Organizations must increasingly demonstrate to their customers that they have sufficient protection, security, resilience, and privacy of their information, assets and systems, based on best practices. International information security standards applicable for all organizations such as ISO 27000 series or industry-specific information security standards such as PCI DSS and SWIFT were created for that reason. When organizations show their compliance to these standards, their customers acknowledge that they understand their risks, perform risk mitigation actions, create baseline security, and manage the risk on their systems. This does not mean that compliant organizations are free of risks or vulnerabilities, but they certainly have a better security posture than non-compliant organizations.
This chapter covers the main international standards related to information security that were created to be implemented worldwide, like ISO27001, ISO27002, or across certain industries like the Payment Card Industry Data Security Standard and SWIFT Customer Security Controls Framework.
ISO 27001 and ISO 27002
ISO standards are issued by the International Organization of Standardization and can be purchased at the ISO website (www.iso.org).
The current edition of ISO 27001 Information Technology, Security Techniques, Information Security Management Systems: Requirements1 was issued in 2013 and superseded the first edition issued in 2005,2 which preceded British Standard BS 7799 published by the British Standards Institution (BSI) in 1995.
According to ISO 27001, each organization should implement an information security management system (ISMS) and promote continuous improvement. This system should be designed according to each organization’s context considering internal and external aspects, business risks, interfaces, and dependencies.
Top management of each organization needs to be fully committed to the ISMS implementation by promoting and assuring that information security policies are aligned with the organization’s strategic objectives, internal processes, and needs to ensure the availability of the necessary resources through a properly documented and communicated information security policy. It is simply defined as “leadership and commitment” in the standard. In addition, top management must assign roles, responsibilities to ensure compliance with ISO 27001 requirements and report the ISMS performance.
You may also wonder about the definition of top management. It varies depending on the organizational structure, size, and responsibilities. In general, it should include the executive members responsible for taking strategic steps and deciding on behalf of the whole organization. In a significant number of countries with highly regulated markets, top management is also legally accountable for implementing an effective ISMS. Therefore, and considering that ISO 27001 is certifiable, as part of top management goals, organizations should certify their ISMS through an independent and accredited certification organization called a certification body .3 Additionally, ISO 27001 certification is becoming a requirement for many major organizations as part of their third-party risk assessment processes.
The organization must also delineate a security risk assessment process with established risk acceptance and performance criteria, and consistent, valid, measurable, and comparable results. You may also consider adding “improvable” to those criteria for continuous progress of the security posture in the organization (Figure 2-1). This risk assessment process identifies information security risks related to the potential loss of confidentiality, integrity, and availability, identifies each risk owner, its potential impact, and likelihood so its treatment can be prioritized.
ISO 27001 Risk management process
Each organization must implement and document the necessary in-house and outsourced processes to meet the information security objectives and requirements, ensure that these processes are executed as planned, control all planned changes, foresee the impact of unwanted changes, and take the appropriate mitigation actions to avoid potential negative impact.
Scope of the ISMS (clause 4.3)
Information security policy and objectives (clauses 5.2 and 6.2)
Risk assessment and risk treatment methodology (clause 6.1.2)
Statement of applicability (clause 6.1.3 d)
Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
Risk assessment report (clauses 8.2 and 8.3)
Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
Inventory of assets (clause A.8.1.1)
Acceptable use of assets (clause A.8.1.3)
Access control policy (clause A.9.1.1)
Operating procedures for IT management (clause A.12.1.1)
Secure system engineering principles (clause A.14.2.5)
Supplier security policy (clause A.15.1.1)
Incident management procedure (clause A.16.1.5)
Business continuity procedures (clause A.17.1.2)
Statutory, regulatory, and contractual requirements (clause A.18.1.1)
Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Considering its ISMS capabilities, each organization must adopt the best way to store and maintain these documents. It can vary from having hard-copy paper records (not very environment-friendly) to having a governance, risk, and compliance-vulnerability management tool managed by a team.
ISO 27001 performance evaluation is done by implementing monitoring, measurement, analysis and evaluation, internal audit processes, and management review.
The organization assesses its ISMS performance and effectiveness by determining what should be monitored and measured. Chapter 7 presents metrics that measure an organization’s security controls effectiveness. However, each metric threshold must be defined according to each organization’s risk appetite.
- a)
What needs to be monitored and measured, including information security processes and controls
- b)
The monitoring, measurement, analysis, and evaluation methods to guarantee valid results
- c)
The monitoring and measuring frequency and schedule
- d)
Who is accountable for monitoring and measuring
- e)
When the results from monitoring and measurement are analyzed and evaluated
- f)
Who is accountable for analyzing and evaluating the monitoring results
Information Security Policies
Organization of Information Security
Human Resource Security
Asset Management
Access Control
Cryptography
Physical and Environmental Security
Operations Security
Communications Security
System Acquisition, Development, and Maintenance
Supplier Relationships
Incident Management
Business Continuity Management
Compliance
Information Security Policies (Clause A.5)
This clause provides management guidance and support according to business requirements and applicable laws and regulations where the organization’s management must define and approve their information security policies. These policies must be published and disclosed to the organization’s employees and significant third parties (clause A.5.1.1).
These policies must be frequently reviewed according to established intervals or to ensure the policies’ effectiveness and suitability after major changes (clause A.5.1.2).
Organization of Information Security (Clause A.6)
Information security roles and responsibilities must be defined and internally assigned.
The organization must implement a segregation of duties to reduce the risk of undesired changes in the organization’s systems.
The organization must identify and maintain the appropriate channels with the authorities and special interest groups, like local CSIRT, relevant stakeholder’s collaborative information sharing initiatives (e.g., www.cybersechub.hk).
Information Security must be considered in all the organization’s projects.
The organization must also secure all remote access (telework) and mobile devices through the definition of a policy and the appropriate controls to protect the stored and processed information remotely accessed by their employees.
Human Resource Security (Clause A.7)
Organizations must implement appropriate processes to ensure the suitability of their employees and contractors to the roles before they are hired, during their engagement with the organization, and upon termination.
Before Hiring
The organization must implement an appropriate vetting process before hiring an employee by conducting background checks, such as criminal records, previous education and employment records, and reference checks, according to the perceived risk of the role.
The employment terms should also be presented to the future employee and contractors before hiring. These terms should include information security responsibilities and acceptable usage policy, including termination or reassignment.
Employees
The organization must also ensure that employees and contractors know their obligations by implementing an information security awareness and training program to advertise the related policies and procedures.
Employees must also be aware of the disciplinary actions for non-compliance with these policies and procedures.
Termination and reassignment
Employees and contractors must keep their information security responsibilities upon termination or reassignment. These responsibilities should be formally acknowledged during the onboarding process. The organization must have well-defined termination and reassignment processes to avoid situations like accumulation of privileges or terminated employees with active user accounts.
Asset Management (Clause A.8)
The purpose of this clause is to implement a suitable asset management system by identifying and classifying the organization’s assets, assigning responsibilities over those assets, and defining media handling procedures.
