Howes-IT-Going - PCI Compliance, Certification and Penetration Testing

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

PCI Compliance and Certification Steps:

1. Project Evaluation
2. Gap Analysis
3. Scans and Penetration Tests
4. Remediation Plan
5. Remediation Support
6. Offsite Audit
7. Onsite Validation
8. Draft Compliance Report
9. Admin Compliance Report

Visa USA & CEMEA - Service Provider Levels and Validation Actions

LevelDescriptionValidation Action
1Any service provider that stores, processes or transmits more than 300,000 Visa accounts/transactions* annually1>Annual PCI DSS onsite review
2>Quarterly network scan
3>Annual PCI DSS self-assessment questionnaire
2Any service provider that stores, processes or transmits less than 300,000 Visa accounts/transactions* annually.1>Annual PCI DSS onsite review
2>Quarterly Network Scan
3>Annual PCI DSS self-assessment questionnaire

* Includes all transactions, regardless of type / channel

Visa Asia/Pacific - Service Provider Levels and Validation Actions

Service ProvidersMore than 300,000 Visa transactions per yearLess than 300,000 Visa transactions per year
Onsite reviewMandatedRecommended
Quarterly network scanMandatedMandated
Self assessment questionnaireOptionalMandated

MasterCard - Service Provider Levels and Validation Actions

LevelDescriptionValidation Action
1All TPPs.
All DSE's that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually.
1>Annual On-Site PCI Data Security Assessment
2>Quarterly Network Scan
2Includes all DSE's that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually.1>Annual PCI Self-Assessment Questionnaire
2>Quarterly Network Scan

Merchant Service Provider Levels and Validation Actions

Merchant LevelSelection CriteriaValidation ActionsValidated By
1Any merchant -regardless of acceptance channel - processing more than 6,000,000 Visa transactions per year Any merchant that has suffered a hack or an attack that resulted in an account data compromise Any merchant identified by any card association as Level 1Annual On-Site Security Audit and Quarterly Network ScanIndependent Security Assessor or Internal Audit if signed by an Officer of the company Qualified Independent Scan Vendor
21 million – 6 million Visa or MasterCard transactions per yearAnnual PCI Self-Assessment Questionnaire and Quarterly Network ScanMerchant Qualified Independent Scan Vendor
320,000 – 1 million Visa or MasterCard e-commerce transactions per yearAnnual PCI Self-Assessment Questionnaire and Quarterly Network ScanMerchant Qualified Independent Scan Vendor
4Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCards transactions per yearRecommended Annual PCI Self-Assessment Questionnaire and Quarterly Network ScanMerchant Qualified Independent Scan Vendor
Note:
While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended

Howes-IT-Going will perform a gap analysis and perform the required testing to be able to inform the client of the controls that need remediation to achieve PCI compliance. The assessment will include a review of the cardholder production network (including vulnerability and penetration testing) and supporting technical documentation. The assessment process may include interviews with company personnel to determine what PCI requirements are in place and where remediation is required. The first phase of the project will involve reviewing and validating the current cardholder network environment, policies and procedures against the PCI Data Security Standard (DSS). The methodology for validation will include: Review of current cardholder environment technology and security features; Mapping touch points to the corporate network; Examining access points and network components for security shortcomings from a PCI perspective; Verification that current documented controls meet the specific PCI DSS requirements; Scans and penetration tests to validate that the client has attained an appropriate level of security. For this phase, Howes-IT-Going consultants will require the following documentation from the client, Current network diagrams of the appropriate environments with respect to cardholder data; Firewall/router configuration details; Data retention and disposal procedures; Policy and Procedures for physical security; Encryption Key Management Policy; Incident Response Policy; Password Policy; Change Control Policy; Build/Patch Policy; Internal Security Testing Procedures. Howes-IT-Going will provide standard templates for the above mentioned policies and procedures, if so desired by the client.

The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security. The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and other vendors are encouraged to join as participating organizations.

FREE and Paid PCI Resources

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf

https://www.pcisecuritystandards.org/training/asv_training.php

Vulnerability Scanners

Rapid7 neXpose - http://www.rapid7.com/products/nexpose/

SAINT - http://www.saintcorporation.com/

w3af - http://w3af.org/

Acunetix - http://www.acunetix.com/

Nikto - https://www.cirt.net/Nikto2

Network Testing

Cain and Abel - http://sectools.org/tool/cain/

Metasploit - http://www.metasploit.com/

Ettercap - http://ettercap.github.io/ettercap/

Nmap - http://nmap.org/

SSLSmart - https://github.com/gursev/sslsmart-1.0

Sslscan - https://github.com/DinoTools/sslscan

Web Application Testing

BurpSuite - http://portswigger.net/burp/

Paros Proxy - http://sectools.org/tool/paros/

BeEF - http://beefproject.com/

NTO SQL Invader - http://www.ntobjectives.com/research/web-application-security-testing-tools/nto-sql-invader-free-download/

Absinthe - http://www.the-m-project.org/docs/absinthe/

Sqlmap - http://sqlmap.org/

DirBuster - https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

http://sectools.org/tool/dirbuster/

Common Vulnerability and Exposures
http://cve.mitre.org/

Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Page

The SANS Institute
http://www.sans.org/

Microsoft's Base Security Site
http://www.microsoft.com/security/default.aspx

Security Focus Magazine
http://www.securityfocus.com/

Open Source Security Testing Methodology Manual (OSSTMM)
http://www.isecom.org/research/osstmm.html

OSSTMM Auditors - ISECOM Licensed Auditors
http://www.isecom.org/partnering/auditors/ila.html

Control Scan PCI and Security Terms

Availability
Compromise
Confidentiality
Exploit
Impact
Integrity
Threat
Vulnerability

Risk Ratings

Critical
High
Medium
Low

Info

Recon and Mapping

Enumeration and discovery of targets
Port Mapping and service identification
Application and Business Logic Discovery (web apps)

Discovery and Attack

Vulnerability assessment and analysis
Research public databases
Brute Force
Password Attacks
Target exploitation

Analysis and Findings

Findings reviewed for new targets
Risk Analysis performed on findings and rankings assigned
Report Writing
Secure Delivery

Detailed Penetration Testing Methodology

Recon and Mapping

ARIN, WHOIS, DNS and other publicly available sources
-Host/range discovery
-Application discovery
-DNS/reverse DNS grinding

Nmap
-Port mapping
-Banner grabbing/Service Identification
-Host discovery

Web Browsers
-web app business logic

CLI Utilities and Scripts
-DNS lookups, SMTP discovery, zone transfers
-Ping and traceroute

Client Provided
-Credentials
-Target ranges

Discovery

Acunetix, nikto, w3af
-Web application vulnerability scanning

BurpSuite, Paros
-Intercepting proxy
-Vulnerability scanning
-Decoder

Public Databases
-Google Hacking DB
-ExploitDB
-Product/application, manuals/documentation

DirBuster
-Directory enumeration

neXpose, SAINT
-Vulnerability scanning

Wireshark, TCPdump
-Traffic analysis

CLI Utilities and Scripts
-Telnet, netcat, custom

Attack

Hydra
-Login brute force/pw attack

BurpSuite, Paros
-XSS, SQL Injection, CSRF

BeEF
-Client-side attacks

Metasploit Framework
-Exploitation
-Post-exploit looting
-Maintain session
-Man-in-the-Middle

Sqlmap, Absinthe, NTO
-SQL Injection

Cain and Abel
-ARP Poisoning
-Man-in-the-Middle
-De-obfuscation

OS utilities, CLI and scripts
-RDP, Telnet, VNC, SMB
-Custom-developed scripts

Vulnerability Assessment

Reconnaissance

Network
-Running Services
-OS versions

Application
-Spidering results
-Code comments
-Application platforms

Discovery

Manual Discovery
-Security advisories, CVEs
-Packet analysis, intercept requests/responses
-Analyze code

Automated Discovery
-Vulnerability scans
-Fuzzing
-Google Hacking Database

Frequently Asked Questions and Answers

1. Who establishes the scanning requirements?

The PCI Security Standards Council (PCI SSC) is an organization formed by American Express, Discover, JCB, MasterCard Worldwide and Visa, Inc. It manages the Approved Scanning Vendor (ASV) program and develops the scanning requirements.


2. What is an Approved Scanning Vendor (ASV)?

An Approved Scanning Vendor (ASV) is a company that has passed rigorous testing requirements set forth by the PCI Security Standards Council. Only Approved Scanning Vendors can fulfill requirement 11.2 (external vulnerability scanning on a quarterly basis) of the Payment Card Industry Data Security Standard (PCI DSS).


