|PCI smacks SME out of the park. Source Flickr|
PCI-DSS compliance for SME's does not have to be prohibitively expensive and difficult. Like many tasks achieving compliance can seem daunting until you break it down into some smaller tasks and just make a start. I run a niche security consulting firm and have a bit of experience in this area having worked for major financials and founders of PCI, this some practical advice which will hopefully assist SME's with the difficulty and cost of compliance
Firstly one of the easiest ways to reduce your risk is to simply transfer it. If you do not store or process card holder data (i.e. any information that is on a credit card) you significantly reduce the risk. For your online transactions payment processors like RBS Worldpay will give you some code to embed in your site and they handle the entire transaction, you just pass the amount and they tell you success or failure. Your systems never touch any card holder data. Alternatively or in addition you could also offer options such as Paypal checkout, Google checkout and/or Amazon checkout. Again these offer you a bit of code in the form of a checkout or shopping cart button and handle all the payment details for you. All of these may charge you slightly higher fees but compare that to what you may have to spend gaining PCI compliance and also the what a major security incident would do your business. If you are an offline business also consider something like Square. It is a small device that plugs into your iPhone and allows you to take credit card payments. No data is left on your phone, everything is processed by them, you just get confirmations, receipts and reports.
If none of these options are right for you and you have to process credit card information on your systems, still the golden rule is minimize the amount of card holder data you store - there is absolutely no reason to store the card security code (the three digit number on the back of the card) for example and seriously consider whether you need to store the card number and expiry. Even if you provide a save card functionality - it is not difficult for a customer to enter their expiry and or card security code again and may even give them a feeling of increased security that will get you more sales. Even you do need to store a lot of the card holder data, consider for how long; e.g. if it just for refunds and 90% of those happen in the first month after purchase get rid of the data after that.
Practical and cheap path to compliance
So after all these tips on how to avoid or reduce the scope of what needs to be PCI-DSS complaint or I'll go onto say its actually not such a bad idea anyway. This is because ultimately PCI-DSS is just sensible security practices. Security is essentially common sense and just like you would lock your doors and buy an alarm to protect your valuable physical property, having a few good hygiene measures to protect your valuable information and that of your customers is just good business
PCI-DSS is ultimately 12 key requirements and the good news is if many of these things are starting to become built in by default:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data - Firewalls are commodity products these days, you can buy an all in one device that give you a firewall, some intrusion detection (which can detect and alert to you to someone or a virus attacking your systems) as well as giving you VPN capability allowing remote working for your staff. They are also increasingly easy to configure via wizards. I am a fan of Juniper products in this space and the SSG5 gateway is a good place to start for most SME's. If you have a wireless network it is important that this is encrypted using WPA2 and goes through the firewall. The firewall can also assist you to setup network areas call Demilitarized Zones (DMZ) which enables you to prevents the systems that are holding card holder data from being directly internet access. Also by default stop people and systems getting to these highly sensitive systems unless you specifically allow them. Any laptops your have and if you're employees are allowed to bring their own computers make sure they have anti-virus software that updates automatically and a personal firewall. Again good news is there is free antivirus like Clam AV for Windows, Microsoft security essentials and Windows personal firewall is built into the later versions of Windows. Using all MAC's or running Ubuntu Linux will save your from having to worry about viruses (for now at least).
2. Do not use vendor-supplied defaults for system passwords and other security parameters - this is so simple but quite often a security hole that is exploited. Just get into the habit of when you buy any new hardware or install any new software change the default passwords - write it on a big checklist. Also remember any wireless devices and web admin pages like the admin page for that brand new firewall you bought. Use a password safe like lastpass.com or 1password which can generate a secure password for you and store it. Because both of these work in your browser and phone they are also always accessible. Back in the bad old days applications and operating systems came open and you had to lock them down. This does still occur to some extent but it is getting a lot better, especially the big ones like Windows come closed and more secure by default. If you Google CIC checklists you can find some good checklists for securely configuring all sorts of things like operating systems, databases etc.
