PCI-DSS 3 requires that in-scope devices, like cash register computers or payment processing servers, accept only trusted certificates. Specifically, it states:
Protect Cardholder Data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
4.1(b) Are only trusted keys and/or certificates accepted?
Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection.
So, how do you do this in Windows?
First, view the certificate presented by each payment processing service and document the trusted root certificate its chain ends at. Add to this list of trusted root certificates those that are required for Microsoft Windows to function. (This list is documented here: http://support2.microsoft.com/?id=293781). Create one master list of all root certificates that should be accepted.
Second, open the local computer’s certificate store. (Control Panel > All Tasks > Administrative Tools > Manage computer certificates.) Under Trusted Root Certification Authorities, expand Certificates. Delete all certificate authorities not on the previously created master list.
Third, configure the computer’s Web browser to not allow the user to continue to Websites with untrusted certificates. This setting varies from browser to browser. In Internet Explorer, the settings are in Local Security Policy under:
Windows Components\Internet Explorer\Internet Control Panel
Prevent ignoring certificate errors
Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on warn about certificate address mismatch
Check for server certificate revocation
The computer will now accept only those certificates approved for business purposes. Any invalid certificate will stop the transaction rather than let the user inadvertently continue. This configuration reduces the likelihood of man-in-the-middle (MITM) attacks, signed malware, and other attacks against certificate infrastructure. In addition, the computer's configuration is now in compliance with PCI-DSS 3's 4.1(b) requirement.
Some additional thoughts:
- When making configuration changes, always snapshot or backup the computer first
- PowerShell can be used to export the root certificates to disk
- Fully test the changes before putting the above recommendations into production
- Use group policy to deploy the settings to multiple domain computers
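The following PowerShell script is an added example, not part of the original post, that puts the second step and the "export the root certificates to disk" note into practice: it backs up every certificate in the local machine's Trusted Root Certification Authorities store to .cer files, then compares the store against the master list created in the first step and reports each root that is not on it. The master-list file format (one SHA-1 thumbprint per line, `#` comments allowed), the file paths, and the `-Remove` switch are assumptions of this example; the thumbprints shown in the comment are placeholders. Nothing is deleted unless `-Remove` is passed, and `-WhatIf` is honoured so the change can be rehearsed first.

```powershell
# Added example (not from the original post). Back up the machine's trusted root
# store, then report (and optionally remove) roots that are not on the master list.
#
# Assumed master-list format, one thumbprint per line (constructed placeholder values):
#   # payment processor root
#   0000000000000000000000000000000000000001
#   # required for Windows (see the Microsoft KB article referenced above)
#   0000000000000000000000000000000000000002
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$MasterListPath = 'C:\PCI\trusted-roots.txt',   # assumed path
    [string]$BackupDir      = 'C:\PCI\root-backup',         # assumed path
    [switch]$Remove                                         # only delete when asked
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Load the master list; normalise thumbprints to upper-case hex with no spaces or colons.
$allowed = Get-Content -Path $MasterListPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }

if ($allowed.Count -eq 0) {
    throw "Master list '$MasterListPath' is empty; refusing to continue."
}

# Enumerate the Trusted Root Certification Authorities store of the local computer.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# Export every root to disk before anything is changed (the backup the post recommends).
foreach ($cert in $roots) {
    $file = Join-Path -Path $BackupDir -ChildPath ($cert.Thumbprint + '.cer')
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
}
Write-Host ("Exported {0} root certificates to {1}" -f $roots.Count, $BackupDir)

# Anything in the store that is not on the master list is reported, and removed only on request.
$unexpected = @($roots | Where-Object { $allowed -notcontains $_.Thumbprint })
foreach ($cert in $unexpected) {
    Write-Host ("Not on master list: {0}  {1}  (expires {2:yyyy-MM-dd})" -f
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
    if ($Remove -and $PSCmdlet.ShouldProcess($cert.Subject, 'Remove from Trusted Root store')) {
        Remove-Item -Path $cert.PSPath
    }
}

# Roots on the master list that are missing from the store are also worth knowing about.
$missing = @($allowed | Where-Object { $roots.Thumbprint -notcontains $_ })
foreach ($thumb in $missing) {
    Write-Host ("On master list but not installed: {0}" -f $thumb)
}

Write-Host ("{0} roots in store, {1} not on master list, {2} listed but missing" -f
    $roots.Count, $unexpected.Count, $missing.Count)
```

Run it first without `-Remove` (or with `-Remove -WhatIf`) from an elevated PowerShell session to see what would change, and keep the exported .cer files with the snapshot so any root can be re-imported with `Import-Certificate` if a payment service turns out to chain to it. Note that Windows can silently re-add roots through the Automatic Root Certificates Update mechanism, so the "Turn off Automatic Root Certificates Update" policy should be considered alongside the deletions, and the store should be re-checked after Windows updates and before each assessment.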