Payment Card Industry Data Security Standard: PCI DSS
Secure Shell is one of the unseen workhorses of IT infrastructure. It is the tool of choice for application developers and systems administrators connecting remotely to operating systems and privileged accounts. Secure Shell is also used by thousands of automated processes that drive IT operations, including moving cardholder data within and between enterprises that are subject to PCI DSS.
Secure Shell in the Card Data Environment
Requirements within PCI DSS Version 3 make it clear that QSAs (Qualified Security Assessors) and ISAs (Internal Security Assessors) need to include Secure Shell within the scope of their audits. Up to 50 specific PCI DSS controls are impacted by Secure Shell. SSH Communications Security provides guidance, tools, services and solutions that help auditors and their clients achieve compliance.
| PCI DSS controls | Secure Shell guidance |
|---|---|
| Build and Maintain a Secure Network and Systems (Requirements 1, 2) | Document Secure Shell data flows and trust relationships into and out of the CDE. Establish configuration standards and policies for Secure Shell use. |
| Protect Cardholder Data (Requirements 3, 4) | Document the processes and controls for managing Secure Shell user and host keys. Ensure only secure versions of Secure Shell are deployed (protocol version 2 with current software; SSH-1 is obsolete and must not be enabled). |
| Maintain a Vulnerability Management Program (Requirements 5, 6) | Ensure best practices and change control for Secure Shell use and deployment are in place. Remove keys from images before they are promoted from test to production. |
| Implement Strong Access Control Measures (Requirements 7, 8, 9) | Review onboarding, offboarding and governance procedures for Secure Shell access to the CDE, for both interactive and automated use. |
| Regularly Monitor and Test Networks (Requirements 10, 11) | Implement logging, monitoring and change detection for Secure Shell software and keys. Ensure Secure Shell traffic is inspected by IDS/IPS; because SSH payloads are encrypted end to end, this requires decrypting inspection at a gateway or proxy rather than passive sniffing. |
| Maintain an Information Security Policy (Requirement 12) | The risk assessment process should consider the state of Secure Shell key management and the loss of defense in depth that unmanaged Secure Shell keys cause (for example, the risk of an attack spreading into disaster recovery and backup systems). |
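The guidance above asks for an inventory of Secure Shell keys and trust relationships (Requirements 1 to 4) and for change detection on those keys (Requirements 10 and 11). The Python script below is an added example, not code from the original page or from SSH Communications Security, showing the core of that: it parses `authorized_keys` files collected from CDE hosts, fingerprints each key the way OpenSSH does (SHA256 over the decoded key blob), maps which accounts trust which key, flags entries an assessor would question (corrupt or mismatched blobs, root keys with no `from=` source restriction), and diffs two snapshots into change events. The host names, account names, option strings and key blobs are constructed for illustration (the blobs are well-formed SSH wire format but carry dummy key bytes); collecting the files from real hosts and persisting the baseline are left to the reader.

```python
"""Inventory and change-detect SSH authorized_keys entries across CDE hosts.
Added example; not from the original page or SSH Communications Security.
All hosts, accounts and keys below are constructed and are not real keys."""
import base64
import hashlib
import re
import struct
from typing import Callable, Dict, List, Optional, Set, Tuple

KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


def make_blob(key_type: str, payload: bytes) -> str:
    """Base64 of a minimal SSH key blob: string(key_type) string(payload).
    Only used to build sample data; payloads are dummy bytes, not real keys."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(payload)).decode()


# Constructed sample: (host, account) -> contents of that account's authorized_keys.
SAMPLE_AUTHORIZED_KEYS: Dict[Tuple[str, str], str] = {
    ("cde-db01", "root"): "\n".join([
        "# nightly backup pulled from the jump host, locked down",
        'from="10.1.2.5",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 '
        + make_blob("ssh-ed25519", bytes(range(32))) + " backup@jumphost",
        "ssh-ed25519 " + make_blob("ssh-ed25519", bytes(32)) + " alice@laptop",
    ]),
    ("cde-app01", "appsvc"): "\n".join([
        "ssh-ed25519 " + make_blob("ssh-ed25519", bytes(range(32))) + " backup@jumphost",
        # declared type disagrees with the blob: corrupt or tampered entry
        "ssh-rsa " + make_blob("ssh-ed25519", bytes(range(32, 64))) + " bob@laptop",
    ]),
}


def split_quoted(text: str, is_sep: Callable[[str], bool]) -> List[str]:
    """Split on a separator while keeping double-quoted runs intact,
    so command="a b, c" survives both the whitespace and the comma split."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif is_sep(ch) and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def fingerprint(blob_b64: str) -> Tuple[str, str]:
    """Return (SHA256 fingerprint as OpenSSH prints it, key type embedded in the blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    (tlen,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + tlen].decode("ascii", errors="replace")
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return "SHA256:" + digest, embedded


def parse_entry(line: str) -> Optional[dict]:
    """Parse one authorized_keys line; None for blank/comment lines, 'error' set when suspect."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_quoted(line, str.isspace)
    idx = next((i for i, f in enumerate(fields) if KEY_TYPE_RE.match(f)), None)
    if idx is None or idx > 1 or idx + 1 >= len(fields):
        return {"raw": line, "error": "unparseable entry", "options": [], "comment": ""}
    entry = {"raw": line, "type": fields[idx], "comment": " ".join(fields[idx + 2:]),
             "options": split_quoted(fields[0], lambda c: c == ",") if idx == 1 else []}
    try:
        entry["fingerprint"], embedded = fingerprint(fields[idx + 1])
    except (ValueError, struct.error):
        entry["error"] = "key blob is not valid base64"
        return entry
    if embedded != entry["type"]:
        entry["error"] = f"declared {entry['type']} but blob contains {embedded}"
    return entry


def build_inventory(files: Dict[Tuple[str, str], str]) -> Dict[str, List[dict]]:
    """Map each key fingerprint to every (host, account) that trusts it."""
    inventory: Dict[str, List[dict]] = {}
    for (host, account), text in files.items():
        for line in text.splitlines():
            entry = parse_entry(line)
            if entry is not None:
                entry.update(host=host, account=account)
                inventory.setdefault(entry.get("fingerprint", "INVALID"), []).append(entry)
    return inventory


def policy_findings(inventory: Dict[str, List[dict]]) -> List[str]:
    """Entries an assessor would ask about: broken blobs, and root keys with no from= restriction."""
    findings = []
    for fp, entries in inventory.items():
        for e in entries:
            where = f"{e['host']}:{e['account']}"
            if "error" in e:
                findings.append(f"{where}: {e['error']} ({e['comment']})")
            elif e["account"] == "root" and not any(o.startswith("from=") for o in e["options"]):
                findings.append(f"{where}: root key {fp} ({e['comment']}) has no from= restriction")
    return findings


def key_sets(inventory: Dict[str, List[dict]]) -> Dict[Tuple[str, str], Set[str]]:
    """Snapshot: (host, account) -> set of fingerprints, the unit the baseline is kept in."""
    sets: Dict[Tuple[str, str], Set[str]] = {}
    for fp, entries in inventory.items():
        for e in entries:
            sets.setdefault((e["host"], e["account"]), set()).add(fp)
    return sets


def detect_changes(baseline: Dict[Tuple[str, str], Set[str]],
                   current: Dict[Tuple[str, str], Set[str]]) -> List[str]:
    """Every key added to or removed from an account since the baseline is a change event."""
    events = []
    for host, account in sorted(set(baseline) | set(current)):
        before = baseline.get((host, account), set())
        after = current.get((host, account), set())
        events += [f"ADDED {fp} on {host}:{account}" for fp in sorted(after - before)]
        events += [f"REMOVED {fp} on {host}:{account}" for fp in sorted(before - after)]
    return events


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_AUTHORIZED_KEYS)
    for fp, entries in inv.items():
        print(fp, "->", ", ".join(f"{e['host']}:{e['account']} ({e['comment']})" for e in entries))
    for finding in policy_findings(inv):
        print("FINDING:", finding)
```

Running the script prints the shared backup key trusted by both `cde-db01:root` and `cde-app01:appsvc` (one key, two trust relationships, which is exactly the data-flow documentation Requirement 1 asks for), plus two findings: the unrestricted root key and the mismatched blob. A scheduled run that stores `key_sets()` output and feeds the previous snapshot to `detect_changes()` turns additions and removals into events for the log review in Requirement 10.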