First, each organization must identify its assets and define and assign ownership and responsibilities by creating and maintaining an inventory of assets with the relevant information.
According to each asset classification, information and related assets’ acceptable use rules must be defined, documented, implemented, and disclosed across the organization. If applicable, employees and contractors must return the asset in their possession upon termination of their relationship with the organization.
Another important part of asset management is information classification . Organizations must classify and label their information, and the assets that process and store this information according to legal requirements and its value, criticality, and sensitivity. Organizations must also apply the security controls accordingly, including media handling controls and procedures like media transfer or disposal procedures.
Access Control (Clause A.9)
Organizations must implement physical and logical access controls to limit access to their information.
Primarily, organizations must establish an access control policy based on their specific context. This policy must be documented and frequently reviewed, considering the organization’s business and information security requirements.
All access to corporate resources like networks, systems, and applications must be granted on a “need to have” basis. Therefore, organizations must control access to networks and network services so their users can only access the resources they were explicitly authorized to use through user access management. To ensure the proper access rights assignment and revocation to all systems and services, these users must be formally onboarded and decommissioned through a user access provisioning process.
The assignment of privileged access to users must be restricted, monitored, and controlled.
User secret authentication information like passwords and soft and hard tokens must be controlled through a formal management process.
All user access rights must be periodically reviewed and removed upon termination or adjusted upon reassignment.
During the onboarding or reassignment process, users must acknowledge their responsibilities and be responsible for their authentication information according to the organization’s practices in using secret authentication information.
The organization’s access control policy must define how a secure logon procedure controls systems and applications.
Likewise, the organization must also define a password policy and implement a password management system to enforce the policy. The password policy must define password complexity, length, maximum age, minimum age, and reusability.
The use of programs that can override the systems and application controls must be limited and its use controlled.
Finally, organizations must also restrict and control access to their source code of programs.
Cryptography (Clause A.10)
Qatar National Cryptographic Standard from Qatar Ministry of Transport and Communications
The National Cryptographic Standards (NCS) from the Saudi Arabia National Cybersecurity Authority
NIST Cryptographic Standards and Guidelines (https://csrc.nist.gov/Projects/cryptographic-standards-and-guidelines)
Key management standards and procedures must also be defined to process cryptographic keys during their life.
Physical and Environmental Security (Clause A.11)
Organizations must implement several controls to avoid unauthorized physical access, deliberate or unintentional damage, or destruction of information and systems.
Physical security perimeters must be established to secure areas with critical and sensitive information and implement access control mechanisms and procedures to ensure that only authorized staff is allowed access. These perimeters must also be protected against other external threats like natural disasters, fire, floods, or power supply problems, among others.
In the same way, the remaining facilities must also be secured.
Exterior access points where external persons might enter the organization facilities, like delivery and loading areas, also have the appropriate access controls and, whenever possible, be separated from the processing facilities.
Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Similar controls must also be implemented to protect equipment and assets and avoid operations disruptions. Access to equipment must be controlled to prevent unauthorized access. Well-maintained equipment must be protected from environmental threats, supported by well-designed power and data cabling protected against interception, interferences, and destruction. These assets cannot leave the organization’s facilities without previous authorization. When that happens, the organizations must also ensure that those assets are protected.
The organization must also implement controls and procedures to ensure that sensitive information and licensed software are not present when the assets are disposed of or reused.
Users have an important role in protecting the organization’s assets by ensuring that the assets are protected before leaving them unattended (e.g., log out or lock screen before leaving their workstations) and removing all items from their desks. These measures must be defined by a “clear screen and clear desk policy” that all employees and contractors must acknowledge.
Operations Security (Clause A.12)
To ensure reliable and secure operations of information processing facilities, organizations must document their operating procedures and ensure that users have access to them if they need to.
Business process, system, and facility changes must be approved, documented, and controlled. Resources must be monitored and their usage forecasted to adjust their capacity to maintain the desired performance.
The organizations must also have distinct development, test, and production environments to prevent unauthorized access, modification of the production environment, and disclosure of production data. Development and test environments should not be populated with production data.
Systems must be protected against malware by implementing several combined anti-malware controls in conjunction with adequate user awareness programs.
Communications Security (Clause A.13)
To ensure the security of data in transit, the organization’s networks must be managed and controlled. The necessary security mechanisms must be identified and implemented and service levels and management requirements regardless of whether these services are assured by organization resources or by third parties.
Networks should be segregated, and information exchange between the organization and third parties must be regulated by established agreements between the parties and in compliance with the organization-related policies and procedures. These agreements must address the organization’s confidentiality and nondisclosure requirements.
System Acquisition, Development, and Maintenance (Clause A.14)
Organizations must ensure that their security requirements are met by the acquisition, development, and maintenance processes. Information security is a core part of information systems during their life cycle, including systems or services provided over public networks.
These information security requirements must be considered in all new information systems and major changes to existing systems.
When the organization’s services or applications use public networks, the organization must implement the appropriate security controls against fraudulent activity, unauthorized access, disclosure of information, and conflicting situations with the service provider.
The organization must take the appropriate measures to avoid their applications or services transactions being illegitimately or accidentally misrouted, changed, disclosed, duplicated, or replayed.
Information security requirements must be integrated into the development process (security by design) by defining a software and system secure development and change policy (and security baselines) applied across the organization. This is done by implementing change control procedures to ensure that all changes are reviewed and tested before going live.
Acceptance criteria must be defined, and new systems or applications, new versions, and major changes must be tested before going live. Security functionalities must be tested during the development process.
Test data must be carefully prepared, and development systems should not be populated with production data.
Software package changes should be avoided or limited to strictly necessary and be formally approved and documented.
Outsourced development must be managed and monitored.
Supplier Relationships (Clause A.15)
Information accessed by suppliers must be protected through the definition and implementation of information security requirements that should be documented in an agreement with the supplier that must clearly state what can be accessed, processed, stored, and communicated by the supplier. The supplier service delivery must be monitored and frequently reviewed, and audited.
Any changes to supplier services must be managed and the risks re-assessed considering the information criticality and the related systems and processes.
Incident Management (Clause A.16)
Organizations must implement information security incident management processes and procedures and establish responsibilities for a fast and effective response to those incidents that should include their expedited reporting through the appropriate channels.
All the organization users, including external parties, must report any potentially suspect action or weakness through the appropriate channels. All information security events (reported or automatically generated) should be evaluated and eventually classified as information security incidents according to the organization’s criteria. Documented procedures, such as incident playbooks, must be established to effectively respond to information security incidents.
The information security management procedures must ensure that any information that might be used as evidence is identified, acquired, collected, and preserved.
The “lesson learned” during the resolution of each information security incident should be used by the organization to decrease the probability and effect of similar future incidents.
