PCI DSS 3.2 and SQL Server - By Grant Carter
INTRODUCTION
Here is another suite of posts from Grant Carter. Enjoy.
The Payment Card Industry Data Security Standard (PCI DSS) was established to define and enforce data standards and processes for the secure processing of payment cards. PCI DSS provides technical requirements for protecting data used in card payments. PCI DSS 3.2, dated April 2016, is the most recent revision of this industry standard. The document for this revision is available at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
According to NIST data, SQL Server has had the fewest security vulnerabilities for the last 6 years (https://www.microsoft.com/en-us/cloud-platform/sql-server). SQL Server 2016 provides multiple options for the protection of PCI-compliant data, giving customers considerable flexibility in how they protect it. The following features provide flexible, configurable, secure options for meeting the PCI DSS 3.2 requirements for data protection while providing traceability and accountability.
- Always Encrypted provides complete end-to-end encryption that protects data from client to server. With this method, even administrators cannot read the encrypted data. See https://msdn.microsoft.com/en-us/library/mt163865.aspx
- Transparent Data Encryption (TDE) protects data at rest, so that database files cannot be copied from a system and restored somewhere else to read their contents. TDE is seamless to an application while protecting the underlying data. TDE can also be used with external EKM solutions for key management. See https://msdn.microsoft.com/en-us/library/bb934049.aspx
- Column Level Encryption has been available for quite some time and is a reliable method for encrypting specific columns of a database using strong encryption algorithms. Access to this data is controlled via encryption keys that a user must be granted access to. See https://msdn.microsoft.com/en-us/library/ms179331.aspx
- Full over-the-wire encryption is supported on SQL Server. SQL Server can use trusted certificates to encrypt data in transit between client and server. Even if full encryption isn't used, login packets are encrypted. SQL Server 2016 fully supports TLS 1.2, which makes it compliant with the PCI DSS specification. See https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
- Dynamic Data Masking was introduced in SQL Server 2016 as a feature that limits the data exposed to end users by applying masking rules that hide portions of sensitive data in query results. For example, the mask may expose only the last 4 digits of a social security number. See https://msdn.microsoft.com/en-us/library/mt130841.aspx
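The masking behaviour described in the last bullet, as an added T-SQL example that is not part of the original post; the table, user, column names and sample values are constructed for illustration, and the final query is the check an auditor can run to confirm which columns carry a mask:

```sql
-- Added example (not from the original post). Table, user and data are
-- constructed; the SSN mask keeps only the last 4 digits, as described above.
CREATE TABLE dbo.Cardholder
(
    CardholderId INT IDENTITY(1,1) PRIMARY KEY,
    FullName     NVARCHAR(100) NOT NULL,
    -- partial(prefix, padding, suffix): expose 0 leading and 4 trailing
    -- characters, replacing the rest with the fixed padding string.
    SSN          CHAR(11) NOT NULL
        MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)'),
    -- email(): exposes only the first letter of the address.
    Email        NVARCHAR(256) NOT NULL
        MASKED WITH (FUNCTION = 'email()')
);
GO

-- Constructed sample row; not a real identity.
INSERT INTO dbo.Cardholder (FullName, SSN, Email)
VALUES (N'Sample Person', '123-45-6789', N'sample@example.com');
GO

-- A low-privilege reporting user with SELECT only. Because it has not been
-- granted UNMASK, every SELECT it runs returns the masked form of SSN and Email.
CREATE USER card_reporting WITHOUT LOGIN;
GRANT SELECT ON dbo.Cardholder TO card_reporting;
GO

EXECUTE AS USER = 'card_reporting';
SELECT FullName, SSN, Email FROM dbo.Cardholder;
REVERT;
GO

-- Only principals that genuinely need clear values get UNMASK; grant it
-- per role rather than to every reporting account.
-- GRANT UNMASK TO card_reporting;

-- Compliance check: list every masked column and its masking function, so
-- the cardholder-data inventory can be reconciled against what is masked.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE c.is_masked = 1;
```

Masking applies to query results only; it complements, rather than replaces, encryption and access control for the stored values.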
Microsoft offers services specifically geared toward threat detection and analysis, which can help at all levels of PCI-compliant systems. On average, intruders reside within a network for 140 days before they are detected. Microsoft's Advanced Threat Analytics program provides tools designed to prevent or detect threats sooner, so an organization can respond more quickly and reduce the damage done. More information on the Advanced Threat Analytics program can be found at https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics.
This blog will consist of a 4-part series covering each point of PCI DSS 3.2. Some points may not directly pertain to SQL Server technology, but they are relevant for any information system that must meet the PCI DSS 3.2 specifications.
Part 1
- Build & Maintain Secure Networks and Systems
- Protect Cardholder Data
Part 2
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
Part 3
- Monitor & Test Networks Regularly
- Maintain an Information Security Policy
Part 4
- Additional PCI DSS Requirements for Shared Hosting Providers
- Additional PCI Requirements for Entities using SSL/Early TLS
If you are interested in additional help with PCI DSS systems, Microsoft Services has a number of offerings which can assist with your needs. Contact Microsoft Support Services. If you need help reaching the right people, I will be glad to assist.
Grant Carter is a Senior Premier Field Engineer for Microsoft based in Boise, Idaho.
Email: grant.carter@microsoft.com