Answering Common PCI DSS Questions for Small and Medium Businesses

If you’re a small or medium business, chances are good that you fill out the Self Assessment Questionnaire (SAQ) for PCI compliance, and you probably have questions.

SecurityMetrics Podcast | 73


Security Analyst Marcus Call (QSA, CISSP, CISA, Security+) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:

  • Common questions about PCI DSS requirements
  • Understanding which requirements are applicable to you
  • Where to go for additional help filling out the SAQ

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Answering Common PCI DSS Questions for Small and Medium Businesses

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited to have with me today Marcus Call.


Marcus is a colleague of mine that has had a lot of experience in various parts of SecurityMetrics. And so when we got asked to do this topic, it was, hey, there are a lot of people who are trying to fill out their own SAQs and struggling with it. Can we get somebody to just come and talk to you about how to do that? And I was like, oh, I know the guy because he's done this.


Marcus, thanks for joining me.


Yeah.


Will you tell people a little bit about yourself?


Yeah. My name is Marcus. I've been at the company now for about seven years here at SecurityMetrics, and I started in our entry level support team.


My original role at the company was to help small merchants that were filling out their own SAQs to help them understand what they were filling out. And so my role initially was to help people understand and navigate that site and the SAQ. And then over the time I've been here, I've moved through different portions and departments of the company. And now I've been an auditor here at SecurityMetrics for the last four years.


Well, thank you. And you know what I've noticed is that a lot of people, especially small merchants, these are entrepreneurs who know a lot of things. They know a lot about their business. And then all of a sudden, they're expected to also know a lot about PCI and a lot about technology in order to do these SAQs, which is, I mean, the learning curve for small business owners is just incredibly steep.


And so we want to acknowledge that if you're struggling with this, it's not because you don't have the brainpower to get it. It's because this is just one more thing with one more set of skills that you have not yet been exposed to. And hopefully, we can give people the knowledge and skills so that they can do it. And what's really rough about the SAQs is that they start off with firewall questions, which are some of the hardest questions.


So you jump in there and then you get hit with this question. Okay. Is inbound and outbound traffic restricted to what is necessary for the cardholder data environment?


You know how many times I had a client call in to the support center and ask questions about this line item specifically?


Yeah. Because it means a lot of things.


They don't know what inbound or outbound traffic is sometimes.


Yeah. Well, why should they?


They've never had to deal with it.


So what is inbound and outbound traffic?


Inbound and outbound traffic. So inbound and outbound traffic is when Internet traffic occurs. It's when I go to a website, I am sending a request, some data, across the Internet to a different server on the Internet. So if I wanna go to Google or SecurityMetrics, I would go to that website. I would type in www.securitymetrics.com or www.google.com, and I am sending traffic from my computer out onto the Internet. And then that website, SecurityMetrics, Google, whatever website you're navigating to, sends traffic back. So now there's outbound and inbound traffic.


Right. Exactly. But the other piece of this is one of the hardest things to really understand and clarify no matter what size of organization, and that is "necessary for the cardholder data environment."


What is the cardholder data environment?


Well, the cardholder data environment is the environment in which you interact with credit card information. Now that's a very generic way of rephrasing cardholder data environment. Mhmm. But if you wanted to do it from a technical perspective, it's the network on which your systems that interact with credit cards exist.


Right. And a lot of times we'll abbreviate it to CDE. Yeah. And so if you know what your CDE is, then you know what you're supposed to be answering the questions about because the CDE is what you're protecting. And so a lot of these requirements are about protecting the CDE. Mhmm.


But if you have a simple data flow, so let's say you only take cardholder data on a single swiper device. Mhmm.


And it's connected into your network.


Right, then, of course, this question would be something that's in scope. In scope means you have to answer it. So you have to answer it for your cardholder data environment if it could in some way affect the security of the data that's flowing. Right? So that's how you kinda have to think of it. And sometimes we'll get people who are like, I just need to understand exactly what my CDE is, and then I can answer everything else. So sometimes we'll get people who will, like, engage us in consulting.


I don't know if you've done some consulting. Yeah. Plenty.


And so almost fifty percent of what I do for consulting is just helping people understand what their... Helping them define their scope.


Mhmm. What their scope is, where that CDE is, what's connected to that CDE. And so that's what that's all about. That's a lot of words about one question.


Oh, yeah.


We could go on for days about just one specific section too.


So if you got to that question and went, I don't know. There's good reason for it. It's okay to get help. Alright.


So here's another one, and I love this one, because wireless networks. Here's the thing. Are perimeter firewalls installed between all wireless networks and the cardholder data environment? And are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the CDE? So the question is, what is this about firewalls between your wireless environment and your CDE?


Or why is that even important?


Well, wireless in general is an insecure network. Right? Like, if I have my computer, which happens to be on wireless right now, Mhmm, and I'm communicating on the same Wi Fi that you're on, Mhmm, you would be able to listen to whatever I'm sending. And if it's encrypted, maybe you wouldn't be able to, but by the inherent nature of wireless, it's completely listenable by anyone else out there.