Business Continuity Management (Clause A.17)
Organizations must ensure their information security in any adverse situation where the organization’s information is kept secure during a contingency. Therefore, the organization’s business continuity management process must include information security requirements through established, documented, and maintained processes, procedures, and redundant controls, and their effectiveness frequently verified.
Compliance (Clause A.18)
To ensure compliance with legal and contractual requirements, organizations must conform to all matters related to information security with their legal and contractual obligations. To do that, organizations must identify all applicable legislative and contractual requirements, including intellectual rights, and define and document the best approach to meet those requirements for each system and software product.
The organization must protect all records from being lost, destroyed, falsified, accessed, or released without authorization, in compliance with the law, agreements with third parties, and business requirements. The organization must also enforce privacy and protect all personally identifiable information.
Cryptographic controls must be used in accordance with the law and other obligations, and all information security policies, controls, processes, and procedures must be subject to internal compliance reviews. Additionally, independent compliance reviews must be conducted regularly or after major changes.
Information systems compliance with the organization’s policies and standards must also be regularly attested.
ISO 27002
ISO/IEC 27002 provides additional guidance for ISO 27001 relevant controls implementation by helping organizations select and implement adequate security controls and develop their information security management guidelines.
ISO 27001 Security Controls Clauses
Clause/Category | Security Control |
|---|---|
A.5 | Information Security Policies |
A.5.1. | Management direction for information security |
A.5.1.1. | Policies for information security |
A.5.1.2. | Review of the policies for information security |
A.6 | Organization of Information Security |
A.6.1. | Internal organization |
A.6.1.1. | Information security roles and responsibilities |
A.6.1.2. | Segregation of duties |
A.6.1.3. | Contact with authorities |
A.6.1.4. | Contact with special interest groups |
A.6.1.5. | Information security in project management |
A.6.2. | Mobile devices and teleworking |
A.6.2.1. | Mobile device policy |
A.6.2.2. | Teleworking |
A.7 | Human Resource Security |
A.7.1. | Prior to employment |
A.7.1.1. | Screening |
A.7.1.2. | Terms and conditions of employment |
A.7.2. | During employment |
A.7.2.1. | Management responsibilities |
A.7.2.2. | Information security awareness, education, and training |
A.7.2.3. | Disciplinary process |
A.7.3. | Termination and change of employment |
A.7.3.1. | Termination or change of employment responsibilities |
A.8 | Asset Management |
A.8.1. | Responsibility for assets |
A.8.1.1. | Inventory of assets |
A.8.1.2. | Ownership of assets |
A.8.1.3. | Acceptable use of assets |
A.8.1.4. | Return of assets |
A.8.2. | Information classification |
A.8.2.1. | Classification of information |
A.8.2.2. | Labeling of information |
A.8.2.3. | Handling of assets |
A.8.3. | Media handling |
A.8.3.1. | Management of removable media |
A.8.3.2. | Disposal of media |
A.8.3.3. | Physical media transfer |
A.9 | Access Control |
A.9.1. | Business requirements of access control |
A.9.1.1. | Access control policy |
A.9.1.2. | Access to networks and network services |
A.9.2. | User access management |
A.9.2.1. | User registration and de-registration |
A.9.2.2. | User access provisioning |
A.9.2.3. | Management of privileged access rights |
A.9.2.4. | Management of secret authentication information of users |
A.9.2.5. | Review of user access rights |
A.9.2.6. | Removal or adjustment of access rights |
A.9.3. | User responsibilities |
A.9.3.1. | Use of secret authentication information |
A.9.4. | System and application access control |
A.9.4.1. | Information access restriction |
A.9.4.2. | Secure logon procedures |
A.9.4.3. | Password management system |
A.9.4.4. | Use of privileged utility programs |
A.9.4.5. | Access control to program source code |
A.10 | Cryptography |
A.10.1. | Cryptographic controls |
A.10.1.1. | Policy on the use of cryptographic controls |
A.10.1.2. | Key management |
A.11 | Physical and Environmental Security |
A.11.1. | Secure areas |
A.11.1.1. | Physical security perimeter |
A.11.1.2. | Physical entry controls |
A.11.1.3. | Securing offices, rooms, and facilities |
A.11.1.4. | Protecting against external and environmental threats |
A.11.1.5. | Working in secure areas |
A.11.1.6. | Delivery and loading areas |
A.11.2. | Equipment |
A.11.2.1. | Equipment siting and protection |
A.11.2.2. | Supporting utilities |
A.11.2.3. | Cabling security |
A.11.2.4. | Equipment maintenance |
A.11.2.5. | Removal of assets |
A.11.2.6. | Security of equipment and assets off-premises |
A.11.2.7. | Secure disposal or reuse of equipment |
A.11.2.8. | Unattended user equipment |
A.11.2.9. | Clear desk and clear screen policy |
A.12 | Operations Security |
A.12.1. | Operational procedures and responsibilities |
A.12.1.1. | Documented operating procedures |
A.12.1.2. | Change management |
A.12.1.3. | Capacity management |
A.12.1.4. | Separation of development, testing, and operational environments |
A.12.2. | Protection from malware |
A.12.2.1. | Controls against malware |
A.12.3. | Backup |
A.12.3.1. | Information backup |
A.12.4. | Logging and monitoring |
A.12.4.1. | Event logging |
A.12.4.2. | Protection of log information |
A.12.4.3. | Administrator and operator logs |
A.12.4.4. | Clock synchronization |
A.12.5. | Control of operational software |
A.12.5.1. | Installation of software on operational systems |
A.12.6. | Technical vulnerability management |
A.12.6.1. | Management of technical vulnerabilities |
A.12.6.2. | Restrictions on software installation |
A.12.7. | Information systems audit considerations |
A.12.7.1. | Information systems audit controls |
A.13 | Communications Security |
A.13.1. | Network security management |
A.13.1.1. | Network controls |
A.13.1.2. | Security of network services |
A.13.1.3. | Segregation in networks |
A.13.2. | Information transfer |
A.13.2.1. | Information transfer policies and procedures |
A.13.2.2. | Agreements on information transfer |
A.13.2.3. | Electronic messaging |
A.13.2.4. | Confidentiality or nondisclosure agreements |
A.14 | System Acquisition, Development, and Maintenance |
A.14.1. | Security requirements of information systems |
A.14.1.1. | Information security requirements analysis and specification |
A.14.1.2. | Securing application services on public networks |
A.14.1.3. | Protecting application services transactions |
A.14.2. | Security in development and support processes |
A.14.2.1. | Secure development policy |
A.14.2.2. | System change control procedures |
A.14.2.3. | Technical review of applications after operating platform changes |
A.14.2.4. | Restrictions on changes to software packages |
A.14.2.5. | Secure system engineering principles |
A.14.2.6. | Secure development environment |
A.14.2.7. | Outsourced development |
A.14.2.8. | System security testing |
A.14.2.9. | System acceptance testing |
A.14.3. | Test data |
A.14.3.1. | Protection of test data |
A.15 | Supplier Relationships |
A.15.1. | Information security in supplier relationships |
A.15.1.1. | Information security policy for supplier relationships |
A.15.1.2. | Addressing security within supplier agreements |
A.15.1.3. | Information and communication technology supply chain |
A.15.2. | Supplier service delivery management |
A.15.2.1. | Monitoring and review of supplier services |
A.15.2.2. | Managing changes to supplier services |
A.16 | Incident Management |
A.16.1. | Management of information security incidents and improvements |
A.16.1.1. | Responsibilities and procedures |
A.16.1.2. | Reporting information security events |
A.16.1.3. | Reporting information security weaknesses |
A.16.1.4. | Assessment of and decision on information security events |
A.16.1.5. | Response to information security incidents |
A.16.1.6. | Learning from information security incidents |
A.16.1.7. | Collection of evidence |
A.17 | Business Continuity Management |
A.17.1. | Information security continuity |
A.17.1.1. | Planning information security continuity |
A.17.1.2. | Implementing information security continuity |
A.17.1.3. | Verify, review and evaluate information security continuity |
A.17.2. | Redundancies |
A.17.2.1. | Availability of information processing facilities |
A.18 | Compliance |
A.18.1. | Compliance with legal and contractual requirements |
A.18.1.1. | Identification of applicable legislation and contractual requirements |
A.18.1.2. | Intellectual property rights |
A.18.1.3. | Protection of records |
A.18.1.4. | Privacy and protection of personally identifiable information |
A.18.1.5. | Regulation of cryptographic controls |
A.18.2. | Information security reviews |
A.18.2.1. | Independent review of information security |
A.18.2.2. | Compliance with security policies and standards |
A.18.2.3. | Technical compliance review |
PCI DSS
Have you ever thought of an internationally accepted standard that is a list of security controls? Well, PCI DSS is that standard. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls released in 2004 by PCI SSC, founded by the major payment brands—Visa, MasterCard, Discover Financial Services, JCB International, and American Express. The fundamental goal of this standard was to secure cardholder data through numerous security controls to protect the data.
