PCI DSS Compliance - PCI DSS Requirements - PCI DSS Legal Compliance

June 28, 2021

The Cyber Rants Podcast

Episode #33: PCI Compliance - Do's and Don'ts

This week, the guys talk about a topic that everyone loves, PCI (Payment Card Industry) Compliance! They rant about PCI-DSS compliance levels and standards, plus what first timers need to consider when preparing for a PCI audit. PCI DSS Legal Compliance can be tricky, but the team is ready to share tips about how to make your PCI compliance process simpler throughout the year and how to deal with the QSA (auditor), especially when the auditor doesn't understand your environment.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Fake DarkSide Campaign Targets Energy and Food Sectors

Attackers Take Advantage of New Google Docs Exploit

Hit by a Ransomware Attack? Your Payment May Be Deductible

Mysterious Ransomware Payment Traced to a Sensual Massage Site

USB-Based Malware Is a Growing Concern for Industrial Firms, New Honeywell Findings Show

Fake Text File can Load Malware on Computers

Hackers Are Trying to Attack Big Companies. Small Suppliers Are the Weakest Link

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways all

to protect you from cyber criminals and now here's your hosts mike rotondo zach fuller and lauro

chavez hello and welcome to the cyber ants podcast once again this is your co-host zach fuller joined

by mike rotondo and lauro chavez and today we are talking about the payment card industry

data security standards or pci dss compliance which is a topic that everybody loves

and everybody loves to deal with pci compliance so we're going to talk about that today but before

we do mike would you tell us about your spirit animal and why you chose that animal or kick us

off with the news whatever whatever you prefer would that be the honey badger what is it i was

going to say the banana slug but you know that's kind of personal for a podcast we don't want to

share okay well we'll settle for the news dark side is from people from the colonial plat ponyo

pipeline hacked long story short there's companies out there pretending to be dark side now sending

threatening emails saying that we have your data please pay us now 100 bitcoins if it's not paid

we're going to release it so now since imitation is a sincerest form of flattering apparently

darkseid's being flattered by a bunch of posers so be careful out there and you know verify with

your dark side customer service rep that you're actually been hacked i can't believe you brought

this story up you're going to blow my whole cover of trying to get money off everybody sorry man i

know you need to pay for the ranch you're you're dim side or or uh very lightly lit side yeah it's

not quite a dark side yeah it's a lot of dark side there you go it's like having a night light

a new hack from google attackers take advantage of new google docs exploit

according to avidon which is a security research firm analysts have recently discovered an exploit

vector in google docs that attackers use are using to deliver malicious phishing websites to victims

google docs page looks familiar to those who share google docs outside the organization however

it isn't that page it's a custom html page made to look like the familiar google docs share page

they want you to click on the download the document and once they do bad stuff happens

be careful how many google docs do you share with a bunch of people i mean that's what i'm

thinking it's like how many i mean i know google docs i get from everybody so i mean

how many google docs do you have to get to where this actually works i don't know i don't know

what they do is they redirect you to another login site and then steal your credentials so

i don't know this is all new we'll have to see what happens so be careful out there

here's bad news for those of us in the cyber security industry hit by ransomware attack your

payment may be deductible yep the fbi is doubling down on its guidance to effective business saying

don't pay cyber credit loans but the us government and infinite wisdom is also saying these ransomers

are now tax deductible uh deductions are usually allowed under law and established guidance as

it's a silver lining ransomware victims but those looking to discourage payments are less

happy about this they fear the deduction is a potentially problematic incentive for no kidding

that can entice businesses to pay ransoms against the advice of law enforcement at minimum they say

the deductibility sends a discordant message to businesses under duress officials warn it's common

sense that payments lead to more ransomware attacks once you're a victim you're always

a victim according to stephen nix of the the secret service this is just a bad idea but yep

you can write off your ransom good to know is the irs colluding with russia now is that what's

going on how could this possibly happen this is no idea this is absurd it's a business loss yeah

i mean that's what they're calling it it is it is but i mean i think it should be i think

it should be penalized you know not not great that shouldn't be deductible you got to pay more

yeah the next one i i have this because you know sex sells and this is an interesting story so

mysterious ransomware payment trust essential massage site uh ransomware targeting israeli

company has led researchers to track a portion of the ransom payment to a website promoting sensual

massages researchers discovered after they used ciphertrace to track the ransomware payments as

