
Episode #33: PCI Compliance - Do's and Don'ts

This week, the guys talk about a topic that everyone loves, PCI (Payment Card Industry) Compliance! They rant about PCI-DSS compliance levels and standards, plus what first timers need to consider when preparing for a PCI audit. PCI DSS Legal Compliance can be tricky, but the team is ready to share tips about how to make your PCI compliance process simpler throughout the year and how to deal with the QSA (auditor), especially when the auditor doesn't understand your environment.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines: 

Fake DarkSide Campaign Targets Energy and Food Sectors

Attackers Take Advantage of New Google Docs Exploit

Hit by a Ransomware Attack? Your Payment May Be Deductible

Mysterious Ransomware Payment Traced to a Sensual Massage Site

USB-Based Malware Is a Growing Concern for Industrial Firms, New Honeywell Findings Show

Fake Text File can Load Malware on Computers

Hackers Are Trying to Attack Big Companies. Small Suppliers Are the Weakest Link


Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now here's your hosts, Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast once again. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we are talking about the Payment Card Industry Data Security Standards, or PCI DSS compliance, which is a topic that everybody loves, and everybody loves to deal with PCI compliance. So we're going to talk about that today, but before we do, Mike, would you tell us about your spirit animal and why you chose that animal, or kick us off with the news, whatever you prefer.

Would that be the honey badger? What is it? I was going to say the banana slug, but you know, that's kind of personal for a podcast. We don't want to share.

Okay, well, we'll settle for the news. DarkSide is the group from the Colonial Pipeline hack. Long story short, there's companies out there pretending to be DarkSide now, sending threatening emails saying "we have your data, please pay us now, 100 bitcoins; if it's not paid we're going to release it." So now, since imitation is the sincerest form of flattery, apparently DarkSide's being flattered by a bunch of posers. So be careful out there, and, you know, verify with your DarkSide customer service rep that you've actually been hacked.

I can't believe you brought this story up. You're going to blow my whole cover of trying to get money off everybody. Sorry, man, I know you need to pay for the ranch. You're the dim side, or, uh, very lightly lit side. Yeah, it's not quite a dark side. Yeah, it's a lot of dark side. There you go, it's like having a night light.
A new hack from Google: attackers take advantage of new Google Docs exploit. According to Avanan, which is a security research firm, analysts have recently discovered an exploit vector in Google Docs that attackers are using to deliver malicious phishing websites to victims. The Google Docs page looks familiar to those who share Google Docs outside the organization; however, it isn't that page, it's a custom HTML page made to look like the familiar Google Docs share page. They want you to click on "download the document," and once they do, bad stuff happens. Be careful.

How many Google Docs do you share with a bunch of people? I mean, that's what I'm thinking. It's like, how many... I mean, I know Google Docs, I get them from everybody, so I mean, how many Google Docs do you have to get to where this actually works? I don't know. I don't know. What they do is they redirect you to another login site and then steal your credentials, so I don't know, this is all new. We'll have to see what happens. So be careful out there.
Here's bad news for those of us in the cyber security industry: hit by a ransomware attack? Your payment may be deductible. Yep, the FBI is doubling down on its guidance to affected businesses, saying don't pay cyber criminals, but the US government, in its infinite wisdom, is also saying these ransoms are now tax deductible. Uh, deductions are usually allowed under law and established guidance. It's a silver lining for ransomware victims, but those looking to discourage payments are less happy about this. They fear the deduction is a potentially problematic incentive (no kidding) that can entice businesses to pay ransoms against the advice of law enforcement. At minimum, they say, the deductibility sends a discordant message to businesses under duress. Officials warn it's common sense that payments lead to more ransomware attacks; once you're a victim, you're always a victim, according to Stephen Nix of the Secret Service. This is just a bad idea, but yep, you can write off your ransom. Good to know.

Is the IRS colluding with Russia now? Is that what's going on? How could this possibly happen? This is... no idea. This is absurd. It's a business loss. Yeah, I mean, that's what they're calling it. It is, it is, but I mean, I think it should be penalized, you know? Not great. That shouldn't be deductible. You've got to pay more.
Yeah, the next one, I have this because, you know, sex sells, and this is an interesting story. Mysterious ransomware payment traced to a sensual massage site. Uh, ransomware targeting an Israeli company has led researchers to track a portion of the ransom payment to a website promoting sensual massages. Researchers discovered this after they used CipherTrace to track the ransomware payments as they flowed through different bitcoin wallets into a tip jar at the website. RubRatings is a website that allows you to tip massage and body rub providers in the US. Each masseuse's profile includes a tip jar button that allows customers to leave a bitcoin tip for their recent massage. Next, researchers assume that this is most likely a way to launder a ransomware payment. I would agree with that.

