SAFETY AND SECURITY IN E-COMMERCE
EC335.O21.TMCL - GROUP 01 - PCI DSS
Student Name - ID
- 21522474 – Nguyễn Mai Hữu Phúc
- 21520513 – Nguyễn Thị Cẩm Tú
- 21522353 – Trần Ngọc Diễm My
I. Objective/ Overview
- PCI-DSS stands for Payment Card Industry Data Security Standard. The standard
is developed by the PCI Security Standards Council, which was formed in 2006.
- The PCI-DSS sets forth the minimum security features that must be in place to
limit the chances of a cardholder data compromise. Merchants that comply with
the PCI-DSS are less likely to suffer a breach event.
- All entities that store, process or transmit cardholder data must validate PCI-DSS
compliance. Merchants should work directly with their acquiring bank for
instructions on how to validate PCI compliance.
II. Requirements
1. Build and Maintain a Secure Network and Systems
1.1 Requirement 1: Install and maintain a firewall configuration to
protect cardholder data
Description:
- Firewalls protect internal networks by inspecting network traffic and comparing it
to a set of configured rules. Entities must review and update firewall configuration
rule sets every six months. Firewall rules must limit traffic to only those Ports and
services which are known, documented and required for business purposes. There
must be a business justification for any open port and service.
Solution:
- Verify and limit inbound and outbound traffic, thereby reducing the risk of
exposure to untrusted networks. You can set firewall configuration rules and
policies, keep track of network configuration changes, install personal firewall
software on any mobile devices, and more.
- Define and Document Firewall Rules: Create a policy stating that all firewall
rule changes require testing before implementation.
- Technology: Firewall management software (e.g., Cisco Firepower Management
Center, Palo Alto Networks Panorama) allows centralized configuration and
testing of firewall rules.
1.2 Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters
Description:
- Cybercriminals and bad actors have easy access to vendor supplied defaults. If
these default passwords and accounts are not changed and disabled they can be
used to exploit internal networks and compromise cardholder data.
- Wireless networks require that all default settings are changed including
passwords, passphrases, SNMP community strings, etc. All insecure or
undocumented services should be removed to ensure they cannot be exploited for
access to internal networks.
Solution:
- Create and configure strong passwords to secure devices and prevent intruders
from hacking your devices. You can also change vendor-supplied defaults and
remove or disable unnecessary default accounts before installing a system on the
network.
- Secure Configuration Management Tools: Leverage configuration management
tools (e.g., Ansible, Chef) to automate the deployment and management of secure
configurations across multiple systems, reducing the risk of human error.
- Implement Password Management: Utilize a password manager (e.g.,
HashiCorp Vault, CyberArk) to securely store, manage, and rotate complex
passwords for all systems.
2. Protect Cardholder Data
2.1 Requirement 3: Protect stored cardholder data
Description:
- Eliminate storage of cardholder data in all possible circumstances. Cardholder data
should be limited to that which is required for legal, regulatory, or business needs.
Sensitive Authentication Data (SAD) can never be stored after authorization.
Sensitive Authentication includes the data on the magnetic stripe and EMV chip,
CVV, PIN / PIN Block.
- Cardholder data can be stored when necessary, but must be rendered unreadable.
Cardholder data includes the PAN (Primary Account Number), expiration date,
and cardholder name.
Solution:
- Periodically scan for regulated data in your CDE, set up data retention policies,
and prevent leaks via email, removable media, and printers. Additionally, get
visibility into SSH and SSL environments and take control of the keys to preempt
breaches and compliance issues.
- Encryption at Rest and In Transit: Encrypt all stored cardholder data using
strong algorithms like AES-256. Additionally, encrypt data transmissions
whenever cardholder information is transferred between systems.
- Technology: Encryption solutions like hardware security modules (HSMs) or
cloud-based encryption services can be used to secure data at rest. Secure
protocols like TLS/SSL can be used to encrypt data in transit.
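The two controls above (scanning the CDE for regulated data, and rendering stored PANs unreadable) as an added example, not code from the original report: a Luhn-checked PAN finder plus truncation, masking and a keyed hash. The regex, sample log line and key are constructed for the demo.

```python
"""Constructed example (not from the page): discover PAN-like numbers in text
(regex + Luhn check) and render a PAN unreadable by truncation, masking or a keyed hash."""
import hashlib
import hmac
import re

# 13-19 digits, optionally separated by single spaces or dashes (constructed pattern)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return digit-only candidates that look like a PAN and pass Luhn (for CDE scans)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first 6 and last 4 digits; the middle is discarded."""
    return pan[:6] + pan[-4:]

def mask_pan(pan: str) -> str:
    """Masking for display: first 6 and last 4 visible, the rest replaced by '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): a plain SHA-256 of a PAN can be brute-forced
    over the small PAN space, so the secret key must be kept separate from the table."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

# Constructed sample log line: one leaked test PAN plus a 13-digit order reference.
SAMPLE_TEXT = "order 4111 1111 1111 1111 shipped; ref 1234567890123 ok"

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_TEXT):
        print(mask_pan(pan), truncate_pan(pan), hash_pan(pan, b"demo-key")[:16])
```

The order reference is 13 digits long but fails the Luhn check, so only the test PAN is reported.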
2.2 Requirement 4: Encrypt transmission of cardholder data across
open, public networks
Description:
- Any transmission of cardholder data over public networks must be encrypted
using strong cryptography to avoid compromise by a cybercriminal or bad actor.
The encryption method in use must use a secure version and appropriate
encryption strength. Primary Account Numbers can never be sent through end-user
messaging (e.g., chat, email, IM).
Solution:
- Evaluate and assess the network which stores, processes, or transmits cardholder
data against applicable PCI DSS requirements, and make sure that the
information in transit across public networks is fully protected by
end-to-end 256-bit AES encryption.
- Secure Protocols for Payment Processing: Utilize secure protocols like Secure
Remote Payment (SRP) or Payment Card Industry Data Security Standard (PCI
DSS) compliant APIs provided by payment processors. These protocols ensure
secure communication during online payment transactions.
- Technology: Payment processors typically offer various secure integration
methods. Choose solutions that are compliant with PCI DSS and provide strong
encryption for data transmission.
3. Maintain a Vulnerability Management Program
Vulnerability management is the ongoing process of identifying and
addressing weaknesses in your payment card system's security. This
includes finding flaws in procedures, system design, and internal controls
that could be exploited by attackers.
3.1. Requirement 5: Protect all systems against malware and regularly
update anti-virus software or programs
To protect against malware, all vulnerable systems (like desktops and servers) must have
up-to-date anti-virus software that runs continuously and scans regularly. Logs are
created to track activity. Users cannot disable anti-virus without special management
approval. Clear policies and procedures on this are essential for everyone to understand.
- Solution: Automate anti-virus software installation across network devices. You
can also perform periodic evaluations to identify and evaluate evolving malware
threats in systems, and take necessary actions against these threats.
3.2. Requirement 6: Develop and maintain secure systems and applications.
Identify software and system vulnerabilities and apply appropriate security patches.
Vulnerabilities related to custom software can be avoided by applying software lifecycle
(SLC) processes and secure coding techniques.
- Solution: Scan, identify, and assign risk rankings to newly discovered security
vulnerabilities, and automatically update critical patches with zero human
intervention.
4. Implement Strong Access Control Measures
4.1. Requirement 7: Restrict access to cardholder data by business need to
know.
The principle of “need to know” means that an individual only has access to the least
amount of data necessary to perform their job function. This access is based on roles.
This principle extends to access to system components which should be set to “deny all”
users not specifically granted authorization.
- Solution:
Use role-based access control (RBAC) capabilities to define and assign access to
chosen users with well-defined permission levels. You can also restrict privileges
to the least necessary needed to perform job responsibilities.
4.2. Requirement 8: Identify and authenticate access to system components
All users must authenticate access to system components using a unique ID. This ensures
accountability for all actions taken. Passwords must be strong, containing a minimum of
7 alphanumeric characters.
Multi-Factor Authentication (MFA) must be implemented. MFA requires a second piece
of authentication in addition to a password. This typically looks like a code sent to a
device, biometric scan, or key fob/smart card.
- Solution: Get reports on the status of user accounts, including that of inactive
users, to ensure that users who have been terminated are removed from file access
lists.
You can also define parameters to create passcode policies, configure passcode
settings, enable two-factor authentication, maintain inventory logs for all
identity-related activities, and more.
4.3. Requirement 9: Restrict physical access to cardholder data.
Video monitoring and/or access control must be used to control and monitor physical
access to secure areas within the cardholder data environment. Access data must be
retained for 90 days unless prohibited by law.
Any media containing cardholder data must be destroyed when no longer needed. For
example, paper forms containing cardholder data should be shredded when they have
passed the defined retention period. Also maintain a list of point of interaction devices
and protect them from being tampered with or replaced.
- Solution: Maintain inventory logs related to media containing cardholder data that
aid in conducting periodic media inventory audits, which enables you to destroy
that media when it is no longer required.
5. Regularly Monitor and Test Networks
5.1. Track and monitor all access to network resources and cardholder data
5.1.1. Short description: Requirement 10 mandates the implementation of logging
mechanisms to record and monitor all individual access to systems that store, process,
or transmit cardholder data. It aims to create accountability by linking actions to
individual users and ensuring that all activities, especially those with administrative
privileges, are traceable.
5.1.2. Solution (with technology and specific solutions):
- Set up audit trails to link system access to individual users (one of the two main
solutions)
TECHNOLOGY
● Operating System Logging:
Windows:
Event Viewer: https://learn.microsoft.com/en-us/shows/inside/event-viewer
Group Policy: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-object-access
Linux:
Auditd: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening
Systemd journal (journalctl): https://ioflood.com/blog/install-journalctl-command-linux/
macOS:
Console: https://support.apple.com/guide/console/welcome/mac
Auditd: https://docs.freebsd.org/en/books/handbook/audit/
● Application Logging: Most applications have their own logging options in the
settings.
● Network Monitoring: Use network monitoring tools like Wireshark, tcpdump, or
Nmap
● User Access Management (UAM): Use UAM solutions like Active Directory,
OpenLDAP, or FreeIPA.
● Intrusion Detection System (IDS): Use IDS solutions like Snort, Suricata, or
Zeek.
+ Automate audit trails to log specific user activities, access attempts, and system
changes (one of the two main solutions)
TECHNOLOGY
● Operating System Logging Tools: Most operating systems come with built-in
logging tools to track user and system activities. Examples:
Windows: Event Viewer, Group Policy Auditing
Linux: Auditd, Systemd journal
macOS: Console, Auditd
● Application Logging Tools: Many applications also have their own logging tools
to track user activities within the specific application.
● User Access Management (UAM) Solutions: Most UAM solutions offer logging
functionalities to track user activities, including access, configuration changes, and
other actions. Examples:
Active Directory: Windows Event Viewer, Group Policy Auditing
OpenLDAP: Audit logs, Access Control Lists (ACLs)
FreeIPA: Audit logs, Access Control Lists (ACLs)
● Intrusion Detection System (IDS): An IDS monitors network and system activity
to detect suspicious behavior that might indicate an attack. IDS typically logs
information about these events, including the associated user (if identifiable).
Examples:
Snort: Snort logs, alerts
Suricata: Suricata logs, alerts
Zeek: Zeek logs, alerts
● Log Management Solutions: Log management solutions centralize the storage,
security, and analysis of logs from various sources, including operating systems,
applications, UAM, and IDS. These solutions simplify log management and
analysis, enabling more efficient security incident investigation. Examples:
● LogRhythm: https://logrhythm.com/
● Splunk: https://splunkbase.splunk.com/app/748
● Elastic Stack (ELK): https://www.elastic.co/
+ Record detailed audit entries for all events, including user ID, event type, and
outcome.
+ Synchronize all system clocks using time-sync technology.
+ Protect audit trails from alteration.
+ Regularly review logs to spot unusual activities, with daily checks for critical
events.
+ Keep audit history for one year, with three months readily accessible.
+ Service providers must quickly detect and report security system failures.
+ Document and disseminate security policies and procedures to all relevant
personnel.
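The audit-trail items above (entries carrying user ID, event type and outcome; protection from alteration; regular review) as one added example that is not part of the original report: a hash-chained trail whose entries are linked by HMACs so any edit or deletion is detected, plus a helper for the daily review of failed logins. The field names, the HMAC key and the failure threshold are assumptions for the demo.

```python
"""Constructed example (not from the page): an append-only, hash-chained audit
trail carrying the fields Requirement 10 calls for, plus a daily-review helper."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry

class AuditTrail:
    """Each entry is authenticated with an HMAC that also covers the previous
    entry's HMAC, so editing, deleting or reordering any entry breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key            # keep the key outside the log store (e.g. an HSM)
        self.entries: list[dict] = []
        self._last = GENESIS

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id: str, event_type: str, outcome: str, resource: str) -> dict:
        """Append one entry: who, what, result, where, when, linked to the previous one."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user_id": user_id,
                 "event_type": event_type, "outcome": outcome,
                 "resource": resource, "prev": self._last}
        entry["mac"] = self._mac(entry)
        self._last = entry["mac"]
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev") != prev or not hmac.compare_digest(e.get("mac", ""), self._mac(e)):
                return i
            prev = e["mac"]
        return -1

def failed_auth_by_user(trail: AuditTrail, threshold: int = 3) -> dict:
    """Daily-review helper: users whose failed authentication count reaches threshold."""
    counts: dict = {}
    for e in trail.entries:
        if e["event_type"] == "auth" and e["outcome"] == "failure":
            counts[e["user_id"]] = counts.get(e["user_id"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}
```

Forwarding each entry's MAC to a separate log server as it is written turns the chain into a record the CDE host cannot silently rewrite.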
5.2. Regularly test security systems and processes
- Short description: Requirement 11 mandates that organizations conduct frequent
tests on their security systems and processes. This includes vulnerability scans,
penetration testing, and the use of intrusion detection and prevention systems to
monitor network traffic. The goal is to maintain a robust security posture by
adapting to new threats and changes in the environment.
- Solutions:
+ Quarterly check for and inventory all wireless access points; have a response plan
for unauthorized detections.
TECHNOLOGY
● Network Discovery Tools: These tools scan your network to identify all
connected devices, including WAPs. Popular options include:
Angry IP Scanner (Free and Open-Source): https://angryip.org/download/
Advanced IP Scanner (Freeware): https://www.advanced-ip-scanner.com/
Nmap (Free and Open-Source): https://nmap.org/ (Requires command-line knowledge)
● Wireless Network Controllers (WNCs): If you have a managed Wi-Fi network,
your WNC might have built-in discovery and management features for your
WAPs.
+ Conduct quarterly internal and external vulnerability scans; address found
vulnerabilities and ensure passing scans.
+ Annually perform both external and internal penetration tests, and after significant
changes; test segmentation controls semi-annually.
+ Use intrusion detection/prevention to monitor and protect the network; keep
security measures current.
+ Implement mechanisms to detect unauthorized changes to system files and
configurations.
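The last item above (detecting unauthorized changes to system files and configurations) as an added example, not code from the original report: a minimal file-integrity monitor that baselines hashes, sizes and modes of configuration files and reports what was added, removed or modified. The monitored file patterns and the sample files are assumptions for the demo.

```python
"""Constructed example (not from the page): a minimal file-integrity monitor that
baselines configuration files and reports unauthorized additions, removals and changes."""
import hashlib
import tempfile
from pathlib import Path

PATTERNS = ("*.conf", "*.cfg", "*.ini")   # assumed set of monitored config files

def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> {hash, mode, size} for every monitored file under root."""
    baseline = {}
    for pat in PATTERNS:
        for p in sorted(root.rglob(pat)):
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p), "mode": st.st_mode & 0o777, "size": st.st_size}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; any non-empty list should raise an alert for review."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def demo() -> dict:
    """Baseline constructed files, simulate an unauthorized edit and an unexpected
    new config file, then return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("debug = off\n")
        (root / "db.ini").write_text("host = db01\n")
        (root / "notes.txt").write_text("not monitored\n")
        baseline = build_baseline(root)
        (root / "app.conf").write_text("debug = on\n")           # unauthorized change
        (root / "extra.conf").write_text("listen = 0.0.0.0\n")   # unexpected new file
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it (signed, or on a separate server), otherwise an attacker simply re-baselines after the change.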
6. Maintain an Information Security Policy
6.1. Maintain a policy that addresses information security for all personnel
- Short description: Requirement 12 mandates the creation and upkeep of a
comprehensive information security policy that is communicated to and
understood by all personnel. It serves as the foundation for the organization's
security practices and outlines the expected behavior and responsibilities of staff
regarding data protection.
- Solution:
+ Create and share a security policy, review it annually or with environmental
changes.
+ Conduct annual risk assessments and after significant changes to identify and
evaluate risks.
SPECIFIC SOLUTION:
● FMEA (Failure Mode and Effect Analysis): A structured process for identifying
potential failure modes within a system, analyzing their effects on operations, and
prioritizing mitigation strategies.
● Risk Scoring Matrix: Assigns scores based on the likelihood and potential impact
of a risk. This helps prioritize risks and allocate resources for addressing the most
critical ones.
+ Formulate policies for the proper use of critical technologies by all personnel.
+ Define information security responsibilities within the security policy for all
personnel.
+ Assign specific information security duties to designated personnel or teams.
+ Run a security awareness program to inform all personnel about security policies.
+ Pre-employment screening to reduce internal security risks.
+ Manage and oversee service providers handling cardholder data.
+ Service providers must confirm their responsibility for cardholder data security in
writing.
+ Develop and be ready to execute an incident response plan for system breaches.
+ Service providers should conduct quarterly reviews and document them.