Chapter 5 Protect Cardholder Data
Solutions in this chapter:
The Payment Card Industry (PCI) Data Security Standard (DSS) requirement to protect cardholder data encompasses two elements:
The processes and activities necessary to meet these requirements and the specific sub-items spelled out by the PCI DSS, are simply the implementation of some of the fundamental components of a sound information security program. If you have already put into place the pieces of a solid information assurance program, or you are in the process of doing so, there won’t be a great deal of extra work to do. Your current processes and technology may very well serve to quickly allow you to comply with these requirements without a great deal of additional effort or cost.
In the arena of Information Security (Infosec) there are three fundamental tenets that form the basis for evaluating the effectiveness of the security controls we employ to protect our data. These three tenets are Confidentiality, Integrity, and Availability (CIA). Let’s discuss these briefly, as we will refer to them as we delve into the specifics of protecting cardholder data.
These three tenets of information security are referred to as a triad, because they are most commonly illustrated as three points of a triangle. (See Figure 1.1) All three principles must be considered as you manage your data. An undue degree of emphasis on one can lead to a deficiency in one of the others.
The most effective means of insuring that stored cardholder data is not exposed to unauthorized parties (confidentiality) is the encryption of that data. When implemented properly, the value of encryption is that even if an intruder is able to gain access to your network and your data, without access to the proper encryption keys, that data is still unreadable.
PCI standards dictate that stored cardholder data be rendered unreadable (encrypted), but allow you to implement compensating controls to mitigate the risk if you are unable to meet this requirement. Since encryption is such an effective and critical part of protecting data, we will discuss some of the details of encryption methods and the associated advantages and disadvantages.
Disk encryption software can be broken down into two high level categories:
Another option for encryption of key cardholder data is database (column-level) encryption.
Let’s examine the advantages and disadvantages of each as you consider how and where they might fit into your program for protecting cardholder data.
File- or folder-level encryption (or file system level) is an encryption system where specific folders, files, or volumes are encrypted by a third-party software package or a feature of the file system itself.
Full disk encryption (FDE) or “whole disk” encryption methods encrypt every file stored on the drive (or drives), including the operating system/file system. This is usually done on a sector-by-sector basis. A filter driver that is loaded into memory at boot, encrypts every file as it is written to disk, and decrypts any file that is moved off of the disk. This happens transparently to the end user or the application generating the files.
In order to ensure that stored cardholder data is protected from access by unauthorized parties, it is likely you will need to utilize both file-level encryption and FDE in your enterprise environment. In addition, access controls around databases and possible column-level database encryption may be needed. Every environment is different. What you need to do will be dependent upon your network and your current design.
FDE is more suited to protecting data on workstations and mobile devices, whereas file-level encryption is more useful as a method on storage devices. A well-designed information assurance program will prohibit storage or transfer of sensitive data to an employee’s laptop or desktop. While this kind of policy and practice would seem intuitive and obvious, it is abundantly clear that such practices are not always followed strictly. The much publicized cases of database managers or analysts putting thousands of clients at risk, because a laptop was stolen which had been used to download large volumes of sensitive data from a storage device, only serves to demonstrate this fact.
Figure 5.2 illustrates the difference in architecture between file-level encryption and FDE.
Ultimately, the most crucial element of cardholder data that needs to be rendered “unreadable” wherever it is stored, is what PCI DSS refers to as the Personal Account Number (PAN). This is the full account number that identifies both the issuer of the card and the cardholder account. PCI DSS 3.4 states “The MINIMUM account information that must be rendered unreadable is the PAN.”
This is not to say that other elements of cardholder data would not benefit from being encrypted. But since this data is necessary to be stored, it needs to be protected. Other items of data pulled from a card during normal business are never to be stored, and thus should not be residing in a stored database.
Column-level encryption allows a more granular approach to rendering the key cardholder data unreadable, by focusing on the specific data that needs to be protected.
The pursuit of protecting data from being exposed to unauthorized parties is rarely accomplished on a single level. As will all strong information assurance programs, the best approach is to think “defense-in-depth.” Multiple layers of protection are what guard you from having your plan and procedures defeated through a single point of failure. Column-level encryption might be the answer for a piece of your overall plan for compliance to protecting cardholder data, but it is unlikely to be the entire plan.
File-based encryption, FDE, and column-level encryption are the most well understood and the most commonly employed types of data encryption at this time. There are other possible solutions you need to be aware of, although the cost and design implementations may be more prohibitive.
Storage-level encryption is a hardware-based solution and is beneficial for encryption on the file level and directory level, and lends itself well to encryption of removable media and tape media. If your concern is that you are storing sensitive data and you don’t want or need to have the granularity of what is or is not encrypted, this could be of benefit.
If you choose to implement a hardware-based solution for simply protecting tape storage or to encrypt data as it flows between multiple devices, the one advantage that it brings is the reduction of resources for key management. Keys never leave the encryption appliance. Scalability is also a factor, as additional appliances can be added to the locations desired ad design and growth change.
WARNING
Don’t’ forget about portable storage devices that attach to laptops or desktops. Full disk encryption implemented with accompanying pre-boot authentication is the best way to protect data on a mobile system such as a laptop. What can undermine the protection, however, is the use of Universal Serial Bus (USB) storage devices, which can be easily attached and removed with sensitive data. There are some software-based solutions that can be configured to enforce encryption on any attached USB device. This can create hardship in some aspects, but it can also protect you from having your expensive encryption solution undone by a careless employee who stores sensitive data on an encrypted system, but then uses a non-protected USB drive to transfer the data, thus decrypting it as it is transferred to the device.
As in the case of protecting stored data, the most reliable and efficient way to ensure that your transmitted data is not intercepted (confidentiality) or modified (integrity), is to encrypt it during transmission. PCI Requirement 4 spells out some specific details as it relates to these procedures for communication.
Let’s take a look at some of the specific PCI DSS sub-items in order to illuminate some of the terminology and the implications.
This requirement states “Use strong cryptography and security protocols such as secure socket layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSec) to safeguard sensitive cardholder data during transmission over open, public networks.”
An open, public network is essentially any network that contains any kind of gateway device that provides clients on that network wired connectivity to the Internet at large. This describes the networks of pretty much every business today. Anytime your cardholder data is transmitted over the Internet or any network you are unsure is secure, that data has to be protected.
The PCI DSS documentation specifically refers to the following as examples of open, public networks:
Let’s take a look at the specific protocols involved with securing data when transmitted over these various types of networks, and the way they are applied.
SSL refers to a protocol for message transmission known as secure sockets layer, and TLS refers to the protocol that recently superseded it known as transport layer security.
If you are hosting sensitive data on your Web site, you can protect the data by acquiring a digital Web server certificate and installing it on the Web server. Then you must be sure to allow traffic through your firewall on port 443, as this is the default port that SSL communications use.
SSL protocol can also be used to secure e-mail. This also entails the process of installing a digital certificate on your e-mail server. It’s important to remember that this only causes your Simple Mail Traffic Protocol (SMTP) traffic to be encrypted in transit. The actual e-mail message and attachment will not be. This is where file-based encryption would be of value.
Describing the technical differences between TLS and SSL is beyond the scope of this chapter. However, it works in much the same fashion as SSL does, and it is important to be aware of the following:
WARNING
Be aware that TLS only protects your e-mail messages between two TLS-enabled e-mail servers. If there are intermediate hops between the two gateways where your e-mail is relayed, the encryption is lost after it is forwarded to the next gateway.
Wireless networks are becoming much more common in the business (and home) community. Unfortunately, the security of the communication protocols was not nearly the priority that efficiency and ease of use were to developers of this technology. Things have progressed in recent years, but you have to be careful with wireless technology and be sure you have implemented encryption of the transmissions.
Section 4.1.1 of the PCC DSS specifically states, “For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi Protected Access (WPA or WPA2) technology, IPSec, Virtual Private Network (VPN), or SSL/TLS. Never rely on Wired Equivalent Privacy (WEP) to protect confidentiality and access to a wireless local area network (LAN).”
WiFi refers to particular types of wireless local area networks (WLANs), which utilize any of the 802.11 specifications of the Institute of Electrical and Electronics Engineers (IEEE). This covers pretty much any kind of modern wireless router, including ones designed for small office/home office (SOHO) use.
