PCI Compliance, Again

HCHTech

Rambling alert: I am struggling a bit with focus. I know I don't want to say "do these things and you'll be compliant", but I don't want to dump it all back in their laps, either. What follows is a short description of the client and my random thoughts on some of the issues.


I've got my first client request to assist in their PCI compliance efforts. Having waged battle with this beast in my own business, I'm starting to compile a shortlist of to-do items. The business is a retail store with two locations. They have a POS system that runs on their register computers (the database is on a separate workstation), and the CC terminals are USB-connected to those computers. The two locations do not talk to each other (yet, anyway), so there are no existing VPN tunnels or anything like that. Each location has a single static IP, one has a Comcast business gateway and one a Verizon business gateway. Each location has one workstation that acts as the server for the POS, running Win7 Pro. There are 2 cash-register computers at each place, also running Win7 Pro that each run the POS software.

There is wireless at each location, used by employee phones, the store's background music system (which uses Pandora), the owner's laptop, and the part-time bookkeeper's laptop when they are present. They have security cameras and a DVR also on the network at each place. Of course there is remote access to the camera feeds so the owner can see it from home and from their smart phone.

No cardholder data is stored locally, but the encrypted data clearly is transmitted by the terminals over their systems.

I'm thinking the register computers and POS "server" should be on their own vlan at least, which requires a firewall capable of that (our goto would be a Sonicwall).

The POS vendor is not exactly playing nicely, the contact keeps spouting the line "we are encrypted end-to-end and we're compliant". I'm pretty sure we'll need a little more than their say-so.

The SAQ questions are maddening - it feels like there should be a question at the beginning somewhere that asks if you store any data locally, answer "no" and 68 of the next 75 questions should default to "N/A". Of course that would be too easy. They are clearly expecting help with the questionnaire - they don't even know what half the words mean, let alone what a "yes" answer entails for any of them.

They are on our monitoring system (we're using GFI) with the managed BitDefender, so I think the 12-month logging issue is taken care of, although I have to admit I've never actually tried to obtain any of that logging - I'll have to check out how that works.

The requirement to have separate user accounts for each employee that uses the system is a sticking point - the POS guy says that is covered by the login to the POS system, but I'm not sure about that - I suspect that separate Windows user accounts might be required as well. I wonder if I need to keep separate backups of the windows logs, too.

For my own shop, because I allowed remote access, I could not use a self-signed SSL cert and had to purchase a third-party certificate for the PCI scans to pass. I don't know if enabling the GFI-embedded teamviewer or the remote access for the camera feeds would trip this same requirement for a third-party cert.

I've been through quite a few of the documents available at pcisecuritystandards.org, but have yet to come across any sample company policies for things like changing the default logins on purchased equipment, changing passwords when employees leave, etc. I'm sure the client will expect me to give them some kind of template...

Anyway, just thinking this all through is enough to give me a headache! Have any of you developed your own templates of materials? Willing to share or sell? I feel a bit like I'm re-inventing a wheel that must already exist somewhere.
 
All external scans. Although I'm not sure they've had one yet - I think these guys have been ignoring the whole thing for the past year, they are being dinged with a higher rate because of (at least) failing to complete the initial questionnaire, and at least with my own experience, the scan doesn't happen until you schedule it from the portal.
 
Done loads of these, in very similar scenarios. I have one retail customer with a very similar setup, also with two separate locations, except they do have a VPN tunnel and they have numerous (proper) servers. I don't know if the rules are any different in the US but in the UK it's relatively easy to achieve/prove PCI DSS compliance.

The appointed compliance testing organisation in my case has always been SecurityMetrics. The process consists of filling in a questionnaire and allowing them to perform an external scan for open ports. If you can answer the questions satisfactorily and you have no open ports (or at least none that they consider a risk to security), you're good to go.

Funny thing is, the first time I had to deal with this and SecurityMetrics, the connections were already quite locked-down. I was blocking unsolicited incoming connections from unknown IPs and had the UTM gateway configured to stealthily ignore pings and port scan attempts and yet SecurityMetrics kept failing the scan. They argued that I had to allow their IPs to gain access so that they could scan for open ports, essentially lowering security ... bizarre.

As for the CC payment devices, we simply had to tell SecurityMetrics the model numbers to confirm they were compliant.

The entire thing is a pointless farce in my opinion. The tests really prove nothing. It seems it's really just a way for the CC companies to shift responsibility and blame. But, I get an hour or two's labour out of it a few times a year, just to re-run the scan and check everything is still secure, so I'm not complaining.
 
IMHO PCI is a joke. We all have to deal with it at some point for business clients; however, I've found the banks and security companies are not really in this to "secure" their customers. Rather, they are looking to make a few bucks or go through the motions of security.

It's amazing to me that when they get a letter from a merchant telling them they need to be in compliance they rip out their whole infrastructure if needed. Now (as their trusted advisor) try asking said client to upgrade their firewall for better security and they hem and haw. WTF?

The firewall is a great building block to security, yet this is not normally an issue for security companies. For example, I've got a customer who recently passed PCI with an Apple Airport that is a few years old. Very little logging capability and a stateful firewall. Seriously?

Merchants are worried about security and all they want to do is port scans and answer a few questions from a survey? Oh, and by the way security companies will be happy to set you up for their monthly port scans to make you feel secure. What a crock of ****!
 
If you just blindly answer "yes" to all of the SAQ questions without actually having the policies in place or the services disabled, or whatever each question is asking about, then you are not really compliant. If data was ever stolen and an audit conducted, you would be liable. This is the problem. I'm in the field now, so can't post example questions to illustrate my point, but I'll get to that later today.

In my own business, the scans failed last time because port 443 was open - when in fact, it was not. I did a "Shields Up" scan and posted the screenshot to prove otherwise, but they still wouldn't pass me unless I made a formal reply that "this port was not intended for public use" or something like that. What does that even mean?

Anyway back to my client - they really don't want to know how to build the watch on this one, but some understanding is going to be required. We'll see how that goes. At least I will get to sell them a couple of firewalls, and they will be better served by that protection regardless of the reason we used to pitch them.
 
OK, here's one tiny question among many from the Self Assessment Questionnaire ("SAQ"):

1.2.1 Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?

From the glossary, Cardholder Data Environment ("CDE") means "The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data."

So, the first question is "what traffic is necessary for the cardholder data environment?" Is email traffic necessary? I would argue that it is not, so if you allow email traffic on the same network that has your credit card machines, then you are NOT restricting traffic to only that which is necessary for the CDE.

So to answer this question "Yes", you have to separate out the CDE from the environment that sends and receives email. In my case, where the credit card terminals connect via USB to the register computers, that means that computer/terminal combination is treated as one environment and we cannot allow email to be sent or received from the register computers. If, for example, we had separate terminals which were connected to the network separately from the computers, then we could put them in their own VLAN and then email COULD be sent/received on the register computers. At least, it might be possible to separate those two functions.

You could take it further and say that no internet browsing is allowed on those computers as well since browsing traffic is not "necessary for the cardholder data environment". I KNOW my customer's employees browse from those computers when there are no customers to check out for normal business functions like ordering stock, tracking inventory, posting to company's business facebook page, etc. Following this question strictly would seem to prohibit that browsing to achieve compliance. So we would need to setup an additional computer that is on a separate subnet or on a VLAN in order to both pass PCI and let the employees do their jobs. We would probably also have to have a written company policy somewhere that prohibits email and/or internet browsing on the register computers.

This is 1 small question among dozens that could similarly be torn apart and shown to be impossible or at least very expensive to get a true "Yes" answer.

Comments?
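
An added example, not from any post in this thread: one way to turn the 1.2.1 question into something checkable is to export the firewall's outbound log for the register VLAN and run it against an allow-list of what the CDE actually needs (POS server, DNS, NTP, the payment gateway). Everything else the firewall let through, email and browsing included, shows up as a finding. The subnet 10.10.50.0/24, the payment gateway address 198.51.100.10, the log line format and the sample records are constructed assumptions, not anything the thread names.

```python
"""Audit outbound flows from the register/POS VLAN against a CDE allow-list.

Added example (not from the forum thread). The subnet, gateway address, log
format and sample records are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed: the register computers and the POS "server" live in 10.10.50.0/24.
CDE_SUBNET = ipaddress.ip_network("10.10.50.0/24")

# Outbound destinations the CDE is assumed to need. Anything else that the
# firewall ALLOWed is a finding under SAQ 1.2.1 ("only traffic that is necessary").
# Each entry: (destination network, protocol, port); port None = any port.
CDE_ALLOWLIST = [
    (ipaddress.ip_network("10.10.50.0/24"), "tcp", None),    # registers <-> POS server
    (ipaddress.ip_network("198.51.100.10/32"), "tcp", 443),  # assumed payment gateway
    (ipaddress.ip_network("10.10.50.1/32"), "udp", 53),      # DNS on the gateway
    (ipaddress.ip_network("10.10.50.1/32"), "udp", 123),     # NTP on the gateway
]

# Names used to describe findings in plain language.
PORT_NAMES = {25: "SMTP", 587: "SMTP submission", 143: "IMAP", 993: "IMAPS",
              80: "HTTP", 443: "HTTPS", 53: "DNS", 123: "NTP"}

# Constructed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample log: two registers (.21, .22), the POS server (.10),
# and one non-CDE host (10.10.60.5) on the office network.
SAMPLE_LOG = """\
2016-05-02T09:01:12 tcp 10.10.50.21:50112 -> 10.10.50.10:3306 ALLOW
2016-05-02T09:01:13 udp 10.10.50.21:50113 -> 10.10.50.1:53 ALLOW
2016-05-02T09:01:14 tcp 10.10.50.21:50114 -> 198.51.100.10:443 ALLOW
2016-05-02T09:02:40 tcp 10.10.50.22:50220 -> 203.0.113.25:993 ALLOW
2016-05-02T09:03:05 tcp 10.10.50.22:50221 -> 203.0.113.80:443 ALLOW
2016-05-02T09:03:06 tcp 10.10.50.22:50222 -> 203.0.113.80:80 ALLOW
2016-05-02T09:04:00 tcp 10.10.50.21:50300 -> 203.0.113.25:587 DENY
2016-05-02T09:05:00 tcp 10.10.60.5:40000 -> 203.0.113.80:443 ALLOW
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "proto": d["proto"], "action": d["action"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def is_permitted(flow, allowlist=CDE_ALLOWLIST):
    """True if the flow's destination/protocol/port matches an allow-list entry."""
    for net, proto, port in allowlist:
        if flow["dst"] in net and flow["proto"] == proto and (port is None or flow["dport"] == port):
            return True
    return False


def audit(lines, allowlist=CDE_ALLOWLIST, cde=CDE_SUBNET):
    """Return (findings, summary) for flows that left the CDE, were ALLOWed by
    the firewall, and are not on the allow-list. DENYed flows and flows from
    outside the CDE are ignored."""
    findings = []
    summary = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or f["src"] not in cde or f["action"] != "ALLOW":
            continue
        if not is_permitted(f, allowlist):
            name = PORT_NAMES.get(f["dport"], f"port {f['dport']}")
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["proto"], f["dport"], name))
            summary[name] += 1
    return findings, summary


if __name__ == "__main__":
    found, summ = audit(SAMPLE_LOG)
    for ts, src, dst, proto, dport, name in found:
        print(f"{ts} {src} -> {dst} {proto}/{dport} ({name}) not on the CDE allow-list")
    print("summary:", dict(summ))
```

Against the constructed sample the audit reports three flows from register .22 (IMAPS, HTTPS and HTTP to non-gateway hosts) and ignores the denied SMTP attempt and the office-network traffic. On a real export the summary is the list of things to either block at the firewall or move off the register computers before answering "Yes".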
 
Define "necessary" and frankly for some things it can be tricky to determine. I'd locked down a bunch of things for outbound traffic from a customer's EMR/database server, and I just got a call from the EMR vendor asking me to unblock part of it - turns out they're using SSH tunneling for backups that I didn't even know they were doing, and I'd managed to block them.
 
Define "necessary"

Yes, precisely. In your case, are the EMR database backups "necessary" for the cardholder environment? It seems to me that the answer is NO. It's necessary for the EMR environment, but that's not what PCI compliance is concerned with. I feel like the only practical solution is to give up and answer "Yes", and then hope you don't get audited. I hate that resolution.

I spent a long working career dealing with the IRS Tax Code. The way it worked is that a law would be passed and the Tax Code would define some new rule - not unlike the SAQ question here. Then, the House and Senate would debate the rule and ultimately agree through conference committee and issue regulations. Sometimes folks would sue or be sued over some regulatory point of compliance, so you also had the resolution of various circuit court rulings (which sometimes conflicted with each other!). So if you wanted to answer a question, you would read the rule, then read the regulations, and sometimes even go to the conference committee reports or court rulings to try and ferret out some detail that wasn't clear. It was all about interpretation, and you had places to go to guide your interpretation. This PCI world has the rules, but nowhere else to go to figure out those rules and how to apply them consistently or practically.
 
Maybe the "people who process/transmit cardholder data" need email in order to do the rest of their job?

It must be easier in Canada. I haven't really had to deal with PCI. In my experience, either the POS provider takes care of it and lets you know what you can and can't do, or you have separate terminals and as long as they are compliant no one says anything?
 
If it's an external scan you just need to make sure all ports are closed and ICMP is turned off. That way when they run the scan all they hear is silence. You can even test it yourself in advance using something like ShieldsUp. You also want to make sure their machines are managed and one can document anti-malware efforts.

Edit: Link to SAQ questionnaire B 3.1 which is what one of my customers is going through.

Edit: Guess it would help if I posted the link! LOL!!!

https://www.pcisecuritystandards.org/documents/SAQ_B_v3-1.pdf
 
I think the issue here is that all ports cannot necessarily be closed now, can they? If you are planning for this with a new business, for example, I can see the merit of getting a block of 5 IPs instead of just one and using one IP for CC traffic, and other IPs for the DVR security traffic, for example. If you are coming into an existing business/infrastructure and you only have one public IP address, then it definitely gets messier. Say I want to have https management for my firewall, there's an open port. VPN access for remote workers, there's an open port. Maybe they just have a NAS they want to be backed up to a 2nd NAS at the owners home, there's an open port.

I don't see a 3.1 in either the B or the B-IP questionnaire. Do you mean 3.2.1 about deleting the data retrieved from the mag strip after authorization?

===========
Edit: Oh, I misunderstood. You are talking about VERSION 3.1 of the B questionnaire. I should note that there is a new version. The current one is version 3.2, dated April 2016.
===========

BTW, I just got off the phone with the PCI compliance division of my own merchant vendor (first data), and they unfortunately agree with me there should be no web or email traffic on a register computer that has a USB-connected terminal. For my retail customer, that's an ugly development.
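
An added example, not from any post in this thread, for the "test it yourself before the scan" suggestion above and for the single-public-IP problem: a small TCP connect() check that can be run from outside the site against the public address, which then splits whatever answers into the exposures you meant to have (firewall management, VPN) and the ones you did not. The host, the port list and the "intended" entries are assumptions for illustration; it only sees TCP, so a UDP VPN port or ICMP behaviour has to be checked with other tools.

```python
"""Pre-scan exposure check for a single public IP before booking the ASV scan.

Added example, not code from the forum thread or from any scanning vendor.
Host, port list and the intended-exposure table are assumptions chosen for
illustration. Run it from a network outside the site, as the ASV would.
TCP only: UDP services and ICMP responses are out of scope for connect().
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports that are deliberately reachable from the Internet and why (assumed).
# Anything else that answers is an unplanned exposure to fix before the scan.
INTENDED = {
    443: "firewall HTTPS management (assumed: limited to known source IPs at the gateway)",
    1194: "remote-worker VPN over TCP (assumed)",
}

# Ports that commonly draw findings. As the thread notes, any open port
# deserves scrutiny, so treat this list as a starting point, not a boundary.
DEFAULT_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 1194,
                 1433, 3306, 3389, 5900, 8080, 8443]


def probe_port(host, port, timeout=2.0):
    """TCP connect() check. Returns 'open' (handshake completed),
    'closed' (RST received) or 'filtered' (no answer before timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def probe_ports(host, ports=DEFAULT_PORTS, timeout=2.0, workers=16):
    """Probe each port concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def classify(results, intended=INTENDED):
    """Split open ports into planned exposures (with their reason) and surprises."""
    planned = {p: intended[p] for p, s in results.items() if s == "open" and p in intended}
    surprises = sorted(p for p, s in results.items() if s == "open" and p not in intended)
    return planned, surprises


if __name__ == "__main__":
    # 203.0.113.1 is a documentation address standing in for the site's public IP.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    results = probe_ports(host)
    planned, surprises = classify(results)
    for port, state in sorted(results.items()):
        print(f"{host}:{port} {state}")
    for port, reason in planned.items():
        print(f"open as intended: {port} ({reason})")
    for port in surprises:
        print(f"UNPLANNED open port: {port}")
    if surprises:
        sys.exit(1)
```

The exit status makes it usable as a pre-scan gate: a non-zero result means something answered that is not in the intended table, and the fix is either a source-IP restriction on the gateway (so the scanner's addresses are not in the allowed set) or closing the port before scheduling the scan from the portal.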
 
I think the issue here is that all ports cannot necessarily be closed now, can they? If you are planning for this with a new business, for example, I can see the merit of getting a block of 5 IPs instead of just one and using one IP for CC traffic, and other IPs for the DVR security traffic, for example. If you are coming into an existing business/infrastructure and you only have one public IP address, then it definitely gets messier. Say I want to have https management for my firewall, there's an open port. VPN access for remote workers, there's an open port. Maybe they just have a NAS they want to be backed up to a 2nd NAS at the owners home, there's an open port.

I don't see a 3.1 in either the B or the B-IP questionnaire. Do you mean 3.2.1 about deleting the data retrieved from the mag strip after authorization?

BTW, I just got off the phone with the PCI compliance division of my own merchant vendor (first data), and they unfortunately agree with me there should be no web or email traffic on a register computer that has a USB-connected terminal. For my retail customer, that's an ugly development.

Valid points. In the end it is all about risk management. I know for a fact that some major retailers have email and a web browser running on POS terminals. Granted they are completely locked down via GP and routing rules. And we all know the big boxes write their own tickets.

I'll have to remember that about multiple IPs for a site that needs to provide services like VPN. Very good point for the small businesses.
 
@Moultae - I just realized that my customer here is using Security Metrics as their vendor, too! I wonder how many of these companies are out there - based on this, I'll bet the answer is "not very many". haha. My vendor is FirstData so there are at least two!
 
I think the issue here is that all ports cannot necessarily be closed now, can they? If you are planning for this with a new business, for example, I can see the merit of getting a block of 5 IPs instead of just one and using one IP for CC traffic, and other IPs for the DVR security traffic, for example. If you are coming into an existing business/infrastructure and you only have one public IP address, then it definitely gets messier.

Yeah, a single public IP does make it more complicated. I would restrict general access to as many ports as possible and either setup VPN accesses for those who need access from anywhere/everywhere and/or create firewall rules to restrict open port access to specific incoming IP addresses.

In my case, this particular retail customer (with the similar scenario) has a /28 block of public IPs (about 13 usable) at site#2, which helped immensely. At site#1 however, due to the site's rural location, we're stuck with a single public IP address for now (we've been waiting about 3 years for BT to make a 'short haul data services' connection between the two sites ... but that's another story!). Other than CCTV though, site#1 didn't require much in the way of external access. I locked-down the required ports as best I could but, as far as passing the test goes, I probably went a little further than necessary. I found that not all ports needed to be closed and, when providing SecurityMetrics access to the open ports, the scan would still achieve a pass status. They seem to be only interested in certain ports, specifically those known to be used by malware or for remote access, which to me makes the whole thing even more farcical because a port is a port ... pretty much any port can be used for any purpose.

If the CC readers are fully PCI DSS compliant and no CC data (or other sensitive customer data) is stored on-site, I would just do what you need to do to appease them and pass the tests. Unless such data is being stored, in my opinion, the tests are irrelevant and should not apply anyway. In my case, even if I was completely incompetent at securing my customer's networks and there was a major breach, in the worst case an attacker may be able to gain access to company's financial and sales data which, while not good for the company, would be of no relevance or consequence to the CC processor.

@Moultae - I just realized that my customer here is using Security Metrics as their vendor, too! I wonder how many of these companies are out there - based on this, I'll bet the answer is "not very many". haha. My vendor is FirstData so there are at least two!
Ha! Have fun dealing with Security Metrics! They're a complete joke. They're probably all the same to be fair, but I did enjoy arguing with them: "so, let me get this straight, you need me to lower my security to allow your scans to run so that you can test my security!?".

I suspect there's only a handful of similar vendors since they seem to be appointed/approved by the CC companies, otherwise I think there would probably be many more. It's just money for nothing.
 
I hear you. I'm sure getting a passing scan is doable with some effort; frankly at this point I'm more concerned with the questionnaire. I have sample "company policies" I can give them to complete, put in the employee manual and never see the light of day again. That's ok. What I'm concerned with is the other stuff. In my example above, for example, I am directly involved. To answer yes to that question AND get sleep at night, I have to disable the ability to browse and get email. As soon as I tell them they will need an additional computer at the checkout counters just so the employees can do their jobs, they are going to balk. I suppose it's no different than many other things we deal with. "If you want to do [insert task here], you have to buy [insert product here]."

I'm going to go through the checklist and make a formal impact analysis for them. Then, I'll be off the hook and they can move forward.
 