And I've got to assume that these guys are... that's pretty smart. Creative. Interesting. It's better than your usual, you know, buying Xbox games. RubRatings, though, that's pretty genius.

USB-based malware is a growing concern for industrial firms. According to Honeywell, the number of cyber threats designed to use USB sticks and other external media devices as launching pads doubled in 2021. Uh, of those threats, 79 percent can be used to disrupt operational technology systems that are generally shielded from the internet.

Another piece of malware: fake text file can load malware on computers. Attackers are now using Notepad icons with right-to-left override, also known as RTLO, to trick users into opening malicious attachments. With the Unicode character that informs Windows operating systems to switch letters from left to right, the latest threats use RTLO and the Unicode character U+202E to make a text file into an advanced attack. This is generally a malicious PowerShell script, so be careful with Notepad.

And lastly, hackers are trying to attack big companies; small suppliers are the weakest link. And this is something that Silent Sector has been preaching for a while, but defense companies are a prime target for cyber attackers, and sometimes poor security of SMBs, which is the small business or supply chain, could be giving them an easy way in. And one, according to researchers at BlueVoyant: they examined hundreds of SMB defense company subcontractor firms and found that over half had severe vulnerabilities with their networks, including unsecured ports, unsupported and unpatched software, which basically all makes it vulnerable to data breaches or ransomware. So that's some news for today, Lauro.

Awesome, awesome, thanks for that, Mike.
A lot of good stuff out there, uh, or bad stuff, I guess, depends on how you see it. Speaking of bad stuff, yeah, interesting one way or the other. So this week for exploitables, I don't want to talk about it, but WordPress plugins again. So there's one for a survey questionnaire; it's a blind SQL injection. So if you're running the Poll Survey Questionnaire Voting System, make sure you update that plugin. And then there's also another one for WordPress, the Google Maps plugin. So there's a stored cross-site scripting, so if people are visiting your sites and they're hovering over that Google Maps, you can be led astray. So if you're running any WordPress stuff, make sure you're checking out those. That was the Google Maps plugin and then the Poll Survey Questionnaire. And then I think another one that is kind of interesting is the VMware vCenter. There's a remote code execution for versions 6.5 through 7.0, um, and that's been validated, um, in a PoC. So if you've got vCenter and you're relying on that virtualization, make sure you're not running 6.5, 6.7 or 7.0, that you've upgraded off those platforms, because that's, uh, an injectable. Then the module is available for Metasploit for all of us to use, and that, uh, that includes the exploits.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, a firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit and contact us today.

Zach, are we going to talk about my favorite topic today?
We are: PCI compliance. And you both happen to be PCI professional certified and have done a lot of this, so let's talk about it. Let's dive deep into PCI, or as deep as we can in a handful of minutes, but talk about that, and really for the benefit of those people that have to become PCI compliant, you know, especially for the first time, or they are PCI compliant but are struggling to maintain compliance. So first of all, when we're talking about PCI, of course it's Payment Card Industry standards, right? If you're processing credit card data, handling, storing data, there are compliance requirements along with that, right, and the merchant banks enforce this. Now, how does somebody know... the question for both of you is, you know, how does somebody really know if they have to follow PCI compliance requirements, and once they know that they do, how do they know what level they're at?

Good question. You want me to go, Mike? Yeah, let's take that. I will take that question. Okay, so here's the thing. If you know, first off, the terminology used is store, process, transmit. So if you're doing anything with credit card data, even if you're busting it out in an iframe to a payment processor, if you're in that security supply chain of that processing, storing or transmitting of that data, then you're going to fall under PCI. Also if you're a service provider. So maybe you're just, um, providing a service, maybe you're translating, um, imagery, right, for accessibility or something like that, so that the blind and the deaf may be able to get their bills too, right? So there's services like that, and so if you fall under that supplier kind of paradigm, you're also going to be kind of susceptible to PCI DSS. But to find your levels out: processing the payments, you're going to have a payment gateway, and you've probably got a merchant bank already that you're doing business with, or a couple of them. Those merchant banks are going to have representatives for PCI. They're more than likely going to reach out to some aspect of your business, or have already, to basically relate to you that you're funneling so many, you know, transactions, and it's going to put you in a certain level, right? But you can find those levels out. Each payment card provider, each credit card company, right, so Discover, American Express, Visa, MasterCard, they're going to, um, have different requirements for level one, level two, level three and level four. I think all of them are consistent, Mike, except for like MasterCard, right? Now, they aren't... isn't MasterCard the weird one, or is it Discover? I don't know. Anyways, one of them's like the oddball, I think. It's just... I think it is, yeah. One of them's like kind of an oddball that just kind of wants you into certain millions for certain things. But yeah, it's like over six million is like a level one, and then somewhere between one and two is like a level two, and those level ones are going to require you to have that on-site assessment. But, uh, yeah, your bank should tell you. Your merchant bank should say, hey, this is where you're at.

