Lecture_280.pdf
School: University of Toronto
Course: 568
Subject: Information Systems
Date: Dec 6, 2023
Pages: 2
Uploaded by ColonelOysterMaster630 on coursehero.com

260 PCI Compliance

A Service Provider has a large mid-tier UNIX installation, like Solaris or AIX, that runs critical areas of the payment process, including long-term data storage. For various reasons, encrypting the data is not an option on these machines. How do we make this service provider compliant with PCI Requirement 3.5?

This is a real-world example that comes up frequently. Encryption implementations have come a long way. The words “my platform does not have a solution for encryption” are no longer valid for platforms that can comply with PCI. When presenting the following control to customers, it is shocking how fast they find a way to encrypt their data.

While systems like this could be bolstered by moving from discretionary access control (DAC) to mandatory access control (MAC) to act more like a Mainframe, the requirements specifically talk about storage. These days, most storage is somewhere on the network in a Storage Area Network (SAN) and may not be physically connected to the host machine. MAC might help you in some aspects of PCI DSS, but it may no longer be strong enough in non-Mainframe environments to meet Requirement 3.5.

A better option that wouldn’t affect system performance significantly might be looking at external tokenization engines to protect the data while it sits on disk. Several companies have products that would allow you to extend the life of those legacy systems (remember, they still must be maintained and be able to get security patches) through tokenization. This would help you outright meet Requirement 3.5 and serve as a compensating control for Requirement 3.6, as it would not necessarily apply.

Even if you were able to convince a QSA that switching to MAC is a fabulous compensating control for 3.5, things are never that easy. Some security professionals inside companies love the idea of converting to MAC as it allows them to have more granular control over their systems and data. Practical ones know that converting an existing system requires so much effort that the costs typically outweigh the benefits. In fact, conversion is probably more like a replacement for a change this large. This is a perfect example of how a compensating control might look good on paper (it’s only three words when you use the acronym! “Convert to MAC!”), but in reality it would be much easier to just meet the implied requirement to encrypt that data (or build a new system from scratch that begins with MAC).

A medium-sized retailer with fewer than 500 stores is struggling with Requirement 10.2.1.1 to “capture all individual user access to cardholder data.” All of their data is stored in a large DB2 database that runs on a mainframe. They run massive batch processes at regular intervals, and their space constraints prevent logging every single access to a row. Do you tell them to go back to their board for new budget dollars to buy lots and lots of drive space to store logs?

Before we proceed, consider the intent of the requirement. Reliable logs are valuable in investigating a breach quickly. Without them, it may take forensic examiners days, or even weeks, to determine the source of a breach. Once the source has been identified and analyzed, forensic companies must attempt to determine how many card numbers may have been exposed. If there are no logs, the assumption is that everything could be exposed, meaning that fines will add up pretty quickly. The idea is not necessarily to make a log record that includes every single card number that is accessed but to be able to identify which cards are accessed through the data contained in the logs.

Are you starting to get the hang of this thing? How about another example? One more example, and then it’s time for you to get creative!
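The retailer’s problem above can be handled the way the stated intent suggests: record what each batch job ran, not every row it touched. The script below is an added example written for this page and is not code from the book; the schema, job name, service account, host name and dates are all constructed, and SQLite stands in for DB2. Each run of a nightly job writes one audit record carrying the elements Requirement 10.2.2 asks for (user, event type, date and time, success or failure, origin, affected resource) together with the parameterized statement and its bound values. An investigator later replays those statements read-only to enumerate the row ids accessed in a given window. Card numbers are held only as tokens and never reach the log, and a final check confirms that nothing PAN-shaped leaked into it.

```python
import json
import re
import sqlite3
from datetime import date, datetime, time, timedelta

# Constructed cardholder table: surrogate row id, the card number held only
# as a token (what tokenization leaves on disk), and the transaction date.
CARD_ROWS = [
    (1, "tok_0001", "2023-01-01"),
    (2, "tok_0002", "2023-01-01"),
    (3, "tok_0003", "2023-01-02"),
    (4, "tok_0004", "2023-01-03"),
    (5, "tok_0005", "2023-01-08"),
    (6, "tok_0006", "2023-01-09"),
]

# Hypothetical nightly settlement job: it reads the previous day's rows.
# Parameterized, so the log can record the exact statement and its inputs.
SETTLEMENT_SQL = "SELECT row_id, token FROM transactions WHERE txn_date = ?"

PAN_LIKE = re.compile(r"\b\d{13,19}\b")  # digit runs the length of a PAN


def build_store():
    """In-memory SQLite stand-in for the retailer's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (row_id INTEGER PRIMARY KEY, "
                 "token TEXT, txn_date TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", CARD_ROWS)
    conn.commit()
    return conn


def audit_record(user_id, job, sql, params, ran_at, success, origin, resource):
    """One record per query execution: the 10.2.2 elements (user, event type,
    date/time, success or failure, origin, affected resource) plus the
    statement and its bound parameters. No card data is written."""
    return {"user_id": user_id, "event_type": "batch_query",
            "timestamp": ran_at.isoformat(), "success": success,
            "origin": origin, "resource": resource, "job": job,
            "sql": sql, "params": list(params)}


def run_nightly_jobs(conn, first_day, last_day):
    """Run the job at 02:00 each day, first_day..last_day inclusive, and
    return the query-level audit log it produces."""
    log, day = [], first_day
    while day <= last_day:
        prev = (day - timedelta(days=1)).isoformat()
        try:
            conn.execute(SETTLEMENT_SQL, (prev,)).fetchall()  # the real work
            ok = True
        except sqlite3.Error:
            ok = False
        log.append(audit_record("svc_settle", "nightly_settlement",
                                SETTLEMENT_SQL, (prev,),
                                datetime.combine(day, time(2, 0)), ok,
                                "batch-host-01", "transactions"))
        day += timedelta(days=1)
    return log


def replay_window(conn, log, window_start, window_end):
    """Investigator's step: re-execute every successful logged run inside the
    window read-only and keep only the row ids it returned (tokens dropped).
    Returns {run timestamp: sorted row ids}."""
    conn.execute("PRAGMA query_only = ON")  # replay must not modify anything
    try:
        accessed = {}
        for entry in log:
            ran = datetime.fromisoformat(entry["timestamp"]).date()
            if entry["success"] and window_start <= ran <= window_end:
                rows = conn.execute(entry["sql"], entry["params"]).fetchall()
                accessed[entry["timestamp"]] = sorted(r[0] for r in rows)
        return accessed
    finally:
        conn.execute("PRAGMA query_only = OFF")


def log_contains_pan_like(log):
    """Scope check: anything PAN-shaped in the log would make the log itself
    cardholder data that must be protected like the database."""
    return bool(PAN_LIKE.search(json.dumps(log)))


def investigate(first_run="2023-01-01", last_run="2023-01-10",
                window=("2023-01-01", "2023-01-08")):
    """End to end: generate the log, then answer 'which records could have
    been exposed between the window dates?' from the log alone."""
    conn = build_store()
    log = run_nightly_jobs(conn, date.fromisoformat(first_run),
                           date.fromisoformat(last_run))
    per_run = replay_window(conn, log, date.fromisoformat(window[0]),
                            date.fromisoformat(window[1]))
    exposed = sorted({rid for ids in per_run.values() for rid in ids})
    return {"log_entries": len(log), "runs_in_window": len(per_run),
            "per_run": per_run, "exposed_row_ids": exposed,
            "pan_like_in_log": log_contains_pan_like(log)}


if __name__ == "__main__":
    print(json.dumps(investigate(), indent=2))
```

With ten nightly runs logged, asking about January 1 to January 8 replays eight of them and yields row ids 1 through 4 as the records that could have been exposed; the row read on the January 9 run falls outside the window and is correctly excluded. The log holds ten small records regardless of how many rows each batch touched, which is the space argument the text makes, and the PAN check passing is what keeps that log out of expanded PCI DSS scope.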
261 The Art of Compensating Control

If we were to log the actual query performed against the database during a batch process, with knowledge of the date and time that the query was run and exactly what that query will do, we should then be able to determine, with reasonable certainty, which cards were accessed. It’s common for batch processes to run on a daily basis, usually using the data from the previous day to produce their output. If we must determine what could have been exposed from January 1 to January 8, we could look at the data that would have been accessed by that batch process during those days. Logging the query, and all the other elements required by 10.2.2 about that action, would generate a reasonably accurate list of records that would use a fraction of the drive space required by creating an entry that has every single record exposed (as well as bringing that log into expanded PCI DSS scope where you have card numbers that must be protected! How circular!).

CASE STUDIES

Now that we have explored examples of what some humorous (yet invalid) compensating controls look like and what acceptable ones might be, let’s walk through a couple of case studies to help us further illustrate the process.

THE CASE OF THE NEWBORN CONCIERGE

Nora’s Newborn Nursery is a small chain of daycare centers specializing in infant and newborn care, with minimal medical staff on-site to assist with minor issues that can come up while providing ongoing and routine child care. Her customers tend to be affluent and busy professionals who can sometimes have strange schedules and benefit from a service designed to target professionals with young children. Nora founded her business on the principle that her customers should never have to worry about the transaction process. Once a customer signed up for the service, they would leave a credit card on file to be pre-billed for services to be rendered during the following week or month. Her customers simply drop off the newborn, briefly discuss any problems or issues that are going on, and get on with their day.

Nora invested in some basic IT systems and a mobile app that allows her customers to get reports on their children while care is happening, as well as schedule additional services like routine checkups, wellness care, and seasonal immunizations. For those customers who choose not to use the app, her systems can alert or update her customers via text message or e-mail. Most of her customers pay monthly or weekly, so her transaction volume is projected to make her a Level 2 merchant in the next 12 months. As a Level 4 merchant, she heard about PCI DSS through a presentation at the local Chamber of Commerce, but has not implemented anything at this point to comply with the standard. Because she has a small IT staff, building sophisticated networks simply isn’t an option.

She calls a consultant and sets up some time to meet. During the first conversation, the consultant describes how a centralized database and processing system could be valuable for her to invest in so that each location doesn’t have to worry about on-site storage. In addition, she is looking at Healthcare Information Portability and Accountability Act (HIPAA) Security and Privacy rule compliance issues with the healthcare data she inevitably stores during the course of her business. Nora, with advice from her consultant, decides that the best course of action is to invest in a hardened, centralized computing infrastructure that houses both the applications and data that her locations will use. She will continue to store information about her active customers in an encrypted format, and ensure that the hardened environment meets both HIPAA and PCI DSS compliance. For her employees, they will connect to that environment through a virtual desktop infrastructure like AWS Workspaces, Citrix, or VMware Horizon. This allows her the freedom to implement any number of IT solutions in her locations, such as removing PCs in exchange for iPads or other tablet computers, or even allowing her employees to bring their own devices into the workplace. The connection to the centralized location must be encrypted, and there must be adequate controls