With baking more popular than ever, judging by the viewing figures for programmes like the ‘Great British Bake Off’, I thought I would take the opportunity to put together the recipe for the PCI DSS Layer Cake!
Much like a wedding cake, PCI DSS compliance is built from many ingredients, processes (mixing, stirring, icing, etc.), guidance (recipes, cooking instructions, etc.) and technologies (oven, food processor, icing bag), layered one on top of another.
In the case of PCI DSS, the cake consists of 10 layers, inside a cake box, within a carrying box (see figure 2).
The effectiveness of PCI DSS starts with a well-designed and robust base layer:
- 1.1 – 1.5
Establish and implement firewall and router configuration standards onto a secure network design.
Having planned and designed how the supporting network is going to look, we can then start applying the supporting secured systems:
- 2.1 – 2.6
Security harden all Cardholder Data Environment (CDE) systems and remove or disable unnecessary default accounts before installing them onto the network, and maintain an up-to-date asset inventory.
Now that we have established the base layers, we can start to add the Tier-3 layer that defines this as being our ‘PCI DSS Wedding Cake’ – the cardholder data:
- 3.1 – 3.7
Protect stored cardholder data: secure retention and disposal processes, and render stored PANs unreadable.
Tier 4 addresses the requirements for taking the cake out of the box:
- 4.1 – 4.2
Safeguard sensitive cardholder data during transmission over open, public networks, using strong encryption.
Next comes the layer that screens anything that might need to touch the wedding cake:
- 5.1 – 5.4
Deploy anti-virus software on all systems commonly affected by malicious software.
With the basis of a tasty cake in place, we need to ensure that any changes to the cake are well managed, that we keep up to date with new recipe ideas and trends, and that we keep checking whether the ingredients remain edible and the cake well decorated.
- 6.1 – 6.7*
Vulnerability, patch & change management (*Web Application Test/Web Application Firewall).
For web applications, this is a good place to align the mandated 6.6 control requirement (either a WAF or an annual web application test) with the annual penetration test.
Tiers 7 and 8 cover who is allowed to see the cake and how we restrict access to it:
- 7.1 – 8.8
Restrict access to cardholder data by legitimate business need to know (7), and identify and authenticate all access using strong logical access controls (8).
Tier 9 represents the cake box that protects our beautifully baked and decorated cake from harm:
- 9.1 – 9.10
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment, and securely destroy media when it is no longer required.
With all the supporting layers in place, our gorgeous cake is ready and stored away for the big day. Tier 10 is the safeguard layer that protects against accidental or deliberate activities which might undermine the look and taste of our cake. Will we be able to detect the early signs of anyone naughtily trying to dip their fingers in our cake for a sneaky taste? Effective monitoring ensures that we can either identify ‘who done it!’ or, more importantly, spot the early signs of someone being tempted into a mischievous tasting, so that we can shout at them or close the box on their fingers before they ruin our cake:
- 10.1 – 10.8
Implement time-synchronised monitoring of all access to system components, linked to each individual user, using secure, automated audit trails.
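Two properties of a usable audit trail are easy to check mechanically: every event must be attributable to a named individual (a shared ‘root’ or ‘admin’ login is not), and the clocks of the systems feeding the central log must agree closely enough that events from different hosts can be linked in order. The following is an added example written for this post, not Nettitude tooling. The log lines are constructed, the log format is assumed (the first timestamp is when the central collector received the line, the second is the sending host’s own clock), and the 5-second skew tolerance and shared-account list are assumptions to tune for your own environment.

```python
"""Requirement 10 audit-trail checks over constructed log lines (added example).
Format assumed: <collector-received> <host-timestamp> <host> user=<u> action=<a> [extra]
"""
from datetime import datetime, timedelta
import re

# Assumed: accounts that do not identify one person. Their use should be
# explained by a ticket or blocked, because the event cannot be tied to an individual.
SHARED_ACCOUNTS = {"root", "admin", "administrator", "sa", "oracle", "service"}
# Assumed tolerance: transport delay to the collector is normally a second or two,
# anything larger means the host clock is not synchronised.
MAX_SKEW = timedelta(seconds=5)

# Constructed sample log: app02's clock is 83 seconds behind the collector and two
# events were performed by shared accounts.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 2023-03-01T10:00:01Z db01 user=jsmith action=login
2023-03-01T10:00:02Z 2023-03-01T10:00:02Z db01 user=jsmith action=select table=card_data
2023-03-01T10:00:05Z 2023-03-01T09:58:42Z app02 user=admin action=config_change
2023-03-01T10:00:09Z 2023-03-01T10:00:09Z db01 user=root action=login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) action=(\S+)(?: (.*))?$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        received, local, host, user, action, extra = m.groups()
        events.append({
            "received": datetime.strptime(received, TS_FMT),
            "local": datetime.strptime(local, TS_FMT),
            "host": host,
            "user": user,
            "action": action,
            "extra": extra or "",
        })
    return events


def clock_skew(events):
    """Largest |host clock - collector clock| observed for each host."""
    skew = {}
    for e in events:
        diff = abs(e["local"] - e["received"])
        skew[e["host"]] = max(skew.get(e["host"], timedelta(0)), diff)
    return skew


def audit_findings(events, max_skew=MAX_SKEW):
    """Findings against the two properties: synchronised clocks, individual attribution."""
    findings = []
    for host, diff in clock_skew(events).items():
        if diff > max_skew:
            findings.append(
                f"{host}: clock off by {int(diff.total_seconds())}s; "
                f"events cannot be linked reliably across hosts (10.4)"
            )
    for e in events:
        if e["user"].lower() in SHARED_ACCOUNTS:
            findings.append(
                f"{e['host']}: '{e['action']}' by shared account '{e['user']}' "
                f"is not attributable to an individual (10.1)"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_findings(parse(SAMPLE_LOG)):
        print(finding)
```

Run against a real export, the skew check is a quick way to confirm that time synchronisation is actually working on every CDE host rather than just configured, and the shared-account check gives you the list of events an assessor will ask you to explain.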
Because a cake is perishable, the testing processes are vital: checking that nobody has cut a rogue hole in the box and that the ingredients have not gone bad, through periodic observations and independent inspections. In the PCI DSS world, an organisation with secure networks and systems, robust vulnerability management and so on should see very few issues identified by this testing.
- 11.1 – 11.6
Security testing of the supporting systems: quarterly checks for unauthorised wireless access points; quarterly internal and external vulnerability scanning; annual penetration testing; Intrusion Detection/Intrusion Prevention Systems (IDS/IPS); and change detection.
This layer provides the confirmation that everyone with responsibilities is carrying out their roles effectively and in a timely manner. In addition, assigning highly skilled penetration testing engineers ensures that you are forewarned of any vulnerabilities that could be exploited.
BEING FOREWARNED IS FOREARMED!
The Squirrel’s nuts!
Therefore, if you have isolated your cardholder data systems and personnel from everything else, so that you can focus your internal vulnerability scans on your segmented CDE, are you doing the same for your internal penetration testing?
Remember that segmentation testing is a completely different ‘ball game’: it tests, from the out-of-scope network, that it is not possible to hop into the in-scope network!
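A segmentation test is run from a host on the out-of-scope network and attempts to reach every CDE address; anything that answers, even with a connection refused, shows that packets crossed the boundary. The following is an added example for this post, not Nettitude’s testing methodology. It is a TCP connect probe only (a full test also covers UDP and ICMP and is repeated from every out-of-scope segment), and the CDE ranges and port list are assumptions using RFC 5737 test addresses, to be replaced with your own in-scope ranges.

```python
"""Segmentation test helper (added example): probe the CDE from an out-of-scope host.
Assumed CDE range and ports; replace with your own. TCP only."""
import errno
import ipaddress
import socket

# Assumed in-scope CDE range (RFC 5737 TEST-NET-1) and services worth probing.
CDE_NETWORKS = ["192.0.2.0/29"]
PROBE_PORTS = [22, 80, 443, 1433, 3306, 3389, 5432]


def tcp_probe(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for host:port.
    'open' and 'closed' both mean a reply (SYN-ACK or RST) came back from the CDE,
    so only 'filtered' (no answer at all) is consistent with an enforced boundary."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        err = sock.connect_ex((host, port))
    except OSError:          # includes socket.timeout and name resolution problems
        return "filtered"
    finally:
        sock.close()
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"        # timeout, host/net unreachable, etc.


def expand_targets(networks):
    """All host addresses in the given CIDR ranges, as strings."""
    targets = []
    for net in networks:
        for ip in ipaddress.ip_network(net, strict=False).hosts():
            targets.append(str(ip))
    return targets


def segmentation_test(networks, ports, probe=tcp_probe):
    """Return {host: [(port, state), ...]} for every CDE host that replied.
    An empty result means nothing in the CDE answered from this vantage point.
    `probe` is injectable so the logic can be exercised without a network."""
    findings = {}
    for host in expand_targets(networks):
        for port in ports:
            state = probe(host, port)
            if state != "filtered":
                findings.setdefault(host, []).append((port, state))
    return findings


def verdict(findings):
    """Human-readable result; a 'closed' reply is still a failure."""
    if not findings:
        return "PASS: no CDE host replied from the out-of-scope segment"
    lines = [f"FAIL: {len(findings)} CDE host(s) replied from the out-of-scope segment"]
    for host, states in sorted(findings.items()):
        detail = ", ".join(f"tcp/{port} {state}" for port, state in states)
        lines.append(f"  {host}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(verdict(segmentation_test(CDE_NETWORKS, PROBE_PORTS)))
```

The distinction between ‘closed’ and ‘filtered’ is the point most often missed: a firewall that rejects rather than drops, or an ACL that only covers the listening ports, still lets an attacker enumerate the CDE, and the test should be failed on that basis.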
Although PCI DSS was developed to address technology, people and processes, in the current version requirement 11 is unfortunately missing one perspective (and frequently the biggest risk): the human factor!
As a result, there are control requirements for testing the supporting systems, but none for testing the effectiveness of the human systems.
In fact, there is only a single reference to social engineering testing!
All of these layers are then enveloped within a clearly identifiable and well known carrying box – A.K.A. formally documented policies and procedures.
- How good is your recipe book?
- How are your baking skills?
- Do you need assistance from experienced Mary Berrys, Gordon Ramsays or Mr Kiplings?
Okay, so we now have a good understanding of how PCI DSS is constructed and how it fits together, but is this truly enough?
PCI DSS provides a baseline of controls upon which to safeguard your cardholder data business operations.
To contact Nettitude’s editor, please email firstname.lastname@example.org