Tuesday, October 12, 2010

PCI DSS for Database Professionals

The Payment Card Industry Data Security Standard (PCI DSS) sets forth the security requirements for organizations that store, process and/or transmit credit or debit card transactions. These requirements stem from a series of significant security incidents affecting databases of consumer credit information over the past decade.

A few important points to consider regarding PCI DSS for databases:
  • Place the database in an internal network zone, segregated from the DMZ. PCI requires that you place your database server on your internal network and that you deny attempts to directly access the database from untrusted networks. Additionally, you must use private IP addresses for the database server.
  • Change vendor-supplied default passwords. You must ensure that your database uses strong passwords for all user accounts and that you change the passwords for any default accounts supplied by your database vendor.
  • Encrypt all non-console administrative access. You’re required to use encryption technology (e.g. VPN, SSL, SSH) to encrypt any administrative connections to the database. This reduces the risk of an eavesdropper obtaining administrative credentials to the database.
  • Keep cardholder data storage to a minimum. You should never store cardholder data that you no longer need. If you don’t need to store it, don’t. If you’re finished with it, purge it from your database. In all cases, you may never store data from the card’s magnetic stripe or the three-digit security code on the back of the card.
  • Encrypt card numbers that you do store. If your business requirements dictate that you store card numbers, you must encrypt them using a strong encryption algorithm. Furthermore, you must use sound key management practices to limit access to the encryption keys.
  • Ensure that you patch your database regularly. A recent study revealed that many DBAs seldom, if ever, apply security patches. PCI requires that you apply security updates within one month of their release.
  • Develop web applications securely. Granted, DBAs seldom have control over the code written by developers, but it's important that we act as security evangelists, educating developers about the risk posed by database attacks such as SQL injection.
  • Practice secure user management. In addition to the controls you'd expect, such as requiring individual user accounts with strong passwords, you also need to manage database roles and rights in a fashion that limits access to those with a need to know.
  • Log everything. PCI requires that you record the name of the user, type of event, timestamp, and other technical information about any individual user access to cardholder data, administrator actions and failed authentication attempts.
This is just a high-level overview. The entire standard document is available at: https://www.pcisecuritystandards.org/index.shtml.
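As an added example (not part of the original post), here is one way a DBA might check the two storage points above: that no card numbers sit in cleartext and that no column holds security-code or magnetic-stripe data. It assumes SQLite as a stand-in database; the table, the column-name patterns and the sample rows are constructed for illustration.

```python
import re
import sqlite3

# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Column names suggesting security codes or magnetic-stripe data (heuristic)
PROHIBITED_COL_RE = re.compile(r"cvv|cvc|track|magstripe", re.I)

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(conn):
    """Return (table, column, finding, count) for every suspicious column."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            if PROHIBITED_COL_RE.search(col):
                findings.append((table, col, "prohibited_column", 0))
            hits = 0
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                for m in PAN_RE.finditer(str(value)):
                    if luhn_ok(re.sub(r"\D", "", m.group())):
                        hits += 1
            if hits:
                findings.append((table, col, "cleartext_pan", hits))
    return findings

def build_sample_db():
    """Constructed sample data; 4111111111111111 is a well-known test number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, order_ref TEXT,"
                 " pan_enc TEXT, notes TEXT, cvv TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?)", [
        (1, "1234567890123", "enc:v1:q83vEjRWeJA=",
         "customer called, card 4111-1111-1111-1111", "123"),
        (2, "1234567890123", "enc:v1:Zm9vYmFyYmF6", "ok", None),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan(build_sample_db()):
        print(finding)
```

The free-text notes column is the one that gets flagged here: the encrypted column is clean, but a card number typed into a comment field is still cleartext cardholder data.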