How to accelerate PCI DSS compliance
With our software you can save your auditors up to 3 hours per device.
PCI DSS (Payment Card Industry Data Security Standard) is a compliance standard that helps businesses in the payments industry protect themselves from preventable attacks that could expose sensitive customer data. Any business whose people, processes or technology store, process or transmit cardholder data or sensitive authentication information must be PCI DSS compliant at all times. Although the PCI DSS is not a law in itself, a business that fails to comply and then suffers a security breach could be subjected to hefty fines, forensic audits or the termination of its credit card processing privileges.
Complying with the PCI DSS greatly reduces these risks, and adhering to the requirements protects both your business and your customers. PCI DSS compliance is more than a set of rules on storing card numbers and associated personal data: your system components (for example network devices, servers and computing devices) also need to comply, which includes vulnerability scanning amongst other things.
Why is compliance to these standards important?
In 2004 the major credit card brands American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. founded the PCI SSC (Payment Card Industry Security Standards Council). Together they share responsibility for carrying out the work of the organization and have all incorporated the PCI DSS as part of their data security compliance programs. PCI sets the standards and offers best practice guidance on how to keep card details secure. By observing the compliance requirements, merchants and businesses can safely and securely accept, store, process and transmit cardholder data during a credit card transaction to prevent fraud and data breaches. The current full set of PCI DSS requirements is available on the PCI Security Standards Council website.
Do I need to be compliant?
You may need to be compliant if you store card or consumer data, or even if that data only passes through your system. The FAQ section of the PCI DSS Compliance Guide helps determine this, but if you have a merchant ID that accepts payment cards, you must follow the PCI DSS compliance regulations to protect against data breaches. Breached organizations within the payments industry have tended to show lower compliance with the PCI DSS requirements.
Access to financial data is attractive for cyber criminals, as they can easily convert data into money by using the data directly or selling it onto third parties. But with PCI DSS controls in place to secure the data, you can mitigate the threat of a data breach.
Who audits against PCI DSS?
Large businesses may have their own internal security assessor (ISA) within the business to conduct the audit, but smaller companies need to find a qualified security assessor (QSA), who is approved by the PCI Security Standards Council. A QSA will evaluate your security infrastructure and provide a risk assessment. From this, the QSA will establish priorities and you will then need to address the issues identified. There are a number of ways to assess compliance, from vulnerability scanning and penetration testing to physical assessment of security measures (e.g. locks on office doors). Where certain areas of the PCI DSS requirements require penetration testing assessment, auditors can use Titania Nipper software and be confident in the accuracy of the reports that are produced.
What are the compliance standards?
All businesses that hold, pass or process card data fall into one of four merchant levels based on Visa transaction volume over a 12-month period. The requirements range from establishing data security policies for your business and employees to removing card data from your processing system. The PCI DSS specifies 12 requirements, organised into six control objectives relating to the storage, transmission and processing of cardholder data. These are detailed below.
What information needs to be covered by compliance?
Developed and maintained by the PCI SSC (Payment Card Industry Security Standards Council), the requirements apply to:
"All system components included in, or connected to, the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. 'System components' include network devices, servers, computing devices, and applications."
- PCI Security Standards Council
The first step of an assessment is to determine the scope of the review. The accuracy of the PCI DSS scope should be confirmed by identifying, and subsequently including, all locations and flows of cardholder data, and all systems connected to or that could affect the CDE (Cardholder Data Environment).
All systems and locations should be included in the scoping process, but it is common for network devices to serve multiple purposes, not just handling cardholder data, which can result in a large report that includes information not relevant to a PCI DSS audit.
It is also common practice to reduce the Cardholder Data Environment (CDE) as much as possible, keeping the sensitive data in a smaller set of systems, meaning the scope of each PCI DSS audit can also be reduced.
To focus the reports on the CDE, Nipper allows you to define your CDE by IP (Internet Protocol) address, CIDR (Classless Inter-Domain Routing) block or IP range. Each of these options defines a set of nodes or an address range representing the CDE. With this feature enabled, available through both the settings and the Report screen, the audit report is restricted to only those rules, services, issues and so on that affect items included in the scope you have defined, saving time and effort by excluding irrelevant issues.
For further information on IP Scoping with Nipper, refer to the 'IP Scoping Guide' section of the 'Nipper Beginner's Guide' document in the support section of Titania's website.
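As an added illustration of the scoping idea described above (this is not Nipper's own code or report format), the following Python applies a CDE scope given as single IPs, CIDR blocks or start-end ranges to a list of audit findings, keeping only the devices inside the scope. The scope entries, finding titles and field names are constructed sample values.

```python
import ipaddress

# Constructed sample scope (hypothetical CDE): one CIDR block and one start-end range.
CDE_SCOPE = ["10.1.0.0/24", "192.168.50.10-192.168.50.30"]

# Constructed sample findings; the field names are our own, not Nipper's report format.
SAMPLE_FINDINGS = [
    {"title": "Any-to-Any firewall rule", "affected": ["10.1.0.5"]},
    {"title": "Default SNMP community string",
     "affected": ["192.168.50.20", "10.1.0.200", "172.16.0.9"]},
    {"title": "Weak enable password", "affected": ["172.16.0.9"]},
]


def parse_scope(entries):
    """Turn scope entries (single IP, CIDR or 'start-end' range) into ip_network objects."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            start_s, end_s = (p.strip() for p in entry.split("-", 1))
            start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {entry}")
            # A range becomes the minimal set of CIDR blocks that covers it exactly.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False also accepts a host address written with a prefix, e.g. 10.1.0.5/24.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def in_scope(host, scope):
    """True if the host address falls inside any of the scope networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in scope)


def filter_findings(findings, scope):
    """Keep only findings that touch an in-scope device, dropping out-of-scope hosts."""
    kept = []
    for finding in findings:
        affected = [h for h in finding["affected"] if in_scope(h, scope)]
        if affected:
            kept.append({**finding, "affected": affected})
    return kept


if __name__ == "__main__":
    for f in filter_findings(SAMPLE_FINDINGS, parse_scope(CDE_SCOPE)):
        print(f["title"], "->", ", ".join(f["affected"]))
```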
Get one step closer to PCI DSS compliance
Titania’s automated auditing software, Nipper, includes four specific report types that can be used together to create a vulnerability audit to address a number of PCI DSS requirements.
The report types included in the Nipper software are:
- Configuration Report
- Security Audit
- Vulnerability Audit
- CIS Benchmarks
The Configuration Report provides both high-level and granular, detailed information about the network devices included in the scope of the audit, including authentication details, SNMP details and routing information amongst other useful information.
Nipper Security Audit
Nipper's own Security Audit highlights security issues on your devices, such as system default or weak passwords, with details of the cause and impact of each issue and, where applicable, remediation information.
Nipper’s Vulnerability Audit uses the NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database) to identify software vulnerabilities against your devices’ operating system version.
Finally, if you have Cisco ASA, IOS 12 or IOS 15 devices, Nipper uses the Center for Internet Security (CIS) Benchmarks as an industry best practice for security compliance, identifying failures against the benchmark on your assets and providing rationale, impact and remediation information for all tests performed. The CIS Benchmarks are directly referenced in PCI DSS Requirement 2.
Nipper reports directly support the audit of the network components against the PCI requirements.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
The Configuration Report and Security Audit make the following straightforward; select the relevant sections from the easy-to-navigate contents list:
1. Identify all network services enabled in your scope
2. Identify all firewall and router rule sets, highlighting crucial information relating to permitted and denied network traffic
3. Review issues in the rule sets, such as Any-to-Any
Requirement 2: Do not use vendor-supplied defaults for system password and other security parameters.
The Configuration Report lists all user accounts and passwords (those that are not encrypted) in its Authentication section, allowing you to easily review unused accounts and security roles.
By including the Security Audit as part of your report, you evidence that you have identified any insecurities in the devices included in your scope (such as vendor-supplied default passwords, insecure protocol settings and so on).
Requirement 2 notes the need for an organization to meet and adhere to system configuration standards that are consistent with industry-accepted hardening standards. The requirement directly mentions the Center for Internet Security (CIS) alongside SANS and NIST. If you have Cisco ASA, IOS 12 or IOS 15 devices, you can test them against the CIS Benchmarks and use the results as evidence of verification.
The report provides a quick pass or fail score against each of the tests defined by CIS and, for each finding, evidence and remediation recommendations.
Requirement 6: Develop and maintain secure systems and applications.
The Vulnerability Audit can be used to identify software vulnerabilities known through the NIST NVD (the National Institute of Standards and Technology's National Vulnerability Database, the U.S. government repository of standards-based vulnerability management data). This audit provides you with all the details known about the vulnerability, such as:
- Issue Severity (Ranked and color coded)
- CVE number and references
- CVSS v2 information
- Summary information
- Affected devices from the scope
- Any vendor security advisories
Requirement 8: Identify and authenticate access to system components.
The Security Audit highlights any issues where your user and password policies are violated. The following parameters can be configured in the Security Audit settings:
- Minimum Password Length
- Password Complexity, such as character case, including non-alphanumeric characters, repeating characters, excluding common dictionary-based words and more
- Password Age (Minimum and Maximum)
- Password History and Expiry
- Session Lockout
Requirement 10: Track and monitor all access to network resources and cardholder data.
Logging is a common way to monitor access to network resources, and accurate timestamps on logged events are essential for investigating issues.
The Configuration Report gives you information about the NTP (Network Time Protocol) configuration in use, and the Security Audit also highlights issues with that configuration, such as:
- Identifying if time synchronization is enabled
- Identifying that time synchronization is secure
Requirement 11: Regularly test security systems and processes.
Use the Security Audit section to evidence the testing of your network devices. Drawing on a combination of best practices and industry experience, it identifies your security issues and provides the following information:
- Issue severity (ranked and color coded)
- Description of the finding
- Description of the impact of the finding
- Description of the ease of exploiting the finding
- Recommended remediation steps
Nipper Audit Reports
Nipper is also able to perform report comparisons. You can do this by saving your report in XML format (through the File > Save menu) and uploading this file during the report creation process.
This report then highlights security issues that were found previously, as well as newly identified issues on devices in the scope, confirming any remediation steps that have taken place since the previous report.
For further information on running a PCI DSS report in Nipper and interpreting its results, refer to the ‘How to audit for PCI DSS using Nipper’ document.
Paws software and other PCI DSS requirements
Where Nipper assists with addressing a number of the requirements, it is important to note that Titania's Paws software also supports requirements; refer to the 'PCI Requirements table' to see where Paws complements the compliance reporting audit. The remaining PCI DSS requirements are not addressed by Nipper or Paws due to the nature of the compliance requirement:
Requirement 3: Protect stored cardholder data
Requirement 3 makes sure that anywhere cardholder data is stored, it is done so in a way to keep it secure whilst it is needed and then deleted when it is no longer required.
You will need to use strong cryptography for the encryption of data stored at rest (so if it is accessed by unauthorized parties, it cannot be read) and have policies in place for data retention, so that data is deleted when a certain period has elapsed.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 4 requires encryption for transmission of cardholder data across open/public networks with sufficiently strong cryptographic methods so that if it was somehow captured by unauthorized parties, it cannot be read.
Requirement 5: Protect all systems against malware and regularly update anti-virus software programs
Requirement 5 is covered by our Paws software. This requirement is about making sure that endpoint systems (workstations, servers and so on) have up-to-date antivirus software installed and that it is run regularly. Any systems that are considered not to be commonly affected by malicious software (such as proprietary systems) are also evaluated periodically to ensure that this is still true.
New viruses and malware are created all the time, and your software needs to be kept up to date to make sure it can detect them. Paws can help by identifying that antivirus is installed, as part of the PCI DSS Requirement, or this check can simply be added to a custom policy. QSAs and security organizations will check that there is an up-to-date policy in place to make sure that antivirus is being updated on a regular basis.
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 7 covers the ring-fencing policies around the cardholder data to ensure that access is only given to personnel and systems that require the information.
Requirement 9: Restrict physical access to cardholder data
Requirement 9 addresses physical access to the machines and devices that store or transport cardholder data, requiring that they are accessible only to those who need them. This could mean having appropriate locks on doors and building entry authorization, as well as CCTV physically in place.
Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement 12 is about having and maintaining a Security Policy. It is predominantly about making sure that policy and processes are documented and disseminated to all relevant personnel.
Using Nipper to assist with PCI DSS compliance, your audit teams can save up to three hours per device (compared to manual testing). With additional time saved per audit by utilizing IP Scoping within Nipper, the software will quickly identify previously undiscovered vulnerabilities and automatically prioritize risks to your organization. You can be assured you're on the right track towards PCI DSS compliance with Nipper.
30 Day Free Trial
Start your free trial today by filling in a few details and activating your trial, with no obligation.
Within the trial you will get:
- 30 days use
- Access to the full product set
- Audit against 2 of your own devices
- Demo mode available for unlimited demonstrations
- Support from our expert teams