Thread: Requirement PA-DSS 1.1.4
Hi,
We've build a Payments Authorisation system (Box solution) on Postgresql database and now we are hitting following issue with our PA:DSS audit - requirement PA-DSS 1.1.4:
<>
1.1.4 Securely delete any track data (from the magnetic stripe or equivalent data contained on a chip), card verification values or codes, and PINs or PIN block data stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations.
</>
All of these elements of sensitive authentication data are not permitted to be stored post-authorization. If older versions of payment applications stored this information, the payment application vendor is required to provide instructions in the PA-DSS Implementation Guide as well as a secure wipe tool or procedure. If not securely deleted, this data could remain hidden on customer systems, and malicious individuals who obtain access to this information could use it to produce counterfeit payment cards, and/or to perform fraudulent transactions.
At this stage our QSA was able to identify that data remain on a persistence device (DB files) even after deleting those from our application.
Checking SQLite database, it comes with pragma secure_delete - which is very much what we are looking for. https://www.sqlite.org/pragma.html#pragma_secure_delete
I would appreciate your input on this. Is there any solution already I haven't been able to find in documentation. If not, is there any way we can put this on a road map or even contribute to your code?
Thank you in advance & Kind Regards,
Jan
We've build a Payments Authorisation system (Box solution) on Postgresql database and now we are hitting following issue with our PA:DSS audit - requirement PA-DSS 1.1.4:
<>
1.1.4 Securely delete any track data (from the magnetic stripe or equivalent data contained on a chip), card verification values or codes, and PINs or PIN block data stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations.
</>
All of these elements of sensitive authentication data are not permitted to be stored post-authorization. If older versions of payment applications stored this information, the payment application vendor is required to provide instructions in the PA-DSS Implementation Guide as well as a secure wipe tool or procedure. If not securely deleted, this data could remain hidden on customer systems, and malicious individuals who obtain access to this information could use it to produce counterfeit payment cards, and/or to perform fraudulent transactions.
Unfortunately, description is too ambiguous and our QSA claims that stored is stored regardless of form. Tokens he can live with, but encryption not. But we do encryption (regardless it is happening with a key stored on HSM).
Actual trouble comes with forensics:
<>
1.1.4.c Verify, through the use of forensic tools and/or methods, that the secure wipe tool or procedure provided by vendor securely removes the data, in accordance with industry-accepted standards for secure deletion of data.
</>
Similar with:
<>
2.6 Provide a mechanism to render irretrievable any cryptographic key material or cryptogram stored by the payment application, in accordance with industry-accepted standards.
Actual trouble comes with forensics:
<>
1.1.4.c Verify, through the use of forensic tools and/or methods, that the secure wipe tool or procedure provided by vendor securely removes the data, in accordance with industry-accepted standards for secure deletion of data.
</>
Similar with:
<>
2.6 Provide a mechanism to render irretrievable any cryptographic key material or cryptogram stored by the payment application, in accordance with industry-accepted standards.
</>
These are cryptographic keys (Host stored HSM keys) used to encrypt or verify cardholder data.
These are cryptographic keys (Host stored HSM keys) used to encrypt or verify cardholder data.
At this stage our QSA was able to identify that data remain on a persistence device (DB files) even after deleting those from our application.
Checking SQLite database, it comes with pragma secure_delete - which is very much what we are looking for. https://www.sqlite.org/pragma.html#pragma_secure_delete
I would appreciate your input on this. Is there any solution already I haven't been able to find in documentation. If not, is there any way we can put this on a road map or even contribute to your code?
Thank you in advance & Kind Regards,
Jan
--
EFTlab CTO
Hi team,
anyone? Please let me know if this is not a correct group to ask, I'll move it somewhere else.
Thank you in advance & Kind Regards,
anyone? Please let me know if this is not a correct group to ask, I'll move it somewhere else.
Thank you in advance & Kind Regards,
Jan
On 2019-06-04 08:56:47+10:00 Jan Bilek wrote:
Hi,
We've build a Payments Authorisation system (Box solution) on Postgresql database and now we are hitting following issue with our PA:DSS audit - requirement PA-DSS 1.1.4:
<>
1.1.4 Securely delete any track data (from the magnetic stripe or equivalent data contained on a chip), card verification values or codes, and PINs or PIN block data stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations.