Well, a lot of them... a lot of... now, I'm sorry, let me cut you off, but there's a lot of, like, the smaller companies now. If you just sign up to process credit cards, you're going to get an email from, you know, Trustwave or somebody like that saying "congratulations, you've been signed up to do PCI with us, fill out these forms." It's becoming automatic, um, where you don't really even have a choice. So if you sign up with a payment processor, you're getting that notification; the bank is turning you over to them. The question becomes, when can I do a SAQ A and then move on to the different SAQs, right? And then, you know, get to the granddaddy of all, SAQ D, which are painful, to say the least. Big D. Yeah, the D. We used to refer to... that's what we called Detroit when I lived in Michigan, but that's another story altogether. Anyway, the SAQ D is the monster.
And so what you need to do... so basically the easiest thing to do for PCI compliance is, you know what, I think... actually, let me step back. The biggest trap that most people run into is they spend all this time, they get PCI compliant, and then they don't follow through after they achieve compliance. It needs to be an operationalized activity where it is continually done, where evidence is continually gathered, where vulnerabilities are continually tracked, because we don't want to have nightmares like Lauro and I have both experienced at companies where you have the audit due in January and you start the audit process in November, and you are working Christmas Eve reconciling vulnerability and documentation and all sorts of things, because your internal resource that manages your audit is completely incompetent. And, you know, that's just kind of a nightmare, so you want to avoid it at all... I'm speaking of a specific person, but I will not name names.

Now, we don't name those people. They are the unnamed, Mike. They know who they are, though, because they probably listen to this and they're like, "I used to work with that guy," and yeah, we know you are. But he who shall not be named... he who shall not be named still has dreams. Dreams? They're more like nightmares. Always waking up in a cold sweat.
Okay, here's the thing, is that PCI is going to require you to take evidence. As an example, if you're proving segmentation is in place, okay, you're maybe going to open up a command terminal, you're going to run, you're going to write a traceroute command, try to go to that network, and you're going to run an ICMP ping command, try and go to that network, right, to demonstrate that the firewall is blocking packets. You're going to have to have those screenshots taken to demonstrate that you've done that, right, or the assessor is going to want you to do it while they're shoulder surfing you. Here's the thing: you can make these evidence profiles and farm them out to all your teams, and now they're collecting the stuff throughout the year, and like Mike said, that operationalized approach is what's going to save you in year two and three and beyond, because like everything else, these are forever machines. I mean, as long as you're in the supply chain of storing, processing or transmitting, you're in for this forever, right? I mean, you can't put the cat back in the box.

Yeah, and the other thing is that you need to keep your operational people aware of how to do it, because I can, you know, I can personally attest to how many times I've gotten questions: "well, how do I provide that evidence again? I did it last year, but I don't remember how." If you keep them in the mode of providing it every quarter, they know what to provide you. You know, it's defined. And, you know, the other thing that I have to say drives me nuts: create an actual evidence library based on the criteria required, all right? Number one, here's the data for number one; here's the data for number two. And then just put it all in an organized format. Put it by quarter, put it by date, put it by requirement, and that way it's easy to find, instead of that same person who shall not be named putting it all in one giant folder with no particular rhyme or reason or naming convention that made it fun to look through.

Yeah, at least name the screenshots, for crying out loud. Yeah, for cheese and rice, please, please just name your screenshots. What else can we talk about that's good for starting companies?

Well, I'm glad you asked, because I'm just asking what people ask us, right? Um, people generally ask what are the requirements at the various different levels, in other words, and the way I see it, of course, is like, when do you need to bring in a QSA, when do you need an actual ASV to do the scans versus, you know, you can do them yourself or whatever the case may be. But let's talk a little bit about the requirements at the lowest level and the highest level and the difference between the two.

