
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Conventional PCI

PCI Security Standards Council announces winners of Special Interest Group elections

The PCI Security Standards Council (PCI SSC) today announced the results of the Council's election for Special Interest Groups (SIGs).

Special Interest Groups (SIG) leverage the expertise of more than 600 PCI SSC Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council.

Almost 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012.

The three elected groups will focus on:

  • Cloud
  • eCommerce Security
  • Risk Assessment

Participating Organizations were allowed three votes on a shortlist of seven topics that were the result of 13 proposals by the community.

Successful project proposals represent a cross section of the PCI SSC community from around the globe and include active participants from CyberSource, HyTrust, Sense of Security Pty Ltd., SISA Information Security, The UK Cards Association, Trend Micro and TSYS.

“This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor,” said Jeremy King, European director, PCI Security Standards Council.

“I’m looking forward to close collaboration between the Council and SIG membership.”

Special Interest Groups are a critical forum for industry participation in Council initiatives to increase payment card security. SIGs focus on providing recommendations to the Council which often results in guidance for interpreting and implementing the PCI Standards. To date SIG participants have made significant contributions to Council resources on topics such as wireless security, EMV chip, point-to-point encryption and virtualized environments.

The Council invites any members of the PCI SSC community interested in participating in one of these SIG projects to indicate their interest by emailing sigs@pcisecuritystandards.org before November 30th. Following this, Council SIG leads will convene each group to formalize the group charter and the precise scope of work for each project. This will be shared with the Community by the end of the year, with SIGs anticipated to start work at the beginning of 2012.

“We’re delighted that risk assessment has been selected by our peers to move forward as a 2012 SIG project. I’d like to encourage anyone with expertise or interest in this topic area or the other final selections to get involved,” said Dharshan Shanthamurthy, chief consultant at SISA Information Security.

 “Council SIGs are a great opportunity for professional development, networking, and contributing to something that will benefit the entire industry.”


Only 21% of merchants were compliant and other startling PCI DSS facts from the coal face


Verizon have recently launched their 2011 Payment Industry Compliance Report, which draws on their experience as a Qualified Security Assessor (QSA) company and on their previous annual reports.

Below are excerpts from their report:

Unchanged from last year:

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The PCI Requirements showed the highest implementation levels:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need to know)
  • 9 (restrict physical access)

Verizon concluded that organizations do not appear to be prioritising their compliance efforts against the PCI DSS Prioritized Approach (the Prioritized Approach is a free spreadsheet that can be downloaded from the PCI Security Standards Council site, find it here).

Organizations that suffered data breaches were less likely to be compliant than a normal population of Verizon PCI clients.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change disappoints Verizon, as many in the industry were hoping to see an increase in overall compliance as PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • Organizations met an average of 78% of all test procedures defined in the DSS at the time of their IROC
  • This is down 3% from Verizon’s last report

Verizon deduce that another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze,” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake.

When the QSA arrives on-site, only about one fifth of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Verizon believe that complacency and fatigue are two additional drags that make maintaining compliance year over year difficult.

Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.”

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range
  • Six of the twelve show an increase over last year, and the average is up two points
  • However, the average number of test procedures met within each requirement is down 4%
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, up 13%.

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

The improvement in compliance to Requirement 4 (encrypt transmissions) may indicate that administrators are deciding it is easier to direct all Internet traffic containing credit card data over SSL.

The small improvement in Requirement 7 (logical access), if it is significant at all, could mean that stricter attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 1 remains virtually unchanged since last year:

  • 44% were compliant
  • 46% in the last report
  • Only 63% of companies met Requirement 1.1.5 (documentation and business justification for every service, protocol and port allowed through the firewall) regularly

The entire report can be found on the Verizon web site here.


PCI SSC updates PTS program for Encryption and Mobile

The PCI Security Standards Council have provided an update to the PIN Transaction Security (PTS) program covering secure point-to-point encryption (P2PE) and mobile payment acceptance.

PTS 3.1 adds two new approval classes that facilitate the deployment of P2PE technology in payment card security efforts, building on the Secure Reading and Exchange of Data (SRED) module previously introduced in version 3.0 to support the secure encryption of account data at the point of interaction. Until now, the PIN Transaction Security program has applied to PIN acceptance devices only. With the release of version 3.1, requirements will expand for the first time to include protection of account data on devices that do not accept PIN, meaning any card acceptance device can now be PTS tested and approved and eligible to deploy point-to-point encryption technology.

Additionally, the requirements have been updated to address secure (encrypting) card readers (SCR), further facilitating the deployment of P2PE technology and the use of open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or MSR plug-ins now can ensure these devices have been tested and approved to encrypt data on the reader before it reaches the device.

The Council published a roadmap outlining its approach to point-to-point encryption technology in the cardholder data environment late last year and recently released the PCI Point-to-Point Encryption Requirements, the first set of validation requirements in its P2PE program. Findings from its initial examination of mobile payment acceptance applications in light of the PA-DSS were published in June, and in collaboration with industry experts in an SSC-led Mobile Taskforce, the Council aims to deliver further guidance by year’s end.

“We know how eager the market is to implement P2PE,” said Bob Russo, general manager, PCI Security Standards Council. “By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection. Additionally, we’ve opened the standard up to address mobile devices, another area of great interest to our stakeholders.”

The updated PTS Security program requirements and detailed listing of approved devices are available on the Council’s website.

There will be a session devoted to PTS program updates, including a dedicated question and answer forum, at the PCI Community Meeting taking place in London, England on October 17-19.

Additionally, the Council will host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, followed by a live Q&A session.

To register for the November 8 session, please visit here.

To register for the November 10 session, please visit here.

For more details on PCI visit the PCI Resources page here.


Merchants are complacent about PCI DSS, report reveals.


Verizon have launched their 2011 Payment Industry Compliance Report, which draws on their experience as a Qualified Security Assessor (QSA) company and on their previous annual reports.

Extracts from the report are below.

Unchanged from last year, only 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). Verizon commented: “This is interesting, since most were validated to be in compliance during their prior assessment”.

  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies).

The PCI Requirements showed the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need-to-know)
  • 9 (restrict physical access)

Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council, and do so even less than in the previous year.

A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.

Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.

In the pool of assessments performed by Verizon QSAs included in this report

  • 21% were found fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change is disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC.
  • Down 3% from Verizon’s last report; but again, the difference is nominal.

Therefore, the baseline set by the PCI DSS must not reflect the baseline set by the companies themselves. For most organizations, to achieve compliance they must do things they were not previously doing (or maintaining).

Another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence:

 “It was painful, but we made it through last year, so this year should be a breeze”

is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake. When the QSA arrives on-site, only about one fifth of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Complacency and fatigue are two additional drags that make maintaining compliance year over year difficult. Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.” But unless someone’s been babysitting a process, such as documenting and justifying all services allowed through the firewalls, things can easily be forgotten in the haste to get business done.

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range.
  • Six of the twelve show an increase over last year, and the average is up two points.
  • However, the average number of test procedures met within each requirement is down 4%.
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS.

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, up 13%.

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

Requirement 4 (encrypt transmissions) showed a marked improvement which may indicate that administrators are deciding it’s easier to direct all Internet traffic containing credit card data over SSL.

Requirement 7 (logical access) showed a slight improvement, which could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 11’s low showing reminds us why ‘set and forget is a very bad bet’ should be a core mantra of the security profession. The fact that security policies rank among the lowest of the low is not a good sign since policy drives practice.

Requirement 1 remains virtually unchanged since last year, at 44% compliance compared with 46% in the last report. Only 63% of companies met Requirement 1.1.5 (documentation and business justification for every service, protocol and port allowed through the firewall) regularly.
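Requirement 1.1.5 is the one control both Verizon summaries on this page single out, and it is exactly the kind of “babysitting a process” task that decays between assessments. The following script is an added example, not code from Verizon’s report or from this blog: it parses an `iptables -S INPUT` listing, compares it with the documented service register, and reports three things a QSA will ask about: ports that are open with no business justification, justifications for ports that are no longer open (a stale register), and insecure protocols with no documented security feature. The ruleset, the register and the classification of insecure protocols are constructed for the example; only single-port `--dport` ACCEPT rules are parsed.

```python
import re
from typing import Dict, List, Tuple

# Constructed `iptables -S INPUT` output for this example; not taken from any real host.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.10.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""

# The Requirement 1.1.5 register, as an assumed data structure: every allowed
# (protocol, port) with its business justification.
JUSTIFIED: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "customer-facing HTTPS payment page",
    ("tcp", 22): "admin SSH, source-restricted to the jump subnet 10.10.5.0/24",
    ("udp", 123): "NTP, needed for Requirement 10.4 clock synchronisation",
    ("tcp", 3306): "MySQL from the application tier",  # documented, but no longer open
}

# Protocols 1.1.5 treats as insecure, and the security feature documented for
# each one actually allowed; an empty string means nothing has been documented.
INSECURE: Dict[Tuple[str, int], str] = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}
COMPENSATED: Dict[Tuple[str, int], str] = {("tcp", 21): ""}

# Single-port ACCEPT rules only. Port ranges (--dport 8000:8080) and
# -m multiport are silently skipped, so extend this before trusting it on
# a ruleset that uses them.
RULE = re.compile(r"^-A \S+ .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT$")


def parse_allowed(ruleset: str) -> List[Tuple[str, int]]:
    """Extract (proto, port) for every single-port ACCEPT rule, in chain order."""
    allowed = []
    for line in ruleset.splitlines():
        m = RULE.match(line.strip())
        if m:
            allowed.append((m.group(1), int(m.group(2))))
    return allowed


def audit(ruleset: str, justified, insecure, compensated) -> Dict[str, list]:
    """Open-but-undocumented, documented-but-closed, and insecure-without-controls."""
    allowed = set(parse_allowed(ruleset))
    documented = set(justified)
    return {
        "undocumented": sorted(allowed - documented),
        "stale_justification": sorted(documented - allowed),
        "insecure_without_controls": sorted(
            svc for svc in allowed if svc in insecure and not compensated.get(svc)
        ),
    }


if __name__ == "__main__":
    for finding, services in audit(SAMPLE_RULES, JUSTIFIED, INSECURE, COMPENSATED).items():
        print(finding, services)
```

Run against a live host with `iptables -S INPUT | python audit.py`-style plumbing of your own and schedule it; a finding under `stale_justification` is the quiet symptom of the “good enough last year” attitude the report describes, because the register was never updated when the service was retired.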

Compliance is the continuous state of adhering to the regulatory standard. In the case of the PCI DSS there are daily (log review), weekly (file integrity monitoring), quarterly (vulnerability scanning) and annual (penetration testing) activities that an organization must perform in order to maintain this continuous state of compliance.

The entire report can be found on the Verizon web site here.


Good news for Merchants as the PCI Security Standards Council releases Tokenization guidance


On 12 August 2011 the Payment Card Industry Security Standards Council (PCI SSC) published guidelines to help merchants and credit card processors take advantage of “Tokenization”.

The PCI SSC definition of Tokenization: “Tokenization technology replaces a Primary Account Number (PAN) with a surrogate value called a “token”. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values, meaning a properly implemented Tokenization solution can reduce or remove the need for a merchant to retain PAN in their environment once the initial transaction has been processed.”

Merchants are ultimately responsible for the proper implementation of any Tokenization solution they use, including its deployment and operation, and validation of its Tokenization environment as part of their annual Payment Card Industry Data Security Standard (PCI DSS) compliance assessment.

Organizations should carefully evaluate any solution before implementation to fully understand the potential impact to their CDE (Cardholder Data Environment). The paper helps guide merchants through this process by:

  • Outlining explicit scoping elements for consideration
  • Providing recommendations on scope reduction, the tokenization process itself, deployment and operation factors
  • Detailing best practices for selecting a tokenization solution
  • Defining the domains, or areas that specific controls need to be applied and validated, where tokenization could potentially minimize the card data environment

This additional guidance also benefits tokenization service providers and assessors by informing them on how the technology can help their merchant customers limit or eliminate system components that process, store, or transmit Cardholder data, and reduce the scope of the CDE and thus the scope of a PCI DSS assessment.

“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”

Jeremy King, European director of the PCI SSC, said the process is challenging because not all cards have a 16-digit primary account number (PAN). Some Tokenization methods are more applicable than others according to the card in question. Some tokens try to preserve the format of the original PAN in order to maintain compatibility with internal processing applications, while other approaches may generate a new truncated or randomised number, King said.

“Systems that allow you to get back to the PAN need to be properly protected, and are in scope,” King said.

Tokenisation can dramatically reduce the reach of PCI DSS. In simple terms, if a Merchant stores no credit card data, the scope of PCI DSS is reduced to the systems that still touch the PAN on its way to the tokenization provider.

For the majority of Merchants, reducing the scope of PCI DSS by not storing credit card data can mean the difference between a relatively simple Self Assessment Questionnaire (SAQ), e.g. SAQ A, and the highly complex and extremely demanding SAQ D.
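The two properties the Council's definition and Jeremy King's comment turn on are that the token is not derivable from the PAN, and that whatever can get back to the PAN is guarded and in scope. As an added illustration (not code from the PCI SSC, from any tokenization vendor, or from this blog), the following Python sketches a vault that behaves that way: tokens are random and format-preserving (same length, last four digits kept), the PAN-to-token mapping lives only inside the vault, and de-tokenization is a separately authorised operation. The class and function names, the role check and the in-memory storage are assumptions for the example; a real vault would also render its stored PAN unreadable per Requirement 3.4 and sit entirely inside the CDE. The card numbers used are industry test numbers, not real cards.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Mod-10 check. Every issued PAN passes it, so this is a plausibility
    filter on input, not proof that a number belongs to a live card."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip the spaces and dashes that forms and agents put into card numbers."""
    return raw.replace(" ", "").replace("-", "")


class TokenVault:
    """In-memory stand-in (an assumption for this example) for a tokenization
    service's vault. Everything in this class is inside the CDE; the PAN
    never leaves it except through detokenize()."""

    def __init__(self, detokenize_roles=("settlement",)):
        self._pan_by_token = {}
        self._token_by_pan = {}
        self._detokenize_roles = set(detokenize_roles)

    def tokenize(self, raw_pan: str) -> str:
        pan = normalise_pan(raw_pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]  # multi-use token: same PAN, same token
        while True:
            # Random, not derived from the PAN, so there is nothing to reverse.
            # Format-preserving: same length, last four kept for receipts and
            # reconciliation (within the PCI DSS 3.3 first-six/last-four rule).
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject Luhn-valid tokens so a token can never be mistaken for a
            # PAN downstream (and PAN-discovery scanners will not flag it).
            # Retry on the rare collision with an existing token.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """The high-value operation: gated by role, and every system that may
        call it is in PCI DSS scope, exactly as King's comment says."""
        if role not in self._detokenize_roles:
            raise PermissionError(f"role {role!r} may not de-tokenize")
        return self._pan_by_token[token]  # KeyError for an unknown token


if __name__ == "__main__":
    vault = TokenVault()
    # 4111 1111 1111 1111 is an industry test number, not a real card.
    token = vault.tokenize("4111 1111 1111 1111")
    print("token:", token, "-> PAN for settlement:", vault.detokenize(token, role="settlement"))
```

Making every token fail the Luhn check is a design choice, not a requirement: it guarantees a token can never collide with a real card number and lets a PAN scanner distinguish the two, at the cost of breaking legacy applications that Luhn-validate whatever they are handed. Some products choose the opposite, Luhn-valid tokens, for that compatibility, which is the trade-off King describes between format-preserving and randomised approaches.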

The PCI SSC Tokenization Information Supplement can be downloaded here.


Call Centre Security and PCI Compliance


Credit card data is the crown jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise (ADC), also known as a breach, can lead to bad press and a damaged reputation; you only need to Google Play.com or Lush to see the impact.

With the 18 March 2011 launch of the PCI Council’s “Protecting Telephone Based Payment Card Data” guidance on call centres, it is worth noting that, according to research from Connected World, 36.7% of contact centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

However, the majority (89%) admitted to not understanding PCI DSS, the requirements nor penalties.

There are many business and regulatory requirements that impact Call Centres, especially the recording of telephone calls, for example in the United Kingdom, the Financial Services Act.

The act of recording a call can break the rules of PCI DSS, because most recordings capture ALL of the data the caller reads out, including the card security code (CAV2, CVC2, CVV2 or CID), which must never be stored once the transaction has been authorised. Storing the PAN and expiry date is acceptable so long as the PAN is rendered unreadable (for example, encrypted) and the Merchant has answered every question in SAQ D, or undergone a formal on-site assessment if they are a Level 1 Merchant.

The number one piece of advice for Call Recording is DO NOT DO IT unless you really have to.

However, recording calls and storing credit card data in an encrypted format are only small parts of the issue facing Call Centres.
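Where recordings or speech-to-text transcripts cannot be avoided, the practical control is to scrub them before they are stored. The following Python is an added example, not code from the Council’s guidance or from this blog: it finds card-number-shaped digit runs in transcript text, keeps only those that pass the Luhn check (so phone numbers and order references are left alone), masks them to first six and last four as Requirement 3.3 allows, and removes outright any digits spoken after the agent asks for the CVV/CVC/CID, because that code may never be retained. The regular expressions, function names and the sample transcript are assumptions constructed for the example; treat it as a last line of defence for text at rest, not a substitute for pausing the recording while the card details are taken.

```python
import re

# Digit runs of 13-19 characters, allowing the single spaces or dashes an agent
# types or a speech-to-text engine inserts. The lookarounds stop it matching
# the inside of a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# The card security code (CAV2/CVC2/CVV2/CID) is sensitive authentication data
# and must never be retained after authorization, so digits spoken right after
# the agent asks for it are dropped outright rather than masked.
CSC_SPOKEN = re.compile(r"(?i)\b(cvv2?|cvc2?|cav2|cid|security code)\b(\D{0,20}?)(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every issued PAN passes; filters out phone numbers and order refs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 masking: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str):
    """Return (redacted_line, findings) for one transcript or log line."""
    findings = []

    def _pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number; leave it untouched
        masked = mask_pan(digits)
        findings.append(("PAN", masked))
        return masked

    def _csc(m):
        findings.append(("CSC", "removed"))
        return f"{m.group(1)}{m.group(2)}[REMOVED]"

    line = PAN_CANDIDATE.sub(_pan, line)   # PANs first, so the CSC pass sees no card digits
    line = CSC_SPOKEN.sub(_csc, line)
    return line, findings


def redact_transcript(text: str):
    """Apply redact_line to every line; findings carry the 1-based line number."""
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        red, found = redact_line(line)
        out.append(red)
        findings.extend((n, kind, value) for kind, value in found)
    return "\n".join(out), findings


# Constructed transcript for the example, not a real call; 4111 1111 1111 1111
# is an industry test number and the order reference is made up.
SAMPLE_TRANSCRIPT = """\
Agent: can I take the long number on the front of the card please?
Caller: it's 4111 1111 1111 1111, expiry 12/24
Agent: and the three digit CVV on the back?
Caller: CVV is 123, and my order reference is 1234 5678 9012 3456
"""

if __name__ == "__main__":
    redacted, found = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    for item in found:
        print(item)
```

The findings list is what you feed to the incident process: a PAN hit means cardholder data reached a store that was not meant to hold it, and a CSC hit means sensitive authentication data did, which is the more serious of the two. Run it over the transcript archive once to size the problem before deciding between deleting and redacting.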

By considering the following points and reviewing the documents on the PCI Resource page  you can go a long way towards achieving a PCI compliant Call Centre.

  • Employee vetting is the first step in ensuring a secure Call Centre.
  • There needs to be a formal employee induction programme where employees learn about the company’s policies (rules) and the ramifications of breaching the policies.
  • Specifically, there needs to be a documented Policy on how employees handle calls and the data resulting from those calls, especially credit card data.
  • The Merchant needs to communicate the Policy to all employees that have access to Credit Card Data.
  • Do employees regularly receive training on the Policy and its importance? They should do.
  • Are employees made aware of their IT Security responsibilities?
  • Security Awareness training needs to be provided, for example, how to deal with the threat of computer viruses, how to report suspicious activity, etc
  • Security Awareness has to be promoted, for example, on posters and in newsletters.
  • Do supervisors/managers enforce a clear desk Policy? For example, no MP3 players, no note pads or any other methods to record information.
  • Access to photocopiers and scanners needs to be restricted.
  • Restricting physical access to the Call Centre should be considered.
  • Call Centres should be restricted to employees only and visitors need to be escorted.
  • All paperwork leaving the Call Centre should be shredded to avoid the unnecessary risk of Personally Identifiable Information (PII) finding its way into the public domain.
  • CCTV should be considered.
  • Do all employees have unique logon identities?
  • Are strong passwords enforced?
  • Are password changes enforced every 30 days, or less? (PCI DSS itself requires a change at least every 90 days; 30 is a stricter local choice.)
  • Are password changes significantly different after every change? For example, not simply adding a 1 or a 2 at the end of previous password.
  • Home and remote workers need to have local security installed, for example, personal Firewalls and Anti Virus.
  • Do systems and servers that store credit card data, for example, CRMs and Databases, have access restricted on a need to know basis?
  • Are logs taken and stored for system and networks where data is stored?
  • Is the Merchant’s network and systems attached to the network adequately protected against viruses, hackers and other threats?
  • Are these systems regularly scanned and patched for vulnerabilities? PCI DSS requires quarterly internal and external vulnerability scans of all systems within the scope of the cardholder data environment, and the external scans must be performed by an Approved Scanning Vendor (ASV).
  • Is the Merchant’s security regularly tested? For example, by having Penetration Tests.
  • Does the Merchant have a plan on how to deal with a breach and is this plan tested? This is often called an Incident Response Plan and can be tuned to deal with all types of breaches for example, the Epsilon Email Breach.

In summary, PCI DSS is not the only area of compliance affecting the Call Centre, but PCI DSS does help focus the business on what security, processes and procedures are required to achieve best practice.


PCI SSC Board of Advisors 2011 elections are now open

The PCI SSC Board of Advisors elections for 2011 to 2013 are now open.

All PCI SSC Participating Organizations can vote. Voting closes on 08 April 2011. The votes will decide the composition of the Board of Advisors for the next two years. A complete list of the candidates is below:

Financial Institution – 3 votes

  • Australia and New Zealand Banking Group Limited (ANZ)
  • Bank of America
  • Bank of America Merchant Services
  • Banrisul S.A.
  • BARCLAYCARD
  • Citi
  • JPMorgan Chase & Co.
  • SIX Multipay
  • WorldPay (UK) Ltd 

Merchant – 3 votes

  • Allstate Insurance Company
  • British Airways
  • CHS Inc.
  • CVS Caremark
  • Exxon Mobil Corporation
  • FedEx
  • Hawaiian Airlines
  • HMSHost
  • Intuit Inc.
  • Loves Travel Stops & Country Stores, Inc.
  • McDonald’s Corporation
  • National Association of College and University Business Officers
  • Starbucks Coffee Company
  • Tesco Stores Limited
  • The Walt Disney Company
  • VF Corporation
  • Wal-Mart Stores, Inc.
  • Woolworths Limited 

Processor – 3 votes

  • Cielo
  • DirectCash Payments Inc.
  • Elavon
  • First Data Corporation
  • Fiserv
  • Global Payments Inc. (NYSE:GPN)
  • Heartland Payment Systems
  • Litle & Co.
  • Merchant Warehouse
  • Mercury Payment Systems
  • Moneris Solutions
  • Payment Processing Inc
  • Point International (Point Group)
  • Sage Payment Solutions
  • The SHAZAM Network
  • TSYS 

Vendor – 3 votes

  • Agilysys
  • ATX Innovation
  • Cisco
  • Citrix Systems, Inc.
  • Convergys
  • Datapipe
  • Fico
  • Hypercom Corporation
  • Ingenico
  • Mako Networks
  • MICROS Systems, Inc.
  • nuBridges, Inc.
  • Panasonic Avionics Corporation
  • Reliant Security
  • RSA
  • Shift4 Corporation
  • Vanguard Integrity Professionals
  • VeriFone Systems, Inc.
  • Voltage Security 

Other – two votes

  • Apriva
  • CARTES BANCAIRES
  • Envision Telephony Inc.
  • European Payments Council
  • IATA
  • Interac Association
  • Network Frontiers (the Unified Compliance Framework)
  • Payment Alliance International
  • Paypal
  • RSPA – Retail Solutions Providers Association
  • The UK Cards Association
  • Vendorcom
  • VigiTrust Ltd
  • Wright Express

 Data supplied by VeriTape.