</>
All of these elements of sensitive authentication data are not permitted to be stored post-authorization. If older versions of payment applications stored this information, the payment application vendor is required to provide instructions in the PA-DSS Implementation Guide as well as a secure wipe tool or procedure. If not securely deleted, this data could remain hidden on customer systems, and malicious individuals who obtain access to this information could use it to produce counterfeit payment cards, and/or to perform fraudulent transactions.Unfortunately, description is too ambiguous and our QSA claims that stored is stored regardless of form. Tokens he can live with, but encryption not. But we do encryption (regardless it is happening with a key stored on HSM).
Actual trouble comes with forensics:
<>
1.1.4.c Verify, through the use of forensic tools and/or methods, that the secure wipe tool or procedure provided by vendor securely removes the data, in accordance with industry-accepted standards for secure deletion of data.
</>
Similar with:
<>
2.6 Provide a mechanism to render irretrievable any cryptographic key material or cryptogram stored by the payment application, in accordance with industry-accepted standards.</>
These are cryptographic keys (Host stored HSM keys) used to encrypt or verify cardholder data.
At this stage our QSA was able to identify that data remain on a persistence device (DB files) even after deleting those from our application.
Checking SQLite database, it comes with pragma secure_delete - which is very much what we are looking for. https://www.sqlite.org/pragma.html#pragma_secure_delete
I would appreciate your input on this. Is there any solution already I haven't been able to find in documentation. If not, is there any way we can put this on a road map or even contribute to your code?
Thank you in advance & Kind Regards,
Jan
--EFTlab CTO
Hi
čt 6. 6. 2019 v 1:23 odesílatel Jan Bilek <jan.bilek@eftlab.com.au> napsal:
Hi team,
anyone? Please let me know if this is not a correct group to ask, I'll move it somewhere else.
this question, proposal is much more related to pgsql-hackers forum.
Currently Postgres doesn't support any feature like this. I think so can be hard to implement it to be absolutely safe. Modification of VACUUM statement probably is not problem. Harder work can be index cleaning.
Unfortunately this feature cannot be implemented as extension. It should be implemented in core.
Postgres has not road map - has only ToDo list - but it is mostly unimportant. If you need some feature in core, you should to contribute code.
More informations https://wiki.postgresql.org/wiki/Developer_FAQ
Regards
Pavel
Thank you in advance & Kind Regards,JanOn 2019-06-04 08:56:47+10:00 Jan Bilek wrote:
Hi,
We've build a Payments Authorisation system (Box solution) on Postgresql database and now we are hitting following issue with our PA:DSS audit - requirement PA-DSS 1.1.4:
<>
1.1.4 Securely delete any track data (from the magnetic stripe or equivalent data contained on a chip), card verification values or codes, and PINs or PIN block data stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations.
</>
All of these elements of sensitive authentication data are not permitted to be stored post-authorization. If older versions of payment applications stored this information, the payment application vendor is required to provide instructions in the PA-DSS Implementation Guide as well as a secure wipe tool or procedure. If not securely deleted, this data could remain hidden on customer systems, and malicious individuals who obtain access to this information could use it to produce counterfeit payment cards, and/or to perform fraudulent transactions.Unfortunately, description is too ambiguous and our QSA claims that stored is stored regardless of form. Tokens he can live with, but encryption not. But we do encryption (regardless it is happening with a key stored on HSM).
Actual trouble comes with forensics:
<>
1.1.4.c Verify, through the use of forensic tools and/or methods, that the secure wipe tool or procedure provided by vendor securely removes the data, in accordance with industry-accepted standards for secure deletion of data.
</>
Similar with:
<>
2.6 Provide a mechanism to render irretrievable any cryptographic key material or cryptogram stored by the payment application, in accordance with industry-accepted standards.</>
These are cryptographic keys (Host stored HSM keys) used to encrypt or verify cardholder data.
At this stage our QSA was able to identify that data remain on a persistence device (DB files) even after deleting those from our application.
Checking SQLite database, it comes with pragma secure_delete - which is very much what we are looking for. https://www.sqlite.org/pragma.html#pragma_secure_delete
I would appreciate your input on this. Is there any solution already I haven't been able to find in documentation. If not, is there any way we can put this on a road map or even contribute to your code?