Earlier versions of the 802.11 specifications for wireless communications used a technology know as WEP, which was found to be woefully inadequate as its encryption scheme was easily broken, and intercepting transmissions was a fairly trivial exercise for experienced hackers. WPA and WPA2 have both been implemented in versions of the 802.11 standards of 802.11i and beyond. WPA makes use of improved encryption standards and authentication methods. WPE should not be utilized, even though PCI DSS provides a list of compensation controls that should be utilized if it is employed.
IPsec is technically not just a protocol, but a framework or set of security protocols that operate at the Network layer of the Open Systems Interconnection (OSI) model. What this means in basic terms is that IPSec operates at the level of the network where devices that manage the destination of packets (like routers) operate. Accordingly, IPsec is well suited for securing the communication over a VPN.
A VPN can be described as a network that uses public infrastructure (like the Internet) to create a connection between a remote host or network to an organization’s main or home network. This is a much less expensive proposition than using dedicated leased lines to provide this kind of privacy. The way a VPN works is to set up a private “tunnel” using certain protocols, which causes the data to be encrypted at the sending end and decrypted at the receiving end. It can be configured in different ways, but typically involves the installation of connection software on the client, which establishes the secure tunnel to the home network, and network devices on the home network end to serve as the secure gateway.
Another option for VPN is SSL VPN. The main advantage of an SSL VPN solution is that it does not require any additional or specialized software package on the client end. A modern standard Web browser is all that is needed, which utilizes a small plug-in to the browser to configure it.
GSM refers to the communication system that is utilized to support mobile phone networks. GPRS is a wireless communication service that provides connection to the Internet for data transfer for mobile phones and computers. Where this might affect a wireless network and transmission of card data, would be the circumstances of utilizing a GSM/GPRS modem card in a laptop for connection to the Internet. If the requirements for implementation of the VPN and wireless protocols have been observed, it will satisfy issues related to these cards as well.
Tools & Traps …
TJX Data Theft Due to Insecure Wireless Encryption
In January of 2007, TJX Companies, which is the owner of several retails stores including TJ Maxx and Marshalls, reported a very large data breach of customer credit and debit card numbers that occurred between 2005 and 2007. TJX reported the theft of at least 45.6 million credit card numbers. Attackers were able to steal the data through an insecure wireless network at a Marshalls store in Minnesota. The Marshalls store’s wireless network, which connected their credit card processing hardware to the company’s back-end systems, was not protected with WPA encryption, but rather was still using the unsafe and outmoded WPE standard. Despite the fact that the WPA standard was introduced in 2002, and TJX had their backend systems protected, this vulnerability led to what is at this time the largest know breach of credit card data in history, given TJX a very dubious distinction.
The PCI DSS indicates that when you are unable to render cardholder data unreadable (encrypted) “due to business or technical constraints,” you may consider utilizing compensating controls to achieve compliance. Implementing such compensating controls as an alternative to encryption is no small task, however. The amount of planning and management that it will involve can end up being more costly than the investment and work of encryption. You should do a very careful cost/benefit analysis before you decide that attempting to implement the compensating controls listed in Appendix B of the PCI DSS is the way you want to go.
At a very general infosec level, a compensating control can be thought of as an internal control (which can be technical or procedural), which reduces the risk of a potential or existing vulnerability or weakness.
In terms of specific PCI context, this means making sure that locations and databases that are storing cardholder data, are segmented or protected from an organizations other systems by creating a perimeter around that stored data.
The PCI DSS requirement, which is spelled out in Section 3.4.1, however, refers us to Appendix B, which details the following specific requirements which must be met if compensation controls are utilized instead of encryption:
“Compensating controls may consist of either a device or combination of devices, applications, and controls that meet all of the following conditions:
Let’s break this down a bit and discuss what each of these mean and how you might approach implementation.
Remember that the key objective is to restrict the access to systems that house cardholder data to only those users and systems that require it.
Segmentation essentially means separating, putting more things in front of those systems. Putting the cardholder data systems in a separate subnet segregated from other parts of the network, is the kind of action that you could take.
Abstraction of data refers to the process of distilling data down to its essentials. In the PCI context, implementation of this would again be to pursue putting more layers in front of the data. A database, for example, could be set up to only have access through another piece of software that queries it, in which case, you could also put logical controls on who can utilize the software making the queries to the database.
Restricting access based on the IP address or MAC address would involve a network-level device such as a firewall. Systems that need access to a database are identified and included in an Access Control List (ACL), which allows them access. Restricting by IP address can be more difficult when utilizing Dynamic Host Control Protocol (DHCP), where the host IP changes versus the static IP addresses.
