PCI DSS Self-Assessment on a budget

The business problem

Small businesses are put off by the mega-costs of external auditors and confused by all the noise from technology vendors. Our PTA PCI DSS Self-assessment package is designed specifically for small businesses that process credit cards and need to improve their payment card security on a small budget. Click here for the free download

Abstract

There have been hundreds of high-profile data breaches over the past 3 years, and in 2007 a series of heavily publicized data breaches at the TJX retail chain (with over 45 million payment cards stolen over a period of 18 - 24 months). We are now witness to rapidly growing awareness of the need to mitigate internal and external threats to customer data.

On the heels of events like the TJX data breach in June 2007, Visa stiffened requirements for merchants and processors, ordering them to be compliant by September 30, 2007 or face fines of up to $25,000 / month.

PCI DSS is not just another checklist to keep the compliance police at bay; it is a way to protect customer data assets for merchants at all levels. The question is how merchants can use the PCI Data Security Standard effectively to reduce their data breach risk, whether in a self-assessment or in the on-site audit required under the Mastercard requirements for merchants.

In this article, we examine the challenges for risk reduction using the PCI Data Security Standard and show how PTA (Practical Threat Analysis) can help take the pain out of the planning and implementation process and reduce cost of the security investment. Practical Threat Analysis for PCI DSS 1.1 ("PTA PCI 1.1") has been used in several projects and was found to be productive in shortening risk assessment timetables and constructing risk mitigation programs for Level 2, 3 and 4 merchants.

The PCI Data Security challenge for merchants

Although there is clearly no silver bullet, TJX and other organizations might have been able to prevent their data breach events by building and enforcing an effective risk mitigation plan based on PCI DSS.

PCI DSS is not "one-size fits all"

The PCI standard combines best practices from the card associations. It tells retailers exactly what they need to do to be secure, without telling them where to start and how to prioritize threats against vulnerabilities. The standard does not consider how to balance the value of a retailer's payment data assets against the retailer's cost of implementing the security controls specified in the standard.

Large organizations that process and store large numbers of payment data face significant planning and implementation costs - their challenge is how to build a cost-effective risk mitigation plan starting from initial phases of planning and identifying which applications store payment card data. Identifying where payment card data is stored alone can be a daunting task.

Small and medium-sized merchants tend to be less aware of threats than bigger companies and have less security expertise and fewer resources to implement PCI. Their digital asset mapping tends to be simpler; their challenge is improving their understanding of how PCI requirements impact their business and how to reduce the threat of a data breach on a small budget.

The objective is not compliance for compliance's sake

Once the exclusive domain of large institutions, Level 2, 3 and 4 merchants are now required to perform risk self-assessments as the card associations call on them to manage their payment card data better and prove it by complying with PCI DSS. The objective is not compliance for compliance's sake. Used and maintained properly, PCI DSS 1.1 can be an effective way of reducing the operational risk of handling payment card data. This article and the accompanying PCI PTA threat model and library will hopefully show how to attain this goal.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled "Practical Threat Analysis for the Software Industry", published online at Securitydocs.com in October 2005. PTA provides a quantitative model of threats (stealing payment card data, manipulating transactions), vulnerabilities (insecure software, unreliable contractors), assets (payment cards, magnetic stripe data) and countermeasures (firewalls, software security assessments, etc.). PTA supports models of multiple attacker types (hackers, insiders...), specific entry points and documentation to analyze the risk profile of a particular business.

The output of a PTA-supported risk assessment is a prioritized, cost-effective risk mitigation plan, i.e. the best way for a merchant to spend money in order to protect the business and comply with Visa and MasterCard regulations.

PTA provides important benefits for PCI DSS risk assessments (whether by a self-assessment or on-site audit by a certified PCI assessor):

  1. Business impact analysis: PTA enables business decision makers to state asset values, calculate risk profile and consider controls in familiar dollar values. This transforms security from a technology acquisition process into a business decision process for implementing processes and systems that reduce risk.
  2. Reusable: The PTA database enables merchants to easily change their PCI threat model as the business evolves and perform PCI quarterly self-assessments and "what-if" analysis on control scenarios.
  3. Robust: The user friendly PTA Professional application produces management reports of risk profile at any time with the click of a button.
  4. Effective: PTA recommends the most effective security countermeasures and their order of implementation. PTA helps a merchant stay focused on spending money according to business priorities; the PTA optimized risk mitigation plan can save as much as 80% of the cost of security implementation.

The PTA calculative threat modeling application and reporting system is available as downloadable freeware at the PTA Technologies download page. The PTA PCI DSS 1.1 package, which includes the threat model, the library and the attached documents, is available for free download at PCI DSS 1.1 Self Assessment with PTA and is licensed under the Creative Commons Attribution License.

Effective risk self-assessment for Level 2, 3 and 4 merchants

If you're a Level 2 merchant (processing 1-6 million transactions annually) or a Level 3 merchant (processing more than 20,000 e-commerce transactions) or a Level 4 merchant (everyone else), you are certainly aware that Visa and MasterCard require an annual self-assessment of risk to payment card data. PTA PCI 1.1 is the right way to perform a self-assessment. The results are stored in a database and reports can automatically be produced for management or external auditors. When your business grows and new systems are added or changed, you can easily return to the model and recalculate your up-to-date compliance exposure, for example, when your quarterly network scan uncovers new system vulnerabilities.

How does PTA PCI 1.1 work?

The PTA PCI threat model contains all of the PCI DSS controls pre-mapped to merchant vulnerabilities. For example, Section 5, "Systems may be affected by viruses and malware", maps to the vulnerability "Malicious viruses can enter the network e.g. via employees' e-mail activities". The corresponding countermeasures to the vulnerability are "5.1 Deploy anti-virus software on all systems commonly affected by viruses" and "5.2 Ensure that all anti-virus mechanisms are current and actively running".

PTA PCI 1.1 includes sample assets and threats that enable merchants to use the threat model and perform a self-assessment optimized for their specific business. For example, a merchant with an online Web site would require Web application security to mitigate application exploits, but a merchant with no e-commerce operation and extensive physical POS installations would need to focus on physical security, since Web security is not relevant to that business.

During the self-assessment, a merchant uses the PTA database baseline to define the relevant vulnerabilities and their $ business impact. PTA helps the business choose the best countermeasures for its budget using the PTA Optimized Risk Mitigation Plan report.

Choosing cost-effective controls for protecting card holder data

After completing a self-assessment, the crucial question is which security controls you should implement. Should you buy database firewall technology, or should you focus on restricting access based on users' need to know? A PCI DSS process can be as simple or as involved as a company wants, but there are always far more available controls than threats. As a result, merchants at all levels find themselves coping with the long list of controls provided by the standard.

The PTA PCI 1.1 optimized risk mitigation plan guides security implementations:

  • Mitigating trusted insider threats. The major source of data breaches remains internal (either intentional or accidental), not malicious external hackers. Masking and encryption can be effective countermeasures to internal threats, and a PTA PCI 1.1 optimized risk mitigation plan pinpoints which business units and applications are best served by masking and encryption. A software security assessment methodology with PTA is described in this article from the Institute of Internal Auditors - The Enterprise Software Risk Analysis: Your Defense Against Data Security Threats
  • Justification for compensating controls. A Level 1 merchant can use PTA PCI 1.1 to help build the business justification to the card associations for the use of compensating controls to achieve compliance when encryption cannot be implemented.

While a company with deep pockets might decide to implement the entire checklist of controls, most merchants and processors must get the most for their security investment i.e. reduce total cost of ownership. Implementing additional controls does not necessarily reduce risk in an ongoing operation. For example, beefing up network security (like firewalls and proxies) and installing advanced application security products, is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and inflation in the number of firewall and content filtering rules. The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

PTA PCI 1.1 enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of an all-or-nothing checklist implementation that may impact its competitiveness.

How we created PTA PCI 1.1

PCI DSS 1.1 contains 12 sections, where each section describes a security policy and list of security controls. For example, Section 1 deals with the need for a firewall and contains a list of firewall best practices.

We needed to map the PCI DSS 1.1 data model to the PTA threat model concept, which is composed of threats, vulnerabilities, assets and countermeasures. We observed that the top-level items in each section mapped nicely to PTA vulnerabilities and that the sub-items were controls that translate directly to PTA countermeasures. For example, the PCI item 1.0 "Requirement 1: Install and maintain a firewall configuration to protect cardholder data" corresponds to the network vulnerability "Sensitive areas within a company internal network may be accessible from the Internet".

This vulnerability is mitigated by corresponding countermeasures in the PTA threat model database. In order to simplify (yet retain all of the original best practices) we cataloged top-level controls as countermeasures and the relevant sub-items as Attached Documents (that can be accessed by double clicking on the name of the document or clicking on the Open Document button). Double clicking on the attached document for the countermeasure: "2.1 Always change vendor-supplied defaults before installing a system on the network" opens a Microsoft Word document with a detailed description of how to protect systems including changing default vendor passwords, eliminating unnecessary accounts and protecting wireless environments.

After mapping the PCI DSS 1.1 data model to the PTA vulnerabilities and countermeasures, we then built a baseline PTA threat model by adding corresponding threats and assets. We then converted our model into a generic PTA risk expertise library by using the "Save as Library" function. The baseline threat model PCI_DSS_1.1_Base_Model.thm is intended for use in self-assessments and by PCI risk assessors in developing customized business threat models. The PCI_DSS_1.1_Library.thl can be used by current PTA Professional users in order to integrate PCI DSS entities into their business threat model and create an integrated risk model for the entire enterprise.

Self Assessment with PTA PCI 1.1, step by step

Doing a risk assessment with PTA PCI 1.1 is faster, easier, more robust and a lot more fun than with an Excel spreadsheet or with the Microsoft Word self-assessment form.

A PCI DSS 1.1 risk assessment with PTA involves a two-stage process:

  • Stage 1 is a "first cut" review of the existence and completeness of key documentation of systems that store payment card data and how they are vulnerable to internal and external threats. This is done by cycling through the PTA threat model, tagging top-level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.
  • Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist are marked as Already Implemented in the PTA Professional Edition countermeasures detail screen. Controls needing work are tagged with an action-required status (see the tagging option of the PTA tool).

Using the PTA application for a self-assessment

Here is how you would use PTA PCI 1.1 in a self-assessment (after installing the PTA Professional Edition freeware on your Windows PC).

Extract the PTA PCI 1.1 zip file into a dedicated folder. The zip contains the PTA PCI threat model and attached documents.


  • Step 0 - Fire up PTA.
  • Step 1 - Open the "PCI_DSS_1.1_Base_Model.thm" data model in its entirety and get started using the sample model as your baseline; before you exit, don't forget to save the model under a new name.
  • Step 2 - Create assets with valuations.
  • Step 3 - Enter the costs of countermeasures; the model that we provide is agnostic, since we understand that each organization has its own estimates of how much a control policy should cost.
  • Step 4 - Run the "Optimized Risk Mitigation Plan" report.
    Congratulations! You have just built a cost-justified plan of controls compliant with PCI DSS 1.1.
  • Step 5 - Refine the model. Return to the model periodically and test effectiveness of your risk mitigation program. For a structured methodology of continuous security assessment see the article Practical software security assessment
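To make the Step 2 to Step 4 flow concrete, here is an added illustration (not code from PTA Technologies, whose actual calculation the page does not describe) of a PTA-style quantitative model: an asset with a dollar valuation, threats with probabilities, countermeasures keyed to PCI DSS 1.1 control numbers with costs, and a greedy selection of controls by risk reduction per dollar within a budget. All dollar values and probabilities are constructed, and the greedy ratio rule is an assumption standing in for PTA's optimization.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # asset damaged (key into ASSET_VALUES)
    vulnerability: str    # top-level PCI item the threat exploits
    probability: float    # annual likelihood, a constructed assumption

@dataclass(frozen=True)
class Countermeasure:
    pci_item: str         # PCI DSS 1.1 control number and title
    cost: float           # merchant's own cost estimate (Step 3)
    mitigates: str        # vulnerability it addresses
    effectiveness: float  # fraction of threat probability it removes

# Constructed sample model; the $ values and probabilities are illustrative only.
ASSET_VALUES = {"Cardholder database": 500_000.0}   # Step 2 valuation
THREATS = [
    Threat("Malware exfiltrates card data", "Cardholder database", "Req 5", 0.20),
    Threat("Internet attacker reaches internal network", "Cardholder database", "Req 1", 0.10),
    Threat("Login with vendor default password", "Cardholder database", "Req 2", 0.15),
]
COUNTERMEASURES = [
    Countermeasure("1.0 Install and maintain a firewall", 20_000.0, "Req 1", 0.8),
    Countermeasure("2.1 Change vendor-supplied defaults", 1_000.0, "Req 2", 0.9),
    Countermeasure("5.1 Deploy anti-virus software", 5_000.0, "Req 5", 0.6),
    Countermeasure("5.2 Keep anti-virus current and running", 2_000.0, "Req 5", 0.3),
]

def total_risk(applied, threats=THREATS, values=ASSET_VALUES):
    """Annualised expected loss: asset value x residual probability, summed over threats."""
    risk = 0.0
    for t in threats:
        p = t.probability
        for cm in applied:
            if cm.mitigates == t.vulnerability:
                p *= 1.0 - cm.effectiveness     # layered controls compound
        risk += values[t.asset] * p
    return risk

def optimized_plan(budget, countermeasures=COUNTERMEASURES):
    """Greedy plan: each round buy the affordable control with the best risk cut per dollar."""
    applied, remaining = [], budget
    while True:
        base = total_risk(applied)
        options = [cm for cm in countermeasures if cm not in applied and cm.cost <= remaining]
        gains = {cm: (base - total_risk(applied + [cm])) / cm.cost for cm in options}
        best = max(gains, key=gains.get, default=None)
        if best is None or gains[best] <= 0:
            return [cm.pci_item for cm in applied], base, budget - remaining   # order, residual risk, spend
        applied.append(best)
        remaining -= best.cost
```

With a tight budget the ratio rule buys 5.2 before the more effective but costlier 5.1, which is why the order of implementation matters as much as the list of controls.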


    For more information - Download the PCI DSS 1.1 standard in PDF format here: PCI DSS v1.1 Specification

Software Associates - Business security specialists for hi-tech firms