The Payment Card Industry Data Security Standard (PCI DSS) defines a series of physical, logical, and administrative controls for the protection of payment card data, with particular emphasis on the Primary Account Number (PAN).
In technical terms, PCI DSS includes explicit references to security controls such as firewalls, web application firewalls (WAF), anti-virus, file integrity monitoring (FIM), intrusion detection/prevention systems (IDS/IPS), time synchronization services (NTP), event logs, use of secure versions of protocols (such as TLS), etc. However, no specific controls are defined for one of the critical components of any network architecture: the Domain Name System (DNS). And it is precisely in the DNS service where a "blind spot" in compliance with the standard can be found.
For context, the DNS is a distributed, hierarchical database built on the client-server model that associates a domain name (known as a Fully Qualified Domain Name, FQDN) and other associated data (known as "records") with an IP address. The concepts and criteria for implementing and specifying the name resolution system are described in RFC 1034 and RFC 1035.
In general terms, there are five main elements within a name resolution system:
Like many other services dating from the origins of the Internet, the DNS was designed to be operational and scalable, but security was not among its initial design criteria: there was no authentication, the integrity of responses was not validated, and data was transmitted in clear text. Attackers began to exploit these deficiencies through the following techniques:
As noted above, the PCI DSS standard does not include any explicit reference to security controls for the name resolution infrastructure, so during an implementation or a formal compliance assessment the following questions, each of which can affect the security of the environment, may arise:
Currently, many of these questions have no official answer, so it is quite likely that the vast majority of PCI DSS compliant environments have minimal or insufficient controls in place to protect their name resolution infrastructure from attacks.
In that regard, the following are a series of recommendations to protect DNS services in the payment card environment, complementing the basic requirements of PCI DSS:
To implement a secure DNS service architecture, the following guidelines are recommended:
To replace and/or complement the traditional functionalities of the DNS protocol, it is recommended to use any of the following alternatives and/or secure extensions:
DNS traffic is traditionally sent in clear text, without any control to protect its confidentiality. Because of this, any attacker on the path can read the name resolution traffic, which makes it easy to capture and manipulate (man-in-the-middle).
To avoid these problems, it is recommended to make use of the following security features for the protection of DNS traffic:
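To make the exposure concrete, the following added example (not code from the original post) builds a classic UDP DNS query in RFC 1035 wire format and parses it back exactly as a passive observer on the path would, showing that the queried name, and only a 16-bit transaction ID, travel in the clear; it also shows the 2-byte length framing that DNS over TCP and DNS over TLS (RFC 7858) wrap around the same message before it is encrypted. The query name and transaction ID are constructed sample values.

```python
import struct

# Constructed sample query: a client looking up the A record of www.example.com.
SAMPLE_NAME = "www.example.com"
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a FQDN as DNS labels: one length octet per label, zero octet terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build the 12-byte RFC 1035 header plus one question section.

    The transaction ID (txid) and the UDP source port are the only values a
    forged answer must match in classic DNS; nothing here authenticates the server.
    """
    flags = 0x0100  # RD (recursion desired) set, all other bits zero
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple:
    """Read labels starting at offset; return (name, offset after the terminator)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(msg: bytes) -> dict:
    """Everything an on-path observer recovers from a clear-text query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    name, offset = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def frame_for_stream(msg: bytes) -> bytes:
    """DNS over TCP/TLS carries the identical message behind a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg
```

With DoT the framed bytes are sent inside a TLS session, so the name in the question section is no longer readable on the path, while DNSSEC (not shown) addresses the separate problem of validating the answer's integrity.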
There are multiple alternatives at the software level to implement a DNS server, both commercial and Open Source. However, it is recommended that the chosen solution supports the security features described above.
These components must have a specific configuration standard associated with them, in accordance with PCI DSS requirement 2.2. NIST Special Publication 800-81-2, Secure Domain Name System (DNS) Deployment Guide, can be used as a reference.
Because the DNS service architecture is hierarchical and recursive, the DNS server in the PCI DSS network must connect to a higher-level server (usually a DNS resolver) on the Internet.
As with the time synchronization service (NTP), the external servers providing the service must be industry-accepted and support the security features described above.
Some of these external name resolution services with security and privacy features are:
The use of an internal DNS service also allows the implementation of additional controls, such as content filtering and blocking traffic to untrusted domains.
Another major issue not addressed by the PCI DSS standard is the security management of domain registrations associated with PCI DSS environments conducted with external name registration providers, particularly for e-commerce services.
As described above, the DNS links an IP address with a domain name (FQDN). When a user (an individual or an organization) wants to register a domain name under a specific TLD, they must contact an authorized entity called a "registrar". The registrar receives the registration request, validates that the domain is available and, if it is, adds the new name to its DNS record database. From that moment on, any change to the registration (renewal, transfer, or even editing of DNS records and zones if these tasks have been delegated to the registrar) must be made through the interfaces provided by this provider.
If a domain name is registered that points to an asset's IP address within a PCI DSS environment, the registrar automatically becomes a critical element within the organization's infrastructure, as the responsibility for the operation and management of that name rests with this entity. If an attacker compromises the registrar's network or gains unauthorized access to the domain management interface, traffic can be redirected to malicious servers without the end user being aware of the change.
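One compensating control for the registrar risk described above is to monitor the records published for the payment domain against an approved baseline and alert on any drift, since a changed NS or MX set is the typical trace of a hijacked registrar account. The following added example (not code from the original post) implements that comparison over a constructed zone snapshot; the domain, name servers and addresses are hypothetical values in reserved example ranges.

```python
# Constructed baseline: the delegation and public records approved for a
# hypothetical payment domain. In practice this comes from change management.
BASELINE = {
    "pay.example.com": {
        "NS": {"ns1.example.com", "ns2.example.com"},
        "A": {"198.51.100.10"},
        "MX": {"mx.example.com"},
    }
}


def parse_snapshot(text: str) -> dict:
    """Parse 'name TYPE value' lines (';' comments allowed) into name -> type -> set(values)."""
    snap = {}
    for line in text.strip().splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        snap.setdefault(name.rstrip("."), {}).setdefault(rtype.upper(), set()).add(value)
    return snap


def find_drift(baseline: dict, observed: dict) -> list:
    """Return (name, type, kind, value) findings; kind is 'unexpected' or 'missing'."""
    findings = []
    for name, types in baseline.items():
        seen = observed.get(name, {})
        for rtype, expected in types.items():
            got = seen.get(rtype, set())
            for v in sorted(got - expected):
                findings.append((name, rtype, "unexpected", v))
            for v in sorted(expected - got):
                findings.append((name, rtype, "missing", v))
        # Record types the baseline never approved for this name are drift too.
        for rtype in sorted(set(seen) - set(types)):
            for v in sorted(seen[rtype]):
                findings.append((name, rtype, "unexpected", v))
    return findings


# Constructed snapshot in which one approved name server has been replaced
# by an unapproved host, the pattern a registrar-side change would produce.
OBSERVED = parse_snapshot("""
pay.example.com. NS ns1.example.com
pay.example.com. NS ns1.unapproved-host.example ; constructed, not in baseline
pay.example.com. A  198.51.100.10
pay.example.com. MX mx.example.com
""")
```

Scheduling this comparison against live query results (for example with a resolver library) and treating any finding as a security incident gives early warning of a registrar or delegation change that the registrar itself would not report.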
According to the PCI SSC glossary, a service provider is defined as a "Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities."
Generally, a domain registrar is not counted among the service providers that affect a PCI DSS environment, even though its services may affect the security of cardholder data, so there is no obligation on the part of these entities to comply with the standard or to add security controls that prevent the risks associated with domain management.
With that in mind, the following recommendations apply:
"A chain is only as strong as its weakest link." We have heard this phrase many times applied to the cyber security environment and it is still valid today.
An environment that processes, stores and/or transmits payment card data must comply with the controls of the PCI DSS standard, which adds a layer of security to protect such data. However, one component of these environments that is generally not properly identified and protected is the name resolution service, or DNS. Because of this, the organization may have a "blind spot" in its security strategy, and it is essential to deploy preventive and corrective actions so that this does not become a risk vector.
The use of secure architecture, the implementation of additional security functionalities, and the protection of DNS records exposed on the Internet, as well as the use of DNS services provided by trusted entities are part of this strategy to defend this "weak link". All of these recommendations should become a complementary part of PCI DSS controls in organizations affected by compliance with this standard.
I am the Senior Security Consultant at Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies, and design and policy development, among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor