PCI DSS Requirement 9: Upping Your Physical Security

Is your physical data security strong enough? 

Jen Stone
Security Analyst
Did you know that most theft of equipment containing sensitive data occurs in the middle of the day? That’s because it’s easier to steal data when staff is too busy to notice someone walking out of the office with a phone, laptop, or even a server.

PCI DSS Requirement 9 covers all aspects of physical security. Here are a few tips to make sure your physical security is PCI compliant.

SEE ALSO: 5 Tips to Boost Your Business’s Physical Security

Start an Inventory

You can’t protect cardholder data if you don’t know where it is. Start by creating an inventory of all systems that store, process, transmit or can affect the security of cardholder data. List applications running on these systems, including version number, so you can stay on top of known vulnerabilities. Identify the physical locations of these systems and who should have access to them.

Servers, firewalls, workstations and laptops are easy to remember, but keep in mind other items that need to be physically protected, such as:
  • Wireless access points
  • Network jacks
  • Telecommunication lines
  • External hard drives
  • Backups
  • Paper records
Remember that an inventory is just a snapshot in time. Put in place a method to update the inventory as things change, and track movement of equipment and removable media (such as backups) in and out of your environment.

Restrict and Monitor Access

Once you know what systems you need to protect, put controls in place that restrict access to them, like badge readers and keyed locks. Remember that employee access must be authorized and required for the employee’s job function. When visitors need to enter sensitive areas, make sure they are authorized and always escorted by an employee.

SEE ALSO: Keep Employees on a Need-to-Know Basis: A Look at PCI Requirement 7

It’s important to have a way to identify employees and visitors and tell them apart, such as badges. You also need a way to monitor and log anyone who accesses a sensitive area, such as video cameras and access logs.

Make sure you have a way to remove access when a visitor’s stay ends or an employee is terminated. Ensure that all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

Don’t Store Sensitive Information Out in the Open

Don’t store sensitive information (like payment card data) out in the open. For example, event-planning companies and caterers might use paper forms that contain customers’ credit card information. In these types of businesses, the card is typically charged and the paper order form is destroyed once the event is over.

If your organization collects credit card info in a similar manner, any paper forms should be designed to keep sensitive information separate from the rest of the order info.

POS Devices

If your organization has card-reading POS devices used in card-present transactions (e.g. swipe or dip), the PCI DSS includes specific requirements for protecting them:
  1. Maintain an up-to-date list of all devices, including physical location, serial numbers, and make/model.
  2. Periodically inspect devices to ensure they haven’t been tampered with. Make sure serial numbers match, and check that seals haven’t been broken.
  3. Provide training to help staff conduct good device inspections, detect suspicious activity around payment devices, and know what to do when third parties claim they need to work on the system.
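The three device-protection steps above amount to a reconciliation: compare the maintained device list against what an inspector actually found. The following Python script is an added example (not from the SecurityMetrics post) that does exactly that, flagging serial-number mismatches, broken tamper seals, devices that have moved, devices missing from the inspection round, and terminals that were never on the list. The device records and inspection results are constructed sample data, not real serial numbers.

```python
"""Reconcile a POS device list against a periodic physical inspection.

Added example, not from the SecurityMetrics post. The device list and the
inspection records are constructed sample data, not real serial numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str      # label in the device list
    make_model: str
    serial: str
    location: str


@dataclass(frozen=True)
class Inspection:
    device_id: str
    serial_seen: str    # serial number read off the device during the inspection
    location: str       # where the inspector actually found it
    seal_intact: bool   # tamper-evident seal still in place?


# Constructed device list (step 1 above: location, serial number, make/model).
INVENTORY = {
    "POS-01": Device("POS-01", "ExampleCo T100", "SN-0001", "Register 1"),
    "POS-02": Device("POS-02", "ExampleCo T100", "SN-0002", "Register 2"),
    "POS-03": Device("POS-03", "ExampleCo T100", "SN-0003", "Back office"),
    "POS-04": Device("POS-04", "ExampleCo T100", "SN-0004", "Register 4"),
}

# Constructed inspection round (step 2 above): one device has a different
# serial and a broken seal, one has moved, one is missing, and one terminal
# that was never on the list has appeared.
INSPECTION = [
    Inspection("POS-01", "SN-0001", "Register 1", seal_intact=True),
    Inspection("POS-02", "SN-9999", "Register 2", seal_intact=False),
    Inspection("POS-03", "SN-0003", "Register 3", seal_intact=True),
    Inspection("POS-07", "SN-0777", "Register 4", seal_intact=True),
]


def reconcile(inventory, inspection):
    """Return sorted (device_id, finding) pairs that need follow-up."""
    findings = []
    seen = set()
    for rec in inspection:
        seen.add(rec.device_id)
        expected = inventory.get(rec.device_id)
        if expected is None:
            findings.append((rec.device_id, "not on the device list: unknown device"))
            continue
        if rec.serial_seen != expected.serial:
            findings.append((rec.device_id,
                             f"serial mismatch: expected {expected.serial}, saw {rec.serial_seen}"))
        if not rec.seal_intact:
            findings.append((rec.device_id, "tamper seal broken"))
        if rec.location != expected.location:
            findings.append((rec.device_id,
                             f"moved: listed at {expected.location}, found at {rec.location}"))
    for device_id in inventory.keys() - seen:
        findings.append((device_id, "not found during inspection"))
    return sorted(findings)


if __name__ == "__main__":
    for device_id, finding in reconcile(INVENTORY, INSPECTION):
        print(f"{device_id}: {finding}")
```

Every finding maps to something the staff training in step 3 should cover: an unknown terminal or a serial that no longer matches is the classic sign of a swapped device, and a broken seal or an unexplained move is a reason to take the device out of service until it has been checked.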
SEE ALSO: This Video will help you better understand PCI Requirement 9 & Physical Data Security.

Securely Dispose of Data

The best way to keep cardholder data secure is not to retain it any longer than is strictly necessary. Create a retention schedule, and review it regularly so that media containing cardholder data is securely destroyed as soon as it is no longer needed.
SEE ALSO: How to Permanently Delete Files with Sensitive Data

Pro Tips! Here are some additional tips to follow for physical security:
  • Keep doors to secure areas closed and locked
  • Store mobile devices in secure areas when not in use
  • Use screensavers and privacy monitors on computers
  • Install and use blinds in office windows
  • Include physical security in your security awareness program
Need help with PCI compliance? Talk to us!

2017 Guide to PCI DSS Compliance

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 
SSL to TLS v1.2: Tips for Migration

Make sure you update your encryption to the latest software by next year

By: Michael Simpson
Security Analyst
Are you still using SSL encryption or TLS v1.0? If so, you’re putting your business at greater risk.

The PCI SSC now requires that all businesses be migrated from SSL and older versions of TLS to the new version of TLS (TLS v1.2) by June 30, 2018.

Here are some things you should know about the SSL to TLS migration.

What is TLS Security? What is SSL? 

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols used to establish a secure communications channel between two systems. Basically, SSL and TLS encrypt information sent between web browsers and web servers, providing a protected path for that data.

Why migrate? 

Besides the new mandate, operating under SSL isn’t secure anymore. There are several exploits that hackers have taken advantage of to steal data and install malware. If you don’t move to the latest encryption, your business could be in danger of losing sensitive data.

Since the release of SSL v3, unfixable vulnerabilities have been identified in it. You may have heard of some of these vulnerabilities in 2014, including FREAK, POODLE, and WinShock. A more recent vulnerability, DROWN, showed the growing need to migrate to more secure encryption protocols.

Migrating to the most secure version of TLS protects your business, your clients, and you. It’s more than just avoiding a compliance fine; it’s a matter of protecting valuable data.

How do I migrate?

The PCI Council offers great guidance on migrating from SSL and early TLS, as well as examples and recommendations on how to deal with this requirement in their Migrating from SSL and Early TLS information supplement.
If you have existing implementations of SSL or early TLS that you don’t need for regular business operations, immediately remove or discontinue all instances of SSL and TLS 1.0. Do not adopt any new technologies that use these insecure transmission encryption protocols. It is highly recommended to configure systems to use version 1.2 of TLS and disable fallback to SSL or early TLS versions.

If you need to continue using SSL or early versions of TLS to continue regular business operations, here are some examples of what you can do: 

  • Encrypt data with strong cryptography before sending over SSL/early TLS (for example, use field-level or application-level encryption to encrypt the data prior to transmission)
  • Set up a strongly-encrypted session first (e.g. IPsec tunnel), then send data over SSL within the secure tunnel
  • Check firewall configurations to see if SSL can be blocked
  • Check all application and system patches are up to date
  • Check and monitor systems to identify suspicious activity that may indicate a security issue
Remember that by June 30, 2018, all merchants must be migrated completely from SSL to the latest version of TLS. Service providers have been required to support secure TLS connections since June 30, 2016.
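The "configure systems to use version 1.2 of TLS and disable fallback" advice above usually comes down to one directive per web server. The following Python script is an added example (not from the post or from the PCI SSC supplement) that lints such directives: it works out which protocol versions an nginx `ssl_protocols` or Apache `SSLProtocol` line leaves enabled and reports any that fall short of TLS 1.2. The Apache `all` expansion, the hardened directives, and the weak sample lines are assumptions constructed for the example.

```python
"""Lint web-server TLS protocol directives against the rule above: TLS 1.2
(or later) only, with no fallback to SSL or early TLS.

Added example, not from the post or the PCI SSC supplement. It reads two
directive syntaxes: nginx 'ssl_protocols' (an explicit allow-list) and Apache
'SSLProtocol' (the keyword 'all' with +/- modifiers). The sample directives
below are constructed.
"""
import shlex

# Order used for reporting; 'all' in Apache means everything except SSLv2.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}   # TLS 1.2 or higher

# Directives that satisfy the rule, one per server (assumed, not from the post).
HARDENED = {
    "nginx": "ssl_protocols TLSv1.2 TLSv1.3;",
    "apache": "SSLProtocol -all +TLSv1.2 +TLSv1.3",
}


def enabled_protocols(directive):
    """Return the set of protocol versions a single directive leaves enabled."""
    tokens = shlex.split(directive.strip().rstrip(";"))
    if not tokens:
        raise ValueError("empty directive")
    name, args = tokens[0], tokens[1:]
    if name == "ssl_protocols":                 # nginx: the list is the allow-list
        return set(args)
    if name.lower() == "sslprotocol":           # apache: evaluate left to right
        enabled = set()
        for arg in args:
            op, proto = (arg[0], arg[1:]) if arg[0] in "+-" else ("=", arg)
            protos = APACHE_ALL if proto.lower() == "all" else {proto}
            if op == "+":
                enabled |= protos
            elif op == "-":
                enabled -= protos
            else:                               # a bare name replaces the set
                enabled = set(protos)
        return enabled
    raise ValueError(f"unrecognised directive: {name}")


def findings(directive):
    """Protocols enabled by the directive that fail the TLS 1.2+ rule, in report order."""
    weak = enabled_protocols(directive) - ACCEPTABLE
    return sorted(weak, key=lambda p: KNOWN.index(p) if p in KNOWN else len(KNOWN))


# Constructed examples of the weak settings a migration review would turn up.
WEAK_EXAMPLES = [
    "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
    "SSLProtocol all -SSLv3",
]

if __name__ == "__main__":
    for d in WEAK_EXAMPLES + list(HARDENED.values()):
        print(f"{d!r}: {findings(d) or 'OK'}")
```

The second weak example is the one that catches people out: `SSLProtocol all -SSLv3` looks like it disables the broken protocol, but `all` still leaves TLS 1.0 and 1.1 enabled, so the server can still fall back to early TLS. Linting the configuration is a starting point; confirm the result by scanning the live service, since a directive in one virtual host does not tell you what the others negotiate.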

Further tips to protect your card data online

Here are a few other actions you may want to take to make sure your sensitive data is secure:
  • Make sure code is secure: review any code your organization has created to make sure there are no vulnerabilities
  • Encrypt where needed: Make sure sensitive information is properly encrypted
  • Use unique credentials: having employees using the same credentials makes it that much easier for hackers to gain access to your CDE
  • Get a penetration test: a pen test is a great way to find holes in your security. To fight a hacker, you need to think like one
  • Work with an expert: If you’re not sure about some elements of security, or whether you’ve migrated to TLS v1.2, talking to a Qualified Security Assessor would be a good move
Talk to us about data security!

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration. 

SAQ D: The Basics of Protecting Card Data for Merchants


Learn what merchants must do to fill out SAQ D

By: Michael Simpson
Principal Security Analyst
Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) D is the longest SAQ mostly because it deals with securing electronic card data that businesses process, store, and transmit. It’s vital that businesses secure this data, which is why the process for filling out this SAQ is fairly extensive.
Here are some things merchants should know about SAQ D.

Who qualifies for SAQ D?  

SAQ D applies to merchants who don’t meet the criteria for any other SAQ type. This SAQ handles merchants who store card data electronically and do not use a P2PE certified POS system. Some examples include:
  • E-commerce merchants who accept cardholder data on their website
  • Merchants with electronic storage of cardholder data
  • Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
  • Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment 

What requirements does the SAQ cover? 

Similar to SAQ C, SAQ D covers all 12 of the PCI DSS requirements as follows:
  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data 
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel
Keep in mind that while many organizations completing SAQ D will need to be compliant with each requirement, some organizations with very specific business models may find that some requirements do not apply. Examples include:
  • Questions specific to securing wireless technologies only need to be answered if wireless is present anywhere in your network. (Requirements 1.2.3, 2.1.1, and 4.1.1)
  • Questions specific to application development and secure coding only should be answered if your organization develops its own applications. (Requirements 6.3 and 6.5)
  • Questions for Requirements 9.1.1 and 9.3 should be answered for facilities that have any area that houses systems that store, process, or transmit cardholder data. 

What questions will I be answering? 

Here are some sample questions you will be answering. Remember that these are only a few of many.
  • Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?
  • Are default passwords/passphrases on access points changed at installation?
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? 
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? 
  • Is anti-virus software deployed on all systems commonly affected by malicious software?
  • Is information security included throughout the software development life cycle?
  • Is the access control system(s) in place on all system components?
  • Are inactive user accounts either removed or disabled within 90 days?
  • Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
  • Is viewing of audit trails limited to those with a job-related need?
  • Are quarterly external vulnerability scans performed?
  • Do security policy and procedures clearly define information security responsibilities for all personnel?

Additional tips

Here are some things you should consider when getting compliant with SAQ D:
  • Track your card data: make sure you know where your card data comes in and out of your business environment
  • Document policies: the more you document your policies and procedures, the more organized your business’s security will be
  • Consider a PCI audit: if you’re not sure you’re compliant, an audit can help you see where you’re lacking in security
  • Train employees: it's crucial that your employees are properly trained on security policies and procedures. 
Need help with PCI compliance? Talk to us!

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration. 

The Beginner’s Guide to Combat Phishing

Learn how phishers target employees and how to spot a scam. 

By: George Mateaki
Security Analyst
Social engineering isn’t always done in person; sometimes all it takes is for a single malware-infected email to cause havoc on a business’s entire network. That’s why phishing attacks are often so effective.

Here are a few things you should know about these types of attacks.

What is phishing? 

Phishing refers to a type of social engineering that happens primarily through emails. Hackers will send emails that often have links to malware.

The reason phishing is effective is that it targets a big weakness in security: people. The best firewall in the world can’t help against an employee clicking on a malware-loaded email. Once one computer gets infected, if that computer is connected to the business’s network, the malware can spread throughout the entire network. It becomes even more dangerous when it spreads to computers with sensitive data.

For some businesses, all it takes is one infected computer to bring down an entire network.

SEE ALSO: Fighting Phishing Email Scams: What You Should Know

Common phishing tactics

So how do phishers target your employees? A few common phishing tactics your employees should watch out for include:
  • Impersonation: a phisher may impersonate a higher-up, asking an employee for sensitive information/credentials, or ask the employee to wire money 
  • Contest winner: If you get an email claiming you won something you never even entered, it’s highly likely the email is a phishing scam 
  • The victim: This type of phishing email acts as an angry customer who supposedly sent you money in return for a shipped product. The email concludes with the threat that they will inform the authorities if they don’t hear from you
  • False bank notification: This ploy tricks you with a fake account notification, stating that an amount has been withdrawn from your account that exceeds your notification limit. It often gives you a convenient link that leads to a web form asking for your bank account number “for verification purposes”
SEE ALSO: Top 10 Types of Phishing Emails

How to spot a phishing email

So, you’ve received an email that seems a little strange. How do you know if it’s a phishing scam? Here are a few questions to ask.

When was it sent?

Was it scheduled at a random time, such as 3 in the morning? Did you receive the email during business hours?

Do you know the sender?
If you’ve never heard of the sender or had any previous contact with them, it could be an indication of a scam, especially if they claim to know you.

Are the URLs slightly different?
Some phishers register domains that mimic larger, more established organizations. For example, by adding an extra number (as in www.2target.com or www.bestbuy1.com), they may trick a busy user into clicking a malicious link.

Does the content not match the subject?
This is a big red flag. If the subject line doesn’t match the content in the email, it’s a good indicator that the email might be a scam.

How is the grammar/spelling?
Does the email appear to have really bad grammar? Are many words misspelled? These could be indications of a scam.

As a basic rule of thumb, if something seems weird about an email, do not click on the link it offers or download anything. It’s better to be cautious than to risk infecting your entire business network.
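The questions above can be turned into automated red flags on the mail gateway, which is how most organizations back up the human check. The following Python script is an added example (not from the post): it parses a message and reports an off-hours send time, an unknown sender, look-alike domains built by inserting digits into a known brand name, and a subject line that shares no words with the body. The brand list, the business-hours window, the known-sender list and both sample messages are constructed assumptions; the spelling-and-grammar question is left to the reader, since it needs a language model or a dictionary rather than a few lines of code.

```python
"""Score an incoming email against the checklist questions above.

Added example, not from the post. The brand list, business-hours window,
known-sender list and sample messages are constructed; a real deployment
would feed the checks from the mail gateway and tune the thresholds.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

KNOWN_BRANDS = {"target", "bestbuy"}           # constructed allow-list of genuine brand labels
KNOWN_SENDERS = {"jane@partner-example.com"}   # constructed list of prior contacts
BUSINESS_HOURS = range(8, 18)                  # 08:00-17:59 in the header's own time zone (assumption)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def lookalike_brand(host):
    """Return the brand a host imitates by inserting digits, or None.

    www.2target.com -> 'target'; www.target.com -> None (it is the brand itself).
    """
    labels = host.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label
    if label in KNOWN_BRANDS:
        return None
    stripped = re.sub(r"\d", "", label)
    return stripped if stripped != label and stripped in KNOWN_BRANDS else None


def phishing_indicators(raw_message, known_senders=KNOWN_SENDERS):
    """Return the list of red flags found in one RFC 822 message (empty = none found)."""
    msg = message_from_string(raw_message)
    flags = []
    # When was it sent?
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent is not None and sent.hour not in BUSINESS_HOURS:
        flags.append(f"sent outside business hours ({sent:%H:%M})")
    # Do you know the sender?
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        flags.append(f"unknown sender {sender}")
    # Are the URLs slightly different?
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for host in URL_RE.findall(body):
        brand = lookalike_brand(host)
        if brand:
            flags.append(f"look-alike domain {host} imitates {brand}")
    # Does the content not match the subject?  (crude: no subject word of 4+ letters appears in the body)
    subject_words = set(re.findall(r"[a-z]{4,}", (msg["Subject"] or "").lower()))
    if subject_words and not any(w in body.lower() for w in subject_words):
        flags.append("subject does not match body")
    return flags


# Constructed sample messages: one that trips every check, one that trips none.
SAMPLE_PHISH = """\
From: "Store Support" <support@2target.com>
To: employee@example.com
Subject: Invoice overdue
Date: Tue, 14 Mar 2017 03:12:00 -0600

Congratulation! You have won a prize. Click http://www.2target.com/claim to collect.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane@partner-example.com>
To: employee@example.com
Subject: Meeting notes from Tuesday
Date: Tue, 14 Mar 2017 10:05:00 -0600

Hi, attached are the meeting notes from Tuesday. The item is at http://www.target.com if you need it.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

None of these checks is conclusive on its own: a colleague in another time zone sends at 3 a.m., and a new customer is an unknown sender. The value is in the combination, which is why the script returns every flag rather than a single verdict, and why the rule of thumb above (when in doubt, don't click) still applies to the reader of the report.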

If you see a phishing email, take the following steps:
  • Don’t click on any links or open attachments
  • Don’t try to reply to the sender
  • Report the scam (forward the email to FTC-spam@uce.gov)
  • Delete the email from your computer
  • If you do business with a company mentioned in the email, you may want to call them and ask if they would like you to forward the email to them, so they may take further action

Tips for avoiding phishing scams

What can you do to combat phishing scams? Here are a few things to do to help you and your employees be ready.
  • Train employees: Do quarterly training meetings on avoiding and combatting phishing. Send daily reminders to employees to keep those tactics fresh in their mind
  • Test employees: Send out a “phishing” email to see how employees react. Hire an ethical social engineer to test employees on their training
  • Segment networks: keeping your card data environment separate from other networks is a good way to avoid potential breaches. This prevents your entire network from being vulnerable to malware should one employee fall victim
  • Use unique usernames and passwords: If your employees all share credentials, all a hacker has to do is gain access to one employee’s credentials to cause damage to your business
Need help with data security? Talk to one of our consultants!

PCI Requirement 8: Combatting Weak Passwords and Usernames


What do you need to do to be compliant with Requirement 8? 

By: Jen Stone
When was the last time you changed your password on your computer? A few months? A few years?

You’re not alone. For many people, and businesses, not changing and sharing passwords is a fairly common practice.

But to be compliant with PCI Requirement 8 and secure your business’s data, you need to have proper password and username management.

Here are a few things you should do.

Use unique usernames and passwords

It’s important to use different passwords for different services. This way, if one service is compromised, your credentials can’t be used to access information from other services.

From a business perspective, merchants must implement unique usernames. When people share usernames, they also share passwords, which means the credentials are no longer secret, making shared accounts much more vulnerable to social engineering attacks. On top of this, businesses can’t identify exactly who performed a specific action in their systems when a pool of people share a single set of credentials.

Set lockout rules

PCI requires accounts to be locked after six consecutive failed login attempts. Accounts must stay locked for thirty minutes, or until a system administrator resets the account. This helps prevent several kinds of brute-force attacks. If an attacker only has six chances to guess the correct password, their attempts will likely fail. Once locked out, they will move on to an easier target.

SEE ALSO: 5 Tips to Boost Your Business’s Physical Security

Use complex passwords

If a password isn’t sufficiently complex, it’s much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering multiple passwords (via an automated tool entering thousands of passwords within a matter of seconds) until one works.

The PCI standard requires you to change passwords at least once every 90 days, and requires passwords to be at least 7 characters long and to include both upper- and lower-case letters. Other standards recommend requiring longer passwords and adding numbers and special characters. Passwords that fall short of these criteria can easily be broken using a password-cracking tool.

In practice, the longer the password and more character formats, the more difficult it will be for an attacker to crack a password.

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

Create passphrases

Short passwords are easy to crack, even when they include numbers and special characters, so security professionals recommend much longer passwords than many people are in the habit of using. This means turning to phrases, instead of words.

You should use phrases to help you remember what your password is. For example, the phrase “I like eating 3 oranges in the morning while sun tanning” can be turned into “Ile3oItMwST!”. Your passwords should never contain words found in the dictionary.
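The lockout, complexity and passphrase rules from the last three sections are easy to get subtly wrong in code (for example, resetting the failure counter on a failed attempt, or locking forever). The following Python script is an added example (not from the post) that implements them with the thresholds the text states: six consecutive failures, a thirty-minute lock or an administrator reset, a 90-day password age, a 7-character minimum with mixed case, and a dictionary-word check. The clock is passed in so the lockout can be exercised without waiting, the tiny word list is a constructed stand-in for a real dictionary, and the plaintext comparison is a simplification noted in the code.

```python
"""Enforce the Requirement 8 rules discussed above: per-person accounts with
lockout after six consecutive failures, a 30-minute lock (or admin reset), a
90-day password age, and a minimum complexity/passphrase check.

Added example, not from the post. Thresholds are the ones stated in the text;
the clock is injected so the lockout logic can be tested without waiting, and
the word list is a constructed stand-in for a real dictionary.
"""
from datetime import datetime, timedelta

MAX_FAILURES = 6
LOCKOUT = timedelta(minutes=30)
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 7
DICTIONARY = {"orange", "password", "summer"}   # constructed stand-in for a real word list


def password_findings(candidate):
    """Return the policy rules a candidate password fails (empty means it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate) or not any(c.islower() for c in candidate):
        problems.append("needs both upper- and lower-case letters")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


class Account:
    """One person's own credentials; never shared between people."""

    def __init__(self, username, password, now):
        self.username = username
        self._password = password        # simplification: a real system stores a salted, slow hash
        self.password_set_at = now
        self.failures = 0                # consecutive failures since the last success
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def password_expired(self, now):
        return now - self.password_set_at > MAX_PASSWORD_AGE

    def login(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'bad-password'."""
        if self.is_locked(now):
            return "locked"              # do not even evaluate the password while locked
        if password != self._password:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT   # sixth strike: 30 minutes or admin reset
            return "locked" if self.is_locked(now) else "bad-password"
        self.failures = 0                # a success clears the counter
        self.locked_until = None
        return "expired" if self.password_expired(now) else "ok"

    def admin_reset(self):
        """A system administrator clearing the lock before the 30 minutes elapse."""
        self.failures = 0
        self.locked_until = None


if __name__ == "__main__":
    t0 = datetime(2017, 6, 1, 9, 0)
    acct = Account("jstone", "Ile3oItMwST!", t0)
    for _ in range(MAX_FAILURES):
        print(acct.login("guess", t0))                          # 5 x bad-password, then locked
    print(acct.login("Ile3oItMwST!", t0 + timedelta(minutes=31)))   # ok once the lock expires
    print(password_findings("orange1"))
```

Two details matter for the brute-force argument in the lockout section: the counter only resets on a successful login, so an attacker cannot "refresh" their six attempts by pausing, and a locked account rejects the request before the password is compared, so the lock cannot be used as an oracle for whether a guess was correct.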

Implement multi-factor authentication

System security should not be based solely on the complexity of a single password. No password should be considered uncrackable. That’s why implementing multi-factor authentication is an important part of securing remote access, and it’s a requirement under PCI DSS.

Configuring multi-factor authentication requires at least two of the following three factors:
  • Something only you know (e.g., a username and password, PIN)
  • Something only you have (e.g., hardware token, smartcard)
  • Something only you are (e.g., fingerprint, ocular scan)

Examples of effective multi-factor authentication for remote access include:
  • The remote user enters their username and password, and then must enter a one-time password (OTP) sent to them on their smartphone.
  • The remote user enters their username and password, and then must use a unique dynamic number found on an RSA SecurID token.

SEE ALSO: New Multi-Factor Authentication Clarification and Supplement: The Principles You Should Know

Your authentication mechanisms should be independent of each other (e.g., physically separated), so that access to one factor does not grant access to another. That way, if one factor is compromised, the integrity and confidentiality of the other factors are unaffected.
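The "one-time password on a smartphone" and "dynamic number on a token" examples above are both instances of a time-based one-time password, and the independence point is about where the two secrets live. The following Python script is an added example (not from the post) implementing TOTP per RFC 6238 over HOTP per RFC 4226 with the standard library, then checking both factors for a remote login. The user table, the password hash and the OTP secret are constructed; the OTP secret is the RFC 6238 test-vector secret, so the expected codes can be checked against the RFC. Storing password hashes and OTP secrets in separate stores is the independence requirement in code form: compromising the password database yields nothing that generates a valid code.

```python
"""A second factor for remote access: a time-based one-time password (TOTP,
RFC 6238) checked independently of the username/password.

Added example, not from the post. The user table and the shared secret are
constructed; a real deployment provisions a per-user secret to the phone app
or hardware token and keeps it in a store separate from the password database,
so that compromise of one factor does not expose the other.
"""
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per code
DIGITS = 8         # RFC 6238 test vectors use 8 digits; many phone apps use 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HMAC-based one-time password for an integer counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP, digits=DIGITS):
    """TOTP = HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1):
    """Accept the current code or one step either side to tolerate clock drift."""
    counter = int(at_time) // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed user table. Password hashes and OTP secrets are separate stores
# on purpose (the independence point above). SHA-256 here is an example only;
# use a slow, salted password hash in practice.
PASSWORDS = {"remote_user": hashlib.sha256(b"Ile3oItMwST!").hexdigest()}
OTP_SECRETS = {"remote_user": b"12345678901234567890"}   # RFC 6238 test-vector secret


def remote_login(username, password, code, at_time=None):
    """Both factors must pass; the result does not reveal which one failed."""
    at_time = time.time() if at_time is None else at_time
    pw_ok = hmac.compare_digest(PASSWORDS.get(username, ""),
                                hashlib.sha256(password.encode()).hexdigest())
    secret = OTP_SECRETS.get(username, b"")
    otp_ok = bool(secret) and verify_totp(secret, code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(OTP_SECRETS["remote_user"], now))
    print("login:", remote_login("remote_user", "Ile3oItMwST!",
                                 totp(OTP_SECRETS["remote_user"], now), now))
```

The login function evaluates both factors before returning a single yes/no, so a wrong password and a wrong code look identical to the caller; combining that with the lockout rules from the earlier section keeps an attacker from working on one factor at a time.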

Need help getting PCI compliant? Talk to us! 

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.