Protect Cardholder Data
3. Protect stored cardholder data - if you are storing card holder data it really needs to be encrypted. This is not that easy to do thus emphasizing my points above of minimizing the amount you capture and store in the first place. Most likely any card holder data you have will be stored in a database - your application really needs to support encrypting this in the database, if you are buying off the shelf software this is a key point. If you have developed your own, hopefully your developers know how to find the crypto libraries on Git and not writing their own - if not maybe you should just buy something? The hardest part about encryption is also what you do with the access keys. Again I would suggest setting a strong password on your private keys and storing them in a password safe. Also anytime you display card data e.g. if you have a saved card function make sure the whole data is never shown, i.e. just the last 4 digits of the card number.
4. Encrypt transmission of cardholder data across open, public networks - the PCI council wimped out a bit with this requirement it really should be all networks but the most risky is open or public networks. If you Google Firebug you will see the recent spate of news about a really simple addon for Firefox that can allow anyone to capture the username and password of anyone using services like Facebook on open wireless networks like Starbucks offer. This is really avoid being vulnerable though, if you are using a wireless network it is simple to enable WPA2, most wireless routers will have a wizard that guides you through this. One of the biggest breaches of card data happened at TK Maxx where the breech was primarily due to use of a WEP wireless encryption - an old encryption algorithm that has been broken and should not be used. Enabling SSL (HTTPS green bar / padlock symbol) on your web pages is again very simple and cheap, just get a certificate from someone like godaddy and follow their instructions to install it.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs - talked a bit about AV above, either run a MAC or install one of the many antivirus programs available. The big boys are Symantec, McAfee, AVG, Sophos. Free ones are Clam AV, Microsoft security essentials. Again the good thing is that all these AV products automatically update if they have an internet connection and schedule regular scans by default. A few years ago there was a lot viruses spreading via email but now thanks to better spam filtering and everyone having AV this is a lot less. To be honest most security professions do not take AV seriously anymore, although it is enough for PCI-DSS compliance. It will not protect against modern malware like Zeus. If you are concerned about this one of the things you can do an application whitelist, something like Lumension APP control is good piece of software
6. Develop and maintain secure systems and applications - part of this is pretty easy now - most software including the big ones like Windows, Office, Acrobat, Flash, Java, all the browsers support auto updates. If you leave this on and the have an Internet connection patches will automatically download and install. If you use a free vulnerability scanner like Nessus every week or so you can confirm that everything critical (e.g. accessible on the internet and holding card holder data) is patched up. The harder part is secure development- best way again avoid if you can when it comes to systems that handle card holder data. Buy off the shelf software, no guarantee of security but at least they are more likely to patch and you don't need to worry about secure development. If you have to develop in house get your developers some security training, organizations like SANS run some good courses, also plenty of free materials on sites like OWASP. Those sites will also teach developers how to do code reviews of each others code and if you are prepared to invest a bit more money in step 1 you could buy a web application firewall. These are not the easiest to configure but they will protect your websites even if your developers leave a few security bugs or take some time to fix them. Having some good change control processes like a system to record all changes, someone to approve them, all changes being done on a non production environment is again just good practices, it will mean your systems have less downtime and also help you comply with PCI-DSS
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know - only people that need access to a system or information should get it. Pretty simple in theory, very hard in practice. Access controls are a pain to administer, to get something working it is easier if everyone has admin access - but this will hurt you not just for PCI but just when someone gets mad for not getting a raise and deletes a whole bunch of stuff. If you need to invest in a HR system soon, you can make this process easier by buying one that has a bit of Identity and Access Management (I&AM) built in. This means you can set it up so that based on a persons role in the HR system they have the access they need. If someone new joins with the same role or more importantly if the person moves roles or leaves the company removing them in HR should remove all their access. If you can't afford to automate, simple policy is that no one has any access unless they request it with a good business reason. Make someone in each area or department responsible for approving access to that area and department. Have a checklist for when people move jobs or leave so your remove their access