Yeah. And so that's why we care about it. It's kind of a bad idea to use it no matter how you try and secure it because it's really hard to secure, and you're leaving information out there for people to see. And so you wanna have firewalls to make sure, if you have wireless in your organization, in your small business, let's say you have a small business.


And we see all the time you've got your guest wireless, Mhmm, and your non-guest wireless.


Yep.


And we just wanna make sure there's a firewall that's protecting the data flow between there.


And oftentimes that wireless network that is set up for the guest wireless and the employee Wi Fi is usually actually a firewall itself, where you can use that same wireless access point to segment those two networks. All this is asking is really, are you doing something to segment those two networks?


Right. And sometimes it requires a slightly more expensive Wi Fi solution in order to do that. Yeah. But it's worth it because of the protection you get, the security you get, from a slightly more expensive wireless solution.


Okay. So let's hop from the ones. Anything that starts with one is all about your network. And so then we're going into twos. The twos are all about, did you harden your systems? Are you changing passwords?


That type of thing.


And the first one we get is, do system configuration standards include all of the following? And then there's a whole list of things. And people say, what the heck is a system configuration standard? What does that even mean?


I think this might be one of the hardest things, from my experience, to explain to some of the small merchants that I've worked with, because a lot of these small mom and pop shops or merchants are using a computer just to enter credit cards through a virtual terminal. Mhmm.


Oftentimes they aren't creating configuration standards for the one computer they're using in their entire environment.


Oftentimes they might not have even set up that computer in the first place. They probably picked it up at their local Best Buy or whatever their local electronics store is. Yeah. And had them configure it.


Right.


And so when you start talking about configuration standards, it's what are the rules for setting up a new system on your network? Mhmm. What are the rules for securing that system in your environment?


And these people that didn't set it up, they don't know how to work with computers. One of the hardest things is to create a policy or standard or a procedure, Mhmm, in regards to those computers that they never even worked with.


My favorite question to ask, if it's a third party, so a lot of these smaller merchants will use a third party IT solution.


Yeah.


Which is great. I mean, as long as your third party IT understands some basics about security. Because sometimes you have third party IT that does not do security. They just do let's make it work and make it function, but they don't do the part about let's make it secure. And so I'll say, okay, ask your third party what configuration standard they use to set up your systems.


And if they don't have an answer for that, probably they didn't think about the security of it. Or not to, you know, besmirch a lot of groups, but this is the answer they'll get. We used CIS.


Did you?


And there's very easy ways to determine if you did or not. Within a couple minutes, we can scan a computer and tell if you follow the CIS standards or not.


Yep. We have tools for that, but you probably don't. So how would you know? And so, really, all you can do is know that you need to ask what configuration standard was followed. And at the very least, if you're using a computer system to enter cards into, then you need to ask, okay.


Are there any passwords here that more than one person knows? Was anything changed? Was anything locked down?


If you don't know how to answer those questions, then probably it wasn't set up to any kind of a configuration standard. So that's just from a very high level.


So you'll wanna kind of dig into that. What are these configuration standards? Don't just kinda blow past and say yeah, yeah, yeah because something is hard to understand.


You need to know what each of these things means before you go on to the next question.


Definitely. You said something there that reminded me of something when I was working as an entry level support technician.


And one of the things is, when you're helping someone fill out their self assessment questionnaire, the merchant is responsible for filling it out. So I can never tell a merchant what answer to select because I don't have the information about their environment. Right?


But what I would frequently tell them is the goal is to be able to answer yes or maybe not applicable to every question on the self assessment questionnaire.


And, unfortunately, sometimes what I've seen is some of these merchants hear that, and they don't even wanna hear anything else I have to say. And they click, yeah, yeah, yeah.


Yeah, yeah, yeah. Because they don't want to learn about firewalls or security standards or anything like that.


They just wanna get this over with. And I get that. So unfortunate.


Yeah. No. I get it. It's just one more thing that they have to deal with. And so they kind of do this internal risk assessment and say, well, I'm just gonna say yes and walk away, and hopefully nothing bad happens. Unfortunately, we live in an era where the hackers are really good at stuff. And so chances are good that if you don't adequately meet all of these things and understand them so you can meet them, you're gonna open yourself up for a breach.


Definitely.


And if you don't wanna answer any of question one or question two, spend the money and get a P2PE device.


Now that helps reduce a lot of the technical security controls.


And a lot of people are going, oh, great.


What's that?


Point to point encryption. Right? Yeah.


So it's a device that has met a lot of standards.


It encrypts things at swipe, and it can't be decrypted until it reaches the processor.


A lot of people don't choose it. Why?


Expense.


Expense.


Yes. And if you do try to use a P2PE device, make sure that you work with your acquiring bank to get a validated P2PE device.


Oh, yes. I think that's one of my biggest frustrations, when an organization spends the money and the time to put in P2PE only to find out that whoever their service provider was that provided that system wasn't being entirely forthcoming.


And it was actually close to P2PE but never validated.


Yeah.


Well, if a third party hasn't validated it, how do you know if it's encrypting properly from end to end? How do you know they haven't missed something in whatever they're selling you?


And according to PCI, if it's a non validated solution, it doesn't qualify for that reduction in scope.