Card theft and fraud are always the main concerns of acquirers, issuers, and, of course, payment brands. The rise of the Internet in the 1990s and e-commerce already amplified those concerns. To protect card data, before PCI DSS, payment brands had their own compliance schemes—a list of security controls like Visa’s Cardholder Information Security Program, MasterCard’s Site Data Protection, or American Express’s Data Security Operating Policy with very similar goals: force merchant and payment service providers to have protection over the cardholder data and their environment. Although they had similar goals, the security controls they imposed were different. Instead of making the life of merchants easier, they became an obstacle to the progress of card transactions. Merchants had to comply with each compliance program of the payment brands in order to accept their cards.
Considering these constraints, the major payment brands aligned the compliance programs and policies into one standard to rule them all—PCI DSS.
The first version (v1.0) of PCI DSS was introduced at the end of 2004. All merchants accepting credit cards, as well as other payment processing organizations, were required to comply with the new standard. Later, the payment brands saw the need to establish governance of the standards, and they formed the PCI Security Standards Council. PCI SSC is now a global forum to maintain, develop and promote PCI standards to protect cardholder data. It is now led by a policy-setting executive committee, composed of representatives from the founding payment brands and strategic members, such as UnionPay. The standards are formed and developed with the help of feedback from several sectors. The board of advisors, which comprises representatives across the payment world like big merchants, major financial institutions, processors, and “participating organizations,” can provide feedback to the standards published by PCI SSC within the life cycle of the standard. With this feedback, PCI DSS v3.2.1 was published in May 2018 and v4.0 in 2022.
Although the PCI SSC has no legal authority to enforce compliance, it is the de facto requirement for any business that processes, stores, or transmits card transactions. Many, if not all, monetary authorities and banking regulation agencies mandate PCI DSS compliance for financial institutions and service providers and require merchants to be compliant.
Initially, it may seem that PCI DSS is a very hard standard to achieve and fully comply with. However, as mentioned earlier, PCI DSS does a good job establishing an objective standard on the security controls that fit nearly all environments. For example, many of the security frameworks that you find in this book only say, “create a password policy,” and leave the details to you, making it very subjective. In contrast, PCI DSS mandates that your passwords should be “at least seven characters.” For that reason, a more technical-oriented security professional would not have to struggle to understand the requirements.
There are many PCI DSS-related resources available online. The most useful would be the PCI DSS Quick Reference Guide,4 where you can have an overview of the standard, some details regarding the requirements, and some security tips. Another available resource is PCI DSS: an Integrated Data Security Standard Guide5 by Jim Seaman, which provides a detailed description of the history and evolution of PCI DSS and the security requirements.
- Build and maintain a secure network.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data.
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program.
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.
- Implement strong access control measures.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
- Regularly monitor and test networks.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
- Maintain an information security policy.
Requirement 12: Maintain a policy that addresses information security.
Goal 1: Build and Maintain a Secure Network
The purpose of this main goal is the protection of your outer perimeter. It contains requirements about firewall and router configuration (backups, having only stateful firewalls and anti-spoofing measures, NATing, etc.) and the proper change management mechanism of rules. It also contains requirements about the accuracy of your network diagram and all the data flows in the PCI DSS scope. You must know your environment well enough to ensure its safety and security.
Firewalls must be in place between any untrusted zones (including wireless networks) and cardholder data environment, and they should only allow business-need traffic to ensure a “layered defense” mechanism.
This requirement also mandates the presence of personal firewalls in portable computing devices (personal or company-owned) with connectivity to the Internet when outside the corporate network.
The second objective is to ensure the security of the system components (such as servers, databases, workstations, network devices, et al.). Apart from the mandate to change the vendor-defaults on the systems and applying hardening to the components, the standard also accepts that the organization may use an insecure implementation, such as having a legacy system that, if patched, the “nuke codes” will be revealed, or an ancient Java implementation that cannot establish a secure channel between two peers. However, in this case, the organization needs to implement “additional security features” to any insecure required service, such as encrypting the data itself while transferring it in a cleartext channel or implementing a network access control (NAC) solution that prevents an unauthorized device that may sniff the environment. It should be noted that this latter example is not valid for external networks but only internal networks that you have control over.
The second part of “know your environment well” refers to the inventory of the devices in the PCI DSS scope. The organization needs to maintain an up-to-date asset inventory. It would be very useful to keep track of the hardware and software, as the organization needs to take action on any end-of-life/end-of-support hardware and software.
It should also be noted that this requirement aims to minimize the risks and effects of compromise by instructing to only enable the necessary services, protocols, daemons and implementing one primary function per server. For example, consider a server that hosts both web applications and the database. If somehow the web server is compromised, it will be only a matter of minutes, if not seconds, to infiltrate the database. Whereas in a three-layered structure (e.g., front webserver, application server, database server), it may not be so easy to gain access to the data itself, if you have implemented additional security features, of course.