it flowed through different bitcoin wallets into a tip jar at the website rubratings.com

rub ratings is a website that allows you to tip massage and body rep providers in the u.s

each masseuse's profile includes a tip jar button that allows customers to leave bitcoin tip for

their recent massage next researchers assume that this is most likely a way to launder a ransomware

payment i would agree with that and i gotta assume that these guys are that's pretty smart creative

interesting it's better than your usual you know buying xbox games ratings though that's pretty

genius us-based malware is growing concern for industrial firms according to honeywell

the new number of cyber threats designed to use usb sticks and other external media devices are

as launching pads doubled in 2021 uh those threats 79 percent can be used to disrupt operational

technology systems that are generally shielded from the internet another piece of malware fake

text mail file can load malware on computers attackers are now using notepad icons with

right to left over right also known as rtlo to trick users into opening malicious attachments

with the unicode character that informs windows operating systems to switch letters from left to

right the latest threats use rtlo and the encode character u plus 202e to make a text file into

an advanced attack this is generally a malicious powershell script so be careful with notepad and

lastly hackers are trying to attack big companies soft small suppliers are the weakest link and this

is something that solid sector has been preaching for a while but defense companies are a prime

target for cyber attackers and sometimes poor security of smbs which is the small

business or supply chain could be giving them an easy weigh-in and one according to researchers

at blue voyage they examine hundreds of smb defense companies subcontractor firms and found

that over half had severe vulnerabilities with their networks including unsecured ports on

supported patch software and which basically all makes it vulnerable to data breaches of ransomware

so that's some news for today lauro awesome awesome thanks for that mike

a lot of good stuff out there uh or bad stuff i guess depends on how you see it

speaking of bad stuff yeah interesting one way or the other so this this week for exploitables i i

don't want to talk about it but wordpress plugins again so there's one for a survey questionnaire

it's a blind blind sql injection so if you're if you're running the pull survey questionnaire

voting system make sure you you update that plug-in and then there's also another one for

word wordpress the google maps plugin so there's a there's a stored cross-site scripting so if if

if people are visiting your sites and they're hovering over that google maps you can

be led led astray so if you're running if you're running any wordpress stuff make sure you're

checking out those that was the google maps plugin and then the poll survey questionnaire

and then i think i think another one that is kind of kind of interesting is the vmware vcenter

there's a remote code execution for versions six five through seven oh um and that's been validated

um in a poc so if you're if you've got vcenter and you're relying on that virtualization make

sure you're not running six five six seven or seven oh that you've upgraded off those

platforms because that's uh an injectable then the module is available for metastoid

for all of us to use and that's uh that includes the exploits want even more cyber ants

be sure to subscribe to the cyber rants podcast get your copy of our best-selling book cyber

rants on amazon today this podcast is brought to you by silent sector a firm dedicated to

building world-class cyber security programs for mid-market and emerging companies across the us

silent sector also provides industry-leading penetration tests and cyber risk assessments

visit silentsector.com and contact us today zach are we going to talk about my favorite topic today

we are pci compliance and you both happen to be pci professional certified and have done a lot of

this so let's talk about it let's dive deep into pci or as deep as we can in a handful of minutes

but talk about that and really for the benefit of those people that are have to become pci compliant

you know especially for the first time or they are pci compliant but are struggling to maintain

compliance so first of all when we're talking about pci how of course it's it's

payment card industry standards right if you're processing credit card data handling storing data

on their compliance requirements along with that right and the merchant banks enforce

this now how does somebody know the question for both of you is you know how does somebody really

know if they have to follow uh pci compliance requirements and once they know that they do

how do they know what level they're at good good question you want me to go mike yeah let's take

that i will take that question okay so so good so here's the thing is it if you know first off the

the the terminology used is store process transmit so if you're doing anything with credit card data

even if you're busting it out in an iframe to a peanut processor if you're in that in that

security supply chain of that processing storing or transmitting of that data then you're gonna

you're gonna fall under pci also if you're a service provider so maybe you're just um

providing a service maybe you're translating um imagery right to for accessibility or something

like that so that the blind and the deaf may be able to get their bills too right so they they're

services like that and so if you fall under that supplier kind of paradigm you're also going to be

kind of susceptible to pci dss but but to find your levels out processing the payments

