Attaining PCI DSS certification - an introduction
I was talking with a colleague in the UK a few weeks ago, discussing UK trends in information security. He reflected that many UK firms are slow to adopt IPS (Intrusion Prevention Systems) and that SOX projects are dominated by the big accounting firms, leaving little space for smaller consultants. However, he mentioned that PCI compliance is increasingly a must-have for his UK and EU clients.

This article discusses how to comply with PCI DSS 1.1 and how to sustain consistent, ongoing enforcement using extrusion prevention technologies.

I. Background

What is PCI DSS?

The PCI (Payment Card Industry) Data Security Standard is designed to protect the integrity of the credit card payment system and to mitigate the risk of fraud and identity theft to cardholders. Adopted by both VISA and Mastercard (see the Mastercard SDP Program), PCI DSS applies to card association members, merchants, and service providers that store, process, or transmit cardholder data. The scope of compliance is the set of systems for authorization and settlement where cardholder data is processed, stored, or transmitted, including:

  • External connections into the merchant network
  • All connections to and from the authorization and settlement environment
  • All databases where more than 500,000 account numbers are stored
  • POS (Point of Sale) systems that are IP-based and have external Internet connectivity

 

For more information see the PCI Security Standard. In 2004 the major brands in the card payment industry agreed to align their individual programs (such as Visa's CISP) on a single industry standard, in order to reduce the costs of implementation and assessment and to increase the rate of adoption. Most organizations were required to meet all requirements of the PCI security standard by June 30th 2005, but it has not been clear sailing, as noted in the Computerworld article "Credit card data security standard goes into effect, but concerns about implementation".

Despite heavy fines for large acquirers that violate the standard ($500,000 per incident if data is compromised), much of the implementation is based on self-assessment: answering 75 yes-no questions does little to mitigate the actual vulnerabilities and the threat of disclosure.

What is Extrusion Prevention?

Extrusion prevention (or data leakage prevention) systems are conceptually an outbound firewall, capable of detecting and preventing unauthorized network transfer of customer data. Implementing an extrusion prevention system helps a business meet PCI DSS requirements and mitigate credit card data breaches without modifying existing network and transaction processing systems. An added benefit of extrusion prevention systems is the ability to monitor compliance with procedures and to detect new vulnerabilities and new potential attackers in the network.

In the next section we review the data types and policies that are relevant to the PCI Data Security Standard and conclude with a description of extrusion prevention business rules for PCI compliance.

II. Credit Card Information: Data Classifications and Policies

 

Personally Identifiable Information: Data Description and Policy

PII is defined as any information collected about the owner of the credit card, such as their name, signature, address, phone number, driver's license number or social security number; such information is classified and controlled as PERSONALLY IDENTIFIABLE INFORMATION (PII). In practical terms, if you can identify a person with a reasonable amount of effort and with no special technical means, it is PII. PII is confidential to the organization and may only be used for the specific purposes listed below. Only pre-authorized parties are allowed to receive PII, and only through authorized communication channels. The following examples are for illustration only and do not necessarily comprise a complete set of all types of Personally Identifiable Information:

Examples

  • Name
  • Address
  • Phone Number(s)
  • Drivers License
  • Social Security Number

Authorized Uses

  • To provide customer service
  • To ship products or deliver services to a customer
  • To collect or process payment for products or services
  • To facilitate planning or to support marketing plans

Authorized Channels for Communication

  • Official Electronic Mail System of the Organization
  • File Transfer Protocol
  • Web Services

Controls

  • Encrypt data when stored on magnetic media
  • Encrypt data when transmitted over public networks
  • Label as confidential when printed
  • De-identify data when used for other than authorized purposes
  • Retain data for no more than three years
  • Destroy data upon three-year anniversary

 

Credit Card information: Data Description and Policy

Examples

Unlike the PII examples, the following list is considered the complete set of Credit Card Information:

  • Type of Credit Card
  • Name on Credit Card
  • Credit card Number
  • Expiration Date
  • Security Code

Authorized Uses

  • To provide customer service
  • To support accounting or reconciliation business processes
  • To investigate fraud or criminal activities
  • To collect or process payment for products or services

Authorized Channels for Communication

  • Official Electronic Mail System of the Organization
  • File Transfer Protocol
  • Web Services

Controls

  • Render the card number unreadable wherever it is stored, on any media, using strong encryption with key management, truncation or a one-way hash (PCI DSS Requirement 3.4), and mask it to at most the first six and last four digits when displayed (Requirement 3.3)
  • Never store the security code after authorization, even encrypted (Requirement 3.2); the retention controls below apply to the other items only
  • Encrypt data when transmitted over public networks
  • De-identify data when used for other than authorized purposes
  • Retain data for no more than three years
  • Destroy data upon three-year anniversary

Credit Card Magnetic Stripe Data: Data Description and Policy

Credit Card Magnetic Stripe Data is the information read automatically by an electronic card reader at the POS and includes Track 1 and Track 2 data. The two tracks contain the card number and expiry date, the name of the individual authorized to use the card, and other service- and issuer-specific information. Magnetic Stripe Data is considered confidential to the owner and authorized user and may only be used to process a financial transaction. Only pre-authorized parties are allowed to receive Magnetic Stripe Data, and only through authorized communication channels.

 

Examples

The following list is considered the complete set of Magnetic Stripe Data (PCI DSS groups these items, together with the security code, as sensitive authentication data):

  • Track 1 Data - 56 bytes (ISO/IEC 7813 allows up to 79 characters)
  • Track 2 Data - 35 bytes (ISO/IEC 7813 allows up to 40 characters)
  • Personal Identification Number

 

Authorized Uses

The only authorized use for Magnetic Stripe Data is to complete an automated, electronic financial transaction.

Authorized Channels for Communication

  • File Transfer Protocol
  • Private Line or VPN
  • Web Services

Controls

  • Storage after authorization is not allowed on any media, even encrypted (PCI DSS Requirement 3.2) - zero retention
  • Encrypt data when transmitted over public networks

 

Credit Card Transaction Data: Data Description and Policy

Transaction data is collected at the point of sale and will often include the items purchased, credit card information, date and time, authorization code and transaction amount. These transaction details are confidential to the organization and may only be used for the specific purposes listed below. Only pre-authorized parties are allowed to receive Credit Card Transaction Data, and only through authorized communication channels.

Examples

The following examples are for illustration only and do not necessarily comprise a complete set of all types of Credit Card Transaction Data:
  • Authorization Code
  • Transaction Number
  • Name
  • Amount

Authorized Uses

  • To process or collect payment for products or services
  • To reconcile all financial accounting
  • To provide customer service

Authorized Channels for Communication

  • Official Electronic Mail System of the Organization
  • File Transfer Protocol
  • Web Services

Controls

  • Encrypt data when stored on magnetic media
  • Encrypt data when transmitted over public networks
  • De-identify data when used for other than authorized purposes
  • Retain data for no more than three years
  • Destroy data upon three-year anniversary

III. Extrusion prevention business rules for PCI compliance

Extrusion is defined as the unauthorized network transfer of sensitive data; extrusion prevention is the detection and blocking of such transfers. An extrusion prevention system is deployed at network egress points and does not require modifications to the network or information systems. An extrusion prevention business rule is composed of four parts: detection (of content and network channel), policy (that fires when a violation is detected), prevention (of digital assets from being disclosed) and reporting (forensics: the who, what, when and where of the violation).

  • Content is defined as PII Data AND Credit Card Data as described above. PII and credit card content is detected in real time using a combination of key-word-in-context matching, compound regular expressions (for example, a card-number pattern validated with the Luhn check digit) and multi-dimensional content profiling, in order to attain high levels of both precision (the fraction of flagged items that really are card data, i.e. few false positives) and recall (the fraction of real card data that is flagged, i.e. few misses).
  • Network channel is derived from the TCP/IP session envelope and is defined as a data transfer from a source IP inside the network to a destination outside the network that is not SSH- or SSL-encrypted. This can be further refined by defining authorized channels, or so-called white-lists, that describe the pre-authorized parties allowed to receive Credit Card Data and the channels they may use. Typically, an authorized channel is defined as a tuple of user, network service, source IP and destination IP. Note that traffic the system cannot inspect (SSH, SSL/TLS) is a blind spot: an encrypted outbound channel to an arbitrary destination must either be restricted to white-listed destinations or be terminated where its content can be examined.
  • Policy defines the enforcement action taken when a violation is detected: either alert or prevent. An alert is delivered to the security analyst via the EPS (extrusion prevention system) console and/or to an external system management component.
  • Prevention. The security analyst may also choose to mitigate by prevention; when a violation is detected, transfers of the session content are blocked on all TCP ports, preventing exploitation of back channels by an attacker, regardless of whether the attacker is a trusted insider or malicious code. Prevention on all channels mitigates the risk of card holder information leaving the network on an un-monitored back channel such as FTP or tunnelled HTTP.
  • Reporting. The minimum requirement for forensics is detailed session information and the ability to retrieve the original session content for examination. A retained copy of a session containing card data is itself stored cardholder data and must be protected (masked or encrypted, with the security code and track data dropped) under Requirement 3 like any other copy. Forensics reporting for a large enterprise often requires integration with external systems. External systems integration may be as simple as generating syslog records or as complex as integrating both reporting and configuration with an external SIM (security information manager) or MOM (network Manager of Managers).
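
As an added example (not code from this article or from any vendor's product), the four-part rule above as a small Python policy engine: detection of card numbers and Track 1/2 data with a Luhn check and key-word-in-context scoring, an authorized-channel white-list keyed on the (user, service, source IP, destination IP) tuple, an alert-or-prevent policy, and a syslog-style forensics record that carries only the masked card number. The sessions, hosts, user names and the white-list are constructed for the example; the card numbers are the standard Visa and Mastercard test numbers.

```python
"""Added example: an extrusion-prevention business rule for card data (not code
from the original article or from any vendor product). Detection = PAN regex
+ Luhn check + key word in context, plus Track 1/2 patterns; channel = (user,
service, src IP, dst IP) tuple checked against a white-list; policy = allow /
alert / prevent; report = masked PAN only. Every session record and the
white-list below are constructed for this example."""
import re
from collections import namedtuple
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\??")
# Track 2: ;<PAN>=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\??")
# A key word near a candidate number raises confidence that it is card data.
KEYWORD_RE = re.compile(r"\b(card|visa|mastercard|amex|cvv|cvc|exp\w*|pan)\b", re.I)
CONTEXT = 40  # characters examined on each side of a candidate

Finding = namedtuple("Finding", "kind masked confidence")  # kind: PAN/TRACK1/TRACK2
Channel = namedtuple("Channel", "user service src dst")     # the session envelope


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 mod-10 check digit; rejects most order and serial numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only (PCI DSS 3.3); safe for reports and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def detect(payload: str) -> List[Finding]:
    """Content detection over one session payload; never returns a full PAN."""
    findings, spans = [], []
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(payload):
            if luhn_ok(m.group(1)):
                findings.append(Finding(kind, mask_pan(m.group(1)), "high"))
                spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(payload):
        if any(s <= m.start() < e for s, e in spans):
            continue  # already reported as track data
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue
        window = payload[max(0, m.start() - CONTEXT):m.end() + CONTEXT]
        conf = "high" if KEYWORD_RE.search(window) else "medium"
        findings.append(Finding("PAN", mask_pan(digits), conf))
    return findings


# Constructed white-list: only the settlement batch job may send card data,
# and only over SFTP to the acquirer's host.
WHITELIST = {Channel("settlement", "sftp", "10.1.5.20", "203.0.113.10")}


def decide(channel: Channel, payload: str, mode: str = "prevent") -> Tuple[str, List[Finding]]:
    """Policy: mode is the analyst's choice, 'alert' or 'prevent'. Medium-confidence
    hits are alerted rather than blocked, to keep false positives from breaking traffic."""
    findings = detect(payload)
    if not findings or channel in WHITELIST:
        return "allow", findings
    if mode == "prevent" and any(f.confidence == "high" for f in findings):
        return "prevent", findings
    return "alert", findings


def report_line(channel: Channel, action: str, findings: List[Finding]) -> str:
    """Syslog-style forensics record: who, what and where, with masked PANs only."""
    what = ",".join(f"{f.kind}:{f.masked}:{f.confidence}" for f in findings) or "-"
    return (f"eps action={action} user={channel.user} svc={channel.service} "
            f"src={channel.src} dst={channel.dst} findings={what}")


# Constructed sessions (not captures); PANs are the usual Visa/Mastercard test numbers.
SAMPLES = [
    (Channel("settlement", "sftp", "10.1.5.20", "203.0.113.10"),
     "BATCH 0412 card 4111111111111111 exp 1209 amt 42.00"),      # authorized channel
    (Channel("jsmith", "http", "10.1.7.33", "198.51.100.7"),
     "order 4111111111111112 shipped"),                            # fails Luhn: not a PAN
    (Channel("jsmith", "http", "10.1.7.33", "198.51.100.7"),
     "please refund visa 4111 1111 1111 1111 for customer 8812"),  # PAN with key word
    (Channel("pos-17", "ftp", "10.1.9.17", "198.51.100.9"),
     "%B5555555555554444^DOE/JANE^09121010000000000?"
     ";5555555555554444=09121010000000000?"),                      # raw track data
    (Channel("dev", "http", "10.1.7.40", "198.51.100.7"),
     "ref 4111111111111111 sent"),                                 # Luhn-valid, no key word
]


def run_samples(mode: str = "prevent") -> List[str]:
    return [report_line(ch, *decide(ch, payload, mode)) for ch, payload in SAMPLES]


if __name__ == "__main__":
    print("\n".join(run_samples()))
```

Run stand-alone it prints one record per constructed session: the settlement batch is allowed because its channel is white-listed, the Luhn-invalid order number produces no finding, the refund request and the raw track data are blocked, and the bare Luhn-valid number with no key word nearby only raises an alert. A production system would apply the same detection to decoded application-layer content (MIME parts, compressed attachments, tunnelled HTTP) rather than to raw payload text, and any retained session copy must be kept under the same Requirement 3 protections as other stored cardholder data.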

 

IV. Summary

The frequency of unauthorized disclosure of PII and credit card data is rising to levels where check-box compliance is insufficient and risk mitigation becomes a must; however, organizations need a solution for self-assessment, monitoring and active prevention at a reasonable price. Extrusion prevention provides a solution that does not require changes to the IT infrastructure, at a price commensurate with transaction volume.

 
Software Associates - Business security specialists for hi-tech firms