Goal 2: Protect Cardholder Data
Data-at-rest and data-in-transit protection are mentioned in this goal. The main objective of this goal is to safeguard the cardholder data, wherever it is stored or transferred to any untrusted location. The easiest method you may think of should be straightforward. Do not store cardholder data unless it is a must for you or your business.
Organizations that do not store cardholder data often get “not applicable” or “not tested” in many assessments, which is perfectly fine at the end of the day. However, if you are not sure if you are storing card data received from a defined or an unintended channel,6 you can use various tools to discover cleartext card data in many formats.
According to requirement 3.1, you should use these tools to perform discovery checks every quarter to make sure that no cardholder data is stored beyond its retention period. However, it is up to the organization to define a retention period based on business or legal requirements. Most financial institutions, such as banks, have five to ten years’ retention periods legally defined by their primary regulator. Whereas some service providers can choose to have card data not be stored in any of their systems so that related requirements become “not applicable.”
Most of the solutions can discover card data stored in a large number of different storage formats, including office documents, email clients, zip files, databases, file servers, shadow volumes, memory, audio files, and scanned files using optical character recognition (OCR).
One-way hashes based on strong cryptography (hash must be of the entire Primary Account Number (PAN))
Truncation (hashing cannot replace the truncated segment of PAN )
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key management processes and procedures.
Hashing Function
5555123456780004 | Original PAN |
|---|---|
+ | |
SHA-512 | Hashing algorithm |
= | |
f3ee23b6658e09a621b62346e3af7975 2e42e551bb4ad34b86f935b7de5df8ff 8c260a0dcd692d9ff6c541ec97aab628 359aae9cce501fb66ebc6d0d1adbcf54 | Hashed value |
Hashing Function with Salt
5555123456780004 | Original PAN |
|---|---|
+ | |
1amA5@LT | Salt |
+ | |
SHA-512 | Hashing algorithm |
= | |
4c4ef099af7ca33007eed77de996a3a7 e8ae3f3d48c5b59c075c086855065901 d9a5b2ee1079943f07ca33056cbd6dac 8a35eac60827e4eb6524ffb4b6ac45a3 | Hashed value |
The long string starting with f3ee23 can be cracked quickly, even with a home PC, if you have the rainbow table for SHA512 for all possible values. The preparation of the rainbow table would be pretty easy, considering that the original PAN is a 16-digit phrase. Whereas, if you add a “salt” to the PAN, it would take one octillion (1048) years to brute force this hash.
Hashing mechanisms can be used for fraud detection, where the fraud analyzer tool only needs a representation of the cardholder data, not the data itself. In the same way, the hashing can validate if the user has entered the correct PAN. The stored hash value is compared with the hash value of the user input if they match. Voilà.
Truncation
555512 | ****** | 0004 |
|---|---|---|
Issuing network (a.k.a. payment brand), IIN, and type of the card (debit, credit, or prepaid) | Truncated part | To distinguish the customer |
The first six digits contain the issuing network (a.k.a. payment brand), the Issuer Identification Number (IIN), sometimes referred to as the Bank Identification Number (BIN), and the type of the card (debit, credit, or prepaid). The last four digits give a good idea of who the customer is to the issuer bank. Although mathematically possible, there should not be two different individuals having two different cards with the same bank and same card type and ending with the same last four digits.
It is worth noting that hashed and truncated values should not be in the same environment (as per requirement 3.4.e), as it is quite trivial to find the actual card data even with the first digits of the hash data.16
Tokenization is substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, which has no meaningful value for attackers. Unlike encryption, the tokenization process is not based on mathematical encryption algorithms with keys and such. It depends on the token vault (or card data vault), where the original card data is stored and mapped to the token. Of course, to secure the data in the token vault, the sensitive card data can be encrypted, but this is apart from the tokenization process.
In most use cases, tokens can be used one-to-one with the card data. Most card data fields accept only 16-digit numerical characters, so the tokens can also be adjusted to be 16 digits. The advantage of tokenization over encryption is that it can be decrypted if you have a large enough set of encrypted data (since it is a mathematical process). Whereas, there is no mathematical connection to the real sensitive data they represent for tokenization.
PCI SSC released an information supplement for tokenization17 that describes its implementation and security considerations.
Encryption is the process of using a mathematical algorithm to transform plaintext into a non-readable form called ciphertext . An algorithm and at least one key are required to encrypt and decrypt the information. Keys can be for data encryption (DEK) and key encryption (KEK).
AES – 128 bits or higher
TDES/TDEA – triple-length keys
RSA – 2048 bits or higher
ECC – 224 bits or higher
DSA/D-H – 2048/224 bits or higher
Encryption
5555123456780004 | Plaintext |
|---|---|
+ | |
1amAs3cR3tK3yPCI | Secret Key |
+ | |
AES-128 | Algorithm |
= | |
32iAkH4dNhdw25EOA/phoH34Fx62U1Fj69+N952fb8A= | Ciphertext in Base64 |
The “secret key” is the most crucial element in this process, so it can also be encrypted by a key encrypting key (KEK) to protect it further. A KEK should be at least as strong as the data-encrypting keys they protect. Both data-encrypting keys and key-encrypting keys should only be accessed by individuals having business needs: key custodians. They are responsible for managing the encryption of the environment. They must sign a formal document stating that they fully understand and accept their key management responsibilities. The access to the cryptographic keys must be restricted to reduce the possibility of a compromise. The keys must be stored within a secure cryptographic device, typically a hardware security module (HSM) or PTS-approved point-of-interaction device POS devices. Their distributions need to be secure; they should not be distributed in the clear and should only be distributed to key custodians.
Key management also includes the key management cycle , meaning that every key must have a cryptoperiod . The “life” of a key ends at the end of a cryptoperiod or when it is compromised or suspected of being compromised. In both cases, encrypting data with those keys must be ceased, and new keys must be generated to encrypt new data. The old keys must be securely archived with a KEK to access or verify old data.
In cryptoperiods, the lifespan of a key is typically based on many factors such as key length, block size, algorithm, the volume of data encrypted, and the threat. NIST Special Publication 800-57 has a helpful recommendation document19 for key management and cryptoperiods. Key custodians (or key managers) should decide on the cryptoperiods based on their needs and the environment.
The second part of the goal is to ensure confidentiality in transit of the card data. When card data is transmitted over open, public networks, secure versions of protocols (i.e., TLSv1.1 or above) with only trusted keys and certificates should be used. This ensures that the card data remains confidential if traffic is intercepted or sniffed. Open networks can be the Internet, any wireless technologies, including 802.11 and Bluetooth, cellular technologies, such as Global System for Mobile communications (GSM), code-division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. For example, if POS devices are connected to the Internet through 4G/5G, either the channel should be TLSv1.1 or above, or the data itself is encrypted per requirement 3. In general, both are applied to POS devices; that is, the data itself is encrypted with trusted acquirer keys, and most of the POS devices, if not all, support TLSv1.1 or above.