you're going to have a payment gateway and you've probably got a merchant bank already that you're

doing business with or a couple of them those merchant banks are going to have representatives

for pci they're more than likely going to reach out to some aspect of your business or have

already to basically relate to you that you're funneling so many you know transactions and it's

going to put you in a certain level right but you can find those levels out each payment card

provider each each credit card company writes to discovery american express visa mastercard

they're gonna um have different requirements for level one level two level three and level four

i think all of them are consistent mike except for like mastercard right now they aren't didn't

massacre the weird winners of discovery i don't know anyways one of them's like the oddball i

think it's just going i think it is yeah one of them's like kind of an oddball that just kind of

wants you into certain millions for certain things but yeah it's like over six millions like a level

one and then somewhere between one and two is like a level two and those are going to require those

level ones are gonna require you to have that on-site assessment but uh yeah your bank should

tell you your merchant bank should say hey this is where you're at well a lot of them a lot of now

i'm sorry let me cut you off but there's a lot of like the smaller companies now if you just sign up

to process credit cards you're gonna get an email from you know trustwave or somebody like that

saying congratulations you've been signed up to do pci with us fill out these forms

it's it's becoming automatic um where you don't really even have a choice so if you

them the question becomes is when can i do a sac a and then move on to the different sacks right so

and then you know get to the granddaddy of all sac d's which are painful to say the least big d

yeah the d we used to refer to that as that's what we call detroit when i looked in michigan

but that's another story altogether anyway the sag d is the monster and uh

and so what you need to do so basically the easiest thing to do for pci compliance is you know

what i think actually let me step back the biggest trap that most people run into is they spend all

this time they get pci compliant and then they don't follow through after they achieve compliance

it needs to be an operationalized activity where it is continually done where evidence

is continually gathered where vulnerabilities are continually tracked because we don't want to have

a nightmares like we lauro and i have both experienced at companies where it's you have

the audits due in january and you start the audit process in november and you are working christmas

eve reconciling vulnerability relate vulnerability and documentation and all sorts of things because

your internal resources that manage your audit is completely income competent and you know that's

just kind of a nightmare so you want to avoid it at all i'm speaking of a specific person but i

will not name names now we don't name those people they are the unnamed mike they knew who they are

though because they probably listened to this and they're like i used to work with that guy and

yeah we know you are but he who shall not be named the he who shall not be named still have dreams

dreams they're more like nightmares always up in cold sweat

okay here's the thing is that pci is going to require you to take evidence

as an example if you're proving segmentations in place okay you're going to have you're maybe

going to open up a command terminal you're going to run you're going to write traceroute command

try to go to that network and you're going to run a icmp ping command try and go to that

network right to demonstrate that the firewall is blocking packets you're going to have to have

those screenshots taken to demonstrate that you've done that right or the assessor is going to want

to want you to do it while they're while they're shoulder surfing you here's the thing is you can

make these evidence profiles and farm them out to all your teams and now they're collecting the

stuff throughout the year and like mike said that operationalized approach is what's going to save

you and you're two and three and beyond because like everything else these are forever machines

i mean as long as you're in the supply chain of storing processing or transmitting you're you're

in for this forever right i mean you can't put the cap back in the box yeah and the other thing

is that you need to keep your operational people aware of how to do it because i can

you know i can personally attest to how many times i've gotten questions well how do i provide that

evidence again i didn't you know i did it last year but i don't remember how if you keep them in

the mode of providing it every quarter they know what to provide you you know it's defined and you

know the other thing that i have to say drives me nuts is create an actual evidence library

based on the criterion required all right number one here's the data for number one here's the

data for number two and then just put it all in an organized format put it by quarter put it by

date put it by requirement and that way it's easy to find instead of that same person who shall not

be named putting it all in one giant folder with no particular rhyme or reason or naming convention

that made it fun to look through yeah at least name at least name the screenshots for crying out

loud yeah for cheese and rice please please just name your screenshots what else can we talk about

that's that's good for starting companies well i'm glad you asked because i'm just asking what

what people ask us right um people generally ask what are the requirements at the various different

levels in other words and and the way i see it of course is like when do you need to bring in a qsa

when do you need an actual asv to do the scans versus you know you can do them yourself or

whatever the case may be but let's talk a little bit about the requirements at the lowest level

and the highest level and the difference between the two gross okay i'm kidding i'm just i'm just

