PCI DSS Essential Guide

Essential Guide to PCI DSS by Information Security September 2009


INFORMATION SECURITY
INFOSECURITYMAG.COM

ESSENTIAL GUIDE TO PCI DSS

INSIDE

5 Avoiding Audit Trouble: Getting PCI Compliant
13 PCI DSS 1.2 Answers Questions and Raises Others
17 Wireless Encryption in the Wake of PCI DSS 1.2
21 Is Tokenization the Cure-all for PCI Compliance?
25 PCI, Virtualization and Cloud Computing
30 Compliance Recycling
34 PCI Issues Priority Tool for Compliance

We’ll explain the new changes in Version 1.2 and how the standard will tackle emerging technologies such as cloud computing and virtualization.

CONTENTS

INFORMATION SECURITY • ESSENTIAL GUIDE • PCI DSS 1

FEATURES

5 Avoiding Audit Trouble: Getting PCI Compliant
COMPLIANCE Having trouble with PCI compliance? You’re not alone. Auditors and audit survivors offer tips for how to achieve it. BY DIANA KELLEY

13 PCI DSS 1.2 Answers Questions and Raises Others
CHANGES The latest version of the standard provides clarity on wireless and Web application requirements. BY DIANA KELLEY

17 Wireless Encryption in the Wake of PCI DSS 1.2
FROM WEP TO WPA Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010. BY MIKE CHAPPLE

21 Is Tokenization the Cure-all for PCI Compliance?
EMERGING TECHNOLOGIES The technology attempts to replace cardholder data with a token instead of a PAN. BY ED MOYLE

25 PCI, Virtualization and Cloud Computing
ENFORCEMENT Compliance guidelines on virtualization will likely be in a state of flux for some time. BY MICHAEL COBB

30 Compliance Recycling
BEST PRACTICES How to combine compliance efforts to manage PCI DSS. BY DIANA KELLEY

34 PCI Issues Priority Tool for Compliance
LATEST NEWS The PCI Prioritized Approach framework creates a series of milestones for companies working on PCI compliance. BY ROBERT WESTERVELT

39 Advertising Index



EDITOR’S DESK

The regulation that keeps on giving
BY KELLEY DAMORE

PCI DSS HAS BEEN HAILED by many as the clearest regulation/industry standard to follow. It’s prescriptive in nature and relatively straightforward. There are 12 requirements that must be adhered to, and the requirements are typically associated with a particular security technology, so you know what you have to do to become compliant and secure.

Or do you? Many organizations that were PCI compliant, notably Heartland Payment Systems, announced massive data breaches this year that call into question the security controls that PCI requires. Some organizations overuse compensating controls or outline the compensating control but never get back to fixing the issues. The sad truth is it comes down to this: on that particular day when the Qualified Security Assessor signed off on the audit, organization X was compliant.

To make matters worse, because this is a standard, not a regulation set into law, it is far more fluid. Changes can and will occur with the standard. It really isn’t ever done. For example, late last year the PCI Council weighed in on securing wireless communications and Web applications. These are new additions to the standard that companies must adhere to even if they met all the other requirements previously. And if the organization is a large merchant, it needs to be assessed by an outside QSA every year. Smaller companies need to do self-assessments.

But it is not all doom and gloom. On the bright side, the PCI Council is a living and breathing entity, and it requests feedback on the standard and areas of ambiguity. For instance, it is pulling together experts and a working group to talk about how to secure some of the emerging technologies in the market, including virtualization and cloud computing. Its executives answer questions and listen to feedback. And because of the fines associated with PCI, this standard is taken seriously and can be a strong argument for budget in difficult and tight times.

In this Essential Guide to PCI, we aim to outline what you need to know right now. We drill down into the new requirements in PCI DSS 1.2, offer suggestions on how to pass an audit, and discuss what to consider when it comes to PCI and securing virtualized machines and cloud services.

We hope this Essential Guide to PCI is prescriptive and straightforward, and we promise we won’t be changing it or issuing any fines.

Kelley Damore is the Editorial Director of Information Security and TechTarget’s Security Media Group. Send your comments on this column to [email protected].

TABLE OF CONTENTS: Editor’s Desk | Getting PCI Compliant | PCI DSS 1.2 | Wireless Requirements | Tokenization | PCI and Virtualization | Integrating PCI into Compliance Programs | A New Priority Tool for PCI | Sponsor Resources


COMPLIANCE

AVOIDING AUDIT TROUBLE: Getting PCI Compliant
BY DIANA KELLEY

Having trouble with PCI compliance? You’re not alone. Auditors and audit survivors offer tips for how to achieve it.

BY ALL ACCOUNTS, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is on the upswing. And media reports indicate the standard is gaining ground in the European Union, where many countries—the U.K. in particular—are stepping up compliance efforts.

Yet successful PCI Report on Compliance (RoC) completion remains a confusing venture and elusive to many. Some of the confusion stems from the convoluted path of accountability. Although the PCI DSS is often touted as a one-stop standard, each of the five major card brands continues to maintain separate compliance programs. Some brands have announced heavy noncompliance fees in the form of penalties and higher transaction rates, but it is the acquiring banks that decide when and how to pass on these fees to their retail and merchant customers. And despite the prescriptive nature of PCI, the standard changes when updates are issued, and Qualified Security Assessors (QSAs) have room to interpret the standard. It’s not uncommon for a QSA’s interpretation of the standard to differ from that of the company under review.

Still, while PCI DSS compliance may not always be easy, it’s definitely achievable.

KNOW WHO’S WHO

The first step to tackling PCI DSS compliance is to understand who’s who in the PCI accountability chain; an organization may be surprised to learn who actually does what. The five card brands that constitute the payment card industry are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. Each brand had its compliance program before PCI DSS, and each continues to maintain those programs and exert final decision control over compliance. However, all of the PCI brands have agreed to use the PCI DSS as a baseline for compliance evaluation to simplify the process for members.

In December 2004, the card brands issued the first version (1.0) of the Data Security Standard. The standard is not intended to replace the individual brand compliance programs; rather, it is meant to be a single set of guidelines for entities that store, process or transact credit card data. The assumption is that if an organization receives a successful PCI DSS RoC, it’s compliant with any of the card brand programs.

PA DSS

App Lockdown
NEW STANDARD FOCUSES ON COMMERCIAL PAYMENT APPLICATIONS.

RELEASED IN APRIL 2008, the first version of the Payment Application Data Security Standard outlines requirements that payment applications, such as point-of-sale systems, must adhere to. For those familiar with Visa’s Payment Application Best Practices (PABP) program, which provides guidance on how to create payment applications that protect cardholder data in accordance with the PCI DSS, there won’t be many surprises in the PA DSS.

The majority of changes were renumbering and wording clarifications. However, some notable enhancements have been added, such as listing code-analysis tools as an alternative option for testing.

Compliance with the PA DSS applies to COTS payment applications that are sold to more than one customer and don’t receive significant customization. At this point, the payment card brands still hold final determination on whether the PA DSS is mandatory for all payment applications. However, Visa has announced a phased PA DSS compliance program that will require its merchants and processors to use only PABP-compliant applications.

Single-customer payment applications and applications developed in-house aren’t subject to the PA DSS, though they must meet the PCI DSS. The wealth of information in the PA DSS can help any team develop more secure payment applications, even if those applications aren’t required to be PA DSS compliant.

—DIANA KELLEY


So that there would be one central point of contact for PCI DSS matters, the five brands formed the PCI Security Standards Council (PCI SSC) in September 2006. The council is led by a five-member executive committee (one from each brand) and owns the official document repository for all things PCI DSS. This includes the standard, as well as collateral such as the self-assessment questionnaire, audit procedures, and since April, the Payment Application Data Security Standard (PA DSS) (see “App Lockdown,” p. 6). The council also maintains governance over training and approval for QSAs and Approved Scanning Vendors (ASVs).

Something many retailers find confusing is that the council is not responsible for compliance or decisions relating to compliance. The council has no control over fees or penalties issued to retailers or processors, nor does it have any involvement in the service-level agreements between the card brands, the banks and their members. That’s why David Hogan, CIO of the National Retail Federation, was shooting at the wrong target when he asked the council for changes in primary account number (PAN) storage requirements.

The PCI DSS is the standard on how to protect PANs if they’re stored, but doesn’t address whether they need to be stored in the first place. That’s between the retailers/merchants, acquiring banks and card brands.

Organizations that need to validate PCI DSS compliance, such as Level 1 merchants with more than 6 million Visa or MasterCard transactions annually, work with QSAs for validation. Prescriptive though the PCI DSS is, there’s still room for disagreement on specific controls and their implementation. For example, one end user reports that for requirement 3.4 (render the PAN unreadable), his QSA refused to validate solutions that were not FIPS 140-2 certified. Though this federal certification provides a much higher level of assurance from a data protection standpoint, it is not specifically required for compliance by the PCI DSS Security Audit Procedures.

ACCOUNTABILITY

Chain Reaction
Here’s a guide for understanding who’s who in the PCI chain of accountability. You may be surprised to learn who actually does what.

WHO: Card brands
WHAT: American Express, Discover, JCB, MasterCard, Visa
WHY: Individual compliance programs; service level agreements with banks, retailers/merchants and processors; brand reputation

WHO: PCI Security Standards Council
WHAT: Independent organization led by the card brands with participation from member organizations and advisers
WHY: Maintain the PCI DSS, PCI PED (PIN Entry Device), PA DSS and associated content; oversight and governance of QSA and ASV training and approval process

WHO: Issuing banks
WHAT: Banks that issue credit cards to consumers
WHY: Issuing consumer credit cards

WHO: Acquiring banks
WHAT: Banks that enable merchants, retailers and processors to accept and process credit card payments
WHY: Governance to ensure members are PCI compliant; fees and penalties for failure to comply

WHO: Merchants/retailers and processors
WHAT: Entities that store, process or transact credit card data
WHY: Complying with the PCI DSS; validating compliance if Level 1

WHO: Qualified Security Assessors
WHAT: Auditors that are approved to issue RoCs
WHY: On-site assessment of compliance to PCI DSS; interpretation of PCI DSS

WHO: Approved Scanning Vendors
WHAT: Vendors that have been approved to perform PCI DSS compliance scanning
WHY: External scans; issuing reports on scan findings

In cases like this, it may seem that the council is a good place to turn for answers, but it’s not. The council has QSA feedback forms that companies are encouraged to fill out after audits, but these are used to determine if the QSA is performing audits properly. Finding a company out of compliance for not using FIPS 140-2 certified products is an interpretation issue. And sometimes even QSAs feel a little lost when looking for guidance. William Lynch, a manager and QSA at IT consulting firm CTG, says he’s tried to go to the card brands and the council for help with interpretation: “They’re generally very reluctant to provide specifics, and their responses can be somewhat slow. If I have an interpretation question, I usually discuss it with other QSAs first and contact the council as a last resort” (see “Chain Reaction,” p. 7).

GET TO KNOW THE QSA

As the person who issues the Report on Compliance (RoC) to the acquiring banks and card brands, the QSA has quite a bit of power. Working effectively with the QSA can mean the difference between attaining compliance and not. The first place to go when looking for a QSA is the council’s site. For external validation, only council-approved QSAs may submit RoCs. Another option is to ask colleagues about QSAs they’ve worked with, or ask for a QSA reference from your acquiring bank. Evaluate acquiring bank recommendations carefully, though. Some acquiring banks have relationships with assessor organizations that pay referral fees—which may indicate the bank is motivated to make the recommendation simply to receive the fee.

Many organizations that have successfully completed PCI audits recommend treating the QSA search like any hiring process. Include requests for references and price quotes in the assessment criteria. And keep in mind that you’ll be working closely with the assessment company, so it’s important to have a good comfort level with its methodology. Another great tip from the trenches: consider two QSA firms, one for pre-assessment and one for the validation work.

Even if an organization does not wish to pre-assess with a QSA, it should conduct its own pre-assessment. The PCI SSC Self-Assessment Questionnaire (SAQ) and the PCI DSS Security Audit Procedures are excellent resources. An IT professional who completed a PCI validation cycle for his company said, “By pre-assessing, we knew where the holes were and could fill them before getting beat up in front of upper management by the QSA.” Though not getting “beat up” can be a benefit of pre-assessment, it’s important to keep in mind that most QSAs aren’t aiming for humiliation and failure. Pre-assessment gives organizations key knowledge regarding what is important to QSAs during an assessment, especially with regard to documentation. By understanding where the QSA is coming from, IT professionals can engage in a more collaborative relationship.

Documentation may not be exciting, but reviewing documents is a cornerstone of the QSA audit process. So be sure to include documentation review while working on a gap assessment. This is particularly important for areas where there may be interpretation or where compensating controls have been implemented. If a risk assessment process has been completed before implementing a control, be sure the supporting documentation is there so the QSA can assess it properly. Otherwise, the QSA may fail your control.

A money-based “gotcha” to watch out for when working with a QSA is when the QSA claims a company won’t be validated as compliant if it doesn’t buy a specific vendor product from the assessor’s reseller. The tactic can be a softer sell, recommending the customer make the purchase rather than demanding it, but either way it’s all wrong. QSAs that attempt to increase profits by requiring product purchases should be reported to the council.


MANAGING LOGS

SIMs Stand Out
REQUIREMENT 10.6: PCI REQUIRES DAILY LOG REVIEWS, SPURRING A BOOM IN SIM SALES.

PCI COMPLIANCE IS “a process, not a product,” says Michelle Dickman, president and CEO of security information management (SIM) vendor TriGeo Network Security. Yet there’s no denying that a lot of product has been sold in the name of PCI.

Many of these purchases were a result of shoring up security controls in areas where they did not exist. For example, most companies have firewalls (Requirement 1) in their data centers, but many did not have one at every retail site. Now, thanks to PCI, many do.

One product category, however, does stand out as particularly helpful, according to those who have undergone PCI DSS audits: SIMs and log management tools. Requirement 10 calls for monitoring and testing of networks, and 10.6 specifies: “Review logs for all system components at least daily.” For a major retailer with thousands of components in the cardholder data environment, meeting those requirements just wasn’t feasible without a log aggregation solution.

But simply centralizing all logs and alerts isn’t the end of the story, warns William Lynch, a manager and Qualified Security Assessor at IT consulting firm CTG. “Make sure the review process, accountable parties and documentation are in place to ensure that the review happens,” he says.

—DIANA KELLEY
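As an added example (not from the guide or from any SIM vendor), the following Python sketch turns Lynch’s point into something checkable: it parses constructed aggregator log lines, flags in-scope components that produced nothing during the review window, records who performed the review and when, and reports days on which no review record exists. The component names, log format and review history are all assumptions of the example.

```python
"""Added example (not from the Information Security guide or any SIM vendor):
a small check that a daily log review under PCI DSS Requirement 10.6 actually
covered every in-scope component and was recorded with an accountable reviewer.
The component inventory, log lines and review records are constructed data."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed inventory of components in the cardholder data environment (CDE).
CDE_COMPONENTS = {"pos-01", "pos-02", "fw-store-7", "db-cards"}

# Constructed aggregator lines: "<ISO timestamp> <component> <message>".
# pos-02 never reports anything, which is itself a finding.
SAMPLE_LOGS = """\
2009-09-16T23:58:10 pos-01 txn approved
2009-09-17T08:12:44 pos-01 txn approved
2009-09-17T09:01:03 fw-store-7 DENY tcp 10.0.1.20:4455 -> 10.0.9.9:23
2009-09-17T10:30:51 db-cards audit: SELECT on cards by svc_pos
2009-09-17T11:02:00 fw-store-7 DENY tcp 10.0.1.20:4456 -> 10.0.9.9:23
"""

REVIEW_TIME = datetime(2009, 9, 17, 12, 0, 0)


def parse_logs(text: str) -> Dict[str, List[datetime]]:
    """Group log timestamps by the component that produced them."""
    by_component: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, component, _message = line.split(" ", 2)
        by_component.setdefault(component, []).append(datetime.fromisoformat(stamp))
    return by_component


def silent_components(components: Iterable[str],
                      by_component: Dict[str, List[datetime]],
                      review_time: datetime,
                      window: timedelta = timedelta(hours=24)) -> List[str]:
    """Components with no log entry inside the review window.

    A silent source is a coverage failure, not a clean result: 10.6 asks for
    review of all system components, and a device that stopped logging or was
    never forwarded to the aggregator cannot have been reviewed."""
    start = review_time - window
    return [c for c in sorted(components)
            if not any(start <= t <= review_time for t in by_component.get(c, []))]


def record_review(reviewer: str, review_time: datetime,
                  by_component: Dict[str, List[datetime]],
                  silent: List[str]) -> Dict[str, object]:
    """Build the evidence a QSA will ask for: who reviewed, when, how many
    events per component were in scope, and which components were silent.
    An empty reviewer is rejected so the record always names an accountable party."""
    if not reviewer.strip():
        raise ValueError("review record must name an accountable reviewer")
    return {
        "reviewer": reviewer,
        "reviewed_at": review_time.isoformat(),
        "events_per_component": {c: len(ts) for c, ts in sorted(by_component.items())},
        "silent_components": silent,
        "complete": not silent,
    }


def review_gaps(review_times: Iterable[datetime],
                max_gap: timedelta = timedelta(hours=24)) -> List[Tuple[datetime, datetime]]:
    """Pairs of consecutive review records more than max_gap apart, i.e. days
    on which the 'at least daily' review cannot be shown to have happened."""
    ordered = sorted(review_times)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > max_gap]


# Constructed history of earlier review records; 16 September has none.
PAST_REVIEWS = [datetime(2009, 9, 14, 9, 0), datetime(2009, 9, 15, 8, 50), REVIEW_TIME]

if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    silent = silent_components(CDE_COMPONENTS, logs, REVIEW_TIME)
    print(record_review("j.smith (store IT lead)", REVIEW_TIME, logs, silent))
    for earlier, later in review_gaps(PAST_REVIEWS):
        print("no review between", earlier, "and", later)
```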


KEEP IT SIMPLE

An important step for a successful PCI assessment is to simplify the process by narrowing the scope of the audit with zoning, experts say. Allan Carey, senior vice president of research at IANS, which has advised a number of companies on PCI, stresses that “one of the most important things an entity can do is to reduce scope with proper network segmentation, including VLANs, air gaps and physical separation.” When data must travel over public networks, such as the Internet and wireless LANs, Carey advises companies to secure the transmission using encryption protocols such as SSL.

Segmentation was a key part of the National Aquarium in Baltimore’s strategy. As part of its PCI pre-assessment work, the aquarium reviewed two merchant functions that were operationally outsourced to third parties—the aquarium gift store and food services—and decided to physically separate the outsourced merchant networks from the aquarium. This resulted in a significant reduction in audit scope during the aquarium’s PCI validation work.

Another tip on the simplification front—one we’ve all heard—is don’t store what you don’t need. But as Hogan’s plea to the PCI SSC illustrated, many retailers—due to their service level agreements—are required to store PANs in a retrievable format for up to 18 months. Companies that don’t have that requirement have simplified their PCI compliance by eliminating PAN storage. Others don’t have to hang on to the PAN for months but hold it for hours during authorization. Brady Decker, network engineer at the aquarium, suggests that banks and card brands “take the merchants out of the security loop” by not having them store the PAN, even during the authorization phase. If a company must hold on to PANs for any length of time, Carey recommends “leveraging native database encryption capabilities to meet [requirement] 3.4 before layering on a third-party solution that may degrade performance or increase management complexity.”

In addition, make sure to really know what’s in your environment. Stories abound of large organizations that found untracked spreadsheets with thousands of credit card numbers when beginning their PCI assessment work. “Map the credit card data flow” for the entire lifecycle of the data’s existence in your organization, says Michael Gavin, security strategist for application security company Security Innovation. That means answering these questions: Where does the information come in? Where is it being stored? Who has access along the way?

THINK GLOBALLY

Although PCI DSS is an internationally applicable standard, most of the PCI DSS noise has been coming out of the U.S. That’s no longer the case. Since late last year, there has been a significant increase in PCI awareness in the U.K. and parts of Europe. Some European countries still believe that the standard doesn’t apply or is less important because of the use of a smart chip and PIN (personal identification number) in European credit cards. Chip and PIN does change the threat model, but not the PCI DSS requirement. Whether the PAN was read from a magnetic stripe, off of a smart chip, or typed into a Web form, the PAN protection requirements are the same.

Bob Russo, general manager of the PCI council, notes that organizations in some countries, like Japan, have spent a lot of time complying with security frameworks—such as the Information Security Management Systems (ISMS) approach of ISO 27001 and 27002—and don’t want to spend time complying with an additional standard. The card brands, along with the council, are working to raise awareness that the DSS is not optional and not replaceable by any other certification work.

If an organization has been concentrating only on U.S. operations, it’s time for it to start thinking globally and assessing all sites where card information is transacted. And if you are using a compliance framework, consider mapping the controls and documentation in place to those needed for the PCI assessment. Many companies report that “careful compliance recycling” can reduce overhead when certifying to new and emerging standards.

PCI compliance may not be a simple art, but there are ways—like leveraging compliance frameworks—to make it simpler. There are a lot of rules and requirements for PCI, but the core goal is simple: protect credit cards on those digital “mean streets.”

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.


RESOURCES

PCI Security Standards Council
Provides information on standards, QSAs and more.
www.pcisecuritystandards.org

PCI Knowledge Base
Offers tips from the research community.
www.knowpci.com

Visa
Includes list of validated payment applications.
http://usa.visa.com/merchants/risk_management/cisp.html


CHANGES

PCI DSS 1.2 Answers Questions and Raises Others
BY DIANA KELLEY

The latest version of the standard provides clarity on wireless and Web application requirements.

IN OCTOBER 2008 the PCI Security Standards Council, stewards of the PCI Data Security Standard, released version 1.2. PCI DSS version 1.2 is not a sweeping rewrite of version 1.1. Most of the changes listed in the summary document are clarifications of wording and terminology. Bob Russo, general manager of the PCI Security Standards Council, said the group’s goal was “eliminating as many questions as possible.”

Some welcomed the changes, since some terms were poorly defined in the last iteration, making them confusing and difficult to interpret. For example, Requirement 6.6 of version 1.1 called for an “application-layer firewall.” Retailers and PCI assessors (QSAs) alike wondered whether an application-layer-aware firewall, like the Cisco Systems Inc. PIX or ASA firewall, would suffice, or if it called for a Web application firewall like Barracuda Networks Inc.’s Web Site. Although the summary changes continue to reference “application-layer firewall,” the Council issued specific guidance in February on the terminology and the product type intended. Troy Leach, technical director of the PCI Security Standards Council, said that the testing procedures for Requirement 6.6 in version 1.2 make it clear that the Council is referring to Web application firewalls.

Other terms that received clarification and usage-consistency makeovers are primary account numbers (PANs) and “strong cryptography.” In version 1.1, “strong cryptography” is not defined; however, the audit/assessment procedures used by QSAs did list “Triple-DES 128-bit and AES 256-bit” as examples.


Another tricky one: Does the PCI DSS apply to electronic media exclusively, or is paper included? According to version 1.2, it applies to both electronic and paper media that contain cardholder data. This will create additional work for those organizations that had misinterpreted version 1.1 and kept paper media out of scope during DSS compliance work.

Compensating controls

When enterprises are not able to meet the exact letter of the standard, they look to controls that will provide the same level of protection. Perhaps the most well-known example of this is PCI Requirement 3.4, which requires that if PANs are stored, they must be either rendered unreadable (by one-way hashing or truncation) or encrypted (using strong cryptography). When many organizations found neither of these options was feasible, Appendix B of PCI DSS version 1.1 provided a list of acceptable compensating controls that could be used in place of those listed in the requirement.
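The following added Python example (not part of the article) serves two points made in this guide: Gavin’s advice to map where card data actually sits, including untracked spreadsheets, and the two Requirement 3.4 options named above. It locates Luhn-valid PAN candidates in constructed text and renders each one unreadable by truncation and by a keyed one-way hash; the sample text, the key and the helper names are assumptions of the example, not anything from the standard or the article.

```python
"""Added example (not from the Information Security guide): find PAN-like values
in free text, then render each one unreadable in the two ways Requirement 3.4
names, truncation and a one-way hash. The sample text and key are constructed;
a real key would live in a key-management system or HSM, never in source."""
import hashlib
import hmac
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that payment card numbers satisfy. It filters out most
    random digit strings (order numbers, timestamps) but is not proof of a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[str, int]]:
    """Return (normalised digits, offset) for every Luhn-valid candidate.
    Hits are leads for the data-flow review, not a final determination."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((digits, m.start()))
    return hits


def truncate_pan(pan: str) -> str:
    """Truncation under 3.4: keep at most the first six and last four digits.
    The middle digits are discarded, not masked, so nothing can recover them."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the full PAN for matching records without storing it.
    A keyed hash (HMAC-SHA256) is used because the PAN space is small enough to
    enumerate against an unkeyed hash; the key is managed separately from the data."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_text(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its truncated form and count them:
    a first pass over a stray export before deciding whether the data is needed at all."""
    count = 0

    def _sub(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        count += 1
        return truncate_pan(digits)

    return _PAN_CANDIDATE.sub(_sub, text), count


# Constructed sample: two widely published test numbers (Luhn-valid) plus an
# order number and a mistyped card number that the Luhn check rejects.
SAMPLE_TEXT = ("order 20090917123456 cust A card 4111 1111 1111 1111\n"
               "cust B card 5500-0000-0000-0004 cust C card 4111111111111112\n")
DEMO_KEY = b"placeholder-key-from-kms"   # constructed; never hard-code a real key

if __name__ == "__main__":
    for pan, offset in find_pans(SAMPLE_TEXT):
        print(offset, truncate_pan(pan), hash_pan(pan, DEMO_KEY)[:16] + "...")
    redacted, n = redact_text(SAMPLE_TEXT)
    print(n, "PANs truncated")
    print(redacted, end="")
```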

Version 1.2 provides additional informationabout compensating controls and flexibilityoptions for other requirements. In the updatedstandard, Requirement 1 eases the timeline forreviewing firewall rules from quarterly to everysix months. And the 30-day patch cycle, fromthe often-dreaded Requirement 6, now has “added flexibility…by specifying thata risk-based approach may be used to prioritize patch installation.”Under version1.1, many retailers scrambled to install patches within 30 days, often short-circuitingtheir standard patch life cycle testing in an effort to meet the strict timeline. Athorough approach to patching, however, requires testing, prioritization, and arobust pre-production process, which can take longer than 30 days. The changeallows for risk-based approaches that may require more time.

Another welcome change concerns physical security. PCI DSS Requirement 9 (9.1.1) called for cameras to monitor “sensitive areas,” but was an area like a restaurant dining room, where credit cards are handed to staff, considered sensitive enough to require a camera? How about a point-of-sale (PoS) cash register at a food court kiosk? Under version 1.2, 9.1.1 reads “video cameras and/or access control mechanisms,” so organizations now have more flexibility to select other access control mechanisms when appropriate.

More requirements

While the clarification and compensating control changes are welcome, there are some additional requirements in version 1.2. For example: “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission.” For those of you who thought perhaps the Council meant 802.1X, you’re not alone; I thought that at first, too, because 802.11x is a placeholder for upcoming standards and not an IEEE standard.

Information Security • Essential Guide • PCI DSS, page 14


Leach said 802.11x was used to indicate that upcoming versions of the DSS may include recommendations for using emerging 802.11 standards, such as 802.11i. So for more specifics, we’ll all have to stay tuned. On the plus side, version 1.2 will continue to allow SSL/TLS and IPsec for protection of data transmissions over both wired and wireless networks.

Some potential heartburn may come from this change regarding wireless network encryption: “New implementations of WEP are not allowed after March 31, 2009…Current implementations must discontinue use of WEP after June 30, 2010.” Wired Equivalent Privacy (WEP) has been broken for many years, so it makes sense for the Council to call for an end to its use in cardholder data environments, but many “out of the box” point-of-sale packages still commonly rely on WEP for proper operation. The two-year timeline for complete replacement of these systems may be too aggressive for retailers. If so, the Council will need to amend the timeline.

Finally, the antimalware requirement has been updated to include “all operating system types.” Antimalware for Mac platforms and Unix/Linux is available, but options are limited. As for mainframes (like System z), there just aren’t options. For platforms like mainframe and some flavors of UNIX, organizations can consider layering anti-malware protection by using gateways or other compensating controls.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.


Wireless Encryption in the Wake of PCI DSS 1.2

Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

BY MIKE CHAPPLE

THE PCI SECURITY STANDARDS COUNCIL recently announced the imminent release of the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision includes a number of changes, updates and clarifications that affect anyone involved in the storage, processing or transmission of credit card information. One of the major areas of change, however, involves the use of wireless networks to transmit cardholder data.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

• Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.

• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.

• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Using WEP encryption to “protect” a wireless network is a bad idea, and that fact shouldn’t be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of WEP encryption was also responsible for the well-known TJX Companies Inc. breach, one of the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the use of WEP encryption with the presence of compensating controls, including quarterly key rotation, MAC-based host restrictions, and the use of supplemental encryption. None of those controls addressed the underlying weakness: an attacker who captures enough traffic recovers the current key in minutes, however often it is rotated, and MAC addresses are trivially cloned.


For smaller networks, WPA-secured networks and 802.1X authentication may be a fairly trivial task to implement. In some cases, however, the work may require significant infrastructure and/or payment system upgrades.

Converting to WPA

WPA has been standard technology on all wireless equipment manufactured since September 2003. For those using such equipment, converting to WPA may be as simple as changing a setting on the wireless access points and reconfiguring networked devices to access the new WPA network. Where the hardware supports it, choose WPA2 with AES-CCMP rather than original WPA with TKIP: WPA2 is the Wi-Fi Alliance certification of the IEEE 802.11i standard the Council cites, while TKIP was an interim design meant to run on WEP-era radios. However, for those using obsolete or specialized hardware, this change may not be so simple; you may need to get the manufacturer involved.

The good news is that everybody’s in the same boat. Manufacturers that wish to support payment card applications must also support WPA encryption if they intend to continue serving the payment card industry. The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade. Companies may find themselves sitting on a lot of expensive but obsolete hardware, with no option other than upgrading it or ripping it out piece by piece.

Going “enterprise”

The second task is a bit more subtle and tends to be ignored in the initial analysis of PCI DSS 1.2. The summary states: “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission.” But what does PCI DSS 1.2’s reference to and recommendation of “industry best practices” for authentication mean for enterprise security managers?

From my perspective, it means that the use of a pre-shared key is not permissible in all but the smallest and most well-controlled environments. Rather than using the authentication method of the simpler WPA-Personal mode, where every device on the network uses a single shared secret key, individual machine-based or user-based authentication should be put in place to protect network access. The use of WPA-Enterprise technology allows individual users or devices to be provisioned and de-provisioned without reconfiguring the entire network. It’s clearly a good security practice, but it can be difficult to implement for those who don’t have experience with it.

Enterprises that are already running a RADIUS and Active Directory environment may be able to simply tie it in to the wireless infrastructure using 802.1X. Essentially, WPA-Enterprise allows you to avoid the security problems associated with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses 802.1X to access an external authentication server to validate access requests using the credentials of individual users. Those that don’t have this technology in place will need to think about the best way to deploy WPA-Enterprise in their environments.
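The deadlines in the Summary of Changes and the pre-shared-key argument above reduce to a handful of rules that can be run over a wireless inventory. The following Python is an added example, not the article’s or the Council’s: the records are constructed (in practice they would come from the quarterly wireless scan Requirement 11.1 calls for, or from a controller export), and the field and function names are assumptions of this example. It flags new WEP deployed after March 31, 2009, any WEP still in use after June 30, 2010, an open network in scope, a pre-shared key that should move to WPA-Enterprise, and original WPA (TKIP) where WPA2 is preferable.

```python
"""Checking a wireless inventory against the PCI DSS 1.2 wireless rules.

Added example, not from the article or the Council. Records are constructed;
in practice they would come from the quarterly wireless scan (Requirement
11.1) or a controller export. Encoded rules: no new WEP after 2009-03-31,
no WEP at all after 2010-06-30, an open network in the CDE is a finding,
and a pre-shared key is flagged for migration to WPA-Enterprise (802.1X).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

NEW_WEP_CUTOFF = date(2009, 3, 31)   # no new WEP deployments after this
ALL_WEP_CUTOFF = date(2010, 6, 30)   # existing WEP must be gone by this


@dataclass
class WlanRecord:
    ssid: str
    security: str      # OPEN, WEP, WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP
    deployed: date     # when this network was first put into service
    in_cde: bool       # transmits cardholder data or connects to the CDE


def assess(rec: WlanRecord, today: date) -> List[str]:
    """Findings for one network; an empty list means nothing to fix."""
    findings: List[str] = []
    if not rec.in_cde:
        return findings            # outside 4.1.1, but keep it in the inventory
    if rec.security == "OPEN":
        findings.append("no encryption on an in-scope WLAN")
    elif rec.security == "WEP":
        if rec.deployed > NEW_WEP_CUTOFF:
            findings.append("new WEP deployment after 2009-03-31 is not allowed")
        if today > ALL_WEP_CUTOFF:
            findings.append("WEP still in use after 2010-06-30; must be retired")
        else:
            findings.append(f"WEP must be replaced by {ALL_WEP_CUTOFF.isoformat()}")
    elif rec.security.endswith("-PSK"):
        findings.append("pre-shared key; migrate to WPA-Enterprise (802.1X)")
    if rec.security.startswith("WPA-"):
        findings.append("WPA/TKIP; prefer WPA2 (802.11i, AES-CCMP)")
    return findings


def assess_inventory(records: List[WlanRecord], today_iso: str) -> Dict[str, List[str]]:
    """Run assess() over the whole inventory as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {r.ssid: assess(r, today) for r in records}


# Constructed sample inventory.
SAMPLE = [
    WlanRecord("POS-LEGACY", "WEP", date(2007, 5, 1), True),
    WlanRecord("POS-KIOSK", "WEP", date(2009, 5, 15), True),
    WlanRecord("STAFF", "WPA2-PSK", date(2008, 9, 1), True),
    WlanRecord("POS-NEW", "WPA2-EAP", date(2009, 8, 1), True),
    WlanRecord("BACKOFFICE", "WPA-EAP", date(2006, 2, 1), True),
    WlanRecord("GUEST", "OPEN", date(2008, 1, 1), False),
]

if __name__ == "__main__":
    for ssid, items in assess_inventory(SAMPLE, "2009-09-01").items():
        print(ssid, "->", items or ["ok"])
```

Running it against the same inventory with a date after June 30, 2010 turns the “must be replaced” finding into a hard failure, which is the check to schedule for the first scan after the deadline.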


For example, you’ll probably want to first ensure that your wireless infrastructure (access points, controllers, etc.) supports WPA-Enterprise and then ensure that your wireless devices (laptops, PDAs, etc.) are also compatible. You’ll then need to decide the appropriate authentication back end for your environment. In most Microsoft shops, you’ll want to configure RADIUS to authenticate against an existing Active Directory. Otherwise, you’ll need to find another source of user authentication data and integrate it with your RADIUS server.

Finally, you’ll need to devise a rollout strategy. One common approach is to stand up the WPA-Enterprise network alongside your existing wireless networks and allow users a transition period of several weeks before shutting off the legacy network. For more practical advice on deploying WPA-Enterprise, read Controlling WLAN access on a tight budget.

Summing up

The new wireless requirements imposed by PCI DSS 1.2 aren’t a surprise to payment card security professionals. We’ve been expecting them ever since the first release of PCI DSS 1.0, and they represent best practices in wireless security. The time has now come to comply, and the council has set a clear deadline: June 2010. That might sound far away, but the best advice I can offer you is to start planning now. If the changes are simple, you’ll finish way ahead of the deadline and have plenty of time to relax. However, if your infrastructure requires major changes, you’ll have the necessary opportunity to plan and deploy those changes properly.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.



Is Tokenization the Cure-all for PCI Compliance?

SECURING PANs: The technology attempts to replace cardholder data with a token instead of a PAN.

BY ED MOYLE

STOP FOR A MOMENT and imagine what it would be like if all of the sensitive data in your company suddenly went away. It wasn’t stolen; your company just found a way to operate without needing to keep that sensitive data on hand. Sounds pretty sweet, right?

For everyone in the payment lifecycle, the sensitive data our firms need to do business is like a giant albatross around our necks. We need to protect it, constantly monitor who has access to it, and we live in constant fear of it getting stolen. Financial-services firms such as card issuers and acquirers have it worst of all: we have a vested interest in making sure our merchants are protecting the data, but we often don’t have direct control over whether or not they do.

So it’s no wonder a technology hitting the scene that promises to make all these headaches go away would get a lot of attention. While we’re all struggling to get and stay compliant with the PCI Data Security Standard, the idea that we could install some technology that reduces the stress of protecting sensitive data has quite an appeal. And this is exactly what tokenization promises to do.

What is tokenization?

To see how tokenization works and why it’s useful, it helps to compare how a typical payment transaction currently works versus the ideal of a fully tokenized scenario. When a customer goes to a company and hands off his or her card for authorization, the default scenario is that the merchant needs to keep the cardholder data on file to perform a variety of functions. For example, the merchant needs to keep a record of the account to settle transactions, process recurring payments (like at a gym), modify or update the transaction amount based on instructions from the customer (such as when a customer wants to add a tip to a restaurant bill), or issue refunds.

In this case, the cardholder data is necessary for a company to do business. But while it’s necessary, it also carries a serious compliance burden: much of the PCI DSS speaks directly to the requirements related to that data storage.


By contrast, tokenization attempts to minimize the amount of data the business needs to keep on hand; in this case, by replacing the cardholder data with a “token,” a randomly generated value the merchant can use instead of the primary account number (PAN). Since the token is not a PAN, and can’t be used outside the context of that unique transaction with the merchant, it doesn’t have the same high level of sensitivity that a PAN carries.

In a tokenization scenario, the organization outsources its payment processing to a service provider that provides a “tokenization option,” such as Shift4 Corp., Electronic Payment Exchange, Merchant Link or Braintree Payment Solutions. The service provider handles the issuance of the token value and also handles the heavy lifting of keeping the cardholder data locked down. Alternatively, a more in-house approach might leverage a product like nuBridges Inc.’s Protect to bring the service-provider functionality on premises.
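To make the division of labor concrete, here is the flow in Python as an added example; it is neither the article’s code nor the API of any vendor named above, and the class and method names are hypothetical. The provider side issues a random token bound to the merchant that requested it and keeps the PAN; the merchant side records only the token and uses it for every later adjustment or refund, which is what takes the merchant’s stored records out of Requirement 3.4. The PAN used is the familiar Visa test number.

```python
"""A minimal tokenization flow: what leaves the merchant and what stays.

Added example; not the article's code and not any vendor's API. Class and
method names are hypothetical. The provider keeps the PAN; the merchant
records carry only tokens, and every later operation references the token.
"""
import secrets
from typing import Dict, Tuple


class TokenizationProvider:
    """Service-provider side. A real vault stores PANs under Requirement 3.4
    controls (strong encryption, key management); here it is an in-memory dict."""

    def __init__(self) -> None:
        self._vault: Dict[Tuple[str, str], str] = {}   # (merchant_id, token) -> PAN

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        while True:
            # Random, not derived from the PAN: nothing about the PAN can be
            # computed from the token. Last four kept for receipts; the 'tok_'
            # prefix and hex body make it impossible to mistake for a PAN.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if (merchant_id, token) not in self._vault:
                break
        self._vault[(merchant_id, token)] = pan
        return token

    def settle(self, merchant_id: str, token: str, amount: float) -> Dict[str, object]:
        """Charge, refund or adjust using the token. The PAN is resolved here
        and never returned; a token issued to another merchant is rejected."""
        pan = self._vault.get((merchant_id, token))
        if pan is None:
            raise PermissionError("token not issued to this merchant")
        # ... forward `pan` and `amount` to the card network here ...
        return {"last4": pan[-4:], "amount": amount, "token": token}


class MerchantSystem:
    """Merchant side: the PAN transits tokenize() once and is never stored."""

    def __init__(self, merchant_id: str, provider: TokenizationProvider) -> None:
        self.merchant_id = merchant_id
        self.provider = provider
        self.orders: Dict[str, Dict[str, object]] = {}

    def authorize(self, order_id: str, pan: str, amount: float) -> str:
        token = self.provider.tokenize(self.merchant_id, pan)   # in scope: PAN in transit
        self.orders[order_id] = {"token": token, "amount": amount}
        return token

    def adjust(self, order_id: str, new_amount: float) -> Dict[str, object]:
        """Tip added or refund issued: only the token is needed."""
        order = self.orders[order_id]
        receipt = self.provider.settle(self.merchant_id, str(order["token"]), new_amount)
        order["amount"] = new_amount
        return receipt


if __name__ == "__main__":
    provider = TokenizationProvider()
    shop = MerchantSystem("merchant-A", provider)
    tok = shop.authorize("order-1", "4111111111111111", 19.99)   # constructed test PAN
    print("merchant stores:", shop.orders)
    print("adjust via token:", shop.adjust("order-1", 22.99))
```

Two properties are worth checking in any real product against this sketch: the token must be random rather than a hash or encryption of the PAN (otherwise it is a PAN in disguise and stays in scope), and a token must be unusable outside the merchant and context that created it.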

Pros and cons of tokenization

The relative benefits of a tokenization scenario should probably be pretty clear for folks who’ve been worried about complying with the PCI DSS. Requirements like 3.4 (“Render PAN, at minimum, unreadable anywhere it is stored…”) go from being an “Oh my gosh” to a “Who cares.” Why? Because the token isn’t a PAN. Once you make the switch, you’re no longer storing PANs, so that requirement, as well as numerous others in the PCI DSS that target data storage, ceases to apply to the systems that hold only tokens.

From an integration standpoint, companies offering these services are heavily incented to keep complexity down because it enables them to sell to smaller merchants and retailers with limited in-house technical expertise. This is good news for larger organizations as well. Now, no integration is ever truly “seamless,” but since the majority of changes are on the backend (service provider) side, changes to the merchant environment should be relatively few.

Given that, if you’re like many organizations, deploying a tokenization solution can be a more cost-effective way to meet PCI requirements than implementing a host of technical security controls around data storage. While there are fees associated with the implementation of a tokenization solution, the reduced scope of compliance and the reduced need for storage-related technical controls is likely to wind up a net gain.

But just as there’s no such thing as a free lunch, there’s also no panacea, at least not in information security. In most scenarios, it’s the merchant who supplies the cardholder data to the service provider in order for the tokenization to occur. This means the merchant does have a role in the transaction flow. And because the PCI DSS applies to everyone who stores, processes or transmits the data, they still have compliance obligations. While it’s certainly true that those compliance requirements


are less when dealing with tokens versus live PANs, organizations still need to make sure they comply with the requirements designed to protect data in transit, at least for the machines and processes involved in the transaction before tokenization occurs.

Ed Moyle is a manager with CTG’s Information Security Solutions practice and a founding partner of consulting firm SecurityCurve. He is co-author of “Cryptographic Libraries for Developers” and a frequent contributor to the information security industry as an author, public speaker, and analyst.


EMERGING TECHNOLOGIES

PCI, Virtualization and Cloud Computing

Compliance guidelines on virtualization will likely be in a state of flux for some time.

BY MICHAEL COBB

IMAGINE THIS SCENARIO: You’ve successfully migrated all the company’s non-critical applications, the internal infrastructure and the development center on to virtual servers. Management is happy because you’ve lowered both capital and operating costs, increased energy efficiencies, as well as improved business continuity.

But like every business at the moment, your managers need you to reduce costs even further. They’re pushing for you to consolidate and run the mission-critical applications, including the Internet-facing e-commerce ones, on virtualized servers, too. But can you remain compliant with the Payment Card Industry Data Security Standard (PCI DSS) while fully leveraging the business benefits of virtualization?

What PCI has to say about virtualization

This is a problem many IT managers face, and there’s a distinct lack of guidance on virtualization from the PCI Security Standards Council. Version 1.2 of the standard, released in October 2008, did clarify a number of issues, but it didn’t address virtualized environments.

To benefit from virtualization, virtual servers will typically have multiple functions running on a single physical server. Requirement 2.2.1 of the PCI DSS, however, states that a server should implement only one primary function. So, according to the standard, Web servers and database servers should each be implemented on a separate machine. For a company that needs to be PCI compliant, those restrictions make the task of virtualizing an infrastructure a difficult one.

The PCI Data Security Standard does not yet address virtualized servers or related audit requirements, meaning that qualified security assessors (QSAs) must use their own judgment to determine whether organizations that implement virtualized servers meet the PCI mandates. This less-than-ideal situation is compounded when you consider that IT and security professionals themselves are still unsure of how virtualization changes the risk profile of a system, especially when the technology has been described as one that keeps “all the eggs in one basket,” due to the fact that a compromise of the VM host compromises all the virtual servers running on it.

PCI virtualization specifications on the way

Thankfully, this is a short-term situation, as a PCI Security Standards Council special interest group (SIG) for virtualization is currently taking shape. Its aim will be to address the challenges and issues associated with virtualization and PCI compliance, providing much-needed explanation in the same way the clarification document regarding Web application firewalls and code reviews had done in early 2008.

The virtualization SIG will solicit feedback from not only participating organizations, such as VMware Inc., Microsoft and other industry stakeholders, but also the security assessors that currently perform assessments. They will no doubt focus on the security of host servers. Any VM containing credit card-related data means its host server is also in scope. Other issues to be addressed include access control, monitoring and the security of remote console sessions to the VMs. Adequate security for clones and copies of virtualized servers, such as those used for disaster recovery and business continuity, should be covered as well: a snapshot or clone of an in-scope guest is itself a copy of cardholder data (disk and, for a suspended VM, memory) and belongs in the inventory and under the same controls as the original.

The decision that will have the biggest effect on merchants will be whether virtualization provides adequate zoning and separation of functions. That choice will specify if virtual servers are acceptable as long as they are only performing a single function. For example, will a merchant be able to run in-scope and out-of-scope virtual servers on the same hardware? In such a situation, there would certainly need to be a firewall in place to separate the virtual servers into zones.

One approach may be for a single hypervisor to only allow the compliant systems handling data covered by PCI, which would avoid the non-compliant state of having multiple classifications of data residing on the one storage medium. A current best practice is to not use virtual machines that run across multiple secure zones on the same host. In the upcoming clarification document, it will also be important to monitor not just the VM workloads, but also the hypervisors, using products such as those from Tripwire Inc. Comprehensive monitoring offers reporting ability, which will certainly help towards demonstrating compliance.

It will be some time before the virtualization SIG is able to quantify the risks posed by a virtualized environment and establish auditing standards to assess host servers and guest virtual machines. QSAs are used to auditing and assessing risk in highly segmented and layered architectures where duties and responsibilities are largely separated and well-defined. The opposite is true in virtualized architectures, which means another auditing approach is necessary.

My view is that the most conservative approach would be to delay implementing virtualization and wait for the findings and recommendations of the SIG in order to ensure your chosen product doesn’t fail any upcoming revisions to requirements. When the PCI requirements for security in virtual environments are announced, it


will have some fairly broad implications for the whole cloud computing community.

For those who are more bullish on virtualization, when researching some of the virtualization security products coming onto the market today, I would recommend paying particular attention to their management control features. For example, to what degree can an organization limit the scope of permissions to specific objects or parts of the infrastructure and grant the correct access rights to the right people, without violating the principle of “least privilege?” Separation of duties between hosts and VMs will be critical to achieve compliance.

To that end, administrators looking to get a head start should be aware that VMware, one of the major virtualization vendors, has launched the VMware Compliance Center website: an initiative to help merchants understand how to achieve, maintain and demonstrate compliance with various industry standards in virtual environments. I also recommend reading the case studies of companies that have successfully passed compliance audits in their VMware environments. Good documentation to prove there are sufficient controls in the virtualized environment seems to be a common component of setups that have passed an audit. It’s also important to choose an assessor who understands security controls in a virtual environment and has experience in how they should be deployed.

The bottom line is that virtualization is a complex and evolving technology, and those looking to implement virtualized systems in the near term, regardless of the business drivers, such as cost reduction, availability and resiliency, should be aware that PCI compliance guidelines will likely be in a state of flux for some time. That means implementations may be forced to evolve as well.

Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.


Q & A

Cloud and Virtualized Servers Pose Challenges for PCI Compliance

In the Q&A, Troy Leach, technical director for the Payment Card Industry Security Standards Council, explains how a SIG hopes to address the confusion.

BY ROBERT WESTERVELT

Troy Leach, technical director for the Payment Card Industry Security Standards Council, recognizes a gap in the standard when it comes to addressing the security of payment card data in cloud computing and virtualized environments. In an interview, Leach said he hopes a newly formed special interest group (SIG) and an emerging technologies study will recommend ways the standard can address securing payment data in the cloud. The council needs a better understanding of the rules and responsibilities within a virtualized server and whether or not virtual segmentation in a network is appropriate segmentation, Leach said. In addition, the PCI SSC announced an expansion of its PIN Entry Device (PED) Security Requirements to address unattended payment terminals and hardware security modules. The devices will now undergo thorough security testing, Leach said.

The PCI SSC has a special interest group (SIG) around virtualization security. What will its ultimate goal be, and what are some of the issues the group will be looking at?

TROY LEACH: Just to take one step back, we have a wireless special interest group that has submitted a new wireless implementation guide. It's a phenomenal document and I can't wait to put this in the marketplace. It provides a guide for any merchant that either has wireless in their environment and is making changes, or is implementing wireless. It's a robust guide, and we hope to see the same from the virtualization SIG.

I would assume the [virtualization group] will be tackling issues such as the chain of custody and the rules and responsibilities within a virtualized server. They'll probably discuss cloud computing. They'll probably discuss virtual local area networks (VLANs) and whether or not virtual segmentation in a network is appropriate segmentation. It's similar to another SIG we launched last month on scoping. So there may be some overlap when it comes to virtualization.

Is the SIG on scoping related to just virtualization issues or all network segmentation issues?

LEACH: It's going to include all scoping issues. This is going to be determined by the merchants and participating organizations and how they want to cover the topic. They have a very broad interest in different aspects of segmentation and reducing a PCI assessment.

If someone walks up to you and says they're doing cloud computing, is there anything in the standards as they are right now that you can point them to for guidance?

LEACH: It's a tough question. We have an emerging technologies request for proposal (RFP) that will explore some of these issues, and we're going to see how virtualization applies. We try to stay technology agnostic, but we recognize that there are times when you have to call out certain types.


We do have certain requirements that are a challenge. I think the one that most folks look to is 'one primary function per server' and whether or not virtualization creates enough separation within those operating systems to have that one function per server. That's a challenge for a lot of organizations. We're seeing some new work with hypervisors being able to hop from one operating system to another and whether or not antivirus at that level is appropriate. There are a lot of challenges with that technology, and we're hoping to have a position paper presented to us from the emerging technologies RFP by the end of the summer.

What are some of the challenges around network segmentation?

LEACH: I think the first challenge many merchants face when they are segmenting is that they don't know where their cardholder data is. The discovery phase of finding cardholder information, especially if you're new to that type of discovery, can be quite a challenge. As a former chief technology officer, I can say that sometimes I didn't know if a marketing team somehow collected information or a business group collected information unbeknownst to system administrators and database administrators. We're getting there. Many organizations are now very cognizant of security and that it needs to be an ongoing practice, not just a once-a-year validation.

The PIN Entry Device (PED) Security Program is expanding to include UPTs and HSMs. What are these two new standards?

LEACH: The PED standard is now plural, and we have multiple standards for those devices that actually record PIN transactions. The part of the program related to unattended payment terminals (UPT) focuses on additional security requirements for those types of devices, like fuel pumps and movie ticket kiosks. These are transactions that are done without a cashier, and we recognize that there are additional physical and logical security controls that need to be in place for those types of devices.

In addition, the hardware security module (HSM) is within the device itself. It manages how that PIN is being handled by the device. For example, it encrypts the PIN from the point that it is taken from the device onto the processor and onto the acquiring bank.

If I'm a merchant and I already have some of these devices installed, what happens to these devices?

LEACH: These requirements are going to be similar to the PED requirements, in that it will be the responsibility of the manufacturer of those devices to go through and become validated against these requirements. Many of these manufacturers are very aware of these standards. They've helped to vet the requirements themselves. So we anticipate that many of these manufacturers will have the products go through the process with the laboratories real soon.

Robert Westervelt is the news editor for SearchSecurity.com.


BEST PRACTICES

Compliance Recycling

How to combine compliance efforts to manage PCI DSS.

BY DIANA KELLEY

GOING "GREEN" is becoming a way of life for many of us. The "reduce, reuse and recycle" approach can help save materials and decrease impact on the environment.

In compliance work, the concepts of reducing work and "reusing" existing controls can also be applied. Many organizations have invested time and effort to implement ISO 27002 controls and certify against 27001 Information Security Management System (ISMS) processes. Others have adopted the IT management techniques from the UK Office of Government Commerce (OGC), known as ITIL. And many organizations have made significant investments to create a standardized compliance framework for use across business units and divisions.

Although compliance with the Payment Card Industry Data Security Standard (PCI DSS) cannot be accomplished by using another framework or methodology exclusively, organizations have found that they can leverage valuable mappings between existing frameworks. Additionally, some of the policies and tools implemented for PCI DSS may provide unexpected compliance benefits for other initiatives.

David Howell, senior manager of compliance solutions at RSA, the security division of EMC Corp., said he's observed a desire for compliance normalization. Companies are looking for a "common framework that can be used to eviscerate the walls between disparate compliance programs," Howell said, "defining commonalities so that pieces can be leveraged."

Reuse can work bidirectionally. Controls implemented for PCI DSS can be used for other initiatives in the organization, and controls implemented before or independently of PCI DSS may be reusable as part of PCI DSS validation work.

Examples of PCI DSS controls that can be reused are policies and procedures related to protection of sensitive data. PCI mandates that sensitive authentication data cannot be stored after the authorization phase, but primary account numbers (PANs) can be, provided they are protected. Requirement 3.4 of the PCI DSS provides specific details on how PANs must be stored in order to achieve compliance: rendered unreadable anywhere they are stored, by truncation, a one-way hash based on strong cryptography, index tokens and pads, or strong encryption with associated key management. Implementing these specifics can be a challenge, involving the use of native encryption on databases, or a cryptographic gateway or library to encrypt the data before passing it to the database for storage.
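Two passages in this guide invite a worked example: Troy Leach's remark in the Q&A that the first segmentation problem is that merchants "don't know where their cardholder data is," and the Requirement 3.4 discussion here on how stored PANs must be protected. The Python below is an added example written for this guide; it is not code from the articles, from the PCI SSC or from any vendor named in them. It uses only the standard library. The log excerpt and the HMAC key are constructed for the demo, and the discovery pattern and the `recover_from_plain_hash` routine are illustrative designs, not a reference implementation of any PCI requirement. It shows a Luhn-filtered PAN scanner that reports only truncated values, the truncation and keyed one-way hash options of Requirement 3.4, and why an unkeyed hash stored beside a truncated PAN is not "unreadable": with the first six and last four digits known, the middle digits are a search of at most a million candidates, and the Luhn check throws out nine in ten of those.

```python
"""PAN discovery and Requirement 3.4-style protection of stored PANs.

Added example for this guide, not code from the original articles.
Standard library only; the sample log and the key below are constructed.
"""
import hashlib
import hmac
import itertools
import re

# 13-19 digits, optionally split by single spaces or dashes, and not embedded
# in a longer digit run (illustrative pattern; tune it for your own data).
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed demo key. In production the key comes from an HSM or a
# key-management service under Requirements 3.5 and 3.6, never a constant.
DEMO_KEY = b"demo-key-do-not-use-in-production"

# Constructed log excerpt: two Luhn-valid test PANs, a phone number, a
# timestamp, and a mistyped PAN that fails the Luhn check.
SAMPLE_LOG = """\
2009-09-15 10:12:01 order=48813 card=4111 1111 1111 1111 exp=11/11 amount=42.00
2009-09-15 10:12:02 order=48814 phone=555-123-4567 ref=20090915101202
2009-09-15 10:12:03 note: customer emailed PAN 378282246310005 in clear text
2009-09-15 10:12:04 order=48815 card=4111111111111112 (mistyped, fails Luhn)
"""


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every real PAN passes; rejects about 90% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation as Requirements 3.3/3.4 allow: at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Discovery scan: (line number, truncated PAN) for each Luhn-valid hit.

    Only the truncated form is reported, so the scan output does not itself
    become a new store of cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
                hits.append((lineno, truncate(digits)))
    return hits


def keyed_hash(pan: str, key: bytes) -> str:
    """One-way hash based on strong cryptography: HMAC-SHA256 under a secret key.

    Without the key an attacker cannot enumerate candidate PANs and compare
    digests, so the stored value stays unreadable even beside the truncated PAN.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256: the weak choice that recover_from_plain_hash defeats."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def recover_from_plain_hash(truncated: str, digest: str) -> str:
    """Brute-force an unkeyed hash given the truncated PAN stored beside it.

    With the first six and last four digits known, only the middle digits
    (six for a 16-digit PAN, five for a 15-digit one) are unknown, and the
    Luhn check discards nine of every ten guesses before hashing. Returns
    the recovered PAN, or '' when no candidate matches (as with a keyed hash).
    """
    first6, last4 = truncated[:6], truncated[-4:]
    middle_len = len(truncated) - 10
    for middle in itertools.product("0123456789", repeat=middle_len):
        candidate = first6 + "".join(middle) + last4
        if luhn_ok(candidate) and plain_hash(candidate) == digest:
            return candidate
    return ""


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
    pan = "378282246310005"
    stored = truncate(pan)
    print("unkeyed hash recovered:", recover_from_plain_hash(stored, plain_hash(pan)))
    print("keyed hash recovered:  ", repr(recover_from_plain_hash(stored, keyed_hash(pan, DEMO_KEY))))
```

Run directly, the script lists the two truncated hits from the constructed log, recovers the full PAN from the unkeyed hash in a fraction of a second, and comes up empty against the keyed hash. The part the script stubs with `DEMO_KEY` is exactly what Requirements 3.5 and 3.6 govern: where the key lives, who can reach it, and how it is rotated and retired. A keyed hash is only as unreadable as that key is protected.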


Such encryption requires key management, and PCI DSS also details rules regarding proper key storage, aging and control. With sophisticated storage protection in place, a number of companies have found that the techniques in Requirement 3.4 can be applied to other sensitive data in the organization.

Michelle Stewart, manager of data security for AirTran Airways, discovered some unexpected benefits from using PCI DSS controls. Monitoring systems that were put in place for PCI DSS became valuable tools for the operations and audit teams. Information from network and host scans was used to identify "devices that weren't in compliance with company policy," Stewart said. The increased visibility provided by the tools helped AirTran enforce policy management for non-PCI DSS-related initiatives like ensuring that no unwanted applications, such as streaming radio, were running on the corporate network. Stewart said savvy companies can leverage IT spending intended for PCI DSS compliance for work beyond PCI DSS and card data protection.

The relationship between ISO 27001/27002 and PCI DSS is a little more complex, but worth investigating, especially for organizations that are ISO 27001 certified. ISO 27001 is a methodology for managing a security program using the Plan-Do-Check-Act (PDCA) quality control cycle. Organizations that build security programs can use ISO 27001 to certify their ISMS approach to the standard. ISO 27002, on the other hand, is a list of controls. The PCI DSS is something of a mix of the two; it encompasses both technical controls and defines management techniques and approaches. While a company could be fully ISO 27001 certified, that is no assurance that it is also PCI DSS compliant. Since controls in ISO 27001 are adopted based on an organization's risk assessment determination, the final decision regarding which controls to implement rests with the organization itself. PCI DSS is not that flexible; controls listed in the standard are mandatory for compliance.

However, if a company is ISO 27001 certified, it is likely that the organization has already implemented many of the controls that PCI DSS requires. Though the two aren't aligned, an organization could perform a gap assessment of existing controls, such as those implemented from ISO 27002, against the mandatory PCI DSS controls. Sections A.10, A.11 and A.12 of the ISO standard (communications and operations management, access control, and information systems acquisition, development and maintenance) focus on more technical controls, and this is where the majority of the overlaps occur. The end result would be a delta highlighting additional controls required for PCI, potentially streamlining compliance and assessment work. Another benefit for ISO 27001 certified organizations is that extensive documentation is required. Insufficient documentation is a core reason that companies fail PCI DSS compliance, so having it in place for ISO will make the PCI compliance work easier.

Finally, the Unified Compliance Framework (UCF) is an interesting approach to compliance. Developed by Dorian Cougias and Marcelo Halpern, UCF attempts to help companies streamline compliance work by mapping normalized controls and


management approaches. In February 2008, the group behind UCF published a "harmonization" that integrates the PCI DSS Self-Assessment Questionnaire (SAQ) v1.1 and PCI DSS requirements into the UCF. Companies using the UCF as a meta-compliance framework may find the integration document helpful for normalization and mapping between the two. The document is available to all PCI Qualified Security Assessors (QSAs) as well as UCF subscribers.

Compliance is a cornerstone to a healthy IT environment. Consider "going green" when it comes to compliance. In other words, rather than throwing out previous compliance work when new regulations come along, look for areas where controls and policies can be mapped and "recycled" for applicability to the new mandates.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.


LATEST NEWS

PCI Council Issues Priority Tool for Compliance

The PCI Prioritized Approach framework creates a series of milestones for organizations working on PCI compliance.

BY ROBERT WESTERVELT

THE PCI SECURITY STANDARDS COUNCIL has issued a new tool designed to walk companies through the compliance process by setting a series of six milestones companies must meet before being signed off as compliant by a security assessor.

The milestones were set by weighing certain risk factors and threats to credit card data that often lead to a breach. The PCI Prioritized Approach framework is meant to be used as a roadmap to give merchants a prioritized check-off list, said Bob Russo, general manager of the PCI Council. Russo said the tool could help improve communication on compliance progress between merchants, Qualified Security Assessors (QSAs) and acquiring banks.

"It will keep track of how close to being compliant you are so when your acquirer asks if you're doing something with this you can actually show some progress and let them know how close you are to being compliant," Russo said.

Heartland breach highlights PCI limitations: The benefits of complete PCI and the necessity of full compliance are now being widely questioned, says Eric Ogren, principal analyst, The Ogren Group.

PCI is about eliminating data, not securing it. Former QSA turned Forrester analyst John Kindervag calls PCI a "communicable disease." Anything introduced to the network is in PCI scope if credit card systems aren't segmented.

The PCI Council issued version 1.2 of PCI DSS in October. The standards were updated to address wireless security, antivirus use and the review of firewall rules.


Russo said he doesn't anticipate another update (version 2.0) until 2010.

Ultimately, the council hopes the PCI Prioritized Approach framework helps acquiring banks track merchant compliance. The new tool is available on the Council's website. It consists of a downloadable worksheet that allows merchants to sort through specific PCI DSS requirements by a priority list of milestones.

The priority list starts with the steps merchants must take to ensure credit card data isn't stored, followed by milestones for securing the perimeter; securing payment applications and other software that may handle credit card data; and monitoring and controlling access to systems. If merchants determine that credit card data must be stored, the fifth milestone offers a checklist for protecting the information, from protecting and storing cryptographic keys to keeping inventory logs. The final milestone deals with conducting application penetration tests and reviewing controls and procedures.

"There are many merchants out there that know how important PCI DSS is, but they need a little help," said Lib de Veyra, vice president, emerging technologies at JCB International Co., and chairperson of the PCI Standards Council. "This is a good way to approach it by dealing with the highest risks first."

While PCI DSS should be pretty clear to IT pros and compliance executives, the new tool should prove valuable to companies trying to prioritize compliance initiatives based on risk factors, said Jack Santos, an executive strategist with the Burton Group who has had experience with PCI projects. Santos said compliance initiatives are continuing at many firms despite the down economy.

"Security is one area in this down economy that is holding its own," Santos said. "In fact there may be even a slight increase in security spending because people are more worried than ever about data leakage and breaches."

Robert Westervelt is the news editor for SearchSecurity.com.


TECHTARGET SECURITY MEDIA GROUP


SR. VICE PRESIDENT AND GROUP PUBLISHER Andrew Briney
PUBLISHER Josh Garland
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
DIRECTOR OF MARKETING Kristin Hadley
SALES MANAGER, EAST Zemira DelVecchio
SALES MANAGER, WEST Dara Such
CIRCULATION MANAGER Kate Sullivan
ASSOCIATE PROJECT MANAGER Suzanne Jackson
PRODUCT MANAGEMENT & MARKETING Corey Strader, Jennifer Labelle, Andrew McHugh
SALES REPRESENTATIVES Eric Belcher [email protected]; Neil Dhanowa [email protected]; Patrick Eichmann [email protected]; Jason Olson [email protected]; Jeff Tonello [email protected]; Nikki Wise [email protected]

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Eric Sockol
EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk
LIST RENTAL SERVICES Kelly Weinhold, Phone 781-657-1691, Fax 781-657-1100
REPRINTS FosteReprints, Rhonda Brown, Phone 866-879-9144, [email protected]

INFORMATION SECURITY (ISSN 1096-8903) is published monthly with a combined July/Aug., Dec./Jan. issue by TechTarget, 117 Kendrick St., Suite 800, Needham, MA 02494 U.S.A.; Phone 781-657-1000; Fax 781-657-1100.

All rights reserved. Entire contents, Copyright © 2009 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.

INFORMATION SECURITY
EDITORIAL DIRECTOR Kelley Damore
EDITOR Michael S. Mimoso
SENIOR TECHNOLOGY EDITOR Neil Roiter
FEATURES EDITOR Marcia Savage

ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce

COLUMNISTS Jay G. Heiser, Marcus Ranum, Bruce Schneier
CONTRIBUTING EDITORS Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder
TECHNICAL EDITORS Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman
USER ADVISORY BOARD Edward Amoroso, AT&T; Anish Bhimani, JPMorgan Chase; Larry L. Brock, DuPont; Dave Dittrich; Ernie Hayden, Seattle City Light; Patrick Heim, Kaiser Permanente; Dan Houser, Cardinal Health; Patricia Myers, Williams-Sonoma; Ron Woerner, TD Ameritrade

SEARCHSECURITY.COM
SENIOR SITE EDITOR Eric Parizo
NEWS EDITOR Robert Westervelt
ASSOCIATE EDITOR William Hurley
ASSISTANT EDITOR Maggie Wright
ASSISTANT EDITOR Carolyn Gibney

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary
EDITORIAL EVENTS MANAGER Karen Bagley


SPONSOR RESOURCES

ArcSight, Inc. (see ad page 12)
• White Paper: Achieving PCI Data Security Standard (DSS) Compliance
• Product Brief: ArcSight PCI Protection Suite
• Product Brief: ArcSight PCI Logger

LogLogic (see ad page 24)
• LogLogic Database Security Manager
• LogLogic Corporate Brochure
• Database Security and Log Management: A Foundation for Health Information and Quality of Care

McAfee (see ad page 16)
• McAfee Application Control
• McAfee Change Control
• McAfee PCI Pro

Qualys (see ad page 20)
• QualysGuard PCI Trial
• PCI Compliance for Dummies eBook
• Winning the PCI Compliance Battle Whitepaper

BeyondTrust Corporation (see ad page 4)
• From Trust to Process: Closing the Risk Gap in Privileged Access Control
• Preventing Data Breaches in Privileged Accounts Using Access Control


thawte Inc. (see ad page 33)
• Extended Validation - the New Standard in SSL Security
• Sign your Code and Content for Secure Distribution Online
• Get a Free SSL Trial Certificate from Thawte

Varonis (see ad page 2)
• 10 Things IT Should Be Doing (but isn't)
• Stop SharePoint Administrative Chaos
• 30-Day Varonis DatAdvantage Free Trial

StillSecure (see ad page 38)
• PCI compliance with StillSecure products and services
• PCI compliance: A technology overview
• PCI requirements met by StillSecure® solutions
