This is Part 1 of our Demystifying PCI DSS Compliance series.
The “cloud” service for Liberty is actually something you can do with any of the consignment software programs. The only problem is, it isn’t secure, and it creates a new set of responsibilities around properly maintaining and configuring a Windows Server 2008 system.
Want to do ConsignPro Cloud? You can do it right now. Want to do your own Liberty Cloud? You can do it right now. ConsignmentTill, Consignment Success, or any of the desktop-based consignment software programs, can all turn into this “cloud” service. That’s because it’s not the software that’s making this happen.
It’s a VPS (Virtual Private Server) running Windows Server 2008 from HostDime. You can get a VPS with the same configuration from HostDime:
HostDime Windows VPS: http://www.hostdime.com/web-hosting/vps/windows/
A few years ago, we considered offering a service to help store owners configure their own VPS to use with any of the consignment software programs. None of the consignment software programs support multiple locations, except for Traxia’s SimpleConsign. We signed up for VPS hosting with HostDime and began testing. Before we even got past installing programs, it became painfully and glaringly clear: this is not a secure way to run consignment software.
To connect to your VPS, you’d be doing so via Remote Desktop (RDP). This is an inherently insecure protocol, and the data is not encrypted with 256-bit AES as it travels between your PC and the VPS. If you are planning on swiping credit cards at your store, you will fail PCI DSS Compliance. Yes, certain swipes can encrypt data, but having a HID device capture credit card information and then send it in plain text across RDP is simply a bad idea.
Currently, the “cloud” service for Liberty is not utilizing Secure RDP Services. Most VPS hosts out there are not going to offer a secure connection out of the box. That alone is reason enough to avoid Remote Desktop access for your consignment software database server.
The next issue is Windows Server configuration. You simply cannot run a Windows Server VPS without in-depth Group Policy configuration. You can’t run just “any” antivirus software, and specifically not Microsoft Security Essentials. It fails PCI DSS Compliance, and we have documented incident after incident of systems running Microsoft Security Essentials which have become deeply infected.
You just can’t get away with thinking you can run Microsoft Security Essentials. We have far too many documented cases of infected systems, not to mention MSE lost its certification from AV-Test.
If you’re currently running a VPS from your vendor, log in and check a few things:
- Is the connection secure?
- Which antivirus is installed and running?
- How much access to the system do you have? Can you view Control Panel?
- Is the server running system monitoring and patch management software?
The reality is, running a throttled VPS over an insecure RDP connection as your consignment software infrastructure is not something we would recommend to our worst enemy. Don’t take our word for it, ask around: this isn’t an opinion. All credit card data must travel over a secure connection. A USB swipe over RDP is not secure.
This also puts the burden of availability on the store owner, as this requires an Internet connection 100% of the time.
We’d love to see the consignment software vendors address the challenge of running multiple locations with their software. Liberty has its RWX sync module. ConsignPro already uploads and downloads consignor and inventory data during the Shutdown process. Consignment stores do not need to be connected “all the time”. Data could be synchronized, keeping multiple locations in sync. Consignment stores are really just looking for ways to allow consignors and customers to use store credit at multiple locations, or to receive a payout at “another” store. It’s not real-time data synchronization that’s needed.
We want store owners to be informed. Catch phrases are great for marketing, but there is a reality here that cannot be ignored. PCI DSS Compliance spells things out very clearly.
Updated 5/17/2013 @ 7:05 PM: Clarified RDP details.
Updated 5/20/2013 @ 5:57 PM: Clarified VPS host; clarified Secure RDP Services; added multiple, specific PCI DSS failure examples for Liberty “Cloud.”
To further clarify how the Liberty Cloud VPS is not PCI DSS Compliant:
- All non-console logins (e.g. Remote Desktop) must utilize TLS, SSL, or connect over a VPN (PCI DSS 2.3)
- Antivirus must store logs for 365 days (PCI DSS 5.1 & 10.7)
- An Intrusion Detection System (IDS) must be in place (PCI DSS 10.6)
- SSL must be in place when transmitting credit card data from your computer, across the Internet, to the server (PCI DSS 4.1)
- Two-factor authentication for remote access must be in place (PCI DSS 8.3)
- Idle sessions must re-authenticate after 15 minutes (PCI DSS 8.5.15)
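As an added example (not code from the original post, Liberty, or any VPS host), here is a PowerShell spot-check for the items in the “log in and check a few things” list and the PCI DSS points just listed: TLS and Network Level Authentication on the RDP listener, the 15-minute idle cutoff, the local password policy, patch recency, and whether the Microsoft Security Essentials service is present. It assumes an elevated PowerShell 2.0 or later session on the Windows Server 2008 VPS itself; the RDP-Tcp registry value names are the real listener settings, and MsMpSvc is assumed to be the MSE antimalware service name.

```powershell
# Added PCI DSS spot-check for a Windows Server 2008 VPS (example code, not the
# post's or any vendor's). Run from an elevated PowerShell session on the server.
# Thresholds come from the post: TLS for non-console logins (PCI DSS 2.3),
# 15-minute idle re-authentication (8.5.15), 7-char / 90-day passwords (8.5),
# and patching at least monthly (6.1).
$findings = @()

# Remote Desktop listener settings (real registry value names under RDP-Tcp).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS (SSL) required
if ($rdp.SecurityLayer -ne 2) {
    $findings += "RDP SecurityLayer = $($rdp.SecurityLayer); must be 2 (TLS) for PCI DSS 2.3"
}
# UserAuthentication: 1 = Network Level Authentication required before logon
if ($rdp.UserAuthentication -ne 1) { $findings += 'RDP does not require Network Level Authentication' }
# MinEncryptionLevel: 3 = High (128-bit), 4 = FIPS compliant
if ($rdp.MinEncryptionLevel -lt 3) {
    $findings += "RDP MinEncryptionLevel = $($rdp.MinEncryptionLevel); should be 3 (High) or 4 (FIPS)"
}
# MaxIdleTime is in milliseconds; a missing or zero value means idle sessions never end.
if (-not $rdp.MaxIdleTime -or $rdp.MaxIdleTime -gt 900000) {
    $findings += "Idle RDP sessions are not cut off within 15 minutes (MaxIdleTime = $($rdp.MaxIdleTime))"
}

# Local password policy, parsed from the text output of 'net accounts'.
$acct = net accounts
function Get-NetAccountsValue([string]$label) {
    $line = $acct | Where-Object { $_ -like "$label*" } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() } else { $null }
}
$minLen = Get-NetAccountsValue 'Minimum password length'
$maxAge = Get-NetAccountsValue 'Maximum password age (days)'
if ($minLen -notmatch '^\d+$' -or [int]$minLen -lt 7) {
    $findings += "Minimum password length is '$minLen'; PCI DSS wants at least 7"
}
# 'Unlimited' is what net accounts prints when passwords never expire.
if ($maxAge -notmatch '^\d+$' -or [int]$maxAge -gt 90) {
    $findings += "Maximum password age is '$maxAge'; PCI DSS wants 90 days or less"
}

# Patch recency: newest hotfix that carries a usable InstalledOn date.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += 'No hotfix installed in the last 30 days (PCI DSS 6.1 monthly patching)'
}

# Antivirus: the post singles out Microsoft Security Essentials as non-compliant.
# MsMpSvc is assumed to be the MSE antimalware service name.
if (Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue) {
    $findings += 'Microsoft Security Essentials (MsMpSvc) is installed; see the antivirus point above'
}

if ($findings.Count -eq 0) { 'PASS: no findings for the checks above' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

The script only covers the settings named on this page; it does not check IDS, two-factor authentication, or log retention, which need their own tooling.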
Stunnel, an application that provides secure ‘tunneling’ for commonly used, insecure protocols (e.g. SMTP, POP3, etc.), has issued a security bulletin. There is a known flaw that could be utilized to inject arbitrary code and ultimately control where the connection goes. Imagine the emails you’re trying to send to consignors and/or customers being intercepted.
If you think this is being hyper-sensitive, you don’t internets enough.
Any applications installed on your systems must be justified, as per the PCI DSS v2.0:
2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system.
2.2.2.b Identify any enabled insecure services, daemons, or protocols. Verify they are justified and that security features are documented and implemented.
2.2.3.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
If someone is going to install 3rd-party software on your computer, be sure to ask them if they are going to maintain and patch that software on a daily basis. As a business bound by PCI DSS, applications must be patched on at least a monthly basis. For systems storing, processing, or connected to sensitive data, applications should be patched more frequently, i.e. daily.
Without even considering PCI DSS, it’s common sense. An application installed with good intentions can easily backfire on you if not properly maintained.
A handy website to let you know how many days it’s been since the last known Java 0-day exploit:
java-0day.com: http://java-0day.com/
With Java 0-day exploits appearing at the rate of one per day, it will probably come in handy. 🙂
Our booth is booked for Sourcemart at this year’s NARTS Conference 2013 in San Diego! We’re looking forward to seeing clients we’ve known for years, as well as meeting new clients. Whether you’re a new store owner, a store owner in need of a hardware upgrade, or a store owner looking for a professional website, The Computer Peeps are looking forward to showing you the level of service we provide.
Be sure to stop by and see us at our booth! The focus this year is to raise awareness about PCI DSS Compliance. We’ll be offering some great deals at our booth, so before you buy any consignment hardware to go with your consignment software, stop by and see us. You’ll save a lot of money and headaches. 🙂 Just ask around!
We’re also going to be donating a great item for this year’s NARTS Auction! In previous years, we’ve donated consignment hardware and consignment software support services, as well as consultation. What will it be this year?!?! Keep an eye on the NARTS Auction Preview page to find out!
Heads-up, Evernote users. Evernote is reporting they have been hacked and have issued a Security Notice. As a safety measure, they have initiated password resets for all accounts. Evernote has stated that no user content appears to have been compromised.
I know it’s a very common thing for people to use the same password and email address across multiple sites. Do not do that. Think about it, if your Evernote account was compromised and your email + password were the same for Gmail, Amazon, eBay, iTunes, etc. you would risk losing access to everything and even incurring some real expenses or data loss.
Stay safe and if you have any questions or comments, feel free to post below!
According to Ars Technica, Java. Trojan. There’s nothing else to say.
What is PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) v2.0 document is 75 pages long and details each item required of a business that accepts credit cards. It provides a set of rules and guidelines for properly securing cardholder data and personally identifiable information. If you process credit cards at your business, you are required to adhere to PCI DSS.
I Use A Credit Card Terminal, Not Software, So I Don’t Have To Be Compliant
False. If your business processes credit cards, you are bound to PCI DSS Compliance. And there’s no need to be defensive about any of this either. Just stop and think for a minute – how would you want someone to handle your credit card information + your personally identifiable information? Think about that next time you have to pay an antivirus bill or log in after 15 minutes of inactivity.
How Do I Get Compliant?
It’s actually easier than many people think, but there are a lot of pieces to it. We’re going to break this up into easier-to-digest chunks, because the goal here is to get every consignment and resale shop fully PCI DSS Compliant. It benefits you and your business to be on top of your game, and that’s what the PCI DSS helps you accomplish.
I Want To Read The Entire PCI DSS Guide
It’s actually quite a good read. Securing systems, documenting processes, holding software vendors accountable for security issues, and covering your bases are all exciting and positive things. Your business can only benefit from scrutinizing every piece of your infrastructure, from usernames, to patch management; to internet usage policies and hardware/phone/device policies.
We have provided a convenient link to the PCI DSS v2.0 guide right here…
PCI DSS v2.0: http://thecomputerpeeps.com/wp/wp-content/uploads/2013/01/pci_dss_v2.pdf
To obtain the most-recent copy, please visit the PCI Security Standards Council Documents page.
We’ve gone through every page of the PCI DSS guide, and the majority of it is best practices that techs and system administrators have probably been badgering you about for years.
Below is a concise list of the core sections of the PCI DSS. We will post a new entry, specific to each requirement, over the coming weeks.
Consignment and resale stores: it’s time to get compliant. No more DIY, no more having a friend-of-a-friend-of-a-sister’s-boyfriend set up stolen software on your systems. Credit card transactions and personal information are serious business. Can you imagine if your consignment database was stolen and every consignor/customer started to receive spam links from you with viruses or phishing pages? o_O
Don’t feel overwhelmed by all of this though. It’s doable, it’s a clear path, and you have to start somewhere.
PCI DSS Compliance Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Hardware router/firewall in-place
- Document the router configuration
- Network diagram (also show card data flow)
- Document and justify any open ports
- Strict firewall – e.g. SPI
- No public access – e.g. no in-store WiFi
- Do not disclose internal IP addresses, network setup, security measures, etc. to anyone
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- All vendor-default passwords must be changed/disabled – e.g. routers, software, etc.
- Implement only one function for a server – e.g. database server.
- Prune system of all unnecessary software and services.
- Configure security parameters to prevent changes/misuse – e.g. restricted User accounts, password protect applications, etc.
- Document which programs and services are enabled and in-use
- Any non-console admin access (i.e. remote access) should be encrypted (e.g. TeamViewer or LogMeIn, not RDP or VNC)
- No cardholder data should enter a shared hosting environment, and any portion of shared hosting involved in cardholder data should be reviewed for PCI DSS
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
- Keep cardholder and personally identifiable information storage to a minimum and regularly review for any old/out-dated data which should no longer be retained.
- Do not store sensitive authentication data after swiping/entering, e.g. the cardholder’s name, CC#, expiration date, service code, or CVV. Inspect all databases and files involved in processing payments.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Ensure credit card transactions are sent over a secured/encrypted connection – e.g. SSL/TLS, SSH, etc.
- Ensure WiFi uses industry best-practices – WEP IS NOT ALLOWED as of June 2010.
- Never send cardholder data via email, instant message, chat, etc.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
- Install and maintain antivirus/anti-malware on all systems
- Ensure antivirus/anti-malware are capable of detecting, removing, and protecting against all known types of malicious software
- Ensure antivirus/anti-malware are always running, never disabled
- Ensure antivirus/anti-malware generate logs of all events, and that those logs are retained for a minimum of 365 days
Requirement 6: Develop and maintain secure systems and applications
- Ensure all programs have the latest patches and are updated no less than once per month. Higher-risk systems – e.g. databases, systems with Internet access, etc. should be patched more frequently.
- Ensure applications involved with processing credit cards (e.g. consignment software) adhere to PCI DSS.
- Test data and accounts must be removed from live systems.
- Documentation of antivirus, patching, etc.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
- Limit access to systems to only those authorized to do so.
- Restrict access based on User ID
Requirement 8: Assign a unique ID to each person with computer access
- Assign unique User IDs to each employee
Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. However, Requirements 8.1, 8.2 and 8.5.8 through 8.5.15 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).
- No blank passwords
- All outside network access (e.g. by employees, remote techs, etc.) must use two-factor authentication (e.g. ID AND password).
- Immediately revoke access for terminated employees.
- Disable inactive accounts after 90 days.
- Ensure vendors only have remote access during the time-period needed + monitor access at all times.
- Communicate login/authentication procedures to all users.
- Change passwords every 90 days
- Require passwords of at least 7 characters
- Use passwords containing letters and numbers
- If a session has been idle, require the user to re-authenticate
- Ensure databases which store cardholder or personally identifiable information can only be accessed programmatically and not directly by a user, i.e. authenticate all database access.
Requirement 9: Restrict physical access to cardholder data
- Ensure access to systems/databases is physically secured by lock, badge/swipe, etc.
- Use video cameras to monitor sensitive areas.
- Ensure any physical network jacks that are in public view, are disabled
- Restrict physical access to routers, gateways, networking hardware, etc.
- Physically secure all media
- Maintain strict control over any/all media and the accessibility to/storage of said media.
- Destroy media when no longer in-use
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
- Log and monitor all system events
- Review/monitor logs daily
- Ensure all system clocks are correct and synced by a time service
Requirement 11: Regularly test security systems and processes
- Test for the presence of WiFi networks at least quarterly
- Perform quarterly internal scans (does not need to be performed by a QSA or ASV).
- Perform quarterly external scans (must be performed by a QSA or ASV).
- Perform scans after significant changes (does not need to be performed by a QSA or ASV).
- Perform annual internal and external pen-testing at the network layer and application layer (does not need to be performed by a QSA or ASV).
- Use intrusion detection with alerts
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
- Establish, publish, maintain, and disseminate a security policy
- Annual review
- Examine daily procedures
- Develop usage policies for email, internet, computers, mobile devices, WiFi, etc.
- Require explicit approval for usage of any/all devices
- Maintain a list of all devices and which employees have access to each device
- Acceptable location of devices
- List of company-approved devices/products
- Ensure policies clearly define responsibility
- Document incident response
- Implement a formal security awareness program
- Educate personnel upon hire and at-least annually
- Screen all potential hires – e.g. background checks.
- Data backup processes/procedures
As users have pointed out, spammers would have to get very lucky to guess such an email address, or the user email list was compromised.
Dropbox and users have suggested this might be part of last year’s breach, but users who registered after said breach have reported receiving messages.
This is as good a time as ever to mention security and online awareness. If you signed up for Dropbox with an email address that you also use for your consignment store, a spam email with a phishing link or other attack could find its way into your business systems.
Just be vigilant when it comes to the messages you receive and always think twice before opening messages or clicking links.