the messenger here i'm just semester no i just joke for everybody out there anyway so

um good so i guess the rule to live by with pci is that if you're processing more than i'd say

a million or two million a year you're gonna want to be you're probably gonna be in that

in that level one level two situation where your merchant banks gonna require you two things are

gonna require you to have that asv which is an authorized scanning vendor means i've paid money

to pci and taking a little class and how to run a vulnerability scanner i'm just saying it's not it

doesn't mean anything it's just they're on the list they've paid to be on the list of

authorized vendors to do your scanning for you okay on that list they get you got to

pay a lot to be on that list okay we're i'm in flat i said we're not on that list

like cause we just get a lot of money for it yeah yeah a ridiculous amount of money to be on their

list that's okay i don't care about lists i still get in the club you know what i mean anyway so

here's the thing to remember about the asb is that you the the scans required for the level one and

level twos right there are one clean scan recorder okay what that means is that like our scanner has

a pci template in it that you run against a set of targets it's not going to give you all of the

detailed information that other type of scan templates might use okay now this may vary by

scanning vendor but essentially what you don't want is you don't want any criticals or highs to

show up on that report that you give to the bank because you're going to do this once a quarter

and that scan's got to go to your representative at your your acquiring bank right your merchant

bank and they're going to they're going to take that they're going to file it away and you've got

to provide four of those a year and then at the end of the year you're going to have to submit

your um sac d typically is what it's going to be with uh what they call an executive summary on top

which is the report on compliance as a whole the rock the big thing the big d the big sac d right

with from uh from a from an authorized vendor qsa right another thing that you pay to be on

the list for of qsas but they'll they'll charge you to come in and write all this documentation

up for you and you're gonna have to submit that to your acquiring bank with the q for scan at

the end of the year and so that that's like the requirement for if you're processing a lot

of credit cards if you're not if you're just you know onesie twosie you're little then you can do

a sake right i mean so there's a lot of sacks and maybe we should have another show just to talk

about the differences between the a the c the aev you know all of these different variations

that they have depending on what yeah exactly what part you play so that if you go to their website

they have a very clear chart that tells you the differences of where you fall but but to be honest

we typically see two things people are doing a sac a self-assessment no scanning walking

through it's a limited subset of the pci dss so a sake is i'm going to guess probably like 50

of the 400 requirements that are in there some odd right 380 some odd requirements so it's a

small subset so the a is the littlest one and that's where we see everybody start

and then if you really want to if you really want to be mature about it then you do a

self-assessment d you do the big d the big sack d on yourself come on see where you fall the monster

sexy monster with that have a dungeon raid to get the sack d monster yeah the side d has full 329

controls on it is that what it is yeah feels like 400 whatever well i'm looking at their

site so that's what that's what they're saying they're heavy controls though they should count

1.3 controls or so well the amount of work you got to do and i guess real quick you have any

other questions to throw out zach because i've got a course like of course share your wisdom

please okay so for everybody starting out with pci this is something that that is a pitfall

trap for everyone especially if you have a not a very good assessor i don't want to say they're

i just i want to use the term lucy okay there's not all assessment firms are treated equal and in

the struggle to find qualified individuals today those those certain individuals may lessen their

oh they may lessen their their needs right to get people to just do the job right so be careful of

the assessor you get because you may get contest okay so there are two pitfalls that pci put into

their framework that they rely on you the organization or you the the individual who

owns the business to to figure out two things one is what network segmentation is to you

inside of your organization seriously pci will tell you that you can use network segmentation

to limit scope we will never recommend that you limit scope it's a bad idea it makes you weak in

spaces that you don't focus these frameworks in okay so we don't recommend that you limit scope

but if you're going to do it you're going to have to use network segmentation most organizations

already have a lot of network segmentation for dmz and other sorts of things pci doesn't explain

what network segmentation is they are not the fortified body right they're not the standard for

what segmentation is and so you have to define the type of segmentation how you've done vlans

and network segmentation inside of your infrastructure in a one-page dock and what

this is going to do is this is going to provide your methodology of segmentation for your business

so if an assessor comes in and tries to argue typically they're not a technical individual

they may come in um misguided and try to argue a fact about the segmentation

and you'll be able to deliver that and show that it's there

the other thing is a significant change pci is going to tell you that you need to do things

like penetration test after significant changes they don't define what a significant change

