Thursday, September 29, 2011

Lessons learned from recent PA/DSS audit

The following are some tips/hints and lessons learned during our recent PA/DSS audit.   Everyone's mileage will vary. 

Our application runs on both Windows and Linux.   We support JBoss and Weblogic for the application server.  We support Oracle, SQL Server and  MySQL for the database.  We have three client applications which are all WebStart clients, so this is NOT a web application.  Our EJBs are EJB 2.1 Session Beans.

  • Determine exact software stacks needed including all software levels, build levels and whatever else you need.  Collect all of this in one safe place.
  • Get the hardware ready and any scripts that may be needed to use those devices.  Our application is a POS, so we had a collection of pin pads that we were required to test with during the audit.
  • Get any utility software needed
    • Ghost for Win* images (or Win 7 provides a Backup/Restore feature)
      • We ran into some problems with Windows Server 2008 and had to use one of the Acronis tools to create the backup image.
    • PartImage for Linux images
    • Darik's Boot and Nuke
    • anything else you might need
  • Wipe the hard drives before loading any software, including the OS, using Darik's Boot and Nuke to be absolutely sure that the drive does not contain anything that might match a credit/debit card number.
  • Install the OS and any 'base' software, which isn't the software to be verified by the audit
    • Keep the partition sizes as small as possible without running out of disk space.  The larger the disk, the longer the forensic scans will take to run.
    • On Windows - you can have a page file, just don't allow it to grow and shrink.   Set the min and max file size to the same value.   
      • The problem here is that if card holder data is written to the page file and the page file is later shrunk, some of that card holder data MAY remain in the freed space, which is NOT cleaned up by the OS.   This can cause some instances of card holder data to be found during a forensic scan, and NO ONE wants card holder data found during the scans.
    • On Windows - you should also set the Windows Update setting to Notification because you don't want Windows Updates being applied to a machine during the audit.
    • Our auditor also recommended we turn off the Windows Restore points.  Again, you don't want Windows doing any extra work that could impact the audit results.
  • Take images of all boxes.  These may be needed to reset a machine back to a 'clean' state for an additional set of tests.
  • Talk to each of your authorization providers
    • let them know when your audit is scheduled and ensure you will have connectivity to their test servers
    • Verify that each provider can supply 'magic authorization values' that will help you trigger the following responses:
      • approvals
      • declines
      • referrals
      • timeouts
      • void
      • split tenders
      • partial auths
    • If any of the authorization providers encrypt their communications, then you may need to ensure you have whatever is needed for that.   We needed to download and install the JCE.
    • If you support multiple authorization providers, you will have to run tests against each provider so be ready to do whatever it takes to switch your application from one provider to the next.
  • Practice taking images and restoring images on all boxes
    • The Linux tools are not as user friendly as the Windows tools, so you need to be ready and able to make and restore your images in a timely manner.
  • Now you can install your software and you should be ready for the audit.
  • If you do any testing before the auditor arrives, be ready to restore the machines back to a 'clean' state because you don't want to take a chance that your early testing wrote any card holder data somewhere on the hard drive.
  • Our auditor previously used WinHex to do the forensic scans.  We used the evaluation version to try and double-check ourselves.  The problem with that version is that it is slow and can only scan for one card number at a time.  This time the auditor had a new set of software for the scans and unfortunately I didn't get the name of the package, although I know it was a purchased product.
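A self-check of the kind described above (looking for card-number-shaped digit runs in raw bytes such as a page file or partition image, the way a forensic scan does) is easy to script before the auditor arrives. This is an added example, not the author's or the auditor's tool; the issuer prefix/length table, the sample buffer and the test PAN are constructed assumptions.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run (serial numbers, hashes).
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed prefix -> allowed lengths table, an approximation of the brand
# ranges that keeps false positives down; not the official issuer tables.
_PREFIXES = {"4": (13, 16, 19), "5": (16,), "3": (15,), "6": (16, 19)}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data: bytes):
    """Return (offset, masked_pan) for every Luhn-valid candidate in data.

    Only first 6 / last 4 are reported so the scan report itself never
    becomes new cardholder data written to disk.
    """
    hits = []
    for m in _CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        lengths = _PREFIXES.get(digits[0])
        if lengths and len(digits) in lengths and luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((m.start(), masked))
    return hits


# Constructed sample buffer: log text, the well-known Visa test PAN
# (Luhn-valid), a near-miss with a bad check digit, and a long serial
# number that must not be reported.
SAMPLE = (b"txn 0042 approved\x00\x00"
          b"PAN=4111 1111 1111 1111;exp=1214\x00"
          b"PAN=4111111111111112\x00"
          b"serial 12345678901234567890123\x00")

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"offset {offset:#x}: {masked}")
```

To run it over a real image, read the file in large chunks with a small overlap so a number spanning a chunk boundary is not missed.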
Good luck - hope this helps!
