PCI Compliance
A Service Provider has a large mid-tier UNIX installation, like Solaris or AIX, that runs critical
areas of the payment process, including long-term data storage. For various reasons, encrypting the
data is not an option on these machines. How do we make this service provider compliant with PCI
Requirement 3.5?
This is a real-world example that comes up frequently. Encryption implementations have come
a long way. The words “my platform does not have a solution for encryption” are no longer valid
for platforms that can comply with PCI. When presenting the following control to customers, it is
shocking how fast they find a way to encrypt their data.
While systems like this could be bolstered by moving from discretionary access control (DAC) to
mandatory access control (MAC) to act more like a Mainframe, the requirements specifically talk
about storage. These days, most storage is somewhere on the network in a Storage Area Network
(SAN) and may not be physically connected to the host machine. MAC might help you in some
aspects of PCI DSS, but it may no longer be strong enough in non-Mainframe environments to meet
requirement 3.5.
A better option that would not significantly affect system performance is an external tokenization
engine that protects the data while it sits on disk. Several companies have products that would allow
you to extend the life of those legacy systems (remember, they still must be maintained and must be
able to receive security patches) through tokenization. Because the legacy host would then store only
tokens, this outright meets Requirement 3.5, and it serves as a compensating control for Requirement
3.6 (key management), which would not necessarily apply to a host that holds neither PANs nor keys.
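To make the tokenization option concrete, here is an added example (not code from the book or from any vendor product) of how a vault-based tokenization engine keeps card numbers off the legacy host. The in-memory TokenVault class, its authorized-caller list and the store_settlement record layout are assumptions for illustration; a real engine would persist the vault under its own encryption and would itself be the in-scope system. The token is random (not derived from the PAN, so there is no key on the legacy host), keeps the last four digits for receipts, and is deliberately Luhn-invalid so it can never be mistaken for a live card number.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real PAN passes. Used to validate input and to
    make sure no issued token could be mistaken for a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for an external tokenization engine (hypothetical, in-memory).
    The vault is the only place a PAN exists; the legacy host only sees tokens."""

    def __init__(self, authorized_callers):
        self._pan_by_token = {}
        self._token_by_pan = {}
        self._authorized = set(authorized_callers)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:          # same PAN -> same token, so joins still work
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # preserve last four for receipts and support
            # Reject collisions and anything that passes Luhn (could look like a real PAN).
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only named systems (e.g. the settlement gateway) may recover a PAN."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller} is not authorized to detokenize")
        return self._pan_by_token[token]


def store_settlement(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the legacy UNIX host writes to disk: the token, never the PAN."""
    return {
        "pan_token": vault.tokenize(pan),
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }
```

The trade-off to present to the QSA is that scope moves rather than disappears: the vault now holds every PAN and must meet Requirements 3.5 and 3.6 itself, and the detokenize path is the new choke point to lock down and log.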
Even if you were able to convince a QSA that switching to MAC is a fabulous compensating
control for 3.5, things are never that easy. Some security professionals inside companies love the
idea of converting to MAC as it allows them to have more granular control over their systems and
data. Practical ones know that converting an existing system requires so much effort that the costs
typically outweigh the benefits. In fact, conversion is probably more like a replacement for a change
this large. This is a perfect example of how a compensating control might look good on paper (it’s
only three words when you use the acronym! “Convert to MAC!”), but in reality would be much
easier to just meet the implied requirement to encrypt that data (or build a new system from scratch
that begins with MAC).
A medium-sized retailer with fewer than 500 stores is struggling with Requirement 10.2.1.1 to
“capture all individual user access to cardholder data.” All of their data is stored in a large DB2
database that runs on a mainframe. They run massive batch processes at regular intervals, and their
space constraints prevent logging every single access to a row. Do you tell them to go back to their
board for new budget dollars to buy lots and lots of drive space to store logs?
Before we proceed, consider the intent of the requirement. Reliable logs are valuable in investigating
a breach quickly. Without them, it may take forensic examiners days, or even weeks, to determine
the source of a breach. Once the source has been identified and analyzed, forensic companies
must attempt to determine how many card numbers may have been exposed. If there are no logs,
the assumption is that everything could be exposed, meaning that fines will add up pretty quickly.
The idea is not necessarily to make a log record that includes every single card number that is
accessed but to be able to identify which cards are accessed through the data contained in the logs.
Are you starting to get the hang of this thing? How about another example?
One more example, and then it’s time for you to get creative!
The Art of Compensating Control
If we were to log the actual query performed against the database during a batch process, with
knowledge of the date and time that the query was run and exactly what that query will do, we
should then be able to determine, with reasonable certainty, which cards were accessed. It is common
for batch processes to run on a daily basis, usually using the data from the previous day to produce
their output. If we must determine what could have been exposed from January 1 to January 8, we
could look at the data that would have been accessed by that batch process during those days.
Logging the query, and all the other elements required by 10.2.2 about that action, would generate
a reasonably accurate list of records while using a fraction of the drive space required by writing
an entry for every single record exposed (an entry that would also bring the log itself into expanded
PCI DSS scope, because it would contain card numbers that must be protected! How circular!).
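The following is an added example (not from the book) of the compensating control just described: the batch job writes one audit record per run carrying the 10.2.2 elements (user, event type, timestamp, outcome, origin, affected resource) plus the exact statement and its bind parameters, and an investigator later replays the logged statements for a breach window to list which records could have been read. SQLite stands in for DB2, the settlement rows, job names and timestamps are constructed data, and the PAN column already holds tokens rather than card numbers.

```python
import json
import re
import sqlite3
from datetime import date, timedelta

# One row per batch run. Columns map to the 10.2.2 elements plus the query itself.
AUDIT_DDL = """
CREATE TABLE audit_log (
    ts       TEXT NOT NULL,   -- date and time (UTC, ISO 8601)
    user_id  TEXT NOT NULL,   -- user identification
    event    TEXT NOT NULL,   -- type of event
    outcome  TEXT NOT NULL,   -- success or failure
    origin   TEXT NOT NULL,   -- origination of the event (job / host)
    resource TEXT NOT NULL,   -- affected data or resource
    sql      TEXT NOT NULL,   -- the exact statement that ran
    params   TEXT NOT NULL    -- its bind parameters, JSON-encoded
)"""


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the DB2 settlement table (constructed data):
    one settlement per day from 2023-12-30 to 2024-01-09, PANs tokenized."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settlements (id INTEGER PRIMARY KEY, txn_date TEXT, "
                 "pan_token TEXT, amount_cents INTEGER)")
    conn.execute(AUDIT_DDL)
    first = date(2023, 12, 30)
    rows = [(i + 1, (first + timedelta(days=i)).isoformat(), f"tok-{i + 1:04d}", 100 * (i + 1))
            for i in range(11)]
    conn.executemany("INSERT INTO settlements VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def run_batch(conn: sqlite3.Connection, user_id: str, run_date: date, origin: str) -> int:
    """Nightly batch that reads the previous day's settlements. It logs the
    statement and its parameters, never the rows returned, so the log holds
    no card data and stays out of scope."""
    sql = "SELECT id, pan_token, amount_cents FROM settlements WHERE txn_date = ?"
    params = [(run_date - timedelta(days=1)).isoformat()]
    try:
        rows = conn.execute(sql, params).fetchall()
        outcome = "success"
    except sqlite3.Error:
        rows, outcome = [], "failure"
    conn.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                 (f"{run_date.isoformat()}T02:00:00Z", user_id, "batch_read", outcome,
                  origin, "settlements", sql, json.dumps(params)))
    conn.commit()
    return len(rows)


def records_exposed(conn: sqlite3.Connection, start_day: str, end_day: str) -> list:
    """Investigator's view: replay every successful logged statement whose
    timestamp falls within [start_day, end_day] (ISO dates, inclusive) and
    return the settlement ids it would have returned."""
    logged = conn.execute(
        "SELECT sql, params FROM audit_log WHERE outcome = 'success' "
        "AND substr(ts, 1, 10) BETWEEN ? AND ?", (start_day, end_day)).fetchall()
    ids = set()
    for sql, params in logged:
        ids.update(row[0] for row in conn.execute(sql, json.loads(params)))
    return sorted(ids)


def log_holds_card_numbers(conn: sqlite3.Connection) -> bool:
    """Scope check: True if any audit_log field contains a 13-19 digit run."""
    pan_like = re.compile(r"\d{13,19}")
    return any(pan_like.search(str(field))
               for row in conn.execute("SELECT * FROM audit_log") for field in row)


def simulate() -> sqlite3.Connection:
    """Run the batch for Jan 1 to Jan 10, 2024 and return the populated database."""
    conn = build_db()
    for i in range(10):
        run_batch(conn, "batch_svc", date(2024, 1, 1) + timedelta(days=i), "SETTLE01@mainframe")
    return conn
```

For the window of January 1 to January 8 the replay yields the settlements dated December 31 through January 7, which is exactly what those eight nightly runs read. The caveat to document with the control is that replay assumes the settlement table is retained unchanged (or can be restored from a point-in-time backup) for as long as the logs are kept; if rows are purged or rewritten, the replayed result over-states or under-states exposure, and the log must then also record enough about the data set (a row count or hash) to bound it.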
CASE STUDIES
Now that we have explored examples of what some humorous (yet invalid) compensating controls
look like and what acceptable ones might be, let’s walk through a couple of case studies to help us
further illustrate the process.
The Case of the Newborn Concierge
Nora’s Newborn Nursery is a small chain of daycare centers specializing in infant and newborn
care, with minimal medical staff on-site to assist with minor issues that can come up while providing
ongoing and routine child care. Her customers tend to be affluent and busy professionals who
sometimes have strange schedules and benefit from a service designed for professionals with young
children.
Nora founded her business on the principle that her customers should never have to worry about
the transaction process. Once a customer signed up for the service, they would leave a credit card on
file to be pre-billed for services to be rendered during the following week or month. Her customers
simply drop off the newborn, briefly discuss any problems or issues that are going on, and get on
with their day. Nora invested in some basic IT systems and a mobile app that allows her customers
to get reports on their children while care is happening, as well as schedule additional services like
routine checkups, wellness care, and seasonal immunizations. For those customers who choose not
to use the app, her systems can alert or update her customers via text message or e-mail.
Most of her customers pay monthly or weekly, so her transaction volume is projected to make her
a Level 2 merchant in the next 12 months. As a Level 4 merchant, she heard about PCI DSS through
a presentation at the local Chamber of Commerce, but has not implemented anything at this point
to comply with the standard.
Because she has a small IT staff, building sophisticated networks simply isn’t an option.
She calls a consultant and sets up some time to meet. During the first conversation, the consultant
describes how a centralized database and processing system could be valuable for her to invest in
so that each location doesn’t have to worry about on-site storage. In addition, she is looking at
Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rule compliance
issues with the healthcare data she inevitably stores during the course of her business.
Nora, with advice from her consultant, decides that the best course of action is to invest in a
hardened, centralized computing infrastructure that houses both the applications and data that her
locations will use. She will continue to store information about her active customers in an encrypted
format, and ensure that hardened environment meets both HIPAA and PCI DSS compliance. For
her employees, they will connect to that environment through a virtual desktop infrastructure like
AWS Workspaces, Citrix, or VMware Horizon. This gives her the freedom to implement any number
of IT solutions in her locations, such as replacing PCs with iPads or other tablet computers, or even
allowing her employees to bring their own devices into the workplace. The connection between the
locations and the centralized environment must be encrypted, and there must be adequate controls