8. Assign a unique ID to each person with computer access - a shared password for a system is easy - hey Bob what is the password to get into that again? It makes life easy and business function when people are on leave or sick. But it does have the problem of if someone does something they shouldn't you have a hard time of finding out who that was. So give everyone their own ID to every system. Make sure you need at least a password to get into systems, if you allow remote access get something stronger like a Yubikey so if someone finds out the password they can't get into your systems
9. Restrict physical access to cardholder data - most places have reasonable physical security, things like locks on doors and a visitor log is pretty standard. Try to avoid ever writing card holder data to CD, DVD or a USB memory stick or storing on a :Laptop or mobile. If you must do it make sure it is encrypted. If it is in something like a spreadsheet PGP is a good option to encrypt the file. GNU-PGP is free, alternatively something like an Ironkey has hardware encryption is built in so you don't have to think about doing any extra. If you must backup to tape make sure it is encrypted and kept securely offsite, either pay someone to do this like Iron Mountain or keep it yourself in somewhere like a locked fireproof safe offsite. If you have someone a bit more technical something like an encrypted Truecrypt volume on a Dropbox is also a great solution for secure backup online.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data - again something that has gotten easier with newer systems, most systems will now audit virtually everything by default and you need to allow specific access to these logs. Reviewing logs is one of the most painful and boring jobs ever invented, luckly you can get some software to make it easier. Try something called Splunk which makes it really easy to send all your logs to one place and then search through them like Google. Booking 30 minutes of someones time to do this every day is not too bad. You have to be able to search through at least 3 months worth of logs and keep them somewhere archived for 12 months. Again Dropbox is a cost effective and secure solution
11. Regularly test security systems and processes - Most vulnerability scans you can buy online for "PCI DSS" compliance are ripoffs. Find a reputable company using sites like ISC2.org or ISACA that specializes in smaller companies PCI-DSS testing and get them to test your systems at least annually, make sure this a manual test not just an automated scan plus canned report. Getting something like Nessus which I mentioned above and running this quarterly at least is also cheap and simple. Keep an eye on what is connecting to your wireless network which you can do through the admin screen of your wireless router and if you bought a firewall like I mentioned in step one it also has an Intrusion Detection System (IDS), which will detect and alert you if it detects something unusual. Again auto-update is crucial for this type of tool.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors - Google security policy examples and you will find plenty. SANS has some as well, adopting all the requirements of PCI-DSS as your policy is not a bad idea. Writing down what proper use of the computer equipment including the internet access, and email for your company is a good idea - just write it in plain English that your employees will understand. Tell them about it when they start and at least every year after that. If you use sub-contractors to handle your card data ask for their PCI-DSS compliance certificate. Have some plan for what to do when something goes wrong with security - that might just be a security consulting company you can call that will act quickly, just like a firebrigade. Do check your staff references before you hire them, if you can do a background and criminal record check - companies that do this are not that expensive - that would be a good thing.
One of the main things to remember about PCI-DSS is that they apply a risk based approach. It is pretty simplistic, just depending on how many transactions you process.
The table and requirements is as follows:
Level 1 Criteria
- Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
- Level 1 Validation Requirements: Annual Onsite Security Audit (reviewed by a QSA or Internal Audit if signed by officer of merchant company and pre-approved by acquirer) and quarterly network security scan
Level 2 Criteria
- Merchants with 1,000,000 to 6 million transactions a year
- Level 2 Validation Requirements: Annual Self Assessment Questionnaire, Quarterly Scan by an Approved Scanning Vendor (ASV)
Level 3 Criteria
- Merchants with 20,000 to 1,000,000 transactions a year
- Level 3 Validation Requirements: Quarterly Scan by an Approved Scanning Vendor (ASV), Annual Self Assessment Questionnaire
Level 4 Criteria
- Merchants with less than 20,000 transactions
- Level 4 Validation Requirements: Annual Self Assessment Questionnaire, Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria)
A QSA is a PCI-DSS auditor that checks that what you say in your self assessment is actually true - so remember if you do it, document it. If it is not documented it is not done. So if you are very small, less than 20,000 transactions you can get by with completing the self assessment questionnaire and doing a quarterly vulnerability scan. Remember though, while it is easy to say yes to everything and give yourself some wiggle room, if you do have a breach then is it really worth going bankrupt over? If your really do not want to do anything or cannot afford to then go back to some of the options I outlined at the start.
If you got this far, hope it was useful to you. The main PCI site: https://www.pcisecuritystandards.org/security_standards/documents.php
It has a lot of good information, quick reference guides, prioritized implementation plans and the self assessment questionnaires