PCI Compliance

the_Grinch · March 2011

Thought I would post about completing my first PCI Compliance Audit! My company is an managed service provider and one of the companies we support began accepting credit cards. With that came the all time fun of getting a PCI Compliance Audit. Obviously, since we are their IT support company (we manage the servers, network, and desktops) we shouldn't be the choice to do the audit (we also aren't an ASV) so they signed up with another company to perform the audit. Two weeks ago we received a ticket asking for all the public IP's they currently had. After that, we got the ticket saying they had failed and that we needed to work on the issues found. I assumed it would go to a senior engineer, but given my security education it landed on my desk.

All the servers passed except their mail server. I began to review the documentation and saw it failed for the pretty standard reasons: Use of SSLv2, use of medium strength ciphers, and use of weak ciphers. To be compliant would require the use of TLS 1.0 or SSLv3, plus ciphers of 128bit encryption or higher. Within a day I had the steps to correct the issues documented. It was at that point that my CTO said he wanted me to run a scan using our software to confirm the findings. Apparently during our audit there were false positives discovered and confirmed using our SAINT scan. So I sat with one of our network engineers to get a rundown on SAINT. That night I scheduled a scan to run, only to find the next morning that it basically failed instantly. Running through the help files I found that we hadn't entered the correct site login information for serial keys to validate our SAINT.

I worked with the needed parties to get the correct information and configured the proper information for the serials. From there I ran the scan and confirmed the findings of the outside company. I began working with the customer to let them know our plan of action, times we'd like to do the work then test (so not to have any adverse effects during business hours), and when we would run the rescans. Today (with an Exchange engineer to back me up just in case) I made about 5 registry edits and rebooted the server. It came back up (thank you God) and everything was working properly (another thank you God). Ran our scan while watching tv and got the all clear. Logged onto the Vendors website and ran the scan....site is now PCI compliant!

Technically, they are still in a failed state until we complete the survey, basically a nice size list of yes and no questions about the infrastructure at the company. I have completed just about all of it, but had to make a number of changes to security at the company. The nice part of the PCI audit is it was a very great way of getting the companies higher ups to make security changes that were needed. Overall it was a great experience and let me see that maybe auditing could be a future venture. Plus got to see all the magical paperwork and procedures that were involved!

JDMurray · March 2011

An excellent accounting; thanks for the post!

Are you doing anything to go "above and beyond" the security requirements of PCI? If so, how do you justify the additional needs in your budget to the executive level?

powerfool · March 2011

The interesting thing about PCI-DSS is that it is essentially optional and provides a real ROI for management, as the more compliant you become the lower the rate the organization is charge for credit card transactions.

the_Grinch · March 2011

I am going above the baseline for this customer, but there is a reason that I can for them. Basically, we have three level of service: monitoring only, monitoring/all remote work on selected devices, and the all you can eat plan of monitoring/remote on all devices/onsite for all devices. So this customer expects that we do whatever is necessary to get them in compliance and to secure their company. Plus they are in the healthcare related business, so they know what could happen if there are issues. As far as justifying other changes to my management I have three courses of action: A. they are one of the few clients with the all you can eat plan (they pay a lot of month for the service and don't abuse it) B. Seeing as we do all their IT work we can be held responsible if something goes wrong C. The customer is very good about accepting our recommendations and plans. Also, the other changes that I saw that were needed presented no cost to the customer as they were configuration changes. Besides trying to get them to purchase a wireless network adapter for wireless audits I don't see them needing to purchase anything at this point.

bertieb · March 2011

Nice one!

I had the pleasure of helping a Level 1 merchant conform to the PCI DSS (v1) standards a while back and was in a similar position (managed services provider hosting a system that processed millions of credit card payments per year). I certainly learned an awful lot during the process thats for sure

the_Grinch · March 2011

Couldn't agree with you more bertieb, as I started looking at the guidelines I couldn't believe what was involved. That being said, it was nice to see that it was pretty standard security configs. They keep asking me at work if I like this sort of thing and I tell that it's tedious, but it is enjoyable. Look at the flaws in the system and actually being able to fix them is pretty interesting. The other part I enjoy is seeing the systems that we have configured correctly. Either way it is a nice change of pace that's for sure!

PCI Compliance

Comments