Another approach could be to utilize Network Access Control (NAC) methods. NAC technology exists in both hardware and software forms. It is a method where the NAC control sits in front of the subnet you are protecting. Security controls can be enforced and multiple checks for security requirements can be made. If the end point seeking admission to the subnet does not meet the requirement, it is denied access.
The implementation methods referenced in the previous section can also be utilized to restrict access to specific applications or services. Care should be taken here; methods targeted at such a low level can often backfire. Restricting based on a port that an application uses or a services, ends up causing some other application or service to fail which was not comprehended. A thorough researching of details should be made so as to not impact existing operational and network activities.
Packet filtering is a network-level activity, typically the work of a firewall. It is the process of dropping or allowing packets based on what the packet header says about its destination, source, its targeted port, or the protocol being used. Again, great care needs to be taken when working on this level. Some things can be identified easily as dangerous or unwanted, but simply “dropping” certain packets can often lead to applications not working, and it being difficult to determine the cause of the issue until someone thinks to examine firewall logs.
Even if your organization has the most fundamental information assurance program, it is likely that thought has been given to the organization of varying privileges and access based on user accounts and the groups they belong in. All operating systems and databases have the capability to restrict or allow users based on accounts and groups. This is a matter of designing the architecture, documenting it, and implementing it. Any good information assurance program starts with creating rules for access, procedures to demonstrate need for access, and implementation of auditing around when it is granted and when access is removed. No entity should have access to cardholder data without an express need for it.
This particular requirement is a bit difficult to achieve. It is essentially implying that any centralized directory for user groups and control is untrustworthy. This may or may not be the case in your environment, but the requirement pushes you in the direction of managing access locally. Most enterprise networks are designed to centrally manage accounts, and to grant access to resources based on domain accounts. Therefore it would entail a good deal of process work regarding procedures, documentation, and process to enforce management of accounts locally on the database server or on a dedicated (segmented) Active Directory. Care must also be taken to ensure that the local accounts comply with your own corporate requirements for password compliance as well as with the PCI DSS.
The most likely candidate for a technical solution for this requirement is a network-based or host-based Intrusion Prevention System (IPS). This may be technology you already have invested in for your network, as the technology is of benefit for protection and detection of all manner of threats on the network.
IPSes monitor network traffic and take actions according to predefined rules if the traffic activity it sees meets criteria that it deems to be malicious. Many organizations also employ security event management tools. This type of technology gathers information regarding activity on the network from various sources such as event logs, firewalls, IPSes, and Intrusion Detection Systems (IDSes), and aggregates the data to detect suspicious or harmful activity on the network. The operative word in most of these technologies and approaches is prevention. As it relates to detection of attacks, this also assumes that in addition to technology that detects activity (such as IDS and AntiVirus) that procedures are in place where logs are reviewed so that it can be determined if attempts at compromise have taken place.
The primary requirement in PCI DSS regarding cardholder data is to render the data unreadable. While encryption of data on your network may be expensive, or in some cases technically impractical, it should be pursued if at all possible. The alternative measures required to meet the standards in the form of compensating controls are not trivial to achieve. They essentially require you to put into place a significant amount of internal controls and additional layers of separation from the databases that house cardholder data. Implementing and maintaining the hardware, software, policies, and procedures necessary for this additional internal perimeter could become an odious task. Without great care in implementation, you could still end up not passing a PCI audit, and in the process could break necessary internal data flows, which are required for your processes to work.
Now that we’ve looked at the particulars of the PCI requirements for protecting cardholder data, and discussed some of the technologies and methods available to achieve compliance, let’s take a step back and briefly discuss your approach.
In many cases, organizations involved in handling PCI data existed and were involved with it before the PCI DSS came out. So, networks and architecture processes already existed. If you were designing your network and your plan from the ground up with PCI DSS in mind, you’d do it differently. Attempting to apply specific security standards after the fact is a different (and more difficult) proposition.
By utilizing some of the fundamental principles of developing a sound information management practice, you can avoid a haphazard approach that can lead to problems such as inefficiency, unnecessary cost, insufficient controls, or controls that are more restrictive than necessary.
