PCI DSS Part 5.2 - Requirements in Depth

Video Activity



1 hour 15 minutes
Video Description

This final video contains part 2 of the in-depth look at the PCI DSS requirements as well as a summary of the module. Requirements 7-12 consist of:
- Restrict access to cardholder data. Implement the principle of least privilege and need-to-know. Authentication uses something I know, something I have, and something I am (biometrics); utilize multi-factor authentication for extra strength.
- Assign a unique identifier to each person with computer access to the network. This allows for authentication and auditing. Passwords should be stored unreadable, via a one-way transformation (hashing; the video calls it one-way encryption).
- Restrict physical access to cardholder data via physical controls. Maintain physical security policies, log visitors, use badges, implement a "clean desk" policy, and restrict media such as thumb drives that can be used for data exfiltration.
- Track and monitor all access to network resources and cardholder data. Maintain an audit trail for all data access and secure logs to prevent modification. And most importantly, periodically review logs for suspicious behavior!
- Regularly test security systems and processes. Perform internal and external penetration testing. Deploy file integrity checks to alert on unauthorized modification of critical system and other files.
- Maintain a policy that addresses information security for both employees and contractors.
The video concludes by pointing out the threats posed by social engineering. Humans are often the most vulnerable piece of an organization, and they need to be educated about the risks they face. The overriding principle is: trust no one!
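The "secure logs to prevent modification" point above is usually implemented as a tamper-evident audit trail, where every entry is chained to the one before it under a key the log writer does not hold. The block below is an added example, not code from the video or from any PCI standard; the integrity key, user IDs and log entries are constructed for illustration, and it assumes a reviewer who keeps the integrity key and records the last tag they saw.

```python
"""Tamper-evident audit trail (added example, not part of the video).

Each entry carries an HMAC-SHA256 tag computed over the previous entry's tag
plus its own content, so editing, reordering or deleting any entry breaks
every tag that follows it. The reviewer verifies the chain with a key the
system writing the log never holds.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption (constructed for this example): the integrity key belongs to the
# reviewing party, e.g. a separate log host, not to the system writing the log.
LOG_KEY = b"constructed-example-key-replace-with-a-managed-secret"
GENESIS_TAG = "0" * 64


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record: dict) -> str:
    mac = hmac.new(LOG_KEY, prev_tag.encode() + _canonical(record), hashlib.sha256)
    return mac.hexdigest()


def append(log: list, user_id: str, action: str, target: str) -> dict:
    """Append one entry. The sequence number is part of the tagged content,
    so removing an entry from the middle also breaks the chain."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record = {"seq": len(log), "user": user_id, "action": action, "target": target}
    entry = dict(record, tag=_tag(prev_tag, record))
    log.append(entry)
    return entry


def verify(log: list, expected_tail: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if it is intact, otherwise (False, i)
    for the first entry whose tag does not verify. If the reviewer supplies the
    last tag they recorded (expected_tail), truncation of the tail is caught too
    and reported at index len(log)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i or not hmac.compare_digest(entry["tag"], _tag(prev_tag, record)):
            return False, i
        prev_tag = entry["tag"]
    if expected_tail is not None and not hmac.compare_digest(prev_tag, expected_tail):
        return False, len(log)
    return True, -1


def demo() -> dict:
    """Constructed scenario: three entries; an attacker then rewrites one and,
    separately, drops the newest one to hide their cleanup."""
    log: list = []
    append(log, "jsmith", "read", "cardholder_db/PAN:****1234")
    append(log, "jsmith", "export", "cardholder_db")
    append(log, "admin", "delete", "audit.log")
    tail_seen_by_reviewer = log[-1]["tag"]
    clean = verify(log, tail_seen_by_reviewer)

    tampered = [dict(e) for e in log]
    tampered[1]["user"] = "nobody"  # shift blame for the export
    edited = verify(tampered, tail_seen_by_reviewer)

    truncated = log[:-1]  # remove the entry that records the cleanup
    chain_only = verify(truncated)  # chain alone cannot see a missing tail
    with_anchor = verify(truncated, tail_seen_by_reviewer)
    return {"clean": clean, "edited": edited, "chain_only": chain_only, "with_anchor": with_anchor}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the four verdicts. The chain by itself cannot tell that the newest entries were removed, which is exactly the cleanup an intruder wants, so the last tag has to be anchored somewhere the log writer cannot reach (the reviewer's own record or a separate host); that is the practical form of the video's advice to protect audit trails for integrity and review them regularly.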

Video Transcription
Now our next goal: to implement strong access control measures. Again, access control is all about how a subject can access an object. So when we talk about access control, we have to think about elements. Usually, I refer to these elements as the IAAA. We have to allow a subject to identify: "I'm Kelly Handerhan."
Now the problem with identification is it's not reliable. You can't count on that. Spoofing or impersonation is very, very easy if we stop at identification.
So the next step from identification is authentication. Authentication means "prove it." You claim to be Kelly Handerhan. Give me some form of proof, and authentication usually comes in the form of something I know, something I have, or something I am.
So something I know is very commonly a PIN or password. Something I have might be the payment card itself; it could be a key or some other token device. And then something I am is tied to biometrics, whether it's a thumbprint, retina scan, whatever that may be.
The strongest form of authentication is to combine multiple factors. Give me something you have and something you know. That's why in most cases with the payment card you have to have the card itself as well as a PIN, or you get the card itself and a signature, which is considered to be biometric information. But two-factor or multi-factor authentication is the best.
So we identify, then we authenticate, then, based on proving our identity, we get authorized. And authorization is really kind of the "so what" of access control. Authorization is where I'm allowed to do certain activities or access certain resources based on that.
All right, the final step of the IAAA is accountability or auditing, so we need to be able to go back and trace me, based on my identity, to specific actions on the network. So access control is usually brought about by the IAAA.
So when we look at this, we want to make sure that access is restricted based on need to know, and need to know very frequently goes hand in hand with the principle of least privilege. So you have just enough knowledge of resources to do your job. That's need to know. So you don't get a patient's full primary account number. You don't get their full Social Security number to answer customer service claims. You have no need to know that extent of data, so that information would be masked out.
Principle of least privilege: you have very few rights associated. So the activities and actions you can perform are bound to just the minimum you need to do your job.
So only allow access as the job requires. And make sure that we default, once again, just like on our firewalls, to deny all. You have no access to files or activities except a small amount that are expressly allowed. The default is you have no permission, and if you need permission, I'll grant that.
Assigning a unique identifier to each person with computer access. And again, this goes back to accountability. If everybody in my office of five people has the same username, how do I know who did what? Right.
So everybody needs a unique identifier, whether it's a username, whether it's a user ID, an account number, whatever that is. And when it comes to authentication, because again, if all I do is identify, that's very easy to spoof. So not only do you have to know the unique identifier, but you have to authenticate with that. Give me a password, use a token device, use a smart card, provide a thumbprint, whatever that might be. So we're gonna require authentication. And ideally, again, the strongest type of authentication is two-factor. And we want to make sure that two-factor authentication is, at the very least, employed for remote access.
We've already talked about the fact that any time I allow someone to connect in remotely, I open myself up to vulnerabilities.
Passwords should be unreadable; basically, they should be encrypted. That's why when you call your network administrator, if you forgot your password and you say, "Hey, can you tell me what my password is?" "No, sure can't. I can reset your password for you, but I can't tell you what your current password is." That's because it's stored with one-way encryption.
Basically, we need to make sure that we've got proper authentication and password management in place for users and administrators on all system components. And again, a lot of these principles are just sound security principles. They don't have to be unique to the payment card.
All right. Another element of strong access control: protect your facility using physical controls. Have procedures that keep people that should not be in a particular environment out. So if you're going into a card processing environment, there's a stricter set of physical controls than perhaps to enter just the general population portion of the building.
Have procedures in place that help employees identify who's a visitor and who's not. There should be very specific, often color-coded visitor badges, as opposed to the badges worn by the rest of staff. There should be policies in place about badges being clearly visible, where the badges should be located, and so on.
Make sure that before going into sensitive areas they're authorized. Keep an audit trail. Have a visitor log of people who come and go.
Look at securing your information. A lot of places have a clean desk policy, so yeah, when you get up to leave your desk to go grab a cup of coffee, you have to log out of your system, but also you have to put all your paperwork away so that anybody walking past would not gain access to information that's sensitive.
Any type of media that's gonna hold payment card information needs to be secured, and we're really going to think very hard about restricting certain types of media. A lot of organizations restrict the use of thumb drives because they're so easy. You know, two problems with... one, actually two benefits with thumb drives: they help me bring in information, and they help me take out information. Two downsides of thumb drives: they help me bring in and take out information. So most organizations are going to restrict that because of the possibility of me bringing in malicious materials on a thumb drive, but also of me exfiltrating or removing sensitive information from the network.
When the data is no longer needed, we destroy it, and minimize the data that we store. We've already talked about that, making sure that we have good destruction mechanisms. You know, deleting files is not destroying data. We need to have some mechanism in place, whether it's degaussing or zeroization or physical destruction of these drives, to make sure that the material was destroyed.
Our next requirement: we're gonna monitor and test our network. Risk management is never over. We're always thinking about new risks as they're popping up, and when I design a secure infrastructure, what's secure for today may not be secure for tomorrow. So we have ongoing testing, ongoing monitoring, ongoing analysis.
So we have to be able to have an audit trail, trace things back to a particular user ID, make sure the audit trails are protected from an integrity standpoint. Attackers love to go back and clean up audit logs so there is no indication they were there. We've gotta protect against it.
Review logs for security functions. Now, this sounds ridiculous. Of course, if I'm gonna log events, then I'm going to review the logs. Not so fast. Many times administrators review the logs when there's been a problem, when, if we had a proactive policy to review logs, especially for security-related events, often we could prevent an attack, because many times there are steps leading up to the actual compromise. If we're very vigilant and we're proactive with reviewing these logs, often we may be able to thwart an attack. Security functions, we need to review at least daily.
Also, retain your audit history. Now, certain organizations are required to maintain it for different amounts of time based on the law. But PCI DSS: you want to keep your audit trail history for at least one year and have three months readily available. So I may archive things after three months, but that three months, the last three months, needs to be something that we can review as necessary.
Also, with testing and monitoring, we want to make sure that we're checking for common vulnerabilities like unauthorized access points. Why would I go through all the trouble of trying to crack into your encrypted wireless network, compromise the key, be able to decrypt the data, when all I have to do is put an access point on your network called, if your company's ABC, "Company ABC"? The majority of users are going to connect to the access point closest to them.
So depending on where I can put that access point, I can all but assure you I'm gonna have a number of users connect in. So much easier. So physical access, you know, blocking that's gonna be a step in the right direction. But with wireless technologies today, I don't have to be inside your building. I could be on the outside. I could be in the parking lot.
So we want to conduct the vulnerability assessment. We want to do a site survey before we put our wireless access points out. We want to make sure that they're in a secure location, usually the center of the building. So again, as in common security practices, we want to do vulnerability assessments and penetration tests.
A vulnerability assessment is sort of a scan of particular systems or of a network segment looking for weaknesses. The penetration test takes things a step further and essentially says, all right, these weaknesses exist; can I penetrate them? Can I get through? Okay, so we want to conduct those tests on a regular basis. Other tools that help us: intrusion detection and prevention systems, reviewing those logs, reviewing firewall logs, logs of our connectivity devices. Again, if you're gonna go through the trouble of tracking this information, go back and review it, and protect the logs for integrity issues.
And then our last element, our last requirement, satisfies the goal to maintain an information security policy. Again, this is essentially a statement, if you will, from senior management. It's generally gonna be broad in nature. It's going to dictate the company's general approach to security. It's gonna get buy-in for security, and ultimately that will give way to more particular policies in relation to certain issues or systems on the network. So this policy is gonna address the requirements and talk about how we as an individual organization are gonna get these requirements met, how we're gonna implement security controls. That becomes very important.
Now, we're not gonna meet our goals without meeting our objectives. And that's the difference between an objective and a goal. A goal might be to have a secure network, while our objectives are how. How do we do that? What does that mean? So we're gonna implement this particular policy, and we're not gonna allow certain systems to connect to the Internet. We're gonna implement this piece, and we're gonna encrypt our data, and so on. So we want to make sure that our policy includes objectives, not these pie-in-the-sky goals of what we ultimately want.
Usage policies for employee-facing systems: make sure our users know how they're to access, what they're allowed to do on our systems, what they're not allowed to do. Again, setting out what's compliance and what's noncompliance, and if there is noncompliance, what are the repercussions for that?
Make sure our policy directly addresses specific security responsibilities of our employees, our contractors, and really any guests within our...
Other things: make sure that we've assigned responsibility to particular individuals, that we have a security officer and a security team. We want to make sure that there are folks specifically designated the responsibility of security, and it's their job to do the risk analysis, or it's their job to make sure that the policies are developed and implemented.
Other things that we can do: screen our employees before hiring. Background checks, credit checks, making sure that we're putting the right people in place.
And finally, having an incident response plan. No matter what we do, there will always be a vulnerability, based on the information that we store and the various threats that are out there. If there's a will, there's a way.
So what we have to do is protect ourselves and our systems and our information in the best way we possibly can, and then we also... You know, I've always heard "expect the best, plan for the worst," or something like that. I may be paraphrasing badly, but ultimately I think it's "hope for the best, expect the worst." So the idea is, we do everything we possibly can and put our security mechanisms in place, and then we have a backup plan: that incident response plan and an incident response team, the folks that carry out the procedures as documented in the plan.
What happens if there is a breach or some other type of incident? That needs to be planned and well documented. It needs to be reviewed to make sure it's current, and it needs to be kept up to date. Now, those are the 12 requirements that PCI DSS lines up and specifies, and those requirements all map specifically to different security goals.
One other thing that I would add before we wrap this chapter up: just a quick word on social engineering. No matter what technical controls you put in place, whether it's your firewall settings or your encryption standards, your authentication, your access controls, no matter which of those elements, and hopefully all of those requirements of PCI DSS, no matter which of those are met, there will always be a human element. And a chain is only as strong as its weakest link. And there is no security mechanism you can put in place that the right person, or maybe the wrong person, can't bypass.
Social engineering is all about trickery. It's all about impersonation. It's all about pretending to be a trusted source. So you implement need to know and the principle of least privilege, but if I can convince you that I have a legitimate need to know, or that this privilege should be associated with or should be given to me, I can bypass some of the security mechanisms. So what we want to make sure is that we understand how very prevalent social engineering is in today's world, whether it's through a spoofed web page, whether it's through a caller, a sales representative.
I mean, you know, let me show up at your building and tell you that there's been complaints of a gas leak: I need access to your processing room where the server is, whatever, you know. So the idea is we have to train our people. And one of the things that we're starting to see is 22%... I'm sorry, 22% of all breaches for large organizations come as a direct result of social engineering. We have to train our people. We have to make them aware of the vulnerabilities. And just some words on how we prevent social engineering.
Definitely train our people. And one of the things we'll train them: before giving out sensitive information, require multi-factor authentication. You've given me your name; give me the last four of your social. Show me a card. Give me a thumbprint swipe, whatever that might be that's reasonable to do. I need you to prove your identity to me in multiple ways. One way is not enough. And generally I would prefer that you give me something from more than one type. And remember the types: something I know, something I have, and something I am. So give me something you have and something you know; you know, again, an ATM card and a PIN. Trust no one. And I hate to say that I'm that cynical these days, but I pretty much am.
And regardless of who that individual pretends to be, you know, when I say trust no one, I mean I don't trust anyone that you don't have direct knowledge of. So I call on the phone and I pretend to be the vice president of the organization, or whatever that is. You know, if you're ever in doubt, go to your security team, ask management. No one should ever frown upon you for following company policy. And if company policy says don't disclose this information, you don't disclose the information. And if it appears to be an urgent situation, again, call management, call your security team. If it winds up being a bad decision, don't have your name associated with it.
The last point that I would pass along to you is we all make mistakes, every one of us. And I'll tell you, you know, the phones are ringing, I've got 15 cases I'm working on, somebody's standing at my chair asking for information, and the next thing you know, I've accidentally divulged some sensitive information over the phone. I didn't mean to. My brain didn't catch up with my mouth. And that happens from time to time. We all make mistakes.
If a mistake is made, or if you even think a mistake may have been made (you just forwarded an email, and now that you think about it, maybe that wasn't a good idea), call your security team immediately. Trust me, your security team would rather know ahead of time, as opposed to after the fact, once something becomes a problem. So maybe I've installed software on my system and then I think better of it. Call, verify if someone needs to come out. It's much easier to solve a problem in the early stages than it is in the latter stages. So social engineering is something anybody can fall prey to. Just be careful. Use good sense.
Don't take somebody's word for granted, and make them prove their identity through multiple forms. And if you make a mistake, notify your security team. So that's our material on the Payment Card Industry's Data Security Standard and how we want to protect payment card information: very sensitive information, the compromise of which can lead to identity theft, billions of dollars, like we've seen, in fraud, numerous other issues. So we need that PCI DSS. The 12 requirements that we've already talked about are going to dictate how we approach the protection. Now again, it's more of a framework than it is a specific methodology, so we have some flexibility in how we implement it, but we must adhere to the guidelines. Don't forget, social engineering for your internal employees is always going to present a risk. So we train our people on what to do to prevent compromise of information and what to do in case there has been a compromise.
Also, not only do we train our staff, we hold them accountable. We audit. We see if people on our team are giving out information; we hold them accountable and we retrain if necessary.
So I hope this information has been helpful to you. Let's make sure that we're proactive in all of our attempts to protect our patients', our payment card information, and our customer data. I wish you good luck.
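Two of the controls the transcript describes under Requirements 7 and 8, masking the primary account number for staff who have no need to know the full value, and storing passwords so that an administrator can reset one but never read it back, look like this in code. This is an added example and not the instructor's or the standard's code; the PBKDF2 parameters, the stored-record format, the UserStore class and the sample user IDs and passwords are assumptions made for the illustration.

```python
"""Need-to-know masking and one-way password storage (added example).

mask_pan()        shows at most the first six and last four digits of a PAN,
                  the most a display without need-to-know should reveal.
hash_password()   stores a password as a salted PBKDF2-HMAC-SHA256 derivation.
verify_password() checks a candidate against that record in constant time.
UserStore         enforces unique user IDs; it has a reset() but, by design,
                  nothing that returns a plaintext password.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumptions (illustrative, not from the video): 16-byte random salt per user
# and 600,000 iterations, stored in one self-describing "$"-separated string so
# the iteration count can be raised later while old records still verify.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def mask_pan(pan: str) -> str:
    """Mask a primary account number for display to staff without need-to-know."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form: algorithm$iterations$salt_b64$derived_b64."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(derived).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Minimal credential store: unique user IDs mapped to password records only."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def create(self, user_id: str, password: str) -> None:
        if user_id in self._records:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        self._records[user_id] = hash_password(password)

    def authenticate(self, user_id: str, password: str) -> bool:
        stored = self._records.get(user_id)
        return stored is not None and verify_password(password, stored)

    def reset(self, user_id: str, new_password: str) -> None:
        """The help-desk path: replace the record. There is no 'show password'."""
        if user_id not in self._records:
            raise KeyError(user_id)
        self._records[user_id] = hash_password(new_password)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))  # constructed test number
    store = UserStore()
    store.create("jsmith", "correct horse battery")  # constructed credentials
    print(store.authenticate("jsmith", "correct horse battery"))
    print(store.authenticate("jsmith", "wrong"))
```

The same password stored for two users produces two different records because each gets its own random salt, so a leaked table cannot be attacked with one precomputed list; the constant-time comparison in verify_password avoids leaking how many bytes matched. The absence of any "read password" method is the point the transcript makes: the administrator's only option is reset().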

This series covers the framework governing the self-regulated payment processing industry. Compliance with these standards is critical. Learn the 12 elements of the framework and how they pertain to risk management in relation to cardholder data.