Gross. Okay, I'm kidding, I'm just the messenger here. I'm just... no, I just joke for everybody out there. Anyway, so, um, good. So I guess the rule to live by with PCI is that if you're processing more than, I'd say, a million or two million a year, you're probably going to be in that level one, level two situation where your merchant bank's going to require two things. They're going to require you to have that ASV, which is an authorized scanning vendor, means I've paid money to PCI and taken a little class on how to run a vulnerability scanner. I'm just saying, it doesn't mean anything, it's just they're on the list. They've paid to be on the list of authorized vendors to do your scanning for you, okay? On that list, you've got to pay a lot to be on that list. Okay, I'm just flat out saying we're not on that list, because they just get a lot of money for it. Yeah, a ridiculous amount of money to be on their list. That's okay, I don't care about lists, I still get in the club, you know what I mean? Anyway, so here's the thing to remember about the ASV, is that the scans required for the level ones and level twos, right, there's one clean scan per quarter, okay? What that means is that, like, our scanner has a PCI template in it that you run against a set of targets. It's not going to give you all of the detailed information that other types of scan templates might use, okay? Now, this may vary by scanning vendor, but essentially what you don't want is any criticals or highs to show up on that report that you give to the bank, because you're going to do this once a quarter, and that scan's got to go to your representative at your acquiring bank, right, your merchant bank, and they're going to take that, they're going to file it away, and you've got to provide four of those a year. And then at the end of the year you're going to have to submit your, um, SAQ D, typically, is what it's going to be, with, uh, what they call an executive summary on top, which is the Report on Compliance as a whole, the ROC, the big thing, the big D, the big SAQ D, right, from an authorized vendor, a QSA, right? Another thing that you pay to be on the list for, of QSAs, but they'll charge you to come in and write all this documentation up for you, and you're going to have to submit that to your acquiring bank with the Q4 scan at the end of the year. And so that's like the requirement if you're processing a lot of credit cards. If you're not, if you're just, you know, onesie-twosie, you're little, then you can do a SAQ A, right? I mean, so there's a lot of SAQs, and maybe we should have another show just to talk about the differences between the A, the C, the A-EP, you know, all of these different variations that they have depending on what...

Yeah, exactly what part you play, so that if you go to their website they have a very clear chart that tells you the differences of where you fall. But to be honest, we typically see two things. People are doing a SAQ A: self-assessment, no scanning, walking through it. It's a limited subset of the PCI DSS, so a SAQ A is, I'm going to guess, probably like 50 of the 400 requirements that are in there, some odd, right, 380 some odd requirements. So it's a small subset. So the A is the littlest one, and that's where we see everybody start. And then if you really want to be mature about it, then you do a self-assessment D. You do the big D, the big SAQ D, on yourself. Come on, see where you fall. The monster.

The SAQ D monster. With that, have a dungeon raid to get the SAQ D monster. Yeah, the SAQ D has a full 329 controls on it. Is that what it is? Yeah, feels like 400, whatever. Well, I'm looking at their site, so that's what they're saying. They're heavy controls, though; they should count 1.3 controls or so. Well, the amount of work you've got to do... And I guess, real quick, you have any other questions to throw out, Zach? Because I've got a... Of course, like, of course. Share your wisdom,
please. Okay, so for everybody starting out with PCI, this is something that is a pitfall trap for everyone, especially if you have a not very good assessor. I don't want to say they're... I just want to use the term loose, okay? Not all assessment firms are treated equal, and in the struggle to find qualified individuals today, those certain individuals may lessen their... oh, they may lessen their needs, right, to get people to just do the job, right? So be careful of the assessor you get, because you may get contested, okay? So there are two pitfalls that PCI put into their framework that they rely on you, the organization, or you, the individual who owns the business, to figure out: two things. One is what network segmentation is to you inside of your organization. Seriously, PCI will tell you that you can use network segmentation to limit scope. We will never recommend that you limit scope; it's a bad idea. It makes you weak in spaces that you don't focus these frameworks in, okay? So we don't recommend that you limit scope, but if you're going to do it, you're going to have to use network segmentation. Most organizations already have a lot of network segmentation for DMZ and other sorts of things. PCI doesn't explain what network segmentation is. They are not the authoritative body, right? They're not the standard for what segmentation is. And so you have to define the type of segmentation, how you've done VLANs and network segmentation inside of your infrastructure, in a one-page doc, and what this is going to do is provide your methodology of segmentation for your business. So if an assessor comes in and tries to argue (typically they're not a technical individual), they may come in, um, misguided and try to argue a fact about the segmentation, and you'll be able to deliver that and show that it's there.