3. Where can I go to learn more about the PCI Approved Scanning Vendor (ASV) scanning requirements?

You can find more information on the PCI Security Standards Council's (PCI SSC) website http://www.pcisecuritystandardscouncil.org.


4. Why do I need a vulnerability scan?

Per PCI guidelines, if you have external-facing IP address(es) that are connected to your cardholder data environment, then you require a quarterly vulnerability scan by an Approved Scanning Vendor. Typically, these are merchants that complete Self Assessment Questionnaire (SAQ) C or D.


5. How does your scanning service help protect me?

Scanning is designed to find threats and configurations that may cause your environment to be vulnerable to external attacks. Any threats identified are also accessible to those with malicious intent. Scanning provides you with as much information as possible to secure yourself against potential breaches or loss of data.


6. Should I white list your scanner IP addresses to ensure the scan will not get blocked?

You should white list the IP address range above or add the range to an allowed list to prevent our scan from being interrupted or blocked. Per the ASV Program Guide, any scan that has been blocked or filtered must automatically fail as "inconclusive" and will not provide you with thorough and accurate results for your environment.


7. How does scanning relate to my Self Assessment Questionnaire (SAQ)?

Scanning is typically required for any merchant that has external-facing IP address(es) connected to their cardholder data environment. Typically, these are merchants that complete Self Assessment Questionnaire (SAQ) C or D.


8. Who is responsible for determining the scope of my quarterly scan?

It is ultimately up to you to confirm the scope of your cardholder data environment for PCI compliance. Howes-IT-Going PCI Compliance Support can provide guidance, and an ASV is responsible for reporting any scoping discrepancies between the information you provide and the information found in your environment.


9. What do I scan?

You should scan any component that touches your cardholder data environment. Specifically, the ASV Program Guide states: In addition to providing all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into applications for the entire in-scope infrastructure. This includes, but is not limited to:

Domains for all Web-servers Domains for mail servers Domains used in name-based virtual hosting Web-server URLs to "hidden" directories that cannot be reached by crawling the website from the homepage


10. What does the scan do?

The scan first examines the targets you have specified for ports that are open to Internet traffic. It then looks within open ports for evidence of vulnerable applications and configurations within your environment. Examples include: outdated versions of software, Web applications that are not securely coded or misconfigured networks.


11. What is a threat (a.k.a. vulnerability)?

A threat, or vulnerability, is an identified security issue within your environment that is encountered during the scanning process. A threat can be "confirmed" (there is clear evidence that it exists) or "inferred" (patterns suggest that a problem may exist, but it cannot be determined with certainty).


12. What criteria are used to determine if my scan report is passing or failing?

Threats identified are scored using a standard Common Vulnerability Scoring System (CVSS) numeric rating - a global standard for reporting threat risk levels. The standard is based on a 0 through 10 scale, and any threat that has a CVSS base score of 4.0 or higher will fail. These scores are translated into a "risk rating" within the report ranging from 0 to 5, such that failing threats have a risk rating of 3 or higher.


13. What is the difference between a "compliant" and "passing" scan status?

A passing scan status represents a completed scan without any failing vulnerabilities (those with a risk rating of 3 or higher). A compliant scan is a passing scan that has been attested to by both the merchant and the ASV. To remain in compliance with the PCI scanning requirement, a compliant scan must be achieved on a quarterly basis.


14. Does the scan report contain guidance on how to resolve vulnerability findings?

The scan report will provide suggested remediation guidance for vulnerabilities that are listed with a risk rating of 3 or higher.


15. Will Howes-IT-Going help me fix the vulnerabilities?

Howes-IT-Going Support will provide guidance to the best of its ability, but cannot perform the remediation tasks.


16. What is a false positive?

A false positive is a threat flagged during the scan as a potential security risk that you subsequently disprove. When you dispute such threats, they are marked as false positives in the scan results.


17. What do I do if there is information in the scan results that I want to dispute?

If you wish to dispute a finding that caused your scan to fail, you may make an "ignore threat" or "dispute" request. Disputes should be stated concisely, and supporting evidence must be provided.


18. Will the scan affect my Website or POS system?

The scan is designed to be non-intrusive and should not disrupt a Website or POS system. Please contact Howes-IT-Going Support if you believe the scan is impacting your site or systems.


19. What is an IP?

An Internet Protocol (or IP address) is a numerical label that is assigned to devices in a network (like the Internet) so that they can be identified and communicated with.


20. What is a domain?

A domain is a collection of related Web pages, images, videos or other digital pieces that can be addressed using a URL. An example of a URL is www.Howes-IT-Goingpro.com


21. How does an IP address relate to a domain?

The domain name (or "www" URL) corresponds to a specific IP address. The advantage of a domain name is that it is always the same - even if the IP address it points to is dynamic and keeps changing.


22. What is the difference between a static and dynamic IP address?

A static IP address stays permanently assigned to the same computer or device, while a dynamic IP address changes periodically. The type of IP address you have depends on the type of service you have with your Internet Service Provider (ISP). Most IP addresses are dynamic - the number of addresses available is limited and ISPs charge more for a static IP address.


23. How do I find out if my IP address is static or dynamic?

If unsure about whether your IP address is static or dynamic, it is best to contact your Internet Service Provider, and they can inform you of the nature of the connection.


24. What do I do after I achieve a compliant quarterly scan?

Once you achieve a compliant scan, verify that there is a compliant SAQ on file for your account so that you can achieve full PCI Compliance for the quarter. You will also need to attest to your scan results following each passing scan.


25. Why do I need to attest to a passing scan results?

The Payment Card Industry has mandated that each merchant must confirm and validate the scan was run on their network. The whole attestation process can be as simple as signing your name.


26. Why is there a Special Note in my attestation?

A special note will be included in your attestation if a condition has been encountered that could represent a security risk. It is not sufficient to prevent compliance, but warrants your attention.


27. How long does a scan take?

The length of your scan depends on a number of factors, including the number of probes that are concurrently assessing your target, the number of ports open to Internet traffic, and the breadth and depth of your site. An average scan takes approximately 1-6 hours.


28. What does Load Balancer mean?

A load balancer is used in environments where two or more servers are performing the same function (e.g. serving pages for a Website). Load balancers direct traffic among the multiple servers so that each one is working at the same level.


29. What are hidden directories?

Hidden directories can only be accessed by entering their address directly into the browser address bar and cannot be directly accessed by clicking any link(s) on the Website.


30. How do I add additional domains/IP addresses to my scan scope?

If additional domains/IP addresses need to be scanned, contact Howes-IT-Going support so they can add those addresses to your account.


31. Can I modify the scan settings?

The only setting that can be modified is the scan speed.


32. What are the steps needed to achieve a compliant quarterly scan?

To achieve a compliant quarterly scan, a passing scan must be achieved (e.g. a scan with no failing threats of risk rating 3, 4, or 5). Next, you must attest to the scan, and then the ASV must attest to the scan.


33. What happens once my scan is complete?

Once your scan is complete, an email will be sent to the address you provided during the scan set up process.


34. Can I change the frequency of my scans?

If you have specified a domain/Website and/or static IP address as a target, your scan will be set up with the frequency originally specified by you or your ISO/Acquiring Bank. If you wish to change the frequency with which scans are run, please contact Howes-IT-Going Support. If you have a dynamic IP address, scans must be set up with a frequency of "run once," as the address must be updated each time a scan is run to ensure that it is accurate and current.


35. What do I do if my scan results contain failing vulnerabilities?

If your scan results contain failing vulnerabilities, you will need to either remediate (fix) them, or dispute them as false positives.


36. How do I dispute a vulnerability?

To dispute a vulnerability as a false positive, click on the vulnerability page icon within the "Scan Details" area. Please be prepared to provide supporting evidence (e.g. screenshot, log file, etc.) that substantiates your request.


37. If you approve a dispute (false positive) request, will it show up on my next scan?

If you have a compliant scan before a rescan occurs, approved disputes will not display for 90 days. However, if you rescan before you have a compliant scan, and your evidence is still valid, you will need to reapply prior evidence.



Steven C. Howes and Howes-IT-Going are NOT Responsible for Usage or Reproduction of ANY Copyrighted Software Titles.
This Webpage is for Educational and Discussion Purposes ONLY. Terms of use.

Go Back to:
http://Howes-IT-Going.com

This Webpage and Contents Created by Steven C. Howes © Howes-IT-Going 2012-2014 All rights reserved by respective owners.