
PCI Compliance

Agenda
• PCI Compliance Overview and Setup (LAB 1)
• PCI Compliance Scanning (LAB 2)
• PCI Compliance Reporting (LAB 3)
• Web Application Scanning for PCI
• Self Assessment Questionnaire (LAB 4)
• Qualys Policy Compliance (PC) (LAB 5)
PCI DSS BASICS

3 Qualys, Inc. Corporate Presentation


PCI Data Security Standard
Data Security Standard¹:
• The DSS was built to provide a framework for cardholder data security.
• It is an outline of requirements, both technical and operational, to protect said data.

Continuous cycle:
1. Assess
2. Repair
3. Report

¹https://www.pcisecuritystandards.org/
PCI Stakeholders
Payment Brands – Define compliance standards
Acquirer – Bank that verifies compliance
Approved Scanning Vendor – Required by PCI DSS for performing PCI compliance scans
Scan Customer or Merchant – Responsible for defining PCI scope and maintaining compliance with the PCI DSS
PCI Security Standards Council

Founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.

“The PCI Security Standards Council is a global forum for the ongoing
development, enhancement, storage, dissemination and
implementation of security standards for account data protection.”1

1https://www.pcisecuritystandards.org/
Role of the PCI SSC

The PCI Security Standards Council:
• Outlines the PCI Data Security Standard (validated requirements and recommendations)
• Certifies Approved Scanning Vendors
• The Self Assessment Questionnaire
• Certifies Qualified Security Assessors

http://www.pcisecuritystandards.org
PCI DSS¹
1. Install and maintain a secure firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

¹Navigating the PCI DSS (v3.2) from
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Approved Scanning Vendor

To become an Approved Scanning Vendor (ASV), Qualys completed the following requirements:
1. Applied as a company
2. Completed the scanning vendor testing and approval process
3. Executed an agreement with the PCI SSC
ASV Responsibilities and Requirements

§ Perform External Vulnerability Scan without IDS/IPS interference, and determine if the scan customer passed the assessment.
§ Submission of the Attestation of Scan Compliance sheet.
§ No dangerous or disruptive testing (scans do not intentionally alter or penetrate the customer environment).
§ Provide a means for the scan customer to dispute the findings of the ASV’s scan.
§ PCI reporting.
§ Consulting with the scan customer to determine if the IP addresses found are included in scope.
§ Retain results for at least 2 years.
§ Perform Host and Service Discovery, OS Fingerprinting.
§ Account for Load Balancers.

**https://www.pcisecuritystandards.org/documents/asv_program_guide_v2.0.pdf
PCI SCOPE



Cardholder Data Environment

• The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
**The primary account number is the defining factor for cardholder data. If cardholder name,
service code, and/or expiration date are stored, processed or transmitted with the PAN, they
must be protected in accordance with applicable PCI DSS requirements.
Scope of PCI DSS
• PCI DSS applies to all system components that store, process, or
transmit cardholder data and/or sensitive authentication data.
• The PCI DSS requirements apply to all system components
included in or connected to the cardholder data environment.
• “System components” include network devices, servers, computing
devices, and applications.

**https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Network Segmentation

Network segmentation is not a PCI DSS requirement. However, it makes good sense because it may reduce:
• The scope of the PCI DSS assessment
• The cost of the PCI DSS assessment
• The cost and difficulty of implementing and maintaining
PCI DSS controls
• The risk to an organization (reduced by consolidating
cardholder data into fewer, more controlled locations)

**Source: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
QUALYS COVERAGE OF PCI DSS



Qualys Coverage of PCI DSS Requirements

o 11.2.2 External Scan (with Advanced Workflow)
  • False Positive Submission
  • Qualys Attestation
  • Compliance Report Submission to Acquiring Bank
o 6.6 Web Application Scanning
o 1.1.6 Open Services Report
PCI Advanced Workflow

1. Review scan results and remediate vulnerabilities.
2. Submit false positives from the Current Vulnerabilities list (Request Review, then Approval).
3. Generate compliance reports.
4. Receive the counter-signed attestation.
5. Submit the certified report to the acquiring bank.
Additional Qualys Coverage
Qualys Vulnerability Management (VM)
✓ 11.2.2 External Scan (PCI Option Profile)
✓ 11.2.1 Internal Scan
✓ 6.1 Ranking of Internal Vulnerabilities (PCI Report Template)
Qualys Web Application Scanning (WAS) and Web Application Firewall (WAF)
✓ 6.6 Web Application Scanning
Qualys AssetView (AV)
✓ 2.4 Inventory of in-scope components
Qualys Policy Compliance (PC)
✓ PCI DSS Mandate (requirements 1 – 12)
QUALYS PCI COMPLIANCE APPLICATION



Home Page

Areas of the home page: Compliance Status, Network Scans, Navigation, Quick Answers and Help, SAQ.

Navigation

Click any section in the left navigation pane to see a list of options.
Users

All users have the same access privileges.


Symantec VIP

Use two-factor authentication to access your account.

• Activate Symantec VIP for two-factor authentication.
• Download the Symantec VIP app to your smart phone or tablet.
Account Settings

• Edit Merchant name and address
• Add your bank’s information – necessary for submitting the report
• Subscription information
IP Assets

• View existing IP addresses and Domains.
• Add/Remove IPs.
• View Out of Scope IPs.
• Launch Discovery Scan.
Getting started - IP Wizard
PCI COMPLIANCE SCANNING



Qualys Cloud Platform

• Qualys Platform: strong data encryption, firewalls, IDS, TLS communications
• External Scanner Pool: scans external assets
• Internal Scanner (in the corporate environment): scans internal assets
• Cloud assets hosted at IaaS providers
• Qualys user

Appliances support Vulnerability Management, Policy Compliance, and Web Application Scanning.
PCI DSS Requirement 11.2

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network, such as:
• new system component installations
• changes in network topology
• firewall rule modifications
• product upgrades
PCI DSS 11.2.2
External Scanning

• “Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
• Perform rescans as needed, until passing scans are achieved.”
Scanning Lifecycle
PCI Workflow for External Scanning

1. Log in, run the New Asset Wizard (connect and share), and scan.
2. Review scan results and remediate vulnerabilities.
3. Submit false positives from the Open Vulnerabilities page; approval.
4. Open the compliance status page and submit the attestation; counter-signed approval.
5. Log in, scan, and submit the certified report to the acquiring bank.
PCI Network Scanning

Network scans target external facing hosts within your PCI scope.
PCI Network Scanning
Scheduled Scans

Automate your PCI scans using the Qualys Scheduler.


Bandwidth Options

Bandwidth presets (High, Medium, Medium-Low, Low, Lowest) allow you to control the amount of network bandwidth consumed by the PCI scan traffic.
Scan Results

Download and view any scan result.


Vulnerability List

Search for an IP; filtering mechanisms narrow the list by vulnerabilities and severity level.
Vulnerability Details
Compliance Scanning Objective

So, what do we REALLY need to fix for PCI compliance?
Answer: Fix the vulnerabilities with the fail flag.

Sort by PCI Fail Vulnerabilities.


Vulnerabilities – PCI Pass/Fail

• Qualys PCI uses the CVSS Base score provided by NIST.
• If no CVSS score exists, the service provides one.
PCI Fail Summary
False Positives

• All false positives need to be submitted every quarter and approved by your ASV.
  o Approved false positives carry a 90-day life.
  o Qualys PCI automates the false positive submission process.
• Submit false positives 2 weeks before any deadline.
• Approved false positives will be displayed in your generated PCI reports.
False Positive
Request for Review

• Submit the request from the “Current Vulnerabilities” list.
• Repeat steps two and three multiple times before submitting a false positive.
• The process repeats every 90 days.

1. Scan your environment.
2. Fix all vulnerabilities.
3. Rescan to verify all vulnerabilities are fixed.
4. Submit false positives.
5. Verify false positives are approved.
6. Reporting process.
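As an added example (not code from the Qualys slides), the following Python model applies the pass/fail rule and the false positive rules described above: a finding carries the fail flag by CVSS base score, and an approved false positive excepts it for a 90-day life. The 4.0 threshold is the ASV Program Guide's automatic-fail cut-off and is an assumption here, since the slides only say to fix fail-flagged items; all IPs and QIDs are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the ASV Program Guide's automatic-fail threshold (CVSS base score
# of 4.0 or higher); the slides themselves only say "fix the fail-flagged items".
ASV_FAIL_THRESHOLD = 4.0
# From the slides: an approved false positive carries a 90-day life.
FALSE_POSITIVE_LIFETIME = timedelta(days=90)

@dataclass(frozen=True)
class Finding:
    ip: str
    qid: int            # vulnerability ID; sample values below are constructed
    title: str
    cvss_base: float    # CVSS base score (NIST's where one exists)

@dataclass(frozen=True)
class ApprovedFalsePositive:
    ip: str
    qid: int
    approved_on: date

def pci_fail_flag(finding):
    """A finding fails PCI when its CVSS base score meets the ASV threshold."""
    return finding.cvss_base >= ASV_FAIL_THRESHOLD

def is_excepted(finding, approvals, today):
    """True if an approved, unexpired false positive covers this IP/QID pair."""
    for fp in approvals:
        if (fp.ip, fp.qid) != (finding.ip, finding.qid):
            continue
        if fp.approved_on <= today < fp.approved_on + FALSE_POSITIVE_LIFETIME:
            return True
    return False

def evaluate_scan(findings, approvals, today):
    """Return (passed, failing, excepted): failing items still block compliance."""
    failing, excepted = [], []
    for f in findings:
        if not pci_fail_flag(f):
            continue            # low/informational findings do not affect the result
        (excepted if is_excepted(f, approvals, today) else failing).append(f)
    return len(failing) == 0, failing, excepted

# Constructed sample data (not real scan output, not real QIDs)
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 900001, "Expired TLS certificate", 5.0),
    Finding("203.0.113.10", 900002, "HTTP TRACE method enabled", 4.3),
    Finding("203.0.113.11", 900003, "Server banner disclosed", 2.6),
]
SAMPLE_APPROVALS = [ApprovedFalsePositive("203.0.113.10", 900002, date(2017, 1, 10))]
```

Running `evaluate_scan(SAMPLE_FINDINGS, SAMPLE_APPROVALS, date(2017, 2, 1))` leaves only the certificate finding failing; once the approval is 90 days old the TRACE finding fails again unless it was resubmitted.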
PCI COMPLIANCE
WITH
VULNERABILITY MANAGEMENT



Qualys Vulnerability Management (VM)

• 11.2.2 External Scan (PCI Option Profile)
• 11.2.1 Internal Scan
• 6.1 Ranking of Internal Vulnerabilities (PCI Report Template)
Link PCI to VM
Scan with PCI Option Profile

Perform external scans (PCI 11.2.2) using an external scanner appliance.


Export External Scans to Qualys PCI

Export scan results to Qualys PCI in preview pane.

Alternatively: run the final scan in the PCI Compliance application, after verifying results in VM.
PCI DSS 11.2.1
Internal Scanning

• “Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (identified in Requirement 6.1) are resolved.”
• Ranking of internal vulnerabilities changed from recommendation to requirement (6.1 req.) on June 30, 2012.
Internal Scanning Approach
Recommended:
1. Scan with “Initial Options” Option Profile
2. Report using PCI Scan Report Template
3. Remediate all High Severity (CVSS 7-10) Vulnerabilities
Internal Scan Report Template

• Scan internal systems for PCI compliance (PCI 11.2.1) using Qualys VM.
• Rank internal vulnerabilities per the 6.1 requirement.
Internal Scanning and Ranking

1. Scan hosts within internal PCI scope.
2. Create a PCI Scan Template and run a report.
3. Remediate the “High” vulnerabilities.
4. Scan again to verify those vulnerabilities are fixed.
5. Report using the template to verify a clean internal report.
Lab 2

Mapping and Scanning



COMPLIANCE REPORTING



Compliance Home

Shows the overall compliance status, the in-scope IPs, a link to view vulnerabilities, and a download of the report of current vulnerabilities.
Report Flow

1. Scan
2. Vulnerability Remediation
3. False Positives Process
4. Generate Report
5. Submit Report for Attestation
6. Receive Report back from ASV
7. Submit Report to Acquirer

The Reporting Workflow begins at step 4. Reports must be submitted to your acquiring bank on a quarterly basis.
Reports – Reporting Wizard

• Use the Report Generation Wizard to “help you review findings, perform required attestation, generate PCI network reports that you can later submit to your acquiring bank for PCI certification.”
Attest to Scan Compliance

• Merchant/Service Provider will submit the report to the ASV.
• ASV will sign the document.
Executive Report
Technical Report
Tracking Reports

• Generated
• Pending Review
• Attested
• Submitted
Submit to Bank

Once Qualys attests to your submission, you can then submit the report to your bank.
Report Submission Contents

The report will contain the following:

1. Coversheet with Attestation of Scan Compliance from the customer and Qualys.
2. Executive Summary containing the overall PCI score with any approved false positives and special notes.
3. Scan vulnerability details.
Acquiring Bank

• Validates Merchant compliance.
• Reports to credit card companies.
DSS – Open Services
Section 1.1.6

“Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.”
Open Services Report

Identify authorized and unauthorized services.
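As an added example (not Qualys code), this Python check compares one discovery scan's open services against the documented business justifications that 1.1.6 calls for, and separately flags allowed-but-insecure protocols whose security features are not documented. The set of "insecure" protocols, the justification records and the discovered services are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: an illustrative set of protocols treated as "considered to be insecure";
# the slides do not list which protocols fall in that class.
INSECURE_SERVICES = {"ftp", "telnet", "http", "snmp"}

@dataclass(frozen=True)
class Justification:
    port: int
    protocol: str                   # "tcp" or "udp"
    service: str
    business_reason: str
    security_features: tuple = ()   # documented mitigations, required for insecure services

@dataclass(frozen=True)
class OpenService:
    ip: str
    port: int
    protocol: str
    service: str

def classify_open_services(discovered, justifications):
    """Sort discovered services into authorized, unauthorized, and
    insecure-but-undocumented buckets following the 1.1.6 wording."""
    allowed = {(j.port, j.protocol, j.service): j for j in justifications}
    result = {"authorized": [], "unauthorized": [], "insecure_undocumented": []}
    for svc in discovered:
        justification = allowed.get((svc.port, svc.protocol, svc.service))
        if justification is None:
            result["unauthorized"].append(svc)           # no business justification on file
        elif svc.service in INSECURE_SERVICES and not justification.security_features:
            result["insecure_undocumented"].append(svc)  # allowed, but mitigations not documented
        else:
            result["authorized"].append(svc)
    return result

# Constructed sample data: a documented allow-list and one discovery scan's open services
SAMPLE_JUSTIFICATIONS = [
    Justification(443, "tcp", "https", "customer checkout site"),
    Justification(80, "tcp", "http", "redirect only", ("301 redirect to HTTPS, no content served",)),
    Justification(21, "tcp", "ftp", "nightly settlement file upload"),
]
SAMPLE_DISCOVERY = [
    OpenService("203.0.113.10", 443, "tcp", "https"),
    OpenService("203.0.113.10", 80, "tcp", "http"),
    OpenService("203.0.113.10", 21, "tcp", "ftp"),
    OpenService("203.0.113.11", 23, "tcp", "telnet"),
]
```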


Lab 3

Compliance Report



WEB APPLICATION SCANNING



DSS 6.6 In-Scope
Web Applications
Address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods¹:

1. Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. (Qualys WAS)
2. Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. (Qualys WAF)

1 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Qualys WAS
Overview

Automated Testing (Fault Injection)

• Primarily syntax-based checks:
  ✓ submit “specially crafted” characters
  ✓ observe the server’s response

Supplements Manual Testing Results

• Automated tools effectively detect Web application bugs.
• Human beings are much better at discovering program design flaws.
Automated Testing

Easily detected by automated tools:

• Cross site scripting
• SQL injection
• Command injection
• Misconfigurations

This represents 80 – 85% of Web application vulnerabilities.


Do Automated Tools Get Everything?

• Logic Errors and Design Flaws: point of authentication vs. point of authorization
  o Forced Browsing Links – user forces access to an unauthorized link.
• Permission Errors: file system permissions have a significant impact on application security.
  o Public file share that has employee payroll and medical records.
These types of vulnerabilities typically require manual testing and detection.
Web Application Scanning

WASC (www.webappsec.org) divides Web vulnerabilities into six categories:
• Authentication
• Authorization
• Client-side Attacks
• Command Execution
• Information Disclosure
• Logical Attacks
Web Application Scanning
Introduction of Web Application Security
Testing a Web App for Vulnerabilities

• Targeted Protocols: HTTP and HTTPS (any port number).
• These are standard web app services and in most cases are open.
Web Application Architecture

DMZ: the Client Browser (IE, FF, Safari, iCab, etc.) communicates over HTTP/HTML with the Web Server.
Internal: the Application, its Application Database, Legacy Service, Merchant Services, etc.
Qualys WAS Lifecycle

1. Define the Application
2. Discovery Scan
3. Vulnerability Scan
4. Report
Qualys PCI
Web Application Setup

New Web applications are created in the ACCOUNT section of navigation pane.
Qualys PCI
Web Application Auth Record
Crawl via authenticated or non-authenticated user.

Best Practice: Test Web applications from the perspective of multiple user levels.
Qualys PCI
Web Application Scan
Qualys PCI
Web App Scan Results
View Scan results and report
SELF-ASSESSMENT QUESTIONNAIRE



Merchant Level Requirements

Merchant Levels 2, 3, and 4 are eligible for the Security Assessment Questionnaire.
SAQ - A

Card-not-present Merchants, All Cardholder Data Functions Outsourced
• Third party handles processing, storage, and/or transmission of cardholder data.
• Merchant confirms third party handling of cardholder data is PCI DSS compliant.
• Merchant does not store or process cardholder data.
SAQ - B

Merchants with Only Imprint Machines or Standalone, Dial-Out Terminals
• Does not transmit cardholder data over a network (either internal or Internet).
• Standalone dial-out terminal not connected to other systems.
• No data stored in an electronic format.
SAQ - C

Merchants with Payment Application Systems Connected to the Internet
• Company has a payment application system and an Internet connection on the same device and/or same local area network (single store LAN only).
• The payment application system/Internet device is not connected to any other systems within
• Merchant does not store data electronically.
SAQ – C-VT

Merchants with Web-Based Virtual Terminals
• Company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser.
• Computer is isolated and not connected to other locations or systems.
• Merchant’s VT is provided and hosted by a PCI DSS validated third party.
• No electronic storage of data.
SAQ - D

All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ
• All SAQ-eligible merchants not outlined in A, B, C, C-VT.
SAQ Tips

• Any answer of “No” is considered non-compliant.
• Yes, N/A, and Compensating Controls are the other options.
• “Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, …but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.”
PCI SAQ v3 Content
Qualys Security Assessment Questionnaire (SAQ)
Lab 4

SECURITY ASSESSMENT QUESTIONNAIRE



POLICY COMPLIANCE



PCI DSS Mandate

Addresses areas in all twelve (12) requirements of the PCI DSS.


Lab 5

PCI DSS POLICY



Thank You

training@qualys.com