Qualys SSLLabs report of pcisecuritystandards.org
If the organization uses wireless communication in internal networks and is included in the scope, then the same strong cryptography principles must be applied. Weak encryption, such as SSL or WEP, should not be used as a security control for authentication or transmission.
The last part of the requirement disallows sending card data via end-user messaging technologies such as emails, chat, and instant messaging. These technologies are very susceptible to packet sniffing, and therefore card data can be compromised. If a business needs to transmit card data via those channels, card data must be secured (i.e., encrypted, hashed, truncated, or tokenized). In addition, there must be written policies and procedures to prohibit sending data in the clear.
The standard gives flexibility for the users of legacy POS devices, where TLSv1.1 or above is not possible for the channel encryption to use SSL or early TLS if it can be verified that these devices are not susceptible to any known SSL/TLS exploits. Organizations need to fill Appendix A2 of the PCI DSS, in this case.
Goal 3: Maintain a Vulnerability Management Program
This set of requirements is about protecting PCI DSS scope systems against malware and managing antivirus software or programs. The standard requires that antivirus software should be installed and kept updated on all systems that can be commonly affected by malware, viruses, worms, ransomware, Trojans, rootkits, and so forth. The “commonly affected” systems are susceptible to malware. In the past, it was thought that this impacted only Windows devices, however, now that is not the case. Organizations must consider having antivirus or anti-malware solutions for Linux, Mac, Android, and POS devices. There was recently discovered malware that exploits critical vulnerabilities on those devices. Security professionals should perform annual risk evaluations on their environment and systems, whether their systems are susceptible to malicious software or not.
They should also follow vendor security notifications, released CVEs, and security groups to determine whether the systems are at risk. Five to ten years ago, an AV solution would not be required for an Android mobile device. However, currently, there are more than enough evolving threats to these devices to consider installing an antivirus app on your personal mobile device as well.
The standard also considers that antivirus solutions should be capable of detecting, removing, and protecting against malicious software. Antivirus software and its definitions must be kept current and updated and generate logs as per the logging requirements. In addition, it should not be altered or disabled by users. Organizations may consider using endpoint detection and response (EDR) tools to proactively detect and stop malicious behavior. They are not dependent on signatures but behavioral analytics, machine learning, and heuristics. Their primary working mechanism collects data, analyzes processes, detects anomalies, and stops them before they can move horizontally through the network. EDR tools can also be very helpful for forensics and threat hunting purposes. They collect a significant amount of relevant information to detect the anomaly and notify IT security staff to investigate in detail.
Conventional signature-based AV solutions can also be applied to comply with the requirement. However, in that case, signatures need to be kept current to somehow overcome “zero-day” attacks, need to perform periodic scans, and as always, produce logs. The easiest approach to maintain those tools would be through centralized management. Security professionals keep track of the AV versions, signatures, online/offline status of the AV agent, and collect logs.
The second part of the goal is to develop and maintain secure systems and applications, focusing on vulnerability and patch management and secure software development.
Whenever you have sensitive (or valuable) data, you become the target of malicious actors. Those actors always try (and sometimes succeed) to exploit every vulnerability they find to infiltrate into systems, exfiltrate sensitive data or cause a disruption. This is what makes timely patching essential to the overall security posture of the Cardholder data environment. Security vulnerabilities that are not patched in a timely manner can cause ingress points for hackers, or worse, possible paths for lateral movement through the network. The standard mandates that the organization must have an accurate and efficient vulnerability management program that identifies the vulnerability classifies the risk, remediate, or apply patches in appropriate periods of time, having retests for the finding and keeping the systems up-to-date.
The same principle applies to developed software applications. The standard mandates that all internal and external applications be securely developed, following the industry-accepted best practices and security as an indispensable part of the Software Development Life Cycle (SDLC).
Requirements need to be planned or investigated. Although this is particularly for the function of the application, security needs to be incorporated into this phase. PCI DSS has requirements for protecting the card data and transmission of data. These requirements must be reviewed before the design.
The blueprint or design of the application must be in line with the security requirements.
During development, secure coding guidelines must be followed with proper change control processes, such as impact analysis, sign-offs, verification of tests, and back-off procedures.
Common coding vulnerabilities (addressed in PCI DSS 6.5.x) must be addressed, and code reviews are required. Developers can choose to use only mature libraries and review the Open Web Application Security Project (OWASP)23 guidelines to overcome most known issues.
Testing must include test cases to measure the effectiveness of the security controls on the sensitive cardholder data. The application can be run in production only after ensuring the security controls are in place.
Even if the whole process contains security, there are always new threats. The standard also acknowledges that and mandates using a web application firewall or periodically reviews or tests the systems via automated or manual web application vulnerability assessment solutions. Web application vulnerability assessment is different from penetration testing because web application vulnerability is more focused on web application–related attacks, whereas penetration testing can be done on all systems.
− Tenable.io | − AppSpider |
− Qualys | − WebInspect |
− Netsparker | − Acunetix |
− AppScan | − Burp Suite |
Web application firewalls are security devices that filter or block non-essential traffic at the application layer and monitor the actual web traffic for potential application-layer attacks. Regular firewalls typically have rulesets that allow HTTP or HTTPS web traffic to pass through to web servers without any inspection of the request. Conversely, web application firewalls can inspect the request (or payload) and detect if it contains any malicious code such as cross-site scripting (XSS), injection attacks (such as those using SQL), or forged HTTP requests that do not conform with IETF specs.24 Most web applications can also react to certain issues, such as providing a false web server name or hiding it completely to somehow increase the efforts of malicious intent.
Goal 4: Implement Strong Access Control Measures
In this goal, the primary idea is to provide proper identity management for users and ensure that only authorized users with a valid business need are accessing the card data (logically and physically) to minimize the risk of compromise.
As a principle, card data should only be accessed by individuals having a valid and approved business “need to know.” To achieve that, first, we need to properly identify the users by making sure that everyone uses a unique ID and a strong password that is difficult to crack. This also applies to the non-logical world, where we use badges, locks, and keys. Physical access to systems that store, transmit, or process card data should only be allowed to users with a business need by using either CCTV cameras or access control mechanisms (or both). PCI DSS does not disallow visitors, but all visits must be logged with identifiable information, and visitors must be distinguishable from on-site personnel, for example, by wearing a different colored badge, and they have to be escorted.
When assigning privileges to users, the least privilege approach should be used, where only necessary rights should be given, and for others, it should be “deny all.”
Proper user-authentication mechanisms (something you know, something you have, something you are)
Minimum password length
Password complexity (e.g., containing alphanumeric characters)
Password lockout conditions and duration
Password age and rotation requirements
Idle session timeouts
User verifications when providing new credentials
Random and unique first-time passwords and obligation to change them after first use
Strong cryptography for password storage and transmission
In addition, this requirement mandates that user accounts should be immediately revoked for terminated users, and they should be disabled if they are not active for 90 days.