Thank you in advance & Kind Regards,
Jan
--EFTlab CTO
Postgres has spent several decades creating a data store that does its best to make sure data is accessible and never accidentally lost. The cobc8of a secure forensic wipe is anathama to the product goals. To have any hope of implementing such a thing with confidence you'd need to drop most of those resilience features and write directly to block storage avoiding any file system that uses journals or copy on write semantics (like btrfs).
I've built some of the early leading forensic discovery and decommissioning software so I know what's involved. You should never store such information in a database product unless you plan of decommissioning ALL of the media that stores the information once you're supposed to lose custody.
If you're allowed to do this on a periodic basis (say monthly or quarterly) you could, as a policy, make a logical dump of the database and then restore it on a fresh server periodically and then fully decommission the data stores on the prior server. If you have a clustered system for resiliency then round robbin this in an N+1 configuration would work.
Outside of the above - if your custody latency allowences are too short then never store this information in a database product of any sort or even a modern file system. I'd write block storage in fixed sizes to a dedicated partition and then write over the data securely multiple times when you release custody.
Hope this helps,
- - Ben Scherrey
On Tue, Jun 4, 2019, 5:57 AM Jan Bilek <jan.bilek@eftlab.com.au> wrote:
Hi,
We've build a Payments Authorisation system (Box solution) on Postgresql database and now we are hitting following issue with our PA:DSS audit - requirement PA-DSS 1.1.4:
<>
1.1.4 Securely delete any track data (from the magnetic stripe or equivalent data contained on a chip), card verification values or codes, and PINs or PIN block data stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations.
</>
All of these elements of sensitive authentication data are not permitted to be stored post-authorization. If older versions of payment applications stored this information, the payment application vendor is required to provide instructions in the PA-DSS Implementation Guide as well as a secure wipe tool or procedure. If not securely deleted, this data could remain hidden on customer systems, and malicious individuals who obtain access to this information could use it to produce counterfeit payment cards, and/or to perform fraudulent transactions.Unfortunately, description is too ambiguous and our QSA claims that stored is stored regardless of form. Tokens he can live with, but encryption not. But we do encryption (regardless it is happening with a key stored on HSM).
Actual trouble comes with forensics:
<>
1.1.4.c Verify, through the use of forensic tools and/or methods, that the secure wipe tool or procedure provided by vendor securely removes the data, in accordance with industry-accepted standards for secure deletion of data.
</>
Similar with:
<>
2.6 Provide a mechanism to render irretrievable any cryptographic key material or cryptogram stored by the payment application, in accordance with industry-accepted standards.</>
These are cryptographic keys (Host stored HSM keys) used to encrypt or verify cardholder data.
At this stage our QSA was able to identify that data remain on a persistence device (DB files) even after deleting those from our application.
Checking SQLite database, it comes with pragma secure_delete - which is very much what we are looking for. https://www.sqlite.org/pragma.html#pragma_secure_delete
I would appreciate your input on this. Is there any solution already I haven't been able to find in documentation. If not, is there any way we can put this on a road map or even contribute to your code?
Thank you in advance & Kind Regards,
Jan
--EFTlab CTO
On Thu, Jun 06, 2019 at 11:41:40AM +0700, Benjamin Scherrey wrote: > You should never store such information > in a database product unless you plan of decommissioning ALL of the media > that stores the information once you're supposed to lose custody. Use a tablespace on a dedicated disk. Move the tablespace when requirements ask for deletion. Wipe the storage medium after moving the tablespace. Karsten -- GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B
Thank you all - Karsten, Benjamin, Pavel, PostgreSql team,
I've discussed all your inputs with our developers and they came with a solution for this problem, which was already agreed (on a high level) by our auditor.
I am adding it here so it can inspire the others, when potentially getting in a same situation.
<>
@page { margin: 2cm } p { margin-bottom: 0.25cm; direction: ltr; line-height: 115%; text-align: left; orphans: 2; widows: 2 }
I've discussed all your inputs with our developers and they came with a solution for this problem, which was already agreed (on a high level) by our auditor.