You can't reduce the scope unless you use P2PE. There used to be a little bit of wiggle room there, and they're just not allowing that wiggle room anymore.


So moving on to section three. And section three is all about?


Stored cardholder data.


Yeah. You know what I would love? What would you like? If nobody stored cardholder data.


Like, that's my number one recommendation. Do you need it? Do you really need it?


But really, for reals, do you need it?


So this one is 3.2.c. Do you delete cardholder data after processing in a way that makes the data unrecoverable?


But you said there's a point here. And as people are filling out the SAQ, this isn't entirely accurate. And I wanted to point that out because you made a good point here, which is what is this really about?


Sensitive authentication data. Yeah. Yeah. This specific requirement is saying, like, if you've ever shopped online, you've probably entered that three digit CVV or CVC. Yeah.


Card code on that site. And that's sensitive authentication data. If you have a card swiping machine or a chip reader or a tap reader, Mhmm, the data from that swipe is stripe or track data.


Yeah.


And that track data cannot be stored after you have completed that authorization.


Yeah. Exactly. And so sometimes, and not just in our solution but in a lot of solutions out there that help, you know, here's the question to fill out the SAQ and answer it, they don't put the full language from the standard in there.


Mhmm. So one of the things that I recommend to people is get the standard. It's free. You just download it.


PCI, wait.


It's pcissc.org?


That's right.


Yeah. Yeah.


I also don't know my kids' phone number, so don't be surprised that I don't know URLs. It's just saved here.


Go and get it. You go to the resource section. There's documents. You can download the full standard.


Not only does it have the language of the requirement and how to test for it, but it also gives guidelines. Yes.


Which helps you understand even more what it's asking about. Right?


I think that the reason for shortening this is to help people have the simplest way of understanding it. Delete it if you don't need it. When you're done with it, get rid of it.


Yeah.


And that's generally the best practice. Right. Get rid of it once you're done with it.


Unfortunately, for some of the smaller merchants, the grandma that runs her business on Main Street in the middle of Alabama, not nobody's searching Alabama here.


I love Alabama.


I actually... But some of the smaller states, like Arkansas. Little Rock, Arkansas is one of the most underrated cities I've ever visited.


Really?


Yeah. I love that place, but that's neither here nor there.


Okay.


But this simplification is there to help someone like that understand. Delete it when you're done with it. But if you have her read the guidance, she's gonna get a lot more confused than just reading something like this. So I think there's a good and a bad behind simplification and having that guidance, and I think that's why we have both options there.


I think you're right. So people who wanna know more, you can go find out more. And people who just want a little bit of support, honestly, four hours of consulting to help you understand these things and get them, not that I'm trying to sell things.


I'm just trying to say sometimes getting somebody to explain things to you in detail means that year and every year thereafter, you're in good shape because you know what it means in terms of your environment.


Definitely.


You know where I sometimes see it stored, in small businesses especially, is where people are being really helpful, or in small towns where everybody knows people, or in situations where they're like, I am trying to help out this person.


Yeah.


They gave me their card number. They don't wanna give it to me again. I'm just gonna save it for them in this little Excel spreadsheet.


Yes. That's the worst.


So we don't recommend that because it's easy for somebody to steal that information.


And hard to encrypt and secure properly.


Yeah. Absolutely. Okay. Section four. Section four is all about transmitting data. Right?


Yes. Another technical control.


It is. And so let's look at 4.1.a: are strong cryptography and security protocols...


And, you know, most people start reading that and they're like, oh, I'm so done.


Cryptography? Are we talking about some crypto?


Like, what are we talking about?


Cryptocurrency?


Are we talking about crypto? What are we, you know? And security protocols used to safeguard sensitive cardholder data during transmission over open public networks. There is so much there. What does that even mean?


Well, I think the first thing we have to define is what is an open or a public network. Right? And to make sure that the audience out here understands, an open public network is anything that is not managed by you. So the second it leaves your modem, you're now on the public Internet.


Yeah. Another interpretation of this is wireless. We were talking about wireless earlier and how that's easily accessible. Mhmm.


Any traffic coming from my laptop on Wi Fi is readable by anyone else with a sniffer nearby. And so that would also be considered open and public.


Yeah. You know, just a side point. Some people think, you know, sniffers and that are like deep dark hacker secrets. But you can get them on Amazon now. Like, everybody can get those. I just had to laugh the last time I flew to India. I get dysentery every time I go because I'm so dumb.


I love the food over there and I love the streets.


I would do the same thing.


It's a problem for me. But as I got off the plane and I'm walking out of the airport, there were people standing out there with sniffers out in the public doing their thing, you know, trying to gather people's information as they got off the plane and got connected.


I mean, what a target rich environment.


Yeah.


First of all, airports are notorious for stuff like that.


But the fact that they were just doing it out in the open, that always struck me as funny, but it happens everywhere.


Like, anytime you're in a public area, coffee shops, that's why we say, you know, make sure that you have certain protections in place like VPN?


Yep. I knew you would know that. Yeah.


I had a feeling you were going.


Uh-huh.