One other highlight of this requirement is multi-factor authentication (MFA). The organization needs at least two of the three proper user-authentication mechanisms for any non-console administrative activity, either remote or on-premises. It should be noted that using one factor twice is not MFA. PCI SSC has comprehensive guidance on MFA33 published right after version 3.2 introduced a new requirement to use MFA on administrative activities in corporate networks.
The last part of this goal is physical security. It mandates that any physical media containing cardholder data, including backups, must be secured during use, accounted for, and securely destroyed when no longer needed. Protection of devices that capture card data, such as POS devices or PIN PADs, must also be maintained. For example, an accurate inventory must be present and proper training should be given to the users on detecting tampering.
Goal 5: Regularly Monitor and Test Networks
The fifth goal is to make sure that the systems, components, in-house built software are tested and monitored for any malicious activity that would compromise the system. The difference between this goal and goal 3 is the amount of manual work involved.
The first section contains the logging requirements for the environment. Organizations should build up a logging mechanism that would monitor all required activities so that breach attempts can be identified, tracked, notified, analyzed, and, if breached, the root cause can be found. After finding the root cause, appropriate security measures can be set up to prevent further cases.
Who did the action?
What was the action?
When was the action?
Was the user successful or failed on the action?
Where did the action begin?
What are the systems affected?
- User ID
It answers the question, “Who did the action?” For non-repudiation, it is essential to use unique usernames or at least have the ability to precisely correlate them with the users.34
- Event type
Examples include simply logging on to the system, accessing a card data in a database, a privilege escalation command, adding/deleting a user or a system-level object,35 an attempt to crack the password by brute force, or stopping/initializing/pausing of audit logs.
- Date and time
Organizations need to ensure the time is correct and consistent using a time-synchronization technique. NTP is the most common one. Time data is required to be protected from unauthorized modifications. It is a privileged action in most operating systems, so it creates an audit log when the time is changed.
- Indication of success or failure
Failures are as important as successes. It can be a good indicator for possible brute force attempts if multiple failures of logins are received for a particular username in a specific period of time.
- The source of the event
It can identify the root cause of the problem. Generally, this would be patient-zero in most cyberattacks.
- The identity of the data, system component, or a resource that was affected
To measure the extent of the compromise, it is essential to detect the impact of the incident.
Organizations are required to ensure the integrity of the logs by using file integrity monitoring (FIM) or a change-detection tool. As mentioned, one of the first things that hackers do is try to cover their trail. This can be effortlessly achieved by erasing or changing the logs in an unprotected environment.
All security incidents
Logs of all system components that store, process, or transmit cardholder data
Logs of all critical system components
Logs of all servers and system components that perform security functions36
The second part of the goal refers to the analysis of the environment to ensure that possible infiltration points are thoroughly and regularly tested and remediated.
One infiltration method is to somehow connect or attach an unauthorized wireless access point to the network or the system, so the malicious users gain access to the network. Wireless access points broadcast SSIDs, and it is possible to scan the environment for rogue wireless networks and identify the device’s location by checking the signal strength and noise levels. This manual approach is time-consuming for most organizations, where a person needs to visit every floor of the buildings in scope with a laptop to list the unknown wireless devices. To solve this problem, automated processes can be implemented. Some wireless access point vendors provide rogue wireless network scanning that lists “other” wireless devices detected in the organization’s premises. It is possible to filter out the known ones, which yields only the ones that need investigation. Additionally, to reduce the risk of these attacks, organizations should also install an NAC solution to the environment and disallow any unknown, unauthorized device to be connected to the environment.
Another infiltration threat surface is the external and internal networks. Although goal 3 mandates the implementation of a web application firewall (WAF) or perform web application scans, those scans would not find operating system vulnerabilities, and hackers can easily exploit those weaknesses to gain full control of the system. Hence, it is also crucial to run external and internal vulnerability scans at least quarterly and after any significant change in the network or system.
External vulnerability scans need to be performed by Approved Scanning Vendors (ASV)37 whose scanning solutions are tested and approved by PCI SSC. ASVs are qualified and responsible companies to perform external vulnerability scanning in accordance with PCI DSS requirements and the ASV guide.38 ASV scans are automated scans initiated from the Internet, where some manual review is required for the final quarterly attestation report. ASV scans should not impact the organization’s normal operation, and they should not penetrate the environment or change it intentionally. ASVs are also responsible for getting feedback from the organization on the findings or disputed scan results since the scan can produce false positives or findings that require more evidence from inside the network.
Moreover, although the scanned organization is ultimately responsible for the scope of the scan, ASVs need to consult with the organization if ASV discovers an external component that is not defined as in the scope defined by the organization. ASV scans should be non-intrusive and include host and service discovery with an operating system and service fingerprinting. The scope should be not only the public-facing web applications but also any public-facing system or system components such as firewalls, routers, DNS, and email servers, including their operating systems, POS software, and remote access solutions.
Internal vulnerability scans are important to quickly identify vulnerabilities, as there would be some firewall restrictions to certain ports during external vulnerability scans. In contrast, internal scans should be performed with none or very limited restrictions to the ports, making it easier to detect weaknesses. Many organizations use credentialed (or authenticated) scans to increase the detection rate, where a privileged account is provided to the vulnerability management tool. This tool uses authenticated remote queries (WMI, for example, for Windows machines or remote SSH commands for Linux), and identify exact versions of the services, applications, patches applied can be gathered and compared with the vulnerable versions. Plus, authenticated scans collect more information from the system, such as a list of the processes, users, or listening ports, which provides more information to the tool to detect exposures accurately. This process, however, can be frustrating in large organizations where credentials are mixed and managed by multiple different administrators. Nowadays, with the introduction of host-based vulnerability scanner agents, there is no requirement to enter credentials to address this constraint. It is even possible to scan the systems daily. It should also be noted that most of the vulnerability management vendors now support integration with privileged access management (PAM) tools or password vaults, where only access credentials to the vaults are provided, not the credentials to the actual system.
Internal vulnerability scans must be performed by qualified individuals, internal resources, or external third parties. For internal resources, organizational independence is required. To not violate segregation of duties, scans should not be performed by the individuals managing the systems.
In goal 5, there are also penetration testing requirements. Penetration tests are different from automated scans. It is a very manual process yet a more efficient method to find the actual weaknesses in the systems. Automated scans only report the known vulnerabilities, and most of them are signature-based. Whereas, in penetration tests, following specific methodologies, the tester tries many ways to infiltrate the system and hop to another system to make new attacks or exploit any privilege escalation vulnerability to penetrate further into the environment.
PCI DSS mandates the implementation of a penetration testing methodology that covers both application and network layers in the entire cardholder data environment and other connected critical systems. PCI SSC published comprehensive guidance on penetration testing,39 which can be used as a starting point for creating such a methodology.
Penetration testing methodology should also cover segmentation controls. Although it is not a requirement when isolating cardholder data environment from other non-related networks, it can significantly reduce the PCI DSS scope. Hence, the effort needed to be fully compliant and reduce the risk.
