PCI DSS ‘Business as Usual’ Practices Provide Guidance to PCI Hosting

Posted 10.2.13 by
wpadmin
Blog

PCI SSCSearchSecurity.TechTarget.com recently reported on the PCI SSC (Payment Card Industry Security Standards Council) and their first annual PCI Community Meeting to discuss the changes made in PCI DSS 3.0 that affects merchants, ecommerce and retailers that deal with credit cardholder data.

In an interview with PCI SSC Gen. Manager Bob Russo and their CTO (Chief Technology Officer) Troy Leach, they highlight the most-discussed proposed changes at the meeting, including the pain points of PCI compliant hosting outsourcing and integrating with different vendors:

To that point, one of the areas we see failures is, for example, where a merchant will have good intentions to meet the requirements, but then they merge with another company, the professionals in charge of PCI change roles and new IT administrators and senior managers come in. All the while they don’t think anything has changed, but the necessary network monitoring activity is no longer being done, or more people than necessary have access to admin passwords that should have been revoked. – PCI SSC CTO, Troy Leach

Communication and strategic planning with the PCI requirement matrix is key to avoiding gaps in security. Organizations can still take advantage of outsourcing benefits, like reduced cost and system management time, but only if partnering with a client-focused PCI compliant host that clearly defines roles and responsibilities when it comes to compliance and data security.

Leach also notes that the council’s ‘business as usual’ practices have been well-received. These practices are detailed guides to implementing the standards, and published in a document called Navigating PCI DSS. This is a great document that really explains both the technical side and the reasoning behind the requirement – including specifically how hackers can take advantage of systems that lack the required security technology.

One example is the PCI requirement:

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

Their guidance/reasoning for this standard is to ensure your system’s configuration standards and related processes address server functions that need to have different security levels, or that may introduce security weaknesses to other functions on the same server. An example is a database sharing a server with a web application would put the database at risk since the web app needs to be open for Internet traffic.

Another example is the PCI requirement:

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.

The SSC explains the characteristics of disk encryption, including the fact that disk encryption encrypts data in mass storage and automatically decrypts data when a user requests it. Disk encryption also intercepts OS read and write operations, and supplies data after a password is entered by the user. Therefore, they require that the disk encryption method can’t have a direct association with the OS, or it cannot have decryption keys associated with user accounts.

PCI Compliant Hosting White PaperLearn more about encryption in our Encryption of Cloud Data white paper. Or read our PCI Compliant Hosting white paper as it discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing, and vendor selection criteria.

Jason YaegerOnline Tech’s Jason Yaeger, Direct of Operations, will be on a virtual panel discussion with Bob Russo of the PCI SSC, as well as Brandon Dunlap of Brightfly, Inc. and Randal Asay of Catbird. Join them as they discuss the role that cloud service providers play in protecting cardholder data and inherent security issues involved on November 6 @2PM ET. Gain new insights on:

  • Emerging PCI security risks in the cloud
  • Processes for assessing risk when card data could potentially be stored in multiple locations
  • Recommendations for achieving PCI compliance across virtual environments
  • How to use a data-centric approach to reduce the cost and scope of PCI Compliance

References:
Navigating PCI DSS: Understanding the Intent of the Requirements, v.2.0 (PDF)
At 2013 PCI Annual Meeting, Hot Topics Include POS Security, EMV Chips

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.

Get started with Otava now!

  • This field is for validation purposes and should be left unchanged.