Learn how to protect stored and transmitted card data. 

By: George Mateaki
Security Analyst
CISSP, QSA
What do you do with your card data once you receive it? How is it transmitted to other areas? Are you securing these areas?

These are all questions that can be related to PCI Requirement 4.

This requirement covers secure data transmission, especially when doing it over open and public networks. Businesses should be aware of how their card data is transmitted and through which networks.
Here are some things to keep in mind when fulfilling PCI Requirement 4.
Tweet: Here are some things to keep in mind when fulfilling #PCIDSS Requirement 4. http://ow.ly/2JEL309UAPaTweet

Keep track of your PAN

You need to identify where you send cardholder data. Information like Primary Account Numbers (PAN) and magnetic stripe data should be stored securely and encrypted. Some common places PAN is sent include:
  • Processors
  • Backup servers
  • Third parties that store/handle PAN
  • Outsourced management of systems
  • Corporate offices
SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)

Stop using SSL/TLS where possible

The PCI SSC released a policy that states you should transition from SSL to early TLS to secure versions of TLS by June 30, 2018.

If your business is using SSL/TLS, you should stop and update as soon as possible. These latest versions of web coding have several vulnerabilities. You should contact your terminal providers, gateways, service providers, and acquiring bank to see if the applications and devices you use have this encryption protocol. Applications that use SSL/TLS may include:
  • Virtual payment terminals
  • Back-office servers
  • Web/application servers
Follow for more data security articles like this
If you need to keep using SSL/TLS, here are a few tips to protect your data:
  • Upgrade to a current, secure version of TLS configured not to accept fallback to SSL or early TLS 

  • Encrypt data with strong cryptography before sending over SSL/early TLS (i.e., use field-level or application-level encryption to encrypt data prior to transmission) 

  • Set up a strongly-encrypted session first (e.g., IPsec tunnel), then send data over SSL within the secure tunnel 

  • Check firewall configurations to see if SSL can be blocked 

  • Check that all application and system patches are up-to-date 

  • Check and monitor systems to ID suspicious activity that may indicate a security issue 

If you have existing implementations of SSL and early TLS, you need to have a Risk Mitigation and Migration Plan in place. This document will help you detail your plans for migrating to a secure protocol and the controls you have in place to reduce the risk.

SEE ALSO: DROWN Attack and SSL: What You Need to Know

Additional tips

Here are a few other things to consider when fulfilling Requirement 4:
  • Secure wireless network: make sure not just anyone can get into your wireless and make sure all endpoints are secure
  • Update keys and certificates: make sure your security certificates are up to date and your encryption keys are also properly protected
  • Work with your service providers: you want to ensure they are also following proper procedures to make sure your data is safe
  • Train employees: make sure your employees are aware of what should be updated and what types of web encryption shouldn’t be used anymore
It’s important to keep your data safe while your storing and transmitting it. Make sure your web encryption is updated and all possible vulnerabilities are mitigated is one way to ensure data protection.

Need help getting PCI compliant? Let’s see how you’re doing so far!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

Tuesday, March 14, 2017