Goal 6: Maintain a Policy That Addresses Information Security
Information security policy
Risk assessments
Acceptable usage policies
Information security roles and responsibilities
Security awareness program
Information security perspective of employee vetting and onboarding processes
Tracking third-party service provider’s PCI DSS compliance
Incident response processes and training for incident response teams
Prioritization
Prioritization Milestones41
Milestone | Goals |
|---|---|
1 | Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for organizations that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise are greatly reduced. If you don’t need it, don’t store it |
2 | Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for access points to most compromises and the processes for responding. |
3 | Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data. |
4 | Monitor and control access to your systems. Detect the who, what, when, and how concerning accessing your network and cardholder data environment. |
5 | Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store primary account numbers (PAN), this milestone targets key protection mechanisms for stored data. |
6 | Finalize remaining compliance efforts, and ensure all controls are in place. Complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment. |
PCI SSC also publishes other standards such as PCI Payment Application Data Security Standard, PCI PIN Entry Devices Standard, PCI Software Security Standards, and many more. Check out http://www.pcisecuritystandards.org for more information.
SWIFT: Customer Security Controls Framework
Society for Worldwide Interbank Financial Telecommunications (SWIFT) provides safe and secure financial transactions for member financial institutions. Each member institution is assigned a unique ID code that identifies the bank name and country, city, and branch. This ID is designated as Bank Identification Code (BIC).
In March 2017, in the scope of their Customer Security Programme (CSP), SWIFT released Customer Security Control Framework 1.0 (Table 2-7), defining a security baseline with 27 security controls (16 mandatory and 11 advisory) to be implemented by member financial institutions. Every time there is a change to the SWIFT connection architecture setup (or annually), each institution must conduct a self-assessment and attestation that all mandatory security controls are implemented and submit it to SWIFT. All member financial institutions had to be fully compliant through 2018.
Data exchange: The data transport layer between the organization back-office and the on-premises SWIFT infrastructure
On-premises SWIFT infrastructure: A group of specific SWIFT components managed by the member financial institution that includes systems, applications, network devices, tokens, removable media, and other related support hardware and software
Operators: The end users or administrators that interact directly with the on-premises SWIFT infrastructure
Operator workstations: The end-user or administrator computers to operate or manage the on-premises SWIFT infrastructure
List of SWIFT CSP CSCF v.1.0 Controls
Control or Section |
|---|
1. SWIFT Environment Protection |
1.1 SWIFT Environment Protection |
1.2 Operating System Privileged Account Control |
1.3 Virtualization Platform Protection |
1.4 Restriction of Internet Access |
2. Reduce Attack Surface and Vulnerabilities |
2.1 Internal Data Flow Security |
2.2 Security Updates |
2.3 System Hardening |
2.4 A Back-office Data Flow Security |
2.5 A External Transmission Data Protection |
2.6 Operator Session Confidentiality and Integrity |
2.7 Vulnerability Scanning |
2.8 A Critical Activity Outsourcing |
2.9 A Transaction Business Controls |
2.10 Application Hardening |
2.11 A RMA Business Controls |
3. Physically Secure the Environment |
3.1 Physical Security |
4. Prevent Compromise of Credentials |
4.1 Password Policy |
4.2 Multi-Factor Authentication |
5. Manage Identities and Segregate Privileges |
5.1 Logical Access Control |
5.2 Token Management |
5.3 A Personnel Vetting Process |
5.4 Physical and Logical Password Storage |
6. Detect Anomalous Activity to Systems or Transaction Records |
6.1 Malware Protection |
6.2 Software Integrity |
6.3 Logging and Monitoring |
6.4 A Intrusion Detection |
7. Plan for Incident Response and Information Sharing |
7.1 Cyber Incident Response Planning |
7.2 Security Training and Awareness |
7.3 A Penetration Testing |
7.4 A Scenario Risk Assessment |
SWIFT also defined four distinct secure zone architecture categories, types A1, A2, and A3, where the financial institution has variations of on-premises SWIFT infrastructure implementations and type B, where the financial institution has no on-premises (“no local footprint”) SWIFT infrastructure. Some controls are not mandatory depending on the type of architecture, being A1 the type with most mandatory controls and type B with the least mandatory controls.
A new total of 29 controls, with 19 mandatory controls and 2 new controls
- New mandatory controls
2.6: Security Operator Sessions
2.7: Yearly Vulnerability Scanning
5.4: Physical and Logical Password Storage
- 10 controls advisory (2 new)
- new advisory
1.3A: Virtualization Platform Protection
2.10A: Application Hardening
It also made available information on how guidelines should be interpreted and implemented and other clarifications about the existing controls.
Since then, two other versions have been released: SWIFT CSCF v2021 and v2022. The latest version defines one more reference architecture type, to a total of five. In the new architecture (A4), an application locally installed is used as an interface between the financial institution and the service provider (e.g., service bureau).
Guidance changes to Internet access
Extended third-party control to cloud providers, where the users are still accountable for their infrastructure security, and the financial institution must have the assurance from the third parties that the outsourced services and externally hosted infrastructure are compliant with the CSP security controls
The use of MFA becomes necessary to access any SWIFT service or application operated by a service provider
There are three types of assessments under the CSP (self-assessment, community-standard assessment, SWIFT-mandated assessment) for financial institutions to verify that their attestations correspond with their actual level of security control implementation. Self-assessment may be classified as non-compliant by January 2022. Community-standard assessments should be performed as of 2021, including independent external and internal assessments. Sometimes, the SWIFT CSP Assurance Team mandates financial institutions to have independent cybersecurity companies audit their compliance with CSP as part of the independent assessment framework, or SWIFT-mandated assessments. Those independent companies should have relevant knowledge and expertise to execute a cybersecurity-oriented operational assessment such as PCI DSS, ISO 27001, NIST 800-53, or other CSP assessments and have completed such assessments recently. Although it is not an exhaustive and authorized directory, SWIFT has a list of cybersecurity companies42 and CSP assessors43 registered to SWIFT.
Summary
To have a global standard for information security management that can be applied to organizations of any size or any industry, ISO created the ISO 27000 series, which includes legal, physical, and technical controls on managing the information security risks. Organizations can be certified by independent external bodies to demonstrate and validate that they follow the industry-accepted best practices.
For the payment industry, there was the need to have a consolidated standard to protect the card data, merchants, acquirers, issuers, and payment schemes, because each payment brand had its own merchant compliance program. PCI DSS was created to establish security controls for payment providers, and it has many technical requirements from top to bottom, designed to protect cardholder data. In many countries, compliance with PCI DSS is becoming a must for any organization that transmits, processes, or stores card data.
The need to define and comply with similar security baselines was also required for cross-border electronic fund transfers to respond to major incidents in the SWIFT system. For that reason, SWIFT published the CSCF and obliged members to be compliant with the framework to continue working with SWIFT.
It should be noted that these standards are generally accepted across several industries. However, some countries needed to publish their own standards to address specific requirements, which are explained in the next chapters.