Brian Pennington

A blog about Cyber Security & Compliance

Tag: Merchant

PCI Security Standards Council releases Point-to-Point encryption (P2PE) resources

The PCI Security Standards Council (PCI SSC) has announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based P2PE solutions. Both are downloadable from the PCI SSC website in MS Word format.

The resources follow the Council’s release in April of updated Solution Requirements and Testing Procedures for hardware-based P2PE solutions (find the link on my resources page), which provide a method for vendors to validate their P2PE solutions and for merchants to reduce the scope of their PCI DSS assessments by using a validated P2PE solution for accepting and processing payment card data.

Eligible merchants using these P2PE hardware solutions may be able to reduce the scope of their PCI DSS assessments and validate to a reduced set of PCI DSS requirements. To help with this validation process, the Council has developed a new Self-Assessment Questionnaire (SAQ P2PE-HW).

SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components:

  • Merchant eligibility criteria
  • SAQ completion steps
  • Self-Assessment Questionnaire (validation of PCI DSS Requirements)
  • Attestation of Compliance, including Attestation of PIM Implementation

Merchants should refer to their acquirer and/or payment brand to determine if they are eligible to use this new SAQ.

The Council has also updated the PCI DSS SAQ Instructions and Guidelines document to provide additional guidance on use of the SAQ P2PE-HW.

The PCI P2PE Program Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website.

The document includes:

  • Overview of P2PE solution validation processes
  • Considerations for P2PE Solution providers preparing for assessment
  • Reporting considerations for P2PE assessors
  • Considerations for managing validated P2PE Solutions
  • Listing of applications used in P2PE solutions

Solution providers, application vendors, and P2PE assessors can use this document immediately to plan for their P2PE assessments.

The Council will shortly be providing templates and Reporting Instructions for P2PE validation reports, as well as new Attestations of Validation (AOVs) and vendor release agreement (VRA).

P2PE assessors, solution providers and application vendors can then complete their assessments of P2PE Solutions and applications and submit their reports and validation documentation to the Council for acceptance and listing. The Council will list the validated solutions on the PCI SSC website for merchants to use.

“These resources are a critical part of rolling out this program,” said Bob Russo, general manager, PCI Security Standards Council. “The program guide outlines the submission and listing process for P2PE solution providers and application vendors who want to validate their products, while the SAQ will help simplify PCI DSS validation efforts for merchants taking advantage of this process to minimize the amount of cardholder data in their environments.”

Last chance to review your PCI readiness before the holiday season

As we enter the busiest period of credit card spending, it is probably a good time for a bit of last-minute housekeeping to ensure your business is meeting the Payment Card Industry Data Security Standard (PCI DSS), or as much of it as you can.

First things first, DO NOT STORE CREDIT CARDS unless you really really have to.

  • If you know you are unnecessarily storing credit cards, delete them, and delete them with a secure deletion tool so there is no way they can come back to haunt you.
  • If you have to retain credit card data, make sure it is encrypted and never, ever store the CVV/CV2/etc. As a short-term fix to get you through the next couple of weeks, encrypt hard drives and put in a plan to have effective credit card encryption and tokenization in place for early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS, download the white paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” here.
  • Check to see if there are cards being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”; read the press release here. There are some excellent scanning tools that will scan your network and devices for the existence of credit cards so you can then decide to delete or secure them.
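As an added example (not code from the post or from any product it mentions), here is a small Python scanner of the kind described in the last bullet: it looks for PAN-shaped digit runs in text, keeps only those that pass the Luhn check to cut down false positives such as order references, masks each hit to first six and last four digits before reporting it, and flags lines that also appear to hold sensitive authentication data next to the card number. The log format, the key names it looks for (cvv, cvc, cv2, pin) and the sample lines are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds refuse runs that continue with more digits, so a 20-digit
# identifier is not chopped into a "card" (length range is an assumption).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Key/value shapes that suggest sensitive authentication data stored beside
# a PAN. Assumed key names; adapt to the application's own field names.
SAD_KEYS = re.compile(r"\b(?:cvv|cvc|cv2|pin)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real card number passes.

    Roughly 1 in 10 random digit strings also passes, so this trims
    false positives rather than eliminating them; review hits by hand.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only first six and last four digits; never log a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str
    has_sad: bool   # sensitive authentication data seen on the same line


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate, by line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        sad_present = SAD_KEYS.search(line) is not None
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask(digits), sad_present))
    return findings


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = """\
2011-11-28 10:02:13 order=10234 pan=4111111111111111 status=ok
2011-11-28 10:02:14 phone=+44 20 7946 0018 order=10235
2011-11-28 10:02:15 pan=5555 5555 5555 4444 exp=12/13 cvv=737
2011-11-28 10:02:16 ref=1234567890123456 status=declined
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        flag = "  <-- sensitive authentication data on same line" if f.has_sad else ""
        print(f"line {f.line_no}: {f.masked}{flag}")
```

Run against a directory of exported files or logs by feeding each file's text to `scan_text`; the fourth sample line shows why the Luhn filter matters (a 16-digit reference that is not a card), and the third shows the case the post warns about most strongly, a PAN stored together with its CVV.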

You now need to revisit the Payment Card Industry Data Security Standard’s Version 2 to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.

The Prioritized Approach consists of six key milestones, and merchants are advised to start with number 1.

  1. Milestone 1 Remove Sensitive Authentication Data and limit data retention
  2. Milestone 2 Protect the perimeter, internal, and wireless networks
  3. Milestone 3 Secure payment card applications (e.g. PA DSS approved)
  4. Milestone 4 Monitor and control access to your systems
  5. Milestone 5 Protect stored cardholder data
  6. Milestone 6 Finalize remaining compliance efforts, and ensure all controls are in place

Another reason to revisit your PCI DSS posture is revealed in Verizon‘s 2011 Global report, which reports that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

The full review of the Verizon report is here.

If you want to look at a range of other documents and guides have a visit to my PCI Resources page here.

Good luck with your Christmas and the New Year business and compliance activities.

Exactly how many Merchants are PCI DSS compliant?

The number of Merchants who are compliant with the Payment Card Industry Data Security Standard (PCI DSS) varies from continent to continent and country to country, but the figures released by VISA for the US make interesting reading.

The table below shows the results for the US up to the 30th June 2011 as per the VISA.com website.

CISP Category (Visa transactions per year)       | Estimated population size | Estimated % of Visa transactions | PCI DSS compliance validated | Validated not storing prohibited data
-------------------------------------------------|---------------------------|----------------------------------|------------------------------|--------------------------------------
Level 1 Merchant (>6M)                           | 377                       | 50%                              | 97%                          | 100%
Level 2 Merchant (1-6M)                          | 881                       | 13%                              | 96%                          | 100%
Level 3 Merchant (e-commerce only, 20,000-1M)    | 3,024                     | <5%                              | 60%                          | N/A
Level 4 Merchant (<1M)                           | ~5,000,000                | 32%                              | Moderate *                   | TBD
VisaNet Processor (Direct Connection)            | 62                        | 100%                             | 94%                          | High
Agent (Downstream)                               | 1,262                     | N/A                              | 83%                          | High

(CISP = Cardholder Information Security Programme)

*Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications

Since the PCI DSS standard was released and enforced, the Level 1 Merchants have been the main focus of the card issuing companies and, of course, the QSAs because, as the table above shows, they represent the largest percentage of transactions for a single group and are a small enough number to manage easily. This focus is why Visa can report a near 100% validation rate for Level 1 Merchants.

The largest risk group by number of businesses is the Level 4 Merchants, with over 5,000,000 in the US alone.

Level 4 Merchants have not yet achieved a percentage on the Visa chart. This is probably because they do not need to have their Self-Assessment Questionnaire (SAQ) validated by an external party, e.g. a QSA, except in rare circumstances. Relying on the Merchant’s ability to understand the requirements of PCI DSS and to put in place the processes, policies and protections required to protect credit card data requires a lot of “faith” by Visa.

The majority of credit card breaches happen in Level 4 Merchants, e.g. restaurants and hotels, which is why Visa is pushing EMV on a world-wide basis.

All in all it looks like the majority of Merchants are PCI DSS compliant, which means the programme is doing some good…

PCI Compliance Cost Calculator for Level 1-4 Retailers

StillSecure have produced the “StillSecure PCI Calculator”, a free online tool designed to help Level 1 through 4 retailers examine, and potentially significantly reduce, the costs and complexities associated with PCI compliance. It is a very interesting approach to calculating the cost of compliance.

From the StillSecure press release:

Gartner issued its Retail Security & Compliance survey 2011, which examined security processes used by organizations subject to PCI, including current level of PCI compliance, spending on PCI compliance, and security threats. Among the key findings, the survey revealed that the costs associated with PCI security and compliance for merchants — excluding the cost of assessors — is an average of $1.7 million over 2.35 years. Over the same time period, Level 1 retailers spent an average of $2.1 million on PCI compliance, with Level 2-4 retailers spending an average of $1.1 million.

Based on the Gartner research, StillSecure claim that Level 1 merchants using their PCI Complete security solution would save approximately $750,000, and Levels 2-4 would save over $400,000, over the same period.

“Gartner’s Retail Security & Compliance Survey 2011 data clearly shows that organizations are spending significant amounts to become PCI compliant,” said Avivah Litan, VP Distinguished Analyst, Gartner, Inc. “The data further shows that it’s not easy to become compliant and many retailers may be overwhelmed with the complex and numerous steps involved in the process. In fact, security breaches are common. Our assessment underscores the importance of exploring all available options for compliance and security.”

The Gartner report also tracked overall PCI compliance investments and PCI-related security risks. While 28 percent of respondents believed that their organization had to spend too much money to comply with PCI standards, 43 percent of respondents had experienced at least one type of security incident.

“StillSecure has been intensely focused on helping organizations achieve PCI compliance through our fully managed, independently approved solution, PCI Complete,” said Rajat Bhargava, CEO of StillSecure. “These solutions are certified by one of the world’s most stringent qualified security assessors (QSAs) and include PCI monitoring, scanning, as well as reporting and evidence creation capabilities that will save organizations as much as 30 to 50 percent on PCI compliance and auditing. Our PCI Calculator allows organizations to compare their current PCI compliance expenditures with other merchants of similar size, while also informing them on steps to reduce the costs of compliance.”

Download the PCI Calculator for yourself here, registration is required.

CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants

CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.

This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.

Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.

The new development comes at an opportune time.  

  • eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here
  • 90% of online thieves are now associated with organized crime. Details of fraud patterns can be found here
  • “Botnet” infections are growing at a rate of approximately 200,000 per day. Download the “10 Botnet Questions” white paper here

The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.

“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”

Read the full PRnewswire press release here

Benefits of PCI Compliance – direct and indirect

Many Merchants see the Payment Card Industry’s Data Security Standard (PCI DSS) as an expense they could do without. 

The counter argument is most businesses would struggle if nothing was done to tackle Credit Card Fraud because the Credit Card companies would need to charge Merchants a higher transaction rate to cover their losses. 

So, what other reasons could there be for becoming PCI Compliant? 

The answer very much depends on your business type and the loyalty of your customers and prospective customers. 

Some very good reasons for becoming PCI compliant are listed below.

Continue reading “Benefits of PCI Compliance – direct and indirect”

Where do security breaches occur? What type of data is stolen and who makes the discovery?

Trustwave has published its Global Security Report 2011 and it has some very interesting research.

The research is drawn from incidents investigated by the company. Of a total of 220 investigations undertaken into suspected breaches, 85% were confirmed as breaches, and 90% of those resulted in data theft.

The headline statistics are:

Industry breakdown of where the incident happened

  • Food and beverage   57%
  • Retail   18%
  • Hospitality   10%
  • Government   6%
  • Financial   6%
  • Education   1%
  • Entertainment   1%
  • Construction   1%

Types of data stolen

  • Payment Card Data   87%
  • Sensitive company data   8%
  • Trade Secrets   3%
  • Authentication Credential   2%
  • Customer records   2%

This may simply reflect the fact that Trustwave is a Payment Card Industry forensic and incident investigator, or it is further proof, if we needed it, that the bad guys are after the money.

Who found out that there had been an incident?

  • Regulatory detection   60%
  • Self detection   20%
  • Public detection   13%
  • Law enforcement   7%

Is it any wonder that the credit card issuers are strictly enforcing the Payment Card Industry Data Security Standard (PCI DSS) when Merchants themselves find only 1 in 5 Account Data Compromises (ADCs), also known as breaches?

Previous research found that the majority of cards are used in multiple frauds.

Merchants come out on top in the time to detect a breach

  • Regulatory detection  156.5 days
  • Public detection   87.5 days
  • Law Enforcement   51.5 days
  • Self Detection   28 days

This is interesting: only 1 in 5 breaches were found first by the Merchant, and since regulatory detection accounts for 60% of discoveries at an average of 156.5 days, the majority of breaches take over 100 days to be discovered.

Trustwave www.trustwave.com

PCI fines could put merchants out of business

An interesting interview between Bob Russo, general manager of the PCI Security Standards Council, and Practical e-Commerce, an online resource for merchants.

This part of the interview concerns the rarely discussed issue of fines.

Practical e-Commerce asked the question: “Although there is a lot of talk about having to comply with PCI standards, there don’t seem to have been any real ramifications for non-compliant merchants to date.”

Bob Russo replied “I totally disagree. You’re playing Russian roulette here with your business. While there might not be a validation requirement (which is to say that you may not have to prove to anyone that you are PCI compliant), if in fact you suffer a breach and you are found not to be compliant at the time of this breach, then there are tremendous ramifications.

“There are fines, and for a small business, a fine could literally put them out of business. There is the specter of customers walking away because they’ve either figured out, or, with our breach notification laws, someone has told them that the breach occurred at the merchant’s site. There’s the specter that they will not shop with the merchant anymore because they feel like you [the merchant] are not keeping their information safe, whether it be credit card information or personal information. It’s a really big issue. Are your readers willing to play Russian roulette? They’re the only ones who can answer that question.”

Read the full interview at http://www.practicalecommerce.com/articles/2565-PCI-Council-General-Manager-on-Non-Compliance-Russian-Roulette-
