Sunday, August 21, 2011

First things first

Although it is a mandated standard in the payment card industry, PCI-DSS (Payment Card Industry Data Security Standard) has two major myths from my point of view: first that the knowledge we have of the standard is generally very poor and secondly we think it is very difficult to comply with. The purpose of this blog is to clarify these myths as well as provide with additional information regarding the guidelines and the news that appear related to PCI-DSS.

In general, the objective of this blog is to elaborate a roadmap for PCI-DSS compliance so that it could be addressed it as expeditiously as possible. The ultimate goal is that this blog is a guide to comply with PCI-DSS in a month. Yes, in a month. Adopt the 'yes, we can "of President Obama and following step by step you will see yes that it is possible.

How will I do it?

The standard consists of 12 requirements, and although I'll create a blog post for each of them in this specific post I will not even name them because it is easy to get anywhere and specially at the official website:

http:/ /

I'm not even going to follow the PCI-DSS requirements as they appear in the normative, no. I will focus on steps that must be taken within the organizations to comply with the requirements. In other words, I am going to generate a PCI-DSS compliance 'roadmap', in order to comply with PCI-DSS in a month.

Assuming that the organization which needs to comply with PCI-DSS is either a bank, a service provider or a large retailer; the first step is the creation of a Multidisciplinary Group, in which members included are from Security Systems, Production / Operations, Development and of course, endorsed by the management team because everything starts there. Additionally, include a PCI-DSS specialized consultant with expertise.
Now the group is identified, What’s next? The idea for this group is that everyone is focused on the part which is directly his/her responsability, but at the same time, communication channels should be defined because there are tasks that require the involvement of heterogeneous groups from the organisation. At this first meeting the most important tasks or those that take longer should be assigned to each member. Finally, the group must meet (meetings should be only 1 hour the maximum) on a weekly basis at the latest. If our goal is to meet PCI-DSS in 1 month, the frequency could become on a daily basis.

What are the first tasks to be addressed? How should these be distributed?

1. Creation / Release of a Security Policy

Although this is the last requirement of PCI-DSS, for me its the key aspect. An information security policy must be defined (and of course, documented) and is approved by the management so that it is mandatory for the entire organization. In further blog entries, I will provide details on how to carry them.

2. Analyze / Monitor networks and applications that are accessible from the Internet.

For this work, it is NOT necessary at first that it has to be done by a company that is a certified ASV (Approved Scanning Vendors). The idea here is to have a first idea of ​​where we are, what we face and begin to solve problems. I mean in order to be able to have a gap analysis for PCI-DSS.

3. Inventory of equipment, systems and network diagrams

In this task, the staff representing production or IT will describe and provide details of the network infrastructure, inventory of equipment (if not already done) and network devices (firewalls, routers, etc) and specially identify all network segments to where we can find data card. This will be obtained together, of course, with the next task.

4. Inventory of applications or systems that use the data card

Staff from software development, operations and eventually IT should identify applications or systems which are used to transmitt, process or store card data and also indicate where these applications are being executed. If it is a virtualized environment we should not be concerned at first, later I will create a specific entry for these cases.

5. Inventory of data storage elements containing data card

Staff from software development, operations and systems will eventually determine where card data is being stored and how it is stored (in clear or protected in some way). If we are not 100% sure about if data is stored by using strong cryptography, we assume data is stored in clear.

6. Evaluate corporate antivirus solution, malware, etc..

This is the requirement 5 of PCI-DSS. The key question is no longer to have an antivirus solution, since all organization do have it, but the antivirus should also provide malware protection, which alerts administrators when a virus is discovered and registers audit logs of all these actions, and if possible, that this log could be accessed through a centralized console.

As an initial approach, these tasks are the most adequate ones. In future blog entries we will see the following tasks to be addressed and where possible, recommend which tools could be used to help with the process.

As for the tasks set forth above, the recommended tools are:

• Text Editing: MS-Word (commercial) / Open Office Writer (free)

• Lists / Spreadsheets: MS-Excel (commercial) / Open Office Calc (free)

• Diagrams: MS-Visio (commercial)

• Antivirus: Panda (commercial)

In summary, we see that at first, the work is more oriented to research and document than the tools installation and to create procedures.

All mentioned trademarks are property of their respective owners.