
Achieving PCI Compliance with Rackspace

Achieving PCI DSS Compliance with Rackspace

A Rackspace White Paper Spring 2010

Summary
The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The purpose of the standard is to reduce credit card fraud, which it achieves through increased controls around cardholder data and its exposure to compromise. The standard applies to all organisations which process, store or transmit cardholder information. The purpose of this guide is to explain clearly which areas of PCI DSS Rackspace can assist with, and which responsibilities remain solely those of the customer. For more information, please contact Rackspace, the home of Fanatical Support.

Rackspace Ltd
4 The Square, Stockley Park, Uxbridge UB11 1ET Tel +44 (0) 20 8734 2500 Fax +44 (0) 20 8606 6107 rackspace.co.uk

Achieving PCI Compliance with Rackspace

Introduction
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any ecommerce trader, and finding the right hosting partner is vital to success. While there are many areas of PCI compliance that Rackspace can assist with, customers should always consult a Qualified Security Assessor (QSA) to ensure that they meet all the requirements relevant to their business. In June 2009, Rackspace was accredited by Visa as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant: customers should consult a Qualified Security Assessor to clarify their PCI obligations and the steps needed to achieve compliance. This document explains each area of PCI compliance that is relevant to a hosted solution at Rackspace, and outlines where the responsibility for each requirement lies: with the hosting provider, with the customer, or shared between the two.


PCI Compliance Requirements


REQUIREMENT 1.1 TO 1.1.1
Formal Process for Approving and Testing All Network Connections and Changes to the Network Configuration

Overview
Implement policies and processes for approving and testing all connections and changes to the network. The policy should list all network devices involved in the data flow.

Responsibility
This requirement can be achieved by incorporating the formal process into the customer security policy. Customers are responsible for implementing formal security controls, including a security policy and the associated processes and procedures needed to adhere to it.

REQUIREMENT 1.1.2
Current Network Diagram with All Connections to Cardholder Data, Including Wireless Networks

Overview
Network diagram and topology documents.

Responsibility
The customer is responsible for mapping the flow of cardholder data across the network. Rackspace can provide a network diagram upon request.

REQUIREMENT 1.1.3
Requirement for a Firewall at Each Internet Connection and Between any DMZ and the Internal Network

Overview
Minimise the risk of malicious access to the internal network by implementing a firewall at each internet connection and between any DMZ and the internal network. This should include:
- restricting inbound and outbound traffic to that which is necessary for the cardholder data environment
- securing and synchronising firewall and router configurations
- prohibiting internal addresses from being passed to the internet
- allowing only the necessary protocols
- stateful packet inspection
- implementing NAT
- securing mobile devices that connect to the cardholder environment

Responsibility
The customer is responsible for incorporating this requirement as a standard within the customer security policy. Rackspace will configure the firewall to meet this requirement upon request from the customer.

REQUIREMENT 1.1.4
Description of Groups, Roles and Responsibilities for Logical Management of Network Components

Overview
A clear assignment of groups, roles and responsibilities can be incorporated into the customer security policy.

Responsibility
In a typical Rackspace PCI customer hosted environment, Rackspace manage the following devices:
- IDS
- Load Balancer
- Firewall (the customer can make firewall access rule changes via the customer portal)
The Rackspace support team and selected customer personnel also have access to manage the following devices:
- Servers
Any changes to the customer hosted environment should be initiated by the customer via phone or ticket. All changes to the customer environment should be recorded in a ticket by the Rackspace support team and by the customer. There may be occasions when Rackspace are required to make changes to the corporate infrastructure which may affect a customer hosted environment; however, all such changes are communicated before they are performed.



REQUIREMENT 1.1.5
Documentation and Business Justification for Use of All Services, Protocols and Ports Allowed

Overview
Customers should determine, clearly document and justify the services, protocols and ports necessary for the business.

Responsibility
The customer is responsible for incorporating this requirement as part of the customer security policy.

REQUIREMENT 1.1.6
Requirement to Review Firewall and Router Rule Sets at Least Every Six (6) Months

Overview
Implement a policy to review firewall and router rule sets, and procedures for performing this review at least every 6 months.

Responsibility
The customer is responsible for incorporating this requirement as part of the customer security policy. Rackspace can assist with the review process by providing a dump of the firewall configuration upon request.
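The following is an added example, not part of the white paper and not Rackspace's tooling, showing what a six-monthly rule-set review (requirements 1.1.3, 1.1.5 and 1.1.6) can check automatically once the firewall configuration dump has been turned into a simple rule list. The rule format, the sample rules, the IP addresses and the review date (1 April 2010) are all constructed for illustration; a real review would first need a parser for the vendor's configuration syntax.

```python
from datetime import date, timedelta

# Constructed sample rule set (not a real firewall dump). Each rule carries the
# business justification that requirement 1.1.5 asks for and the date it was
# last reviewed, which requirement 1.1.6 expects to be within six months.
SAMPLE_RULES = [
    {"id": 10, "action": "permit", "src": "any", "dst": "10.0.1.10", "proto": "tcp", "dport": 443,
     "justification": "Public HTTPS for the web storefront", "reviewed": date(2010, 1, 15)},
    {"id": 20, "action": "permit", "src": "10.0.1.10", "dst": "10.0.2.20", "proto": "tcp", "dport": 1433,
     "justification": "Web tier to cardholder database", "reviewed": date(2010, 1, 15)},
    {"id": 30, "action": "permit", "src": "any", "dst": "any", "proto": "any", "dport": "any",
     "justification": "", "reviewed": date(2009, 6, 1)},
    {"id": 40, "action": "permit", "src": "any", "dst": "10.0.1.10", "proto": "tcp", "dport": 80,
     "justification": "", "reviewed": date(2010, 1, 15)},
    {"id": 99, "action": "deny", "src": "any", "dst": "any", "proto": "any", "dport": "any",
     "justification": "Default deny", "reviewed": date(2010, 1, 15)},
]

REVIEW_INTERVAL = timedelta(days=182)  # "at least every six (6) months"


def is_permit_any(rule):
    """True for a permit rule that matches every source, destination and port."""
    return (rule["action"] == "permit" and rule["src"] == "any"
            and rule["dst"] == "any" and rule["dport"] == "any")


def review_rules(rules, today):
    """Return (rule_id, finding) pairs for every rule that needs attention."""
    findings = []
    for r in rules:
        if is_permit_any(r):
            findings.append((r["id"], "permit any/any: traffic is not restricted to what the "
                                      "cardholder environment needs (1.1.3)"))
        if r["action"] == "permit" and not r["justification"].strip():
            findings.append((r["id"], "no documented business justification for the "
                                      "permitted service (1.1.5)"))
        if today - r["reviewed"] > REVIEW_INTERVAL:
            findings.append((r["id"], "rule not reviewed within the last six months (1.1.6)"))
    return findings


def has_default_deny(rules):
    """The final rule should deny everything not explicitly permitted above it."""
    if not rules:
        return False
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"


def review_sample(today=date(2010, 4, 1)):
    """Run the review over the constructed sample as of a fixed, constructed date."""
    return review_rules(SAMPLE_RULES, today)


if __name__ == "__main__":
    for rule_id, finding in review_sample():
        print(f"rule {rule_id}: {finding}")
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

Rule 30 is the kind of entry a six-monthly review exists to catch: it permits everything, carries no justification, and has not been looked at for ten months. Rule 40 is permitted but undocumented, which is a 1.1.5 gap even though the service itself may be legitimate. The output is a list of findings rather than a pass/fail, so it can be attached to the review ticket as evidence that the review took place.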

REQUIREMENT 1.2 TO 1.4

Requirements 1.2 to 1.4, relating to firewall and DMZ configurations, can be achieved by successfully implementing requirement 1.1.3.

Requirement 1.2.3 - Wireless networks are not permitted in the customer hosted environment. Rackspace are responsible for complying with and regularly auditing this requirement.

REQUIREMENT 2.1 TO 2.4
Configuration Standards for All System Components Policy and Procedures

Overview
Configuration standards should address weaknesses in operating systems, databases and all installed applications. Systems should be configured to fix any known vulnerabilities, employing industry best practices and recommendations for hardening systems, including patching, removal of unnecessary services and applications, and changing vendor-supplied defaults.

Responsibility
The customer is responsible for incorporating a configuration standard in the customer security policy. Rackspace are able to assist customers by providing guidance and advice on hardening systems.

Requirement 2.1.1 Wireless environments - Wireless networks are not permitted in the customer hosted environment. Rackspace are responsible for complying with and regularly auditing this requirement.



REQUIREMENT 3.1 TO 3.2.3
Data Retention and Disposal Policy and Procedures

Overview
The data retention and disposal policy and procedures should cover:
- description of data and scope for the cardholder environment
- description of key terms and phrases
- types of data (electronic media, hardcopy format)
- procedures for obtaining data
- procedures for protecting data
- procedures for accessing, modifying or transferring cardholder data
- provisions and procedures for retaining data
- provisions and procedures for disposing of and destroying data
- responsible parties for data retention activities
- responsible parties for data disposal activities
- types of data and retention periods for legal, regulatory and business requirements

Responsibility
The customer should document the description of data and scope for the cardholder environment, with appropriate controls for processing, transmitting and storing data. This requirement should be incorporated into the customer security policy.

REQUIREMENT 3.3 TO 3.5.2
Primary Account Number (PAN) Policy and Procedures for Displaying the PAN Digits

Overview
Mask the PAN when displaying it on items such as computer screens, payment card receipts, faxes or paper reports. If PANs are stored on the server, they must be encrypted to the level required for PCI compliance, using industry-tested and accepted algorithms.

Responsibility
The customer is responsible for ensuring that all cardholder data that is processed, transmitted or stored is protected, and that the policies and procedures for protecting cardholder data are documented and incorporated in the customer security policy.
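As an added example of the masking rule above (not code from the white paper or from Rackspace), the script below masks a PAN for display and redacts any Luhn-valid PAN that has leaked into free text such as a log line or a report. It assumes the PCI DSS display limit of at most the first six and last four digits, which the paper does not spell out; the card number used, 4111 1111 1111 1111, is a widely used test number and the surrounding text is constructed.

```python
import re

# Candidate PAN embedded in text: 13 to 19 digits, optionally separated by single
# spaces or hyphens (constructed pattern; vendor formats vary).
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn (mod-10) check used by card numbers.
    This filters out order numbers and timestamps that merely look like a PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. Assumption: PCI DSS allows at most the first six and
    last four digits to be shown, so larger keep counts are refused."""
    if keep_first > 6 or keep_last > 4 or keep_first < 0 or keep_last < 0:
        raise ValueError("keep_first/keep_last exceed the assumed display maximum (6/4)")
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a syntactically valid PAN")
    hidden = len(digits) - keep_first - keep_last
    tail = digits[len(digits) - keep_last:]  # empty string when keep_last == 0
    return digits[:keep_first] + "*" * hidden + tail


def redact_pans(text: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Replace every Luhn-valid PAN found in free text with its masked form.
    Defaults keep only the last four digits, which is the usual choice for logs
    and receipts. Digit runs that fail the Luhn check are left untouched."""
    def _sub(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return mask_pan(digits, keep_first, keep_last)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample log line containing a test card number.
    line = "order 12345 paid with 4111 1111 1111 1111 at 10:00"
    print(mask_pan("4111111111111111"))
    print(redact_pans(line))
```

The redaction pass is the piece worth wiring into logging and report generation: masking the PAN on the checkout page is easy to remember, while the same PAN appearing in a debug log or an emailed report is the leak that widens the cardholder data environment. Treating a Luhn-valid run of 13 to 19 digits as a PAN produces the occasional false positive on an unrelated number, which is the safer direction to err in.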

REQUIREMENT 3.6 TO 3.6.8
Key Management Policy and Procedures

Overview
The key management policy and procedures should cover:
- a general description of the system components that incorporate key management procedures
- generation of strong keys
- secure key storage
- periodic key changes, at least annually
- retirement and destruction of old keys
- replacement of known or suspected compromised keys
- a key management compromise plan (KMCP)
- split knowledge and dual control of keys
- prevention of unauthorised substitution of keys
- key custodians signing a form specifying that they understand and accept their key custodian responsibilities

Responsibility
The customer is responsible for documenting policies and procedures for key management, which should be incorporated in the customer security policy.

REQUIREMENT 4.1 TO 4.2
Unencrypted Primary Account Numbers (PAN) Policy and Procedures

Overview
PANs must be encrypted when transmitted over public networks.

Responsibility
The customer is responsible for ensuring cardholder data is encrypted when transmitted over public networks. Rackspace are an authorised reseller for the Thawte and Verisign Certificate Authorities and can facilitate the purchase and installation of an SSL certificate.



REQUIREMENT 5.1 TO 5.2
Anti-Virus Policy and Procedures

Overview
Implement anti-virus software to protect against ALL types of malicious software. Implement an anti-virus policy for signature updates and procedures for auditing.

Responsibility
The customer is responsible for incorporating an anti-virus policy in the customer security policy. Rackspace are resellers of Sophos and Symantec anti-virus software (depending on whether the customer is in the Managed or Intensive segment) and can facilitate the installation of anti-virus software with scheduled signature updates. Customers can also choose to manage the updates and logging themselves to suit their own requirements.

REQUIREMENT 6.1 TO 6.2
Security Patch Management Installation Policy and Procedures

Overview
Establish a security patch management programme with a comprehensive inventory of all system components, whether or not they are directly associated with the cardholder environment. Establish a process for identifying newly discovered security vulnerabilities, using industry-leading security sources and additional supporting resources, to secure operating systems, firmware and applications. Implement procedures for testing patches before deployment into production environments.

Responsibility
The customer is responsible for implementing patching policies and incorporating them into the customer security policy. Rackspace subscribes to and monitors operating system vulnerability sources and will implement critical updates as a matter of urgency using our WSUS or Red Hat Update server. Rackspace perform testing of all patches in a contained environment prior to deployment; however, due to the varying nature of customer solutions, this testing does not cover all scenarios or every service and application. Customers have the option to opt out of the patching schedule and perform their own patching. The customer is responsible for managing all other application vulnerabilities.

REQUIREMENT 6.3 TO 6.3.7
Software Development Life Cycle Processes

Overview
Ensure information security is incorporated throughout the software development life cycle in accordance with PCI DSS best practices, including design, implementation, quality assurance, release to production, maintenance and patching (coding vulnerabilities).

Responsibility
The customer is responsible for implementing this requirement and incorporating it into the customer security policy. The customer should liaise with developers to ensure information security is incorporated throughout the software development life cycle.

REQUIREMENT 6.4 TO 6.4.4
Change Control Policy and Procedures

Overview
Implement a change control management procedure which comprises a formal request for change, categorisation and prioritisation of the change, justification and analysis of the change, and approval and implementation of the change with rollback procedures in place.

Responsibility
The customer is responsible for implementing a change management process in accordance with the PCI DSS requirements.



REQUIREMENT 6.5 TO 6.6
Software Development Processes for any Web-Based Applications

Overview
Ensure information security is incorporated throughout the software development life cycle in accordance with PCI DSS best practices, including design, implementation, quality assurance, release to production, maintenance and patching (coding vulnerabilities). Employ manual and automated vulnerability assessment tools and methods to review applications and ensure compliance.

Responsibility
The customer is responsible for implementing this requirement and incorporating it into the customer security policy. The customer should liaise with developers to ensure information security is incorporated throughout the software development life cycle.

REQUIREMENT 7.1 TO 7.2.3
Data Control & Access Control Policy and Procedures

Overview
Implement a data and access control policy and processes that restrict access to the fewest privileges necessary to perform a job (need to know), or that restrict access for individuals based on their job function (role-based access control).

Responsibility
The customer is responsible for implementing a data and access control policy, incorporated as part of the customer security policy.

REQUIREMENT 8.1 TO 8.4
Unique I.D. & Authentication Methods Policy and Procedures

Overview
Assignment of a unique I.D. and password to each user, two-factor authentication, and the secure transmission and storage of passwords.

Responsibility
The customer is responsible for implementing authentication policies and incorporating them as part of the customer security policy.

REQUIREMENT 8.5 TO 8.5.16
Proper Authentication & Password Management Policy and Procedures

Overview
Implement a proper authentication and password management policy covering: authorisation forms, password resets, first-time passwords, terminated employees, inactive accounts, vendor accounts, generic user I.D.s and shared user I.D.s and passwords, password parameters, and familiarity with and acknowledgement of the password policy and procedures.

Responsibility
The customer is responsible for implementing an authentication and password management policy and incorporating it as part of the customer security policy. Rackspace can assist with setting up local security policies, including password complexity requirements, regular password changes and workstation/server lockout policies.



REQUIREMENT 9.1 TO 9.6
Restrict Physical Access to Cardholder Data

Overview
Appropriate physical controls should be in place to prevent unauthorised individuals from gaining access to devices or data.

Responsibility
Rackspace is responsible for ensuring adequate physical controls are in place. Rackspace is Service Provider Level 1 PCI DSS certified and ISO 27001 certified. Both standards require strict physical controls, which are audited regularly under SAS70 requirements.

REQUIREMENT 9.7 TO 9.10.2
Media Distribution and Classification Policy and Procedures

Overview
Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data.

Responsibility
The customer is responsible for implementing controls around media distribution; these should be incorporated as part of the customer security policy. Rackspace is responsible for maintaining strict controls around backup media. All managed backup media is encrypted and moved to a security vault, with security mechanisms in place throughout the transportation of the backup media. All other media is prohibited in the data centre unless authorised by the customer through the correct procedures. Rackspace also have a data destruction procedure in place; your account manager can provide further information about this.

REQUIREMENT 10.1 TO 10.7
Audit Trail History & Log Retention Policy and Procedures

Overview
Establish a process to log all access to system components, and for the retention and management of those logs.

Responsibility
The customer is responsible for implementing a policy for the retention and management of log files. Rackspace can facilitate a log management solution; alternatively, the customer can set up their own log management software or hardware.

REQUIREMENT 11.1
Test for Presence of Wireless Networks

Overview
Documented policies and procedures for detecting wireless networks.

Responsibility
Wireless networks are not permitted in the customer hosted environment. Rackspace are responsible for complying with and regularly auditing this requirement.

REQUIREMENT 11.2 TO 11.5
Regularly Test Security Systems and Processes

Overview
Implement policies and procedures for network and application layer penetration testing. Deploy an IDS to monitor all traffic in the cardholder environment and alert personnel to suspected compromises. Deploy file-integrity monitoring software.

Responsibility
The customer is responsible for implementing policy and procedures for performing penetration testing, and for deploying appropriate measures to monitor for and alert on suspected compromises. Rackspace can facilitate the deployment of an IDS, and can provide referrals to partners or recommend third-party software to achieve this requirement.


REQUIREMENT 12.1 TO 12.9.6
Information Security Policy

Overview
Establish a customer security policy which addresses all PCI DSS requirements. This should include a security awareness programme, processes for performing background checks on all new employees, monitoring of service providers' compliance status, and implementation of an incident response plan.

Responsibility
The customer is responsible for establishing an information security policy (the customer security policy). Rackspace are Service Provider Level 1 PCI DSS certified. While customers drive PCI DSS compliance for their own respective solutions, Rackspace can assist with many aspects of the 12 PCI DSS requirements.