So, are strong cryptography and security protocols used to safeguard sensitive cardholder data? And so here we have merchants and they're in their shops. What does this mean to them?


So I think it depends on how they're processing the credit card information. Right? So if they have a credit card machine or if they're using their computer, right, those are probably the two most common in small businesses.


If you're using a credit card machine, that should be configured to send encrypted credit card information from that machine to the payment provider. Mhmm. We were talking about P2PE earlier. And what those validated P2PE systems do is set up a direct connection to the payment provider so they can send encrypted data directly to them.


Right.


When we're talking about those computers that are using a virtual terminal, so if you log in to your payment processing website to enter the credit card number there, oftentimes, you wanna make sure that you're connecting over a secure connection there. One easy way, it's not a perfect way, but one easy way is in the upper left hand corner of your browser window, there's usually that lock symbol. Mhmm. And that's a good way to tell, am I using an encrypted connection or am I not?


Do you ever get on some other Wi Fi and you're trying to connect to it and it says, caution. Yes. Do not proceed.


Or if you're going to a website and it says, I wouldn't go to this website and you're like, would you like to go? And you click yes and you click yes.


But I want to.


But I want to. And we all do this. It's a bad idea. Don't do that.


Do it. Yeah. Especially on systems in your cardholder data environment.


Yeah. Moving on to section five. Section five is all about malware protections. We used to call it antivirus, but it's more than just viruses.


Yeah.


And so people who name things were like, we can't just call it antivirus. We need to call it something more expensive. So that's why we call it anti malware, because malware takes in things besides viruses, like trojans and... Yeah.


And your traditional off the shelf antivirus is also looking for that. Right? Like if you bought the McAfee antivirus, a very popular one that sometimes comes pre installed on some computers you buy off the shelf.


Unknowingly, yes.


Yeah. Unfortunately, I don't like bloatware. But oftentimes, merchant businesses will have preinstalled antivirus.


It's better than not having any antivirus at all. But are they still calling it antivirus in PCI?


I believe it's malware. They reference antivirus or malware in different versions.


Alright. So is antivirus software deployed on all systems commonly affected by malicious software? How do they answer this?


So I guess the question you would have to ask yourself as a merchant is, do I have antivirus software installed on every computer system in my environment?


Exactly.


I guess, well, probably... What about Apple?


What about Apple systems?


Apple also needs it. Are you sure?


I promise you.


My MacBook needs... I promise you.


Okay. You guys, I'm kinda being sarcastic here, but some people still argue with that.


There's been a long discussion. It's been probably fifteen, twenty years, Yeah, since that was true. Because for a long period of time, Apple systems were not as popular. And when they weren't popular, they were a smaller target. So the common belief was that Apple doesn't get viruses.


But now that they're more popular, they've become a larger target and we've come to realize that Apple, just like every other computer system out there, is susceptible to any kind of malware.


Yep. Absolutely.


So, you need to make sure that that's on all of your systems. I don't care what kind it is.


Okay. 5.3.


Are all antivirus mechanisms actively running and unable to be disabled or altered by users?


I think this is a hard one sometimes.


Let's talk about the actively running portion. That part, I think, is the easy one to answer, right? Is it running on your computer? You can open your computer up right now and click on your antivirus and see is it actively running. Yeah.


If it's on and it's scanning, it's actively running. Yeah.


But that second portion, unable to be disabled and altered.


Sorry. It doesn't have to be actively scanning right then.


There are some that are constantly scanning.


Constantly, but some are regular scans.


Regular frequent scans.


Is it actively running means is it configured properly so that it's going to scan? Correct.


Yes.


Yeah. Okay. Sorry. Just wanted to clarify that, and then I interrupted you.


Go ahead. No. I think that second half though, unable to be disabled or altered by users, Yeah, is really the hard part. Yeah. The intent behind this, based on my understanding, is that you only want administrators to be able to turn on or off the antivirus in situations where it's necessary.


You don't want the general user, the accountant that's entering credit card information or the salesperson that's entering credit card information, to be able to turn off antivirus at their own decision making, which may not follow the standards that we were talking about in section two.


Right.


And so this kind of presupposes that you have standards, that you have policies, that you have procedures, that you have documented when these cases are gonna be on, off, when you're going to allow people to do things that are a little more risky. Yeah.


Or what you're going to expect from people to reduce that risk. And so in a lot of smaller organizations, everybody's an admin because you have, like, three people.


Yeah.


In which case, are they able to turn it off? Yeah.


If you define that person as an administrator, Yeah, I would say sure.


Yeah.


But don't.


Alright. Moving on to section six. And a lot of smaller businesses have just a few questions in section six because a lot of it's about software development.


Yes.


But not all of it is about software development.


No. There's some change control requirements in there. There's some patching requirements in there.


Alright. So 6.1 says, is there a process to identify security vulnerabilities, including the following: using reputable outside sources for vulnerability information and assigning a risk ranking to vulnerabilities that includes identification of all high risk and critical vulnerabilities. What does that mean?


It means you have to be paying attention, I think, is really what it is. Having something set up to get alerted whenever there's a vulnerability that applies to your environment.


Mhmm.


So if you have Mac or Windows computers, you might wanna reach out to those vendor subscription emails where you get an email from them whenever there's a critical security patch that you should install as soon as possible.


Right.


You should be paying attention to all of the security issues out there, especially those that are critical to your environment. But, in general, just be security minded.


Yeah. The thing about patches that a lot of people don't know is, you know, it's okay, it's high risk or it's a critical security patch. But patching sometimes comes with a little frustration level.


I don't wanna patch right now. I'll put it off till later. I'll put it off till later. Put it off till the next day.


But what people don't understand is that as soon as a patch is released, it's because there is a known vulnerability, the patch fixes that vulnerability, and then the bad guys can take that patch, reverse engineer it, and suddenly they know how to get past that vulnerability and cause a breach in your system. So the last thing you wanna do, if there is a known patch, is to ignore it.


Yeah.


Because the bad guys already have ways to get out there, and they don't have to be even in your physical space or anywhere near you. They can be on the other side of the world, Yep, scanning for systems that have these vulnerabilities.


Mhmm.


And so patching is super important, and you have to be able to do it based on, you know, your understanding of the ranking that these have.


Oftentimes these vendors will send out patch lists, and other security organizations will send out... Notifications?


Yeah.


A notification where they tell you this is a vulnerability, and they'll give you a rank for that vulnerability.


Right.


Sometimes it'll be critical, high, medium, or low. But sometimes, you'll just receive a critical security patch update, and you don't know if that's critical to you or not.


Right. Here's a security update, and you get the little pop up on your machine. And first of all, sometimes you see the update and don't even know that some of them are feature updates and some of them are security updates.


Yes.


So let's say that you're in the middle of running payroll or something, or you're doing year end accounting, and something pops up. You need to know based on how it's ranked.


So you need to be able to understand what a security ranking is Yes. To make the decision, am I gonna stop everything right now and install that Mhmm.


Which could possibly delay payroll? Or am I gonna say, oh, this is a feature update. We're gonna put a pause on that. Yeah. Go ahead and finish this other more critical thing right now and then maybe reevaluate it later.


Definitely.


And so that's why having that risk ranking, I think, is so important, because it's not just about security. It's about balancing the needs of the organization against security issues that come up.


Yeah.


And in larger, more sophisticated security environments, I often find that they have their own risk ranking process Yes.


Where they will see these notifications and vendor updates, and they will rank them based on their own criteria. Yep.


What I commonly find in smaller compliance environments is they just use whatever ranking comes with that notification, Mhmm, or a vulnerability or that vendor update.


And that is a perfectly good way to do it.


Yeah. And I think both ways are acceptable. It's just you have to decide, as the business manager, as the IT manager, what is most reasonable for your business.


And if you decide those things ahead of time and have them documented, then when you're in the middle of a higher stress situation, you don't have to come up with the rules at that point.


Yeah. And if the rules are written down and it has to interrupt someone's work day Yeah. At least you have something to fall back on. So you can say, I blame the rules. Don't blame me.


This is the way we have decided to handle this. Sorry.


Okay. So moving on to section seven. Okay. Section seven and section eight are very similar because they're about access and authorization.


Access and authorization go hand in hand. They mean slightly different things. Don't get hung up on that. Just understand that they're kind of closely related.


I generally, when I'm performing an audit for a company, I generally clump these two together as the access control requirements because they're they're so closely related that I barely separate them in my mind.


Yeah. Exactly. And so and some people, you know, want to understand why this is seven and why this is eight and how do I understand it. It's it's okay to understand that that they're they're just closely related. Don't don't stress about it. Okay. 7.1.8.


Is there a written written policy?


More writing.


I know.


So I I tell my clients all the time, PCI is probably about fifty percent documentation.


Yep. It stinks that it has to be that way. Yep. But it's very important.


And it's hard the first time.


That first time. And then whenever there's an update. Yep. Now we're coming up on PCI four point o, and so a lot of my clients that I work with are having to update all their policies to these new terminologies and or the new standards that are coming.


Yep. And I I a lot of people have heard me say it. I spent over twenty years in IT operations before jumping over to security.


We hate, and I don't use that term lightly, documenting.


IT folks are like, why are you making me write things? I don't wanna do this. Yep. But it is important. It's necessary, and it actually helps your security stance. So is there a written policy for access control that incorporates the following?


Defining access needs, restriction of access to privileged user IDs, assignment of access based on individual personnel's job classification.


Okay. So there's a lot of of kind of specific rules around access control.


Tell me why.


How how do people look at access control in a smaller business, people who are using the SAQ?


What does what does access control in a small to medium business look like?


In in very small environments where you have only, let's say, under ten employees sometimes, what I often find in these smaller environments is that you have people that need access to credit card information or they need access to, the the systems to process payments Mhmm. And then you have those that don't.


Yeah.


And I generally see them separated into two separate groups.


Mhmm.


Those that need it and those that don't. Right. Sometimes I'll see a third group for, like, IT administrators if they're large enough to have an IT team or maybe an IT person. Mhmm.


They might have a third group where that IT administrator maybe doesn't have access to credit card information, but he has access to the administrative settings on those systems.


