Continued from Part 2, which covered requirements 5-8.
Requirement #9: Restrict Physical Access to Cardholder Data
A basic tenet of information security in any system is to prevent or limit physical access to information storage media as much as possible.
Physical access to the hardware storing cardholder data, such as primary account numbers (PANs), gives an attacker an easy way to circumvent every protection measure at the edge of your network. Specific restriction measures in the PCI Security Standards Quick Reference Guide include:
- Facility entry controls that limit and monitor physical access to systems in the cardholder data environment.
- Procedures that allow personnel to easily distinguish between onsite personnel and visitors.
- Creating measures to ensure that all visitors are authorized before entering areas that store or process cardholder data. This includes a physical token that clearly identifies visitors as not being onsite personnel, and which they must surrender before leaving the facility.
- Log all visitors and maintain an audit trail of visitor information/activity. This log should detail visitor name, company affiliation, and which onsite personnel granted access. Records need to be maintained for at least three months, unless such records conflict with local laws.
- Keep all backups in a secure location, preferably offsite.
- Physically secure all media.
- Enforce strict control of internal and external distribution of any storage media connected to the cardholder data environment.
- Create a system for ensuring that management approves any movement of storage media from one secure area to another.
- Maintain strict control over the storage and accessibility of media.
- Destroy media when it is no longer needed for business or legal reasons.
The rules here are all about physical security for the environment that hosts the cardholder data and the system components within it. Implementing these controls in-house can be difficult, since guards, monitored entry points, and secure media storage add expense and operational complexity.
A colocation facility with strong physical controls can take much of this burden off the merchant. One caveat: the Uptime Institute's tier rating (Tier IV being the highest) measures power and cooling redundancy, that is, availability, not security, so a Tier IV label does not by itself satisfy Requirement 9. Confirm that the facility actually provides, and can evidence for your assessor, controls such as:
- Armed security patrols;
- 24/7 CCTV monitoring;
- Biometric security access points; and
- Secure storage for backups and system hardware.
Each of these security measures helps to prevent unauthorized access to the systems that process cardholder data, and keep hardware from leaving the data center.
Requirement #10: Track and Monitor All Access to Network Resources and Cardholder Data
Parts of this requirement overlap with earlier ones, such as requirements #8 and #9. The goal here is an audit trail that ties every action in the cardholder data environment to an individual, so that a compromise can be detected quickly and reconstructed accurately afterwards; without system activity logs, determining the cause of a breach is very difficult.
Specific rules for this requirement include:
- Establishing a process for linking all access to system components to each user as an individual—this is particularly important for users with administrative privileges.
- Implementing automated audit trails for all system components for reconstructing the following events:
  - All individual user access attempts for cardholder data;
  - All actions taken by any individual with root or administrative privileges;
  - Access to all audit trails;
  - Invalid logical access attempts;
  - Use of identification/authentication mechanisms;
  - Initialization of audit logs; and
  - Creation or deletion of any system-level objects.
- Record audit trail entries for all system components for each event, including:
  - User identification;
  - Type of event;
  - Date and time;
  - Success or failure indication;
  - Origin point of event;
  - Identity/name of affected data, system component, or resource.
- Synchronize all critical system clocks and times as well as implement controls for acquiring, distributing, or storing time data.
- Secure audit trails to prevent alteration.
- Review logs for all system components related to security functions daily.
- Retain audit trail history for at least one year, with a minimum of three months of history immediately available for analysis.
Identity tracking alone is not enough: the organization also needs to capture the specifics of each access attempt, such as the originating IP address, and to store those records where they cannot be altered, for the full retention period. In practice that means shipping logs from every system component to a central log server or SIEM that the monitored hosts cannot write back to.
A network intrusion detection system (IDS) complements this with alerts on suspicious traffic, and its events belong in the same central store. Its alerts are an input to the audit trail, though, not a substitute for the host, database, and application logs that Requirement 10 actually calls for.
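The following script is an added example, not code from the original article or from any vendor it mentions. It shows the two mechanical halves of this requirement over a constructed sample audit trail: checking that every record carries the data Requirement 10.3 demands (user, event type, timestamp, outcome, origin, affected resource) and running a small set of daily-review rules over the records (repeated failed logins, administrative actions, access to PAN data, audit-log initialization). The JSON field names, the `ADMIN_ACCOUNTS` set, the event names, and the log lines themselves are all assumptions made for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Data every audit record must carry under PCI DSS 10.3; the key names used
# here are this example's own choice, not names taken from the standard.
REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "target")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # one format, UTC, so synchronized clocks compare cleanly

# Assumed set of accounts with root/administrative privileges (constructed).
ADMIN_ACCOUNTS = {"root", "Administrator"}

# Constructed sample audit trail in JSON Lines form; not real data.
SAMPLE_LOG = """\
{"user":"alice","event":"login","time":"2024-03-01T08:01:12Z","result":"success","origin":"10.0.4.12","target":"pos-db-01"}
{"user":"bob","event":"login","time":"2024-03-01T08:02:40Z","result":"failure","origin":"198.51.100.7","target":"pos-db-01"}
{"user":"bob","event":"login","time":"2024-03-01T08:02:44Z","result":"failure","origin":"198.51.100.7","target":"pos-db-01"}
{"user":"bob","event":"login","time":"2024-03-01T08:02:49Z","result":"failure","origin":"198.51.100.7","target":"pos-db-01"}
{"user":"bob","event":"login","time":"2024-03-01T08:02:53Z","result":"failure","origin":"198.51.100.7","target":"pos-db-01"}
{"user":"bob","event":"login","time":"2024-03-01T08:02:58Z","result":"failure","origin":"198.51.100.7","target":"pos-db-01"}
{"user":"root","event":"read_pan","time":"2024-03-01T08:10:03Z","result":"success","origin":"10.0.4.12","target":"cardholder.pan"}
{"user":"root","event":"audit_log_init","time":"2024-03-01T08:11:00Z","result":"success","origin":"10.0.4.12","target":"/var/log/audit/audit.log"}
{"user":"svc_batch","event":"read_pan","time":"2024-03-01T08:15:00Z","result":"success","origin":"10.0.9.3"}
"""


def parse_records(text):
    """Parse JSON Lines into dicts; return (records, line numbers that failed to parse)."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            malformed.append(lineno)
            continue
        rec["_line"] = lineno  # keep the source line so findings can be traced back
        records.append(rec)
    return records, malformed


def record_defects(rec):
    """Return the 10.3 fields a record lacks; 'time' also counts as missing if unparseable."""
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if "time" not in missing:
        try:
            datetime.strptime(rec["time"], TIME_FORMAT)
        except (ValueError, TypeError):
            missing.append("time")
    return missing


def review(records, failed_login_threshold=5):
    """Daily-review rules over parsed records; returns {finding_type: [details]}."""
    findings = defaultdict(list)
    failed_logins = Counter()
    for rec in records:
        defects = record_defects(rec)
        if defects:
            # An incomplete record cannot be reconstructed later: flag it, then skip it.
            findings["incomplete_record"].append((rec["_line"], defects))
            continue
        if rec["event"] == "login" and rec["result"] == "failure":
            failed_logins[(rec["user"], rec["origin"])] += 1
        if rec["user"] in ADMIN_ACCOUNTS:
            findings["admin_action"].append((rec["_line"], rec["event"], rec["target"]))
        if rec["event"] in ("audit_log_init", "audit_log_clear"):
            findings["audit_log_tamper"].append((rec["_line"], rec["user"], rec["target"]))
        if rec["event"] == "read_pan":
            findings["pan_access"].append((rec["_line"], rec["user"]))
    for (user, origin), count in failed_logins.items():
        if count >= failed_login_threshold:
            findings["brute_force"].append((user, origin, count))
    return dict(findings)


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    print("unparseable lines:", bad)
    for kind, items in review(recs).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it and the last sample line is reported as incomplete (no affected resource), bob's five failures from one address are grouped as a brute-force finding, and both of root's actions surface, including the re-initialization of the audit log. In production the same rules would run against the central log store, never against copies left on the monitored host, and the thresholds would be tuned to the environment.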
Requirement #11: Regularly Test Security Systems and Processes
Hackers frequently exploit security vulnerabilities to steal payment card information from organizations of all sizes. The goal of requirement #11 is to have companies run thorough tests of their cardholder environment’s security so they can take steps to prevent future attacks that might leverage any weaknesses found.
According to the PCI Quick Reference Guide, to be compliant with this major control, companies must:
- Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. The quarterly external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV); internal scans, and rescans after a significant change, may be run by qualified internal staff or a third party.
- Perform external and internal penetration testing, including network and application-layer pen tests annually, and after any significant infrastructure or application upgrade/modification.
- Use network intrusion detection or prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of said environment. Personnel must be alerted to any suspected compromises. IDS/IPS engines, baselines, and threat signatures must be kept up to date.
- Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files. This software should be configured to make critical file comparisons every week.
Penetration testing goes beyond automated scanning: a tester actively tries to exploit the weaknesses a scan finds, including application-layer flaws and gaps in the segmentation that isolates the cardholder data environment, so the results show which exposures are actually reachable. Note that the ASV program applies only to the quarterly external vulnerability scans. Penetration tests must be performed by a qualified tester, internal or external, who is organizationally independent of the administrators of the systems under test, but that tester does not have to be an ASV.
When vetting a scanning vendor, check for the ASV designation on the PCI Security Standards Council website, which publishes the list of approved vendors, and ask about the vendor's track record in actually identifying vulnerabilities in client systems.
Vulnerabilities are often introduced when new hardware or software components are added to a system, so after any significant change you should at least run an internal vulnerability scan and, if the change affects internet-facing systems, an external rescan. These post-change scans do not have to be run by an ASV, but having one run them provides independent verification of the result.
A managed backup or disaster recovery service that snapshots files at set intervals can show what changed between snapshots, which helps with the investigative side of the final rule of this requirement. It is not a substitute for a file integrity monitoring tool, however: the requirement calls for comparisons at least weekly and for alerts on unauthorized change, and a backup diff reviewed after the fact provides neither the alerting nor a baseline the monitored host cannot tamper with. Combined with IDS event logs, snapshot history can still help your company reconstruct how and when a critical file changed.
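To make the file integrity monitoring rule concrete, here is an added example, not code from the article or from any product it mentions, of the core of an FIM tool: record a baseline of SHA-256 digest, permission bits, and size for every regular file under a directory, then compare a later snapshot against it and report what was added, removed, rewritten, or had its mode changed. The `demo()` function builds a constructed scenario in a temporary directory (a weakened TLS setting, a script made world-writable, and an unexpected new file); the file names and contents are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices: digesting them is meaningless
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Diff two baselines. A file can appear in both 'modified' and 'mode_changed'."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified, mode_changed = [], []
    for path in sorted(set(old) & set(new)):
        if old[path]["sha256"] != new[path]["sha256"]:
            modified.append(path)
        if old[path]["mode"] != new[path]["mode"]:
            mode_changed.append(path)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def demo():
    """Constructed scenario: baseline a tree, tamper with it, compare. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        cfg = os.path.join(etc, "payment.conf")      # assumed config file
        script = os.path.join(etc, "cron.daily")     # assumed scheduled job
        with open(cfg, "w") as f:
            f.write("tls_min_version = 1.2\n")
        with open(script, "w") as f:
            f.write("run_settlement\n")
        os.chmod(script, 0o644)
        before = build_baseline(root)

        # Tampering: weaken the config, make the job world-writable, drop a new file.
        with open(cfg, "w") as f:
            f.write("tls_min_version = 1.0\n")
        os.chmod(script, 0o666)
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/unexpected.so\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

The point the code makes that the prose does not is where the baseline lives: `build_baseline` must be run when the system is in a known-good state and its output stored somewhere the monitored host cannot write, otherwise an intruder who rewrites a file can rewrite its recorded digest too. Scheduling `compare` at least weekly and alerting on a non-empty result satisfies the letter of the rule; running it daily on the cardholder-facing hosts costs little more.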
Requirement #12: Maintain a Policy That Addresses Information Security for All Personnel
While most of the previous requirements demand a technology approach to maintaining security for cardholder data, this requirement focuses on creating policies for managing the human element in a business’ operations.
To maintain a policy that “addresses information security for all personnel,” companies are expected to:
- Establish, publish, maintain, and disseminate a security policy that addresses all PCI Data Security Standard requirements, including
  - an annual process for identifying vulnerabilities and formally assessing risks; and
  - a review that occurs at least once a year and when the data environment changes.
- Develop daily operational security procedures that are consistent with PCI DSS requirements.
- Establish and enforce usage policies for critical technologies to define their proper use by all personnel. This includes remote access, wireless, removable electronic media (CDs/DVDs, thumb drives, etc.), laptops, tablets, handheld devices, email and internet.
- Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
- Assign the information security responsibilities defined in the preceding points to a named individual or team.
- Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- Screen potential personnel prior to hiring them so as to minimize the risk of attacks from internal sources. This includes previous work history, criminal record, credit history, and reference checks.
In short, businesses need to create a strategy for addressing cardholder data security for all members of the organization based on their roles. This strategy should address all other requirements of the PCI security standard and be distributed to every member of the organization so they understand the necessity of strong security practices.
Individuals and teams should have clearly defined accountability standards, and they should be aware of these standards and the consequences of not meeting them. When hiring personnel, thorough background checks need to be in place to limit the risk of adding a security risk to your payroll.
Documenting your security processes, your training tools for employees, and how you distribute them is key for maintaining compliance with this particular PCI requirement.
Following all of the requirements of the PCI data security standard is a challenge, but it is a necessity for businesses that handle payment card information on a regular basis.
Having the right tools and information can help ensure that businesses meet these basic requirements, or even exceed them to maximize data security.