I am adding it here so it can inspire the others, when potentially getting in a same situation.
<>
Process For Managing Secure Data With PostgreSQL
This sets out the process we have developed for managing secure data with PostgreSQL; firstly for any technique to work we are going to assume that you are using a filesystem and media compliant with NIST 800-88 in the sense that:
Your disk can be cleaned by using multi-writes (if you have a platter disk)
Your disk can be cleaned by trimming (if using SSD)
That once the disks are finished with being removed from use as secure storage they are destroyed in line with NIST 800-88.
So the problem that must be solved is data that’s not used any more must be securely erased even if it was encrypted. So imagine you have a transaction log used for settling transactions with batch entities overnight (standard UK processing); once you’ve finished with those card numbers being held encrypted they must be securely erased from the system. Another use case is expiry of keys that are no longer used in an application. Here we don’t want to destroy the entire table or database but simply a partition of the data.
We propose that data is stored in two ways:
Tables that are deleted when the data is no longer wanted (insert then drop only tables)
Rows that are deleted when the data is no longer wanted
For scenario 1 where data is finished with this table is sent to the “Secure Delete” process. For scenario 2 where data is finished with the remaining rows are copied to a new instance of the table (imagine a view sitting over tables active and inactive so for example key_store view sits over key_store_active and key_store_inactive) so you’d send inactive to the “Secure Delete” process and then recreate inactive by select * into inactive from active then finally swap active and inactive and then “Secure Delete” the new inactive table.
The secure dropping of a table would operate as follows:
Drop all FKs from my_table_to_delete
Drop all PKs from my_table_to_delete
My_new_uuid is a new v4 uuid
Rename my_table_to_delete -> my_new_uuid
Insert into pending_secure_erase values (my_new_uuid, filenameof(my_new_uuid)) (the filename can be determined by performing various functions on the OID of the table)
Another process running with permissions to access the underlying data is then running (probably running as postgres user):
Run the following forever:
Wait for pending_secure_erase to contain something
Foreach table_name, filename in pending_secure_erase
If filename exists use secure erase tool on the file such as the shred app
Drop table if exists table_name
Delete from pending_secure_erase where table_name = table_name
In this way we have enabled:
Row deletes with the data to be completely purged from disk
The database to be available for use even when the application is moving data (you can user more tricks in the view to insert/update both active and inactive when copying to make it “more” online)
The limitation is that data isn’t securely erased until the above process is run where the data is row based rather than table based expiry and your exposure is then limited to how often the process is run to cutover data.
</>
Disclaimers:
- All credits to our principal architect (CD) who put this together, I am just a messenger here, where he prefers to stay behind.
- Feel free to comment, but implementation on our side is already commenced.
Kind Regards,
Jan
CTO - EFTlab
On 2019-06-06 18:14:39+10:00 karsten.hilbert@gmx.net wrote:
On Thu, Jun 06, 2019 at 11:41:40AM +0700, Benjamin Scherrey wrote: &gt; You should never store such information &gt; in a database product unless you plan of decommissioning ALL of the media &gt; that stores the information once you're supposed to lose custody. Use a tablespace on a dedicated disk. Move the tablespace when requirements ask for deletion. Wipe the storage medium after moving the tablespace. Karsten -- GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B
On 2019-06-06 23:51:02 +0000, Jan Bilek wrote:
> Process For Managing Secure Data With PostgreSQL
[...]
> Another process running with permissions to access the underlying data is then
> running (probably running as postgres user):
>
> 1. Run the following forever:
>
> a. Wait for pending_secure_erase to contain something
>
> b. Foreach table_name, filename in pending_secure_erase
>
> i. If filename exists use secure erase tool on the file such as the
> shred app
>
> ii. Drop table if exists table_name
Is this safe? You are overwriting the file while it still belongs to the
database. Renaming the table should have gotten rid of all transactions
accessing it, but what about the background writer or autovacuum? I'm
not convinced that nothing would access the file between i. and ii.
hp
--
_ | Peter J. Holzer | we build much bigger, better disasters now
|_|_) | | because we have much more sophisticated
| | | hjp@hjp.at | management tools.
__/ | http://www.hjp.at/ | -- Ross Anderson <https://www.edge.org/>