Right. And so, a lot of times, the struggle that I see in in especially in smaller businesses is, well, I'm the boss. I should have access to everything.


Yeah. Unfortunately, that's not how it works.


No. For a lot of good reasons.


Definitely.


Like, what if that if you have all the keys to the kingdom in a in a an an account that doesn't need access and then this person gets phished and the username password gets sent along to the bad guys, all of a sudden, they have access to way too many things.


Yes.


So if you can segment off access to different important things, it's going to slow them down.


You know, one of my favorite things a client has ever told me, and and I've heard this a couple times, is when the person in charge says, I don't want that level of access. I don't want that level of responsibility. Because they're they're they're hired other people to take care of that for a reason and they don't wanna deal with it.


Yeah.


And and I think that's hard for a smaller business because that's their baby. That that business, that organization, they've started that from scratch. It was their their mind child Yeah. That they created into something that can potentially be a multimillion dollar organization. Yeah.


And sometimes you just have to be willing to to give up that level of power.


Absolutely. And so this is closely related to eight one one. Are all users assigned a unique ID before allowing them to access system components or cardholder data?


I have a hard time with this one. A lot of the time, people will use generic IDs like IT admin Mhmm.


Or, tech support Mhmm.


Or sales. Yeah.


And they, understandably so, they don't want to have so much bloat in their administration of these computer systems.


Yeah.


But what ends up happening and part of the reasoning behind this based on my understanding is that you want to be able to track who did what and when they did it. Mhmm. And and if IT group is sharing an IT username and password or sales is all using the same username and password, you can't really track who did something.


Right. And you need to know that, especially in a forensic situation.


Definitely.


And and, but before we even get to that point, another way that we can prevent breaches is through eight point two. In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users, something you know, such as a password, something you have, such as a token device or smart card, and something you are, such as a biometric.


Yeah.


So talk to me about this. I I really love, this this doesn't say that you have to have multifactor authentication in everywhere, but you should.


I I would recommend it to everyone. If you're not using multifactor authentication, please do it. If it's available to you, please do it.


But this specific requirement, I think, may not be as difficult as it once was.


I think most of us that are probably watching on YouTube right now Mhmm.


Have a username and password to access YouTube. Yeah. They have a username and password for their email. They have a username and password to access www.securitymetrics.com. Yeah. For everything out there, Netflix, Hulu, all of these different companies have usernames and passwords. Yep.


So the the concept of eight point two having a unique ID or a username that's assigned to you as well as a password Yeah.


That's only usable by you, only known to you.


Known to you. Mhmm.


Is something that, is is common enough to be relatively easy to understand.


Right. And and so and yet it's one of the biggest questions that we get. Really? These are all FAQs. These are the most common questions from customers. And so I like that you said it should be it should be easy. This should be easy.


I think it's only easy when people don't wanna do it. And I get it. It slows you down a little bit, but it slows the bad guys down a lot more. Alright. Let's jump into section nine. I love section nine because it's all about physical security.


And smaller businesses oftentimes either are completely in the cloud Mhmm. Or they're completely physical. Yeah. And there's usually not much of a a mix in these smaller organizations.


Right. And so nine point one so a lot of small organizations are like, I don't have anything. It's all in the cloud. Great. Then you put NA.


NA. Or if you're using a service provider to meet it on your behalf, you can mark yes. You can mark yes.


Because Amazon AWS is securing your server for you.


Actually, that was a better answer. He did a better answer. Okay.


That's a nice question.


Nine point nine point one are appropriate facility entry controls in place to limit and monitor physical access to systems in the CDE. So if you have systems that are taking cardholder data, do you have locks on your doors?


That's a very simple, easy way to explain it.


Yeah.


Have you physically secured your store? If you're a storefront and you just use a credit card terminal, did you lock that?


Alright. So then this one, I think people get confused about because often, often this is NA in their environment. Nine one two are physical and or logical controls in place to restrict access to publicly accessible network jacks. I think a lot of people get hung up on the phrase publicly accessible network jacks.


I get hung up on that phrase. Especially the publicly accessible. What is the definition of public publicly accessible?


You have an Ethernet cable you can stick into a network jack and get on the network.


Definitely.


Yeah.


I I when I do some of the consulting and or audit projects with smaller businesses, oftentimes, what I help them, what I use as my definition of publicly accessible is is it behind the employees only area, or is it in the the entry area of your business? So if you're a store or restaurant, for example, if you have network jacks out available for people, I've seen it at, not gas stations, at, coffee shops, actually. Oh, really? Where occasionally, it's, some of the older ones will have, like, a little stand up counter where you can do work for businesses. Right? And they have a little network jack there.


And older, airports.


Yeah. They they have those available too because Wi-Fi wasn't always either reliable or, some computers didn't really have good Wi-Fi connections.


But most small businesses do not have publicly well, most.


I I would say go into a a doctor's office or a dental let's say you go to a dental office.


Because this is where I'll see it more often. And you've got Wi-Fi you've got network jacks everywhere.


Yeah. I would say that's publicly accessible if it's in that first room before you have to walk past a locked door.


Right? Just think about that. If you could sit with your machine and and get on the network by plugging into something in a public area, that's a publicly accessible network jack. Definitely.