is and north can they for every organization right so again this is a place where i've seen

not not competent incompetent assessors come in and challenge who did what for a pen test based

on what the change was and they're basically making decisions on what they consider as

significant changes for your business you don't want to give them that opportunity so you want to

you want to take the opportunity ahead of time to define what you consider significant changes that

would warrant things like a penetration test okay for your infrastructure and your architecture not

all architectures not all businesses are deployed to the same architecture right we're all using a

classic computing i get that unless you you've got some cool quantum computer thing now but

probably not we're all on classic computing so there's so many there's only so many architectural

designs that you can go to but they're not all created the same and so you need to define what

those significant changes are for your specific architecture your specific applications and those

are two absolute places that are going to get that an assessor will come in and have i guess wiggle

room to misbehave is the term i'll use mike is that fitting yeah i mean here here's the thing and

i'll be a little more blunt tomorrow qsa assessors are not gods okay you can argue with them you can

tell them they're wrong you just have to be able to back it up with data that shows that they're

wrong and why they are not allowed to dictate to you how your infrastructure works it just does

it they do not have that power they think they do but i mean i i feel back to an assessor that

i dealt with who was asking me how a software package worked when i point blank said how have

you never installed software and he said no i've never installed a piece of software so that's the

level that sometimes you're dealing with and you really need to push back sometimes on these guys

or girls or whatever yeah you need to support but you need to have an informed

reason why you're making that decision you need to have it documented you need to have it well

thought out and you need to have just strength and confidence you need data that you can push back

um or the way that you do things that you can push back another thing is you know not to

dub talent lauro saying says don't segment or don't don't limit scope i will say this

there is a case where you do limit scope when you are first doing pci because of the amount

of lift that is required to become get a whole organization especially a larger organization pci

compliant you can start out with limited scope then expand out from there well not to not to

dovetail on your dovetail in my dovetail but how many organizations have we seen that have

actually finished that out once they've got their scope in place and certified right very very few

yeah they so don't so certainly certainly that's uh the one case but you know go through with it

after you've limited the scope yeah well that's the thing is that you have to follow up right um

but i mean you know large organizations where the sales guys are telling people oh yeah we're 100

pci compliant altogether and then the technical side of it does not have the ability to get that

way because of an internal business structures that are preventing them from doing these things

you got to have coordinated messaging and it needs to be driven from the top if the intent is to be

fully pci compliant the sales arm is not the one that's going to drive that it should not

be driving it should be the security arm the cfo the cso cio whatever should be driving that

effort because of the lift required in it you can't have sales people out there saying yeah

we'll be 100 pci comply in six months and go from ground zero so oh gosh you know we well we've run

into that right i mean we have promises right it's always the sales person's fault no matter

what happens in a business just just put it on just delay it on sales always sales always sales

excellent point so pick a qsa that has a technical background if you can uh get somebody that knows

about the environment that you're working with and that way you probably will have less headache

but uh you know you might not get to choose who it is so if that's the case have your evidence

back it up collect it continuously throughout the year don't make it a one time lift

before we wrap up what are your any final words of wisdom well it's just a heads up

is that pcidss3 dot whatever is out right now four comes out in march so of 2022 so

beware if you are already pci compliant that there are changes coming there are changes every three

years right yes always to pci yeah um let's see last thought words wisdom oh yeah so if if

if you really want to be uh get ahead of this then have a print out of all your users

what permission status they have or print out of all your assets you know who owns them um have a

printout of all your document libraries ready to go right all those things will need to go

inside the report on compliance at the top and a nice diagram of your infrastructure if you don't

if you don't have that already so and and if you don't want to do any of that then you know don't

don't take payments there you go there you go okay cows and chickens for payment instead of credit

cards it works it works in some parts of the world so yeah i use guineas yeah there you go thank

you all for listening hope you learned something about pci compliance hope this is helpful for you

if you are faced with that and just keep in mind a lot of the same principles here in pci

apply to other compliance requirements as well so you don't have to reinvent the wheel every time

but hopefully this helped if you like podcast subscribe reach out let us know your comments let

us know topics you want us to to talk about and we were happy to share the information that we've

learned along the way so thank you for joining us and we will connect again next week take care

Episode #33: PCI Compliance - Do's and Don'ts

Send Us Your Questions & Rants!

Categories

Archives

Transcript