The other thing is a significant change. PCI is going to tell you that you need to do things like a penetration test after significant changes. They don't define what a significant change is, and nor can they, for every organization, right? So again, this is a place where I've seen not competent, incompetent assessors come in and challenge who did what for a pen test based on what the change was, and they're basically making decisions on what they consider as significant changes for your business. You don't want to give them that opportunity, so you want to take the opportunity ahead of time to define what you consider significant changes that would warrant things like a penetration test, okay, for your infrastructure and your architecture. Not all architectures, not all businesses, are deployed to the same architecture, right? We're all using classic computing, I get that, unless you've got some cool quantum computer thing now, but probably not. We're all on classic computing, so there's only so many architectural designs that you can go to, but they're not all created the same, and so you need to define what those significant changes are for your specific architecture, your specific applications. And those are two absolute places that an assessor will come in and have, I guess, wiggle room to misbehave, is the term I'll use. Mike, is that fitting?

Yeah, I mean, here's the thing, and I'll be a little more blunt than Lauro: QSA assessors are not gods, okay? You can argue with them, you can tell them they're wrong, you just have to be able to back it up with data that shows that they're wrong and why. They are not allowed to dictate to you how your infrastructure works. It just does. They do not have that power. They think they do, but I mean, I flash back to an assessor that I dealt with who was asking me how a software package worked, when I point blank said, "how, have you never installed software?" and he said, "no, I've never installed a piece of software." So that's the level that sometimes you're dealing with, and you really need to push back sometimes on these guys or girls or whatever.

Yeah, you need to support... but you need to have an informed reason why you're making that decision. You need to have it documented, you need to have it well thought out, and you need to have just strength and confidence. You need data that you can push back with, um, or the way that you do things that you can push back with. Another thing is, you know, not to dovetail on Lauro saying "don't segment" or "don't limit scope," I will say this: there is a case where you do limit scope, when you are first doing PCI, because of the amount of lift that is required to get a whole organization, especially a larger organization, PCI compliant. You can start out with limited scope, then expand out from there.

Well, not to dovetail on your dovetail on my dovetail, but how many organizations have we seen that have actually finished that out once they've got their scope in place and certified, right? Very, very few. Yeah, they... so certainly that's, uh, the one case, but, you know, go through with it after you've limited the scope. Yeah, well, that's the thing, is that you have to follow up, right? Um, but I mean, you know, large organizations where the sales guys are telling people "oh yeah, we're 100% PCI compliant" altogether, and then the technical side of it does not have the ability to get that way because of internal business structures that are preventing them from doing these things. You've got to have coordinated messaging, and it needs to be driven from the top. If the intent is to be fully PCI compliant, the sales arm is not the one that's going to drive that; it should not be driving it. It should be the security arm, the CFO, the CSO, CIO, whatever, should be driving that effort, because of the lift required in it. You can't have sales people out there saying "yeah, we'll be 100% PCI compliant in six months" and go from ground zero. So, oh gosh, you know, we've run into that, right? I mean, we have promises, right? It's always the sales person's fault, no matter what happens in a business. Just put it on, just lay it on sales. Always sales, always sales.
Excellent point. So pick a QSA that has a technical background if you can. Uh, get somebody that knows about the environment that you're working with, and that way you probably will have less headache. But, uh, you know, you might not get to choose who it is, so if that's the case, have your evidence to back it up. Collect it continuously throughout the year; don't make it a one-time lift. Before we wrap up, what are your... any final words of wisdom?

Well, it's just a heads up, is that PCI DSS 3.whatever is out right now; 4 comes out in March, so of 2022. So beware, if you are already PCI compliant, that there are changes coming. There are changes every three years, right? Yes, always, to PCI. Yeah, um, let's see, last thought, words of wisdom. Oh yeah, so if you really want to, uh, get ahead of this, then have a printout of all your users, what permission status they have, or a printout of all your assets, you know, who owns them. Um, have a printout of all your document libraries ready to go, right? All those things will need to go inside the Report on Compliance at the top, and a nice diagram of your infrastructure if you don't have that already. So, and if you don't want to do any of that, then, you know, don't take payments. There you go, there you go. Okay, cows and chickens for payment instead of credit cards. It works, it works in some parts of the world. So yeah, I use guineas. Yeah, there you go.

Thank you all for listening. Hope you learned something about PCI compliance. Hope this is helpful for you if you are faced with that, and just keep in mind a lot of the same principles here in PCI apply to other compliance requirements as well, so you don't have to reinvent the wheel every time. But hopefully this helped. If you like the podcast, subscribe, reach out, let us know your comments, let us know topics you want us to talk about, and we're happy to share the information that we've learned along the way. So thank you for joining us, and we will connect again next week. Take care.