The first step in achieving your data privacy goals is to identify what data you have and classify it in terms of its sensitivity. There are multiple levels that data can be classified on, but for the purposes of PCI, you need to determine what is and is not cardholder data, and then break down the elements further in terms of sensitivity. You might break it down such as:
You can classify your data in any way that makes sense to you, but the most important thing to be aware of is the requirements in PCI DSS Requirement 3 in terms of what is required to be treated as sensitive or not. Your subsequent steps of organization will be based on your decisions here.
Databases will house cardholder data, but where else might it be? Flat files that are results of batch processing, log files, backup tapes, and storage networks may all house sensitive information.
Ask the following questions:
Answers to these questions will determine if you have to make changes in your architecture to minimize the cost and work to protect the data.
Too often, data breaches take place simply because people and applications have access to data they do not need. You have to balance the need for access with the proper control on that access to keep doing business. Answer these questions:
Now that you have identified what data you have, where your data is located, and who and what needs to access it, you can define information-handling policies based on what, where, who, and how. This is where you establish such things as policies, standards, guidelines, and procedures. The details of implementing this are beyond the scope of this book, but numerous resources exist which provide help on how to approach this in an organized way. It may also be of help for you to engage a professional organization or consultant versed in this to help you write and publish these. This will be the cornerstone of your approach to your information assurance plan.
We’ve approached the protection of the cardholder data from PCC DSS from a high-level, principle-driven approach. The PCI data security standards are published and available, and you need to be familiar with them in detail to insure you are compliant.
Let’s take a moment to review what would be considered the absolutes detailed in Requirement 3.
As part of your development of policies, you will establish a data retention policy. This is a crucial piece of an information assurance plan. There is no need to store sensitive data longer than business, legal, and regulatory requirements dictate.
Once a transaction has been authorized or “cleared,” there is no justification for storing any of the following sensitive data:
The first six digits and the last four digits are the maximum that can be displayed. (Point of Sale restriction may be more demanding that this standard.) This is focused on the storage, retrieval, and display of the number.
This requirement is most easily achieved by encryption. But other methods are allowed, such as a one-way hash, truncating, and padding.
PCI DSS details 12 different items for the proper management of encryption keys. These will not be detailed here other than to point out that this is again something that would be included in your policies. They include processes, procedures, and who the custodian of these keys would be. The management of encryption keys is probably the most resource-intensive aspect of encryption. Some methods of encryption make this simpler than others. Consider this aspect and make sure you ask the right questions of potential vendors when considering your encryption solution(s).
Complying with the PCI DSS requirements is not a trivial task. Many organizations are still not compliant and risk fines and data breaches as a consequence. With the proper preparation and execution of your plan, you can protect the information you have been entrusted with. Keep these key components in mind:
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: What happens when I have my environment assessed for compliance?
A: An audit for PCI DSS Compliance is very similar to other kinds of process audits. Make sure you have your processes and procedures documented. An assessor would check your environment to make sure that you follow the procedures you have documented, and that sensitive data is being secured properly.
Q: Is there any way to prepare for assessment and make sure I’ve covered everything?
A: In addition to being thoroughly familiar with the PCI DSS documentation, the PCI Security Standards Council also provides a handy. Self Assessment Questionnaire to assist organizations in their overall review of the environment. It can be downloaded from https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf.
Q: Are problems with PCI DSS Requirements 3 and 4 a common cause of PCI standards compliance failures?
A: Yes, failure to properly secure sensitive data at rest, and failure to properly encrypt and secure it during transmission, are the most common sources of failure in compliance to PCI DSS standards. In November of 2006, Visa USA Cardholder Information Security Program (CISP) issued a bulletin which underscored this fact, specifically focusing on improperly installed and maintained point-of-sale (POS) systems.
Q: What are the “low hanging fruit” issues I can take care of first to secure sensitive data?
A: Take care of any and all access to data from the outside. There should be no direct access to a POS system. Ensure that wireless routers are secured and configured properly. Remove remote access software that employees may have installed to make work convenient.
Q: How do I make sure that the secure configuration I put into place stays that way?
A: It is wise to utilize come kind of “configuration management” software solution such as Tripwire, if possible. You can configure such software to alert you to, or generate reports on, changes in configuration of accounts, files, and logs. You can even configure it to force changes back to the original version, if desired. This can be time consuming to implement, but can protect you from unexpected and unwanted changes that threaten the security of your environment.