Glad we sorted that one out. Okay. Moving on to, section ten. Section ten is hard for a lot of groups because it's all about logging.


Logging, monitoring, alerting. And this infers tools and abilities that a lot of small, medium businesses don't have. You're probably sending it off to a third party.


If at all.


If hopefully sending it off to a third party. So this first one, ten dot one dot a, are audit trails enabled and active for system components?


What does that mean?


So I I think the first thing that a business owner, if you're unfamiliar with this section, you have to understand what audit trails or logs are.


Yes.


A log is when I log into my computer, my computer creates a record that Marcus logged in using his password at this date and time.


An audit trail is essentially just tracking who did what and where. Yeah. And it may not have why, but it'll tell you what happened and when.


You have to go shake them down for the why later.


Yeah. If they did something wrong, that's that's the forensics action you were talking about earlier. Right?


So, ten dot two dot two builds on that. All actions taken by any individual with root or administrative privileges.


So once again, we're talking about these actions that are being taken by an individual person. Right? Mhmm. And if that person is an admin on the computer earlier, we were talking about people that could turn off the antivirus. Right?


Right.


So if I was an admin on my computer, because we define that in our policies Mhmm. And I turned off my antivirus solution or my malware solution, it should create a record on my computer Mhmm. And hopefully forwarding that to a centralized logging solution or a third party logging company.


Mhmm.


But that needs to be logged.


And and I think it's important for people to know that the logs aren't just, you know, we go into it and look at forensically. It also is a good way to detect things. If you're sending it to a third party, they're looking at patterns that are called indicators of compromise.


And they can tell you if there's a potential breach Yeah.


Action happening.


That behavioral analysis. Right? They're they're gonna tell, hey. Somebody normally doesn't do this. This person is doing some anomalous behavior here.


Right.


And then they're going to notify you as the business owner or as the IT department manager. Hey, the SOC company has identified that Mhmm. Something wrong could be happening, and hopefully you can catch something bad happening before it actually happens.


Exactly. Okay. And then 10.6.1.a is all about written policies and procedures.


Man, these numbers.


I know.


Ten dot six dot one dot a.


I think that's half the trouble.


It's like, this is exhausting. I can't even remember.


I I love my job, but that's some of the hardest parts is remembering how many different periods I have to have in a recording.


Exactly. And where is this located?


Are written policies and procedures defined for reviewing the following at least daily, which is changing Yes.


Either manually or via log tools. Don't do this nobody can do this manually successfully.


Especially anymore. There's too many logs. There's too there's too much information. So you need a logging tool that is daily, actually, continuously looking at security events, system common, logs of logs of things that are important that could tell you if a problem's happening. Right?


Yeah.


So, why do you need a written policy and procedure about it?


Well, I think with PCI, they wanna have everything written down as these are the rules that our organization will follow. Right? Mhmm. And so if you don't have a rule or a policy in place that says that manual log reviews or automated log reviews will occur at this regularity Yeah. Then there's nothing to hold you accountable towards.


Okay.


In addition to that, I think that one thing I wanna recommend all of our viewers is PCI four point o is coming out soon.


Do not do manual log reviews.


With PCI four point o, it's no longer allowed.


That's correct.


And so if you start today, if you're working on your PCI compliance program today and you start working on manual log reviews, maybe you hire an employee specifically just to do log reviews. Please don't.


Don't do that.


But what I recommend is is either outsourcing it to a third party or invest in a log monitoring solution.


Both of those options are are readily available. There's so many solutions out there. Please do that.


So let's quickly go through, eleven and twelve.


Eleven dot one dot a are processes implemented for detection and identification of both authorized and unauthorized wireless access points. You know what I get here the most? We don't have wireless, so this is NA.


Yes. That is the same for me.


And is that accurate? No. Okay. We're not. What are we supposed to do here?


This conversation on Friday.


So, this is probably one of the most misunderstood requirements because most often, when almost all of the other wireless related requirements in PCI, if it says wireless and you don't have wireless, it's most likely not applicable Yep. With the exception of this one requirement. And the reason is is because it's telling you are you checking for unauthorized wireless? Yeah.


So if we were talking about earlier an Ethernet cable and I plug that Ethernet cable into maybe not even a publicly accessible area, but then I plug it into my, cubicle. Yeah. And now I have a wireless network that's not approved for our business. That would be a rogue or unauthorized wireless access point.


Yep. So, and I get that one all the time too, by the way. Not not just from small businesses, but from big ones. Yes.


So it now we all know. Eleven dot two dot one dot c are quarterly internal scans performed by a qualified internal resource or qualified external third party? And if applicable, does organizational independence exist? So and it's not required to be a QSA or an ASV.


So tell me a little bit about internal scans.


So we talked about ASVs. Right? So external scans are something that you could you might have them through SecurityMetrics or another organization as an ASV, an approved scanning vendor. But internal scans are similar to those, but they're performed internally.


Yeah. They're not publicly accessible. So my computer, if it was a CDE computer Mhmm. It would need to be scanned by one of these internal vulnerability scanners.


