PCI DSS 3.2 and SQL Server - By Grant Carter - Part 4: Additional Info

Terms Used in This Post

·        I/O – Input/Output

·        SHP – Shared Hosting Providers

·        ACL – Access Control List

·        MSP – Managed Service Provider

·        POS – Point Of Sale

The first 3 parts of this series covered the base requirements associated with PCI DSS.  Part 4 covers the appendix requirements that aren’t covered in the base requirements.  The first section is geared specifically to shared hosting providers.  The second section outlines the requirements for eliminating early SSL and TLS encryption protocols from the PCI environment.

Additional PCI DSS Requirements for Shared Hosting Providers

Shared hosting providers host cardholder data for multiple customers on shared infrastructure.   This addition to the PCI DSS standard (Appendix A1 in PCI DSS 3.2) applies to every PCI system hosted by an SHP.

All SHPs must meet the following requirements:

·        For each individual entity hosted by the SHP, the processes that access that entity’s PCI data must only be able to access the data for that entity.   Processes that can access data across entities are strictly prohibited.

o   For example, each entity hosted on a SQL Server instance would have its own database, accessed only by user IDs unique to that entity.   Every other entity would likewise have its own database, accessed only by its own user IDs.

·        For each resource or PCI data component in a PCI system, each entity’s access must be limited to its own PCI data only.

o   Application processes cannot run as privileged users (root or administrator).

o   Each entity must only be able to access files and filesystems that it owns.

o   An entity’s user accounts cannot have write access to shared system binaries.

o   Log entries can only be viewed by the entity that owns the log and generated the activity.

o   Restrictions must be in place to ensure that no single entity can consume all of the disk space, network bandwidth, memory, or CPU on the shared host.

·        For SQL Server, these restrictions can be enforced with Resource Governor, which limits a single entity’s ability to consume all host resources.  See https://msdn.microsoft.com/en-us/library/bb933866.aspx.

·        Logging and audit trails must be enabled and kept unique to each individual entity’s PCI environment.

o   Audit logs must be enabled for common third-party applications.

o   Audit logs must be active by default.

o   Audit logs are available for the owning entity to review.

o   Audit log locations must be communicated to the owning entity.

·        In the event PCI data is compromised, processes must be in place that allow a timely forensic investigation of the affected entity’s environment, so that an individual entity’s audit investigation can proceed without exposing other entities’ data.
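The T-SQL below, added here as an illustration and not taken from the original post, shows one way to lay out the per-entity isolation, the Resource Governor limits and the per-entity audit trail described above on a single SQL Server instance hosting two entities.  The database, login, pool and audit names, the audit path, the size and percentage limits and the password placeholder are all assumptions and would be adjusted for a real environment.

```sql
-- Added example (not from the original post). Per-tenant isolation on one
-- SQL Server instance hosting two entities. TenantA/TenantB, the login names,
-- the password placeholder, the audit path and the limits are assumed values.

USE master;
GO
-- A user in one database must not reach objects in another through an owner
-- chain, so turn off cross-database ownership chaining instance-wide.
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO
-- One database per hosted entity and one login per entity. Neither login is
-- added to a server-level role, so neither runs as a privileged user.
CREATE DATABASE TenantA;
CREATE DATABASE TenantB;
CREATE LOGIN tenantA_app WITH PASSWORD = '<strong password>', CHECK_POLICY = ON;
CREATE LOGIN tenantB_app WITH PASSWORD = '<strong password>', CHECK_POLICY = ON;
GO
-- Disk: cap each tenant's data file so one tenant cannot fill the volume
-- (the logical file name defaults to the database name).
ALTER DATABASE TenantA MODIFY FILE (NAME = TenantA, MAXSIZE = 20GB);
ALTER DATABASE TenantB MODIFY FILE (NAME = TenantB, MAXSIZE = 20GB);
GO
USE TenantA;
CREATE USER tenantA_app FOR LOGIN tenantA_app;
ALTER ROLE db_datareader ADD MEMBER tenantA_app;
ALTER ROLE db_datawriter ADD MEMBER tenantA_app;
REVOKE CONNECT FROM guest;  -- unmapped logins get no foothold through guest
CREATE TABLE dbo.Cards (CardId int PRIMARY KEY, PanToken varchar(64) NOT NULL);
GO
USE TenantB;
CREATE USER tenantB_app FOR LOGIN tenantB_app;
ALTER ROLE db_datareader ADD MEMBER tenantB_app;
ALTER ROLE db_datawriter ADD MEMBER tenantB_app;
REVOKE CONNECT FROM guest;
CREATE TABLE dbo.Cards (CardId int PRIMARY KEY, PanToken varchar(64) NOT NULL);
GO
-- Check the boundary: as tenant A, reading tenant A's database works and
-- reading tenant B's fails with error 916, because the login has no user in
-- TenantB and guest is disabled there.
USE TenantA;
GO
EXECUTE AS LOGIN = 'tenantA_app';
SELECT COUNT(*) AS own_rows   FROM TenantA.dbo.Cards;  -- succeeds
SELECT COUNT(*) AS other_rows FROM TenantB.dbo.Cards;  -- error 916
REVERT;
GO
-- Resource Governor: one pool and workload group per tenant so no single
-- tenant can take all CPU or memory. On SQL Server 2014 and later,
-- MIN_IOPS_PER_VOLUME / MAX_IOPS_PER_VOLUME on the pool cap I/O as well.
USE master;
GO
CREATE RESOURCE POOL poolTenantA
    WITH (MIN_CPU_PERCENT = 10, MAX_CPU_PERCENT = 40, MAX_MEMORY_PERCENT = 40);
CREATE RESOURCE POOL poolTenantB
    WITH (MIN_CPU_PERCENT = 10, MAX_CPU_PERCENT = 40, MAX_MEMORY_PERCENT = 40);
CREATE WORKLOAD GROUP wgTenantA USING poolTenantA;
CREATE WORKLOAD GROUP wgTenantB USING poolTenantB;
GO
-- The classifier must live in master, be schema-bound and return sysname.
CREATE FUNCTION dbo.fnTenantClassifier() RETURNS sysname
WITH SCHEMABINDING
AS
BEGIN
    DECLARE @grp sysname = N'default';
    IF SUSER_SNAME() = N'tenantA_app' SET @grp = N'wgTenantA';
    ELSE IF SUSER_SNAME() = N'tenantB_app' SET @grp = N'wgTenantB';
    RETURN @grp;
END;
GO
ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = dbo.fnTenantClassifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO
-- Separate audit trail per tenant: the server audit writes to a
-- tenant-specific folder that only this tenant is given read access to, and
-- the database audit specification is scoped to this tenant's database.
-- Repeat for TenantB with its own audit object and path.
CREATE SERVER AUDIT AuditTenantA
    TO FILE (FILEPATH = 'D:\Audit\TenantA\')
    WITH (ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT AuditTenantA WITH (STATE = ON);
GO
USE TenantA;
GO
CREATE DATABASE AUDIT SPECIFICATION DasTenantA
    FOR SERVER AUDIT AuditTenantA
    ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::TenantA BY public)
    WITH (STATE = ON);
GO
```

Two caveats a practitioner should keep in mind: Resource Governor requires an edition that licenses it (Enterprise or Developer), and none of this constrains the provider’s own sysadmin accounts, which still see every tenant and therefore fall under the provider’s own PCI scope and logging.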

Additional PCI Requirements for Entities using SSL/Early TLS

Entities using SSL or TLS 1.0 must migrate to stronger cryptographic protocols.  This requirement (Appendix A2 in PCI DSS 3.2) sets the dates by which these protocols must be removed from use.  Microsoft has added TLS 1.2 support to SQL Server; the supported versions and required updates are described at https://blogs.msdn.microsoft.com/markweberblog/2015/12/01/sql-server-support-for-pci-dss-3-1/

·        No new implementations can use SSL or TLS 1.0 protocols.

·        All MSPs must provide a secure service offering effective June 30, 2016.

·        Effective June 30, 2018, all entities must stop using SSL and TLS 1.0.

·        Prior to June 30, 2018, existing implementations that still use SSL or TLS 1.0 must have a formal risk mitigation and migration plan created and in place.

·        After June 30, 2018, POS terminals (and the SSL/TLS termination points they connect to) may continue to use SSL or TLS 1.0 only if they have been verified as not being susceptible to any known exploits for those protocols.

o   If a new exploit is found for SSL or TLS 1.0, the POS device must be re-evaluated and possibly updated or replaced to remove the risk.

Completely Off Topic:

Obscure Item of History

The first pillar-type fire hydrant patent holder is widely accepted to be Frederick Graff, Sr., Chief Engineer of the Philadelphia Water Works, around the year 1801.  It is believed that Mr. Graff held the first patent for the hydrant, but this cannot be verified because the U.S. Patent Office burned to the ground in 1836, destroying the patent.

Grant Carter is a Senior Premier Field Engineer for Microsoft based in Boise, Idaho. 

Email: grant.carter@microsoft.com