PCI-DSS: System Administration
PCI DSS (Payment Card Industry Data Security Standard) is a proprietary but publicly available standard, owned by the card brands (Visa, MasterCard, etc.), whose purpose is to guarantee information security in companies that handle credit card data.
The standard consists of 12 domains, corresponding to its 12 main requirements, which catalogue the security controls (protective countermeasures):
| # | Domain | Requirement |
|---|---|---|
| 1 | Network Sec | System & Network Security |
| 2 | Hardening | Customization of System default configuration |
| 3 | Cypher | Cardholder Data Protection |
| 4 | TLS | Transaction Data Protection |
| 5 | Malware | Management of Malicious software |
| 6 | Vulns | Develop & Maintain Secure Systems |
| 7 | Know | Data Access Control |
| 8 | Access | System Access Control |
| 9 | Physical | Physical Access Control |
| 10 | Monitor | Network & Infrastructure Monitoring |
| 11 | Sec-Test | Periodic Test of Systems & Processes |
| 12 | InfoSec | Corporate Information Security Policy |
PCI-DSS & IT Components
The 12 PCI-DSS requirements are applied to different IT components (Environments, Technologies and Communications), each of which is split into 3 items (respectively: Areas, Types, Flows). This builds a 3x3 logical infrastructure that helps to address all the IT elements to take care of:
· Environments: logical areas delimited by the different attributes of the information stored within them. According to requirement 9 "Physical Access", these areas should also be physically delimited, so that PCI-DSS requirements need not be applied to IT outside them. There are 3 main areas:
o Internal: Inside. Cardholder data, together with the core processing functions and the access control mechanisms. Almost all PCI-DSS requirements apply to components within the Internal area.
o External: Outside. The external world to which payment transactions are sent, each one using a single cardholder information element. No requirement can be applied to components of this area (because it is out of control); the proper requirements are instead applied to the interfaces (i.e. Communications) between the External and Internal areas.
o Admin: close-to-Inside. Restricted area, adjacent to Internal, dedicated to system management and monitoring.
· Technologies: IT devices that provide cardholder data management capabilities. There are 3 main types, based on the usual persistence time of the data:
o PCI-DB: the cardholder data archive. It must be accessed in order to operate financial transactions; proper access control mechanisms should be in place (see requirement 3 Cardholder Data Protection).
o Sys/App: cardholder data processing systems (input, update, access control, deletion, etc.). These should be properly configured and maintained (see requirements: 2 Modify Vendor-supplied Defaults, 6 Develop & Maintain Secure Systems, 11 Regularly Test Systems & Processes).
o Desktop: workstations used to maintain and monitor the components belonging to the Internal area. These should be malware-free (see requirement 5 Protect Against Malware).
· Communications: interfaces between components involving the Internal area. There are 3 main flows:
o DB-Access: Internal-Internal. Access to cardholder data in order to process it in Sys/App. The "Need to Know" principle should be applied (see requirement 7 Restrict Access to Data).
o Int-Ext Comms: Internal-External. Access from outside to the Internal cardholder data infrastructure in order to execute financial transactions. This is the most important item to take care of in order to guarantee operational security (see requirements: 1 Network and System Security, 4 Encrypt Transmission of Cardholder Data, 10 Track and Monitor all Access).
o Sys Access: Internal-Admin. Access to the administration capabilities of the Sys/App elements within the Internal area. Maintenance and monitoring tasks should be strictly controlled (see requirement 8 Identify and Authenticate Access to System Components).
Requirement 12 "Information Security Policy" is cross-cutting: it applies to all components and to all items.