Right. Fun fact, you don't always have a scope for an internal scan.


It's very possible that depending on the nature of your CDE, you don't have to have that.


And it really comes back to what is the scope of your CDE.


Yes.


All comes back to that original question.


Alright. What about are penetration testing procedures defined to test all segmentation methods to confirm that they're operational and effective? What does this one mean? It's eleven dot three dot four dot a.


Well, I think the first step to understanding this one is understanding, is there segmentation used in the first place? Yes. In a small environment, oftentimes, you're on what we call as a a flat network Mhmm. Where all of the computers are on the same network segment. They can talk to each other, they can send messages back and forth, and unless you have actively segmented a segment of your network or a portion of your network to be designated as your CDE, this might not apply.


Right. Again, it comes back to the scoping question, which is the big one. And I I get a lot of people in large organizations asking me about this also because segmentation means so many things in the IT world.


Yes.


And so it's important to remember if you do segment your network so that you say, this is my CDE. This is kind of, you know, maybe connected to systems. But I have this over here that is declared out of scope. Mhmm. That declared out of scope, we're not even gonna look at it. We're not going to test anything. Never.


You have to have your segmentation tested Yeah.


So that you can allow that to be out of scope. Correct. So that's that's really what it's about.


And and a penetration test, there's other requirements that help you define more on who's capable of doing that. Mhmm. But I think, really, what's what's important about this one is understanding, is it applicable to me or not?


Mhmm.


And then once you understand if it is applicable, then you can look at those other requirements to make sure you're doing it correctly.


So our last section is section twelve. Twelve point eight point one is a list of service providers maintained, including a description of the services provided. Well, a small business might say, well, I have a lot of service providers. What do you mean?


That that, I mean, you technically your city that provides water is a service provider. Right?


Right.


So, like, depending on how you define service provider, you could be in a situation where service provider means a lot of organizations, or you could be in a position where it means very little to none.


Yeah.


The absolute minimum of a service provider list that I typically see is your payment processor or your acquiring bank. The company that you're going to, if it's a virtual terminal, that is a service provider. If you have a P2PE provider, there's your service provider.


But then it can go beyond that. So if you're doing something in the cloud, who is your cloud hosting service provider?


Any the one way one question you can ask yourself is, does this service provider have a way to impact the security of my cardholder data environment?


Right. Because if they do, then then you need to have them on that list, and you need to have an AOC from them and an agreement on data protection. You know, there's some follow on requirements. Right? Okay. So our last most commonly asked question is about this one, twelve dot ten dot one dot a. Do you have an incident response plan in the event that a cardholder data has been compromised?


What does that mean?


So we've heard a lot of breaches in the news recently. Right? Like, you've heard of ransomware. We've heard of all these different attacks for small businesses.


I've seen we I I work on a on a team that's really close to our forensics team, and we get to see a lot of these breaches occur. Right?


The incident response plan is if something bad happens, what do we do? Yeah. I think that's the simplest way to describe it is what would you do in the event that something bad happens?


Yeah. And and so a lot of the especially small merchants are saying, look. All I have is this P2PE device. What do you mean I need an incident response plan?


And and I'll usually say, okay.


What could happen reasonably? Let's do a little threat modeling.


What's gonna happen that causes you a problem? Oh, somebody could steal that. Okay. What do you do if someone steals it?


Well, I mean, I guess one of the items I've seen personally on the list would be we call the police. We call our bank Right. To disable that machine.


And that's an incident response plan. There you go. It doesn't have to be we get on our computers and try and find a hacker. That's one kind of incident response plan.


But but if you look at what is actually gonna happen in my environment Yeah.


Then you can kinda come up with a reasonable incident response plan. Yeah.


I think I think that's the hard part for a lot of people is is thinking outside of the box initially. Right? Because what people like us, us, security minded individuals that work in security, we have to think like criminals regularly.


All the time.


Now business owners are probably never thinking like criminals or trying never to think like criminals. Yeah. Because they're trying to do everything within the rules. Yeah.


Wanna follow the rules so they don't get in trouble. Right? They wanna pay their taxes on time. They wanna they they have all these other things on their mind.


Thinking like a criminal and say, what could what bad could happen in my cardholder data environment to get credit card information stolen is not something they typically think about.


Yeah. It's kinda like a reverse, escape room.


Yes. Yes. How can I steal credit card information in my business? And that's a good question to ask yourself.


And that's the way you protect is if you know how that can happen, then you can protect against it.


Yeah.


And that's what these SAQs are really about. They shortcut that because somebody's already put thought into how would that work in your environment, what are the protections that you need.


Mhmm.


So this is while it might feel like this is a lot of words, this is a lot of concepts, it it really is geared around what's known to protect cardholder data in in your environment. So well, thank you for joining me today. I hope people find this helpful.


I hope so too. If you have any questions, we're always available. If you're filling out your SAQ through SecurityMetrics' website, we have a where I started, we have a technical support team available to help you all the time, and they're so readily trained. I I can promise you we'd be able to help you out.


Well, excellent. Thank you. And I hope everyone takes advantage of that opportunity if they need it. Awesome. Alright.


Thank you. See you. Bye.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
