How can I get started?


dobesv
02-13-2009, 09:51 PM
I have a web application running in an off-site secure data center. It is online accounting software. I am primarily considering PCI compliance in order to process payments from customers, but at a later date our software may allow them to send transactions to their merchant account as well (so I may have to store credit card #'s for our clients).

This is a hosted solution running on a virtualized high-availability "grid" with each server running in its own VM where inbound communication is controlled by a hardware router/firewall and a software firewall with all the ports appropriately locked down. The databases are running on their own VM accessible only from the web servers or via SSH. We process a pretty small volume of transactions right now. The application could be restarted at any time if there is a hardware failure.

I do the software development and apply upgrades directly from my home office, and our IT managers access and monitor the grid from their home offices.

When I read through the PCI DSS or try to fill out the compliance wizard on hackerguardian.com I seem to get stuck on these issues (just to start):

1. There's a lot of talk about DMZs, but is the DMZ requirement relevant with an off-site hosting facility? Isn't the whole grid in a "DMZ" because it is off-site?

2. I recognize that the card #'s must be encrypted, but I get the feeling that if I reboot the server I'm expected to have myself and someone else pull a hex string out of a safe and enter it into the system before I'll be able to decrypt any cards, since I can't store the key anywhere accessible to the webserver. Is there a more convenient, high-availability, and cost-effective method that is acceptable for PCI DSS?

3. For audit logging, do I need to log when users log in, become root, etc., or log every single command they run?

4. If I were able to store the decryption key somewhere accessible to the webserver, would I now have to disallow everyone (including IT) from accessing that machine as "root" because they may have the ability to decrypt passwords, or are the IT and software developers allowed to have decryption powers, just not "regular" employees accessing the application over the web?

It would be nice to see some examples somewhere of how people managed to comply with the spec - a story about how they managed keys, encryption, backup, and audit logging and an example information security policy for a SaaS website like mine would go a long way to helping me (and others like me) figure out how to get this implemented without becoming PCI DSS "lawyers" first.

lyalc
02-14-2009, 12:14 AM
I'll take a stab at a couple of these.
PCI is reasonably technology independent.
1. PCI requires a perimeter firewall boundary, and card data stored in another network zone, protected by firewall rules.
This applies in a virtualised or physical server environment.
2. storage encryption is tricky, depending on the solution framework. There are various ways to store the keys on different media/systems to the card data and have the key available for application restarts, depending on your budget and programming/integration skills. Some idea of your framework would help.
3. Think in terms of being able to tell 'who did what, when and how'. Certainly session start/end is required, as well as activities that provide access to unencrypted card data, system changes, network changes and similar.
4. Developer and support roles must be separate, somehow - and developers must never develop on production machines. Certainly, limiting access to keys via file permissions helps, as will forcing 'sudo' or similar so that all users have their own login ID, and a record of commands issued as root.

To start your own policy, read the PCI DSS requirements and make a policy statement fit every requirement where a policy or documentation requirement is stated. About 2 years ago, Scanalert had such a 'free' document, but I have no idea on its availability, copyright issues etc today.

lyalc
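An added example of the "who did what, when and how" view described above (this is not code from the thread; it is written in Go, although the poster's application is Java EE, and the idea carries over). It parses sshd and sudo syslog lines into audit events and flags any sudo command that references a path on a watch list, so that access to key material or card data stands out in the trail. The hostnames, addresses, user names and paths in the sample log are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuditEvent is one "who did what, when and how" record distilled from a
// syslog line.
type AuditEvent struct {
	When            string // syslog timestamp as written
	Host            string
	User            string
	Action          string // "session-start", "session-end" or "sudo"
	Detail          string // peer address for sessions; target user and command for sudo
	SensitiveAccess bool   // the command referenced a path on the watch list
}

var (
	// "Feb 14 10:02:11 web1 sshd[2231]: message"
	syslogRe   = regexp.MustCompile(`^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([a-z]+)(?:\[\d+\])?: (.*)$`)
	sshOpenRe  = regexp.MustCompile(`^Accepted \S+ for (\S+) from (\S+) port \d+`)
	sshCloseRe = regexp.MustCompile(`^Disconnected from user (\S+) (\S+) port \d+`)
	// "    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/app/keys.conf"
	sudoRe = regexp.MustCompile(`^\s*(\S+) : .*USER=(\S+) ; COMMAND=(.*)$`)
)

// Paths whose access must stand out in the audit trail. These are constructed
// for the example; in practice they would be the key file and card-data store.
var sensitivePaths = []string{"/etc/app/keys.conf", "/var/lib/app/cards"}

// ParseAuditLine turns one syslog line into an AuditEvent; lines that are not
// session or sudo events return false.
func ParseAuditLine(line string) (AuditEvent, bool) {
	m := syslogRe.FindStringSubmatch(line)
	if m == nil {
		return AuditEvent{}, false
	}
	ev := AuditEvent{When: m[1], Host: m[2]}
	prog, msg := m[3], m[4]
	switch prog {
	case "sshd":
		if s := sshOpenRe.FindStringSubmatch(msg); s != nil {
			ev.User, ev.Action, ev.Detail = s[1], "session-start", "from "+s[2]
			return ev, true
		}
		if s := sshCloseRe.FindStringSubmatch(msg); s != nil {
			ev.User, ev.Action, ev.Detail = s[1], "session-end", "from "+s[2]
			return ev, true
		}
	case "sudo":
		if s := sudoRe.FindStringSubmatch(msg); s != nil {
			ev.User, ev.Action, ev.Detail = s[1], "sudo", "as "+s[2]+": "+s[3]
			for _, p := range sensitivePaths {
				if strings.Contains(s[3], p) {
					ev.SensitiveAccess = true
				}
			}
			return ev, true
		}
	}
	return AuditEvent{}, false
}

// ParseAuditLog keeps the recognised events from a slice of lines, in order.
func ParseAuditLog(lines []string) []AuditEvent {
	var events []AuditEvent
	for _, l := range lines {
		if ev, ok := ParseAuditLine(l); ok {
			events = append(events, ev)
		}
	}
	return events
}

// sampleLog is constructed for the example: one SSH session in which the user
// runs two commands through sudo, plus an unrelated cron line that is ignored.
var sampleLog = []string{
	"Feb 14 10:02:11 web1 sshd[2231]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2",
	"Feb 14 10:02:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/app/keys.conf",
	"Feb 14 10:03:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/iptables -L",
	"Feb 14 10:04:00 web1 cron[99]: (root) CMD (/usr/bin/logrotate)",
	"Feb 14 10:05:00 web1 sshd[2231]: Disconnected from user alice 203.0.113.7 port 51022",
}

func main() {
	for _, ev := range ParseAuditLog(sampleLog) {
		flag := ""
		if ev.SensitiveAccess {
			flag = "  <-- touches key material"
		}
		fmt.Printf("%s %s %-6s %-13s %s%s\n", ev.When, ev.Host, ev.User, ev.Action, ev.Detail, flag)
	}
}
```

Session start and end come from sshd, and every privileged command comes from sudo under the user's own login ID, which is what gives a per-person record of commands issued as root; the watch list is the piece that answers "which of these touched card data or keys".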

dobesv
02-14-2009, 09:43 AM
Thanks, lyalc!

1. Each component of the system has a software firewall that filters connections from the other components, does that count?

2. The application is written in Java EE, and I'm an experienced programmer so I should be able to overcome technical hurdles if they can be overcome in a Java environment. Are there any examples I could see of how to implement this?

Maybe there is storage encryption software out there (or one could be created using any appropriate technology) that runs its own mini-web-service and with its own firewall rules that I could run on another box and talk to it to request and store card numbers? It could use an HSQL database ... if none exists perhaps I should make one and sell it (once I have figured out how to implement those rules).

lyalc
02-14-2009, 02:17 PM
The strongkey suite is open source, but you need to integrate it into your application.
There are various 'host security modules' that do key storage in tamper-resistant hardware, again needing integration.
SafeNet, Ingrian, Thales and, I think, nCipher (don't see them much in this part of the world) etc are some vendors.

Part of your challenge may be whether the security and key management coding + responsibilities need to be in the development team, or if the key management should only be done in the security or platform owner team - internal politics etc.

lyalc
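An added example of the separation lyalc describes and of the "mini-service on another box" idea from the previous post (not code from the thread, StrongKey or any vendor; Go is used here although the application in question is Java EE, and the structure is the same in either language). The application encrypts each card number under its own data-encrypting key (DEK) and stores only the DEK wrapped by a key service; the `KeyService` interface and the `inMemoryKeyService` stand-in are assumptions made for the example, in place of an HSM or a key server on its own host behind its own firewall rules.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// KeyService is the application's view of whatever holds the master key: an
// HSM, a StrongKey-style server, or a small service on its own host. The
// application never sees the master key; it only asks for DEKs to be wrapped
// and unwrapped, so the web server alone cannot decrypt stored cards.
type KeyService interface {
	WrapDEK(dek []byte) ([]byte, error)
	UnwrapDEK(wrapped []byte) ([]byte, error)
}

// inMemoryKeyService is a constructed stand-in so the example runs offline; in
// a real deployment the key-encrypting key (KEK) lives in the HSM or key server.
type inMemoryKeyService struct{ kek []byte }

func newInMemoryKeyService() (*inMemoryKeyService, error) {
	kek, err := randomBytes(32) // AES-256 KEK
	return &inMemoryKeyService{kek: kek}, err
}

func (s *inMemoryKeyService) WrapDEK(dek []byte) ([]byte, error) { return gcmSeal(s.kek, dek) }
func (s *inMemoryKeyService) UnwrapDEK(w []byte) ([]byte, error) { return gcmOpen(s.kek, w) }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || AES-GCM ciphertext, with a fresh nonce per call.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; any modified bit in the blob fails authentication.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// CardRecord is what the database holds; neither field is usable without the key service.
type CardRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptCard makes a fresh DEK for this record, encrypts the PAN under it and
// keeps only the wrapped DEK; the plaintext DEK is never persisted.
func EncryptCard(ks KeyService, pan string) (CardRecord, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return CardRecord{}, err
	}
	ct, err := gcmSeal(dek, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := ks.WrapDEK(dek)
	return CardRecord{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptCard has the key service unwrap the DEK, then recovers the PAN. After a
// restart the application needs only its connection to the key service, not a
// key typed in by an operator.
func DecryptCard(ks KeyService, rec CardRecord) (string, error) {
	dek, err := ks.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := gcmOpen(dek, rec.Ciphertext)
	return string(pt), err
}
```

Because the database rows contain only wrapped keys and authenticated ciphertext, a copy of the database or of a backup is useless without the key service, and rotating the KEK means re-wrapping the stored DEKs rather than re-encrypting every card. The key service is also the natural place to apply the access restriction from question 4: only the application's service identity is allowed to call it, not every account that can log in to the web server.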

dobesv
02-14-2009, 03:47 PM
Hi lyalc, thanks for your continued help!

There are no internal politics here - this is a small business and I am "the team", as it were, with nobody else to argue with about who is responsible for what. Without question I am responsible for all of the coding, setup, and administration.

It looks like StrongKey would require a hardware add-on, like an HSM or USB smart-card. Is that correct? Is this hardware "dongle" the alternative to having humans enter the key, because it can be set up so that nobody has access to its internal key? Is the application considered "authorized" for use of the keys stored on the hardware device by merit of being physically connected to it?

Since our high-availability technology (3tera AppLogic) uses multiple redundant servers with automatic failover, it might not make sense to hook up such a device to any one server (my host may have some objections to this anyway since they have probably already filled their rack with hardware and have no room for anything extra). This requirement for either hardware or human intervention to keep the encryption key could be a killer for any PCI compliance plans I might have ... :-(

mdahn
02-16-2009, 07:09 PM
@dobesv you have many questions about the PCI DSS that are rather difficult to answer without stating the requirements and then many paragraphs of caveats. If you're interested, the SPSP offers a CPISM/A certification class and bootcamp which will bring you up to speed on every aspect of PCI compliance and validation. I would recommend this if you have the need to really understand this stuff.
https://www.paymentsecuritypros.com/certifications/

Otherwise, @lyalc is right that PCI DSS is technology independent. The fact that you are using a virtualized system is not pertinent to the PCI discussion other than how you plan to segment the systems, especially the web server from the database server.

Also, you mentioned remote access and it sounds like someone can remote directly into the database using SSH, which is not 2-factor authentication (unless configured that way). Feel free to post other questions here, as I'm sure you'll get more good feedback.