system components shared by the VMs, including the hypervisor and underlying host system, must therefore not provide an access path between the VMs. PCI Council Information Supplement – Virtualization (June, 2011) The above guidance provides a means by which to assess the controls, but it does not eliminate the compliance challenges organizations must overcome when utilizing virtual technologies. HP – Providing Software to Meet PCI Compliance Needs Merchants and service providers who transmit, store or process payment card information are required to meet all of the 200 PCI DSS controls in order to fulfill the compliance standard for accepting payment cards. HP is working with VMware to provide solutions that help clients achieve their PCI compliance requirements with a robust set of security products, complemented by their Technology Consulting integration capabilities and key partners. HP Technology Consulting provides an integrated architecture framework that includes VMware and HP products as well as other partner products that allow customers to meet PCI DSS control requirements. The successful integration with infrastructure products will provide customers with a guide to successfully navigate the compliance landscape. PCI DSS Control Responsibility HP solutions documented in this study help customers meet 110 of 200 PCI DSS controls. The other controls must be met by infrastructure and Customer other products, as well as by the customer. Some Responsibility controls such as penetration testing, policies, and Infrastructure procedures cannot be met by a software or Products hardware solution and will always be the responsibility of the customer. Other controls may be supported by additional products and Compliance control gap services. satisfied by HP Products HP aims to identify the gap that HP and