
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Payment Card Industry Data Security Standard

ADVICE FROM AN ASSESSOR: DevOps, Automation, Security and Compliance

By Andrew Barratt, QSA, PCIP. Managing Director, International / Managing Principal, Payments, Application Validation, Coalfire; Manchester, UK, http://www.coalfire.com

Phew, the title of this post alone sounds like it could be quite a lot to deal with!

So what is DevOps? DevOps is simply the blending of infrastructure operations processes and software development to enable faster changes to business applications and technology. These processes share a lot of ideology with the Agile and Lean camps, but are more fundamentally trying to bridge the traditional divide between the development world and the IT operations/service management teams.

In practice, DevOps can mean a lot of different things to different audiences and sometimes it can be difficult to apply compliance requirements without getting a good understanding of what DevOps is for your company.

Terms such as ‘treat your code as infrastructure’ can often scare the life out of traditional auditors, along with the fear that rapid release and change bring rapid loss of control. These shouldn’t be scary; they should be embraced and understood. In audit parlance these processes can become embedded, configurable application controls that require less substantive audit testing and sampling when under scrutiny, and allow the focus to be on how they are designed to operate as a security control.

DevOps environments typically make heavy (think obsessive!) use of automation tools so that rapid change and release processes are possible at large scale and high frequency. This is typically where the confusion begins when evaluating these environments for security and compliance purposes. Typical service management controls such as change management may, on the surface, appear to have been cast aside in the rush to ‘be DevOps’. This rush to implement tooling can often lead to the underlying processes being weak or ill-conceived. However, this is common in other disciplines too. Poor planning = poor performance.

DevOps done well can bring a great set of tools and capability for building secure, scalable and compliant environments. Building on modern source control, streamlining change control and building dependency on the tools’ authentication and access control can quickly be used to demonstrate the control requirements of many compliance frameworks, including the PCI DSS. Just doing things faster, or without lots of paper forms and signatures, doesn’t necessarily equate to non-compliance.

The implementation of PCI DSS requirements 2 and 6 can be rapidly transformed using a DevOps approach: requirement 2 is primarily focused on hardened configuration management, traditionally seen as an ‘Ops’ area, whilst requirement 6 focuses on change management and software development.

There is nothing fundamental in these requirements (or in other areas of the DSS) that prevents a DevOps environment being used to support and implement PCI compliance if done carefully. Whilst the security and compliance mandate might tweak certain implementation decisions, most of the tools marketed for ‘DevOps’ support building workflows that can be used for approval/review decisions and capture/log the necessary approval processes to support compliance. As the level of automation increases, so does the ease with which compliance requirements can be met.

Recently I worked with a client that had invested heavily in building their DevOps tooling but had built in PCI requirements as part of this process, so also incorporated automation of documentation production. Their focus was, and still is, to automate as much as possible into the release process to minimize the failure of an activity. Every time a new release was pushed, all configuration documentation was also updated automatically (supporting requirement 2).

This particular client used a software issue and tracking tool that could be used to demonstrate management approval for changes as well as to show that code review processes had been followed. As they continued to improve they were investigating automation of their code review processes so that static analysis tools were orchestrated immediately after changes were approved as part of the build process.

One of the biggest challenges they faced initially was the size of their team: they were small and specialist, and in the past had struggled with creating segregation of duties between their test and production systems. Moving to DevOps helped with this significantly. No developers were required to have access to production systems in any manner, as the build and release process was entirely orchestrated by tools with an approval workflow that the developers couldn’t authorize alone. The tools were the only thing with the ability to push to their production systems, and the workflow ran under management approval. These tools were treated the same way as other in-scope systems, but the overhead from this was so minimal that it enabled them to meet security requirements without complicated manual processes and multiple sets of access permissions.
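The tool-enforced approval workflow described above (independent code review, management approval that the developer cannot grant alone, static analysis run after approval, and a pipeline identity that is the only principal able to push to production) is the kind of control an assessor can test directly. The following is an added illustration of such a release gate; it is not the client’s or Coalfire’s code, and the change-record shape, the role names and the bot identity are constructed assumptions.

```python
"""Release-gate policy check.

Added illustration of a tool-enforced approval workflow with segregation of
duties between developers and production. Not the client's or Coalfire's
code: the change-record shape, the role names and the bot identity are
constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed roles whose approval counts as "management approval" (hypothetical).
APPROVER_ROLES = {"release-manager", "engineering-manager"}
# Assumed: the only principal with credentials to push to production is the
# pipeline's service identity; humans never deploy directly.
DEPLOYER_IDENTITY = "ci-release-bot"


@dataclass
class ChangeRecord:
    """One change as the issue tracker would present it to the release gate."""
    ticket: str
    author: str
    reviewers: set[str] = field(default_factory=set)        # completed code reviews
    approvers: dict[str, str] = field(default_factory=dict)  # approver -> role
    static_analysis: str = "missing"                         # passed | failed | missing
    deploy_requested_by: str = ""                            # principal asking to push


def evaluate_release_gate(change: ChangeRecord) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed control is reported so the
    log entry explains why a push was refused, not merely that it was."""
    reasons: list[str] = []

    # Requirement 6 style control: code review by someone other than the author.
    if not (change.reviewers - {change.author}):
        reasons.append("no independent code review")

    # Management approval must come from an approver role held by a non-author.
    if not any(role in APPROVER_ROLES and person != change.author
               for person, role in change.approvers.items()):
        reasons.append("no management approval by a non-author")

    # Static analysis is orchestrated after approval; it must have run and passed.
    if change.static_analysis != "passed":
        reasons.append(f"static analysis {change.static_analysis}")

    # Only the pipeline identity may push; a developer asking directly is refused.
    if change.deploy_requested_by != DEPLOYER_IDENTITY:
        reasons.append(f"push requested by {change.deploy_requested_by!r}, "
                       f"only {DEPLOYER_IDENTITY!r} may deploy")

    return (not reasons, reasons)


def audit_entry(change: ChangeRecord) -> str:
    """Single-line record of the decision for the evidence trail."""
    allowed, reasons = evaluate_release_gate(change)
    verdict = "ALLOW" if allowed else "DENY"
    detail = "; ".join(reasons) if reasons else "all controls satisfied"
    return (f"ticket={change.ticket} author={change.author} "
            f"approvers={sorted(change.approvers)} verdict={verdict} detail={detail}")


if __name__ == "__main__":
    # Constructed sample changes: one compliant, one where a developer
    # tries to review, approve and deploy their own work.
    good = ChangeRecord("CHG-101", "alice", {"bob"}, {"carol": "release-manager"},
                        "passed", "ci-release-bot")
    bad = ChangeRecord("CHG-102", "alice", {"alice"}, {"alice": "release-manager"},
                       "missing", "alice")
    print(audit_entry(good))
    print(audit_entry(bad))
```

The gate returns every failed control rather than stopping at the first one, so the logged entry is itself the evidence an assessor asks for: who authored, who approved, and why a push was refused.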


100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

“2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity.”

The following chart ranks the top 25 risk factors cited by the 100 largest U.S. retailers:

Top 20 Risks for Retailers (rank and percentage of the 100 largest U.S. retailers citing each risk; “t” marks a tie)

Risk factor | 2016 | 2015 | 2014
General Economic Conditions | #1, 100% | #1, 100% | #1, 100%
Privacy Concerns Related to Security Breach | #1t, 100% | #4t, 99% | #8, 91%
Competition and Consolidation in Retail Sector | #3, 98% | #1t, 100% | #3, 98%
Federal, State and/or Local Regulations | #4, 96% | #1t, 100% | #2, 99%
Natural Disasters, Terrorism and Geo-Political Events | #5, 94% | #7, 96% | #13, 87%
Implementation and Maintenance of IT Systems | #6, 93% | #4, 99% | #7, 92%
U.S. and Foreign Supplier/Vendor Concerns | #6t, 93% | #6, 98% | #4, 96%
Legal Proceedings | #6t, 93% | #9t, 95% | #8t, 91%
Labor (health coverage, union concerns, staffing) | #9, 91% | #7t, 96% | #5, 94%
Impediments to Further U.S. Expansion and Growth | #10, 90% | #12t, 92% | #17, 78%
Dependency on Consumer Trends | #11, 88% | #9, 95% | #6, 93%
Consumer Confidence and Spending | #12, 87% | #15, 89% | #8t, 91%
Credit Markets/Availability of Financing and Company Indebtedness | #13, 85% | #11, 94% | #11, 89%
Failure to Properly Execute Business Strategy | #14, 82% | #12, 92% | #11t, 89%
Changes to Accounting Standards and Regulations | #15, 76% | #14, 90% | #13t, 87%
International Operations | #16, 73% | #17, 86% | #15, 80%
Loss of Key Management/New Management | #16t, 73% | #19, 80% | #16, 79%
Marketing, Advertising, Promotions and Public Relations | #18, 66% | #25, 68% | #24, 64%
Consumer Credit and/or Debt Levels | #19, 62% | #27, 65% | #23, 65%
Joint Ventures | #20, 61% | #21, 76% | #18, 74%

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped regulatory scrutiny. The industry is also subject to Europay, Mastercard and Visa (EMV) standards that bolster credit card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Despite the fact that since 2013, general economic conditions have remained tied for the top risk, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail RiskFactor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

PCI SSC revises date for migrating off vulnerable SSL and early TLS encryption

Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) has announced a change to the date that organizations who process payments must migrate to TLS 1.1 encryption or higher.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in.”

“Some payment security organizations service thousands of international customers, all of whom use different SSL and TLS configurations,” said Troy Leach, Chief Technology Officer, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle.”

In addition to the migration deadline date-change, the PCI Security Standards Council has updated:

  • A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption
  • A requirement for new implementations to be based on TLS 1.1 or higher
  • An exception to the deadline date for Payment Terminals, known as “POI” or Points of Interaction.

Merchants are encouraged to contact their payment processors and / or acquiring banks for detailed guidance on upgrading their ecommerce sites to the more secure encryption offered by TLS 1.1 or higher.
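The migration rule above has three parts: SSL and early TLS (TLS 1.0) must be retired by the revised June 2018 date, new implementations must use TLS 1.1 or higher from the start, and POI terminals carry an exception. The following added example (not PCI SSC material) parses nginx-style `ssl_protocols` directives from a constructed inventory and classifies each endpoint against that rule, then builds a client `SSLContext` whose floor is TLS 1.2. The endpoint names, the inventory shape and the end-of-month deadline date are assumptions; TLS 1.2 as the floor is deliberately stricter than the page’s 1.1 minimum, since TLS 1.1 has since been deprecated as well.

```python
"""SSL / early-TLS configuration check.

Added example, not PCI SSC material. Endpoint names, the inventory shape and
the concrete deadline day are constructed assumptions.
"""
import re
import ssl
from datetime import date

# Protocols the announcement calls "vulnerable SSL and early TLS" (nginx token names).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Assumed concrete deadline: the announcement says "June 2018" without a day.
MIGRATION_DEADLINE = date(2018, 6, 30)

_PROTO_LINE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;\s*$")


def parse_ssl_protocols(line: str) -> list:
    """Extract the protocol tokens from an nginx 'ssl_protocols ... ;' directive."""
    m = _PROTO_LINE.match(line)
    if not m:
        raise ValueError(f"not an ssl_protocols directive: {line!r}")
    return m.group(1).split()


def weak_protocols_enabled(protocols) -> list:
    """Return the subset of enabled protocols that must be migrated away from."""
    return sorted(p for p in protocols if p in WEAK_PROTOCOLS)


def assess_endpoint(name, protocols, *, is_poi=False, new_implementation=False,
                    today=date(2016, 1, 1)) -> dict:
    """Classify one endpoint against the migration rule."""
    weak = weak_protocols_enabled(protocols)
    if not weak:
        status = "ok"
    elif is_poi:
        status = "poi-exception"            # deadline exception, still worth tracking
    elif new_implementation:
        status = "fail-new-implementation"  # must be TLS 1.1+ from day one
    elif today > MIGRATION_DEADLINE:
        status = "fail-past-deadline"
    else:
        status = "migrate-before-deadline"
    return {"endpoint": name, "weak": weak, "status": status}


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3, TLS 1.0 and TLS 1.1 outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed inventory: (endpoint, ssl_protocols line, is_poi, new_implementation)
SAMPLE_INVENTORY = [
    ("shop.example.test", "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;", False, False),
    ("api-v2.example.test", "ssl_protocols TLSv1 TLSv1.2;", False, True),
    ("lane7-terminal", "ssl_protocols TLSv1 TLSv1.1;", True, False),
    ("admin.example.test", "ssl_protocols TLSv1.2;", False, False),
]


def assess_inventory(inventory=SAMPLE_INVENTORY, today=date(2016, 1, 1)) -> list:
    """Run assess_endpoint over every inventory row."""
    return [assess_endpoint(name, parse_ssl_protocols(line), is_poi=poi,
                            new_implementation=new, today=today)
            for name, line, poi, new in inventory]


if __name__ == "__main__":
    for row in assess_inventory():
        print(f"{row['endpoint']:22} {row['status']:26} weak={row['weak']}")
```

Running the inventory with a later `today` flips the remaining early-TLS endpoints from "migrate-before-deadline" to "fail-past-deadline", which is the check to schedule against the date the Council publishes.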

PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC) announced election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

“Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

“The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.”


PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC) has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities, including card manufacture, chip embedding, magnetic-stripe encoding, embossing, card personalization, chip initialization and chip personalization.

Formerly managed as separate requirements by each payment card brand, the Council aligned these requirements and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

It’s broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

“There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain.”

Sometimes it is a good idea to have in-house skills

After many discussions with people responsible for achieving and maintaining PCI DSS compliance within their organisation and hearing about their problems and pains, I often think about the skills they need and where they can get them. They could recruit, outsource or train with training being the most cost effective.

I noticed on the PCI SSC website the details of their “PCI SSC Internal Security Assessor (ISA) Program” and the benefits it can deliver to large or complex merchants so I decided to promote it as a way of achieving some of the required in-house skills.

Knowing many highly skilled QSAs, I would always say that their extensive knowledge of different scenarios and industries makes them the backbone of the PCI DSS, not just from an audit perspective but for their advisory and guidance skills.

The ISA programme gives candidates the opportunity to build their PCI Security Standards expertise and strengthen their approach to payment data security, as well as increase their efficiency in compliance with the PCI Data Security Standards. 

About the Training

Employee Education is the Best Defense for protecting your Organization’s Data Assets.

To address concerns about PCI compliance and card data security, the PCI Security Standards Council operates the Internal Security Assessor Program to assist firms seeking to educate their employees on PCI compliance regulations.  The program trains, tests, and certifies organizations and individuals to assess and validate adherence to PCI Security Standards. 

Who Should Attend?

ISA training is intended primarily for individuals who already possess significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing). 

The Benefits:

  • Improve your understanding of PCI DSS and how it can help protect your customer data and your business
  • Help your organization build internal expertise
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Earn CPE credits 

The Format: The Council recognizes that students may prefer different learning environments and offers ISA training in two formats: Instructor-led (ILT) and online ELearning. Same content. Same qualification. You decide what’s best for you. 

The ISA Training Program, for internal security assessment staff at ISA Sponsor Companies, is comprised of a four hour online pre-requisite course and exam called PCI Fundamentals followed by either an instructor-led course and exam or eLearning course and exam. Successful completion results in ISA qualification and PCI ISA certificate. 

Pre-Requisite Course Curriculum: This portion of the training assures that all participants attending the ISA Training Course have the same baseline understanding of the PCI SSC, card data environment, and the related terminology along with the industry relationships within the credit card transaction flow. It concludes with a multiple choice test.

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

ISA Course Curriculum Covers:

The ISA course is the next step for those students who have successfully completed the pre-requisite PCI Fundamentals course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements and testing procedures. In addition it addresses topics such as Report on Compliance (ROC) documentation, QA ROC review, and compensating controls, to name just a few. Also included in the instructor-led course are case studies that provide the ISA candidate with a simulation of assessment scenarios that may aid them in solving common problems found in their own environments. A multiple choice exam immediately follows the instructor-led course. The exam may be conveniently scheduled at a Pearson VUE Testing Center for students who take the eLearning course.

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?
    • Industry overview
    • Terminology
    • Transaction data flow
    • Relationships between various organizations in the process
  • How the credit card brands differ in their validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of 2.0
    • Testing procedures
    • What constitutes compliance
  • PCI Hardware and Communications Infrastructure
  • PCI Reporting
  • Real world examples
    • Overview of compliance issues and mitigation strategies
    • Compensating controls
    • Creating policies
    • Modifying cardholder data environment

How to Register. Three Steps to Join as a Sponsor Company and Have your Employees Attend ISA training

Step 1 Submit required Sponsor Company documentation by mail.

  1. Original signed agreement, page 13 of the Validation Requirements document
    • The representative noted as your company primary contact should be prepared to receive all PCI SSC related communications
    • It is not required that your primary contact be an officer of your company
  2. Copy of your company business license (Articles of Incorporation are also acceptable)
  3. A fully completed Individual Certification page for each employee you wish to send to training

Step 2 An invoice will be issued via email to the primary contact listed on the agreement page once the application is received. Applications are reviewed within 5 business days of receipt.

The fees for the ISA training will be based on whether or not your company is a member of the PCI SSC Participating Organization Program.

The Participating Organization Program is a separate program and membership is not based on your company compliance to PCI DSS or the submission of the Sponsor Company documents outlined above.

Step 3 Upon receipt of payment, the designated primary contact will receive instructions for the online pre-requisite portion of the training. Once the PCI Fundamentals training and test have been passed successfully, the primary contact will receive the location details for the instructor-led class or login credentials for the eLearning class. This will not be released until online PCI Fundamentals training has been taken and the test passed.

2013 ISA Training Course Schedule

Date | Location | Time | Participating Organization price | Non-Participating Organization price
15-16 April | London, UK | 09:00-17:30 | $2,250 USD | $3,595 USD
3-4 May | New Orleans, LA, USA | 09:00-17:30 | $1,495 USD | $2,595 USD
20-21 May | Denver, CO, USA | 09:00-17:30 | $1,495 USD | $2,595 USD
10-11 June | Orlando, FL, USA | 09:00-17:30 | $1,495 USD | $2,595 USD
14-15 July | Toronto, Canada | 09:00-17:30 | $1,495 USD | $2,595 USD
21-22 August | Boston, MA, USA | 09:00-17:30 | $1,495 USD | $2,595 USD
22-23 September | Las Vegas, NV, USA | 09:00-17:30 | $1,495 USD | $2,595 USD
October | Nice, France | 09:00-17:30 | $2,250 USD | $3,595 USD
November | Kuala Lumpur, Malaysia | 09:00-17:30 | $1,495 USD | $2,595 USD

Full details can be found here.


Merchant sues VISA. Biting the hand that feeds you?

I know that if there were no merchants there would be no credit card companies and I know that the “alternative” payments market is growing, such as PayPal and V.me, but at this time it is fair to say that consumers still favour credit cards when it comes to online payments.

This is why when I read about a merchant suing a credit card company I was surprised. Not surprised that VISA had fined a merchant, not surprised that a merchant was upset at being fined but surprised it had got to court because that means normal reasonable commercial communication channels had failed.

On 7th March, sports retailer Genesco filed a lawsuit against Visa to recover nearly $13.3 million in fines that the credit card company issued in January 2013 following a breach of the retailer’s systems.

The lawsuit argues that

  • Visa is not allowed to require other companies to pay penalties citing Visa’s own operating regulations and California law.
  • That Genesco was never out of compliance with PCI DSS regulations, and so it should not have been fined.

In December 2010 Genesco confirmed that a breach had happened within its credit card processing environment and speculation at the time was the hackers used a packet sniffer to siphon card data as it passed through the network.

The initial VISA fines of $5,000, issued via each of Genesco’s two banks in June 2011, are a standard charge; depending on your location it will be 5,000 of the local currency, for example $5,000, €5,000 or £5,000.

Irrespective of the currency, the 5,000 is nothing more than a formal acknowledgement that the merchant is non-compliant with PCI DSS, or was at the time.

If a merchant has never successfully completed an audit or Self Assessment Questionnaire (SAQ) then they are non-compliant; bearing in mind that the standards were issued almost 8 years ago, I think it is about time they were compliant.

However, in the case of a merchant who was successfully audited but then had a breach or failed to maintain the standard it is not so black and white.

Merchant who suffers a Data Breach

A data breach at a PCI DSS compliant merchant is normally discovered by clever algorithms used by the card schemes which, based on fraudulent activity, find the centre of the breach. Once the merchant at the centre of the breach is established, they are required to undertake data forensics by an approved forensic company who, using extensive skills and tools, will establish how the credit card data was stolen, for example via packet sniffing. The forensic report is shared between the affected parties: the merchant, the bank and the credit card companies.

The results of the forensic investigation may or may not show whether the merchant had been compliant with the standard at the time of the breach. It is reasonable to assume that the bad guys installed software on or broke into Genesco’s systems, and almost all scenarios for such a break-in are covered by the PCI DSS; therefore the company could not have been taking adequate steps and was by definition not adhering to the requirements of the standard, which means they were not compliant.

Merchant who fails to maintain the standard

It is very difficult to find a merchant who has failed to maintain the required standards unless:

  • There is a breach
  • There is a whistle blower
  • A customer or someone similar notices practices that do not appear secure

At this point the merchant will be required to prove they are still abiding by the standard, which may take the form of a forensics investigation, an audit, a letter from their QSA or a letter from their directors.

The non-compliance fine is not the biggest problem for Genesco; it is the $13.3 million fine levied by VISA via Genesco’s two banks (Wells Fargo $12 million and Fifth Third $1.3 million) for the costs incurred by VISA whilst resolving the breach, e.g. credit card replacement, fraud cover, etc.

“Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the lawsuit stated. It added later:

“Visa does not even pretend that the Non-Compliance Fines represent actual damages that Visa incurred by reason of the Acquiring Banks‘ alleged failure to cause Genesco to maintain compliance with the PCI-DSS requirements”

The interesting thing for me is the nature of the way merchants use VISA, MasterCard and the other credit card providers. The credit card company provides the facilities for the merchant’s (retailer’s) customers to buy from them in a secure and efficient way. They pay a percentage of the transaction to cover the costs (and profits) of the credit card companies, and this percentage is agreed in a contract: the same commercial contract that agrees the other terms and conditions, including the security required to perform the transaction.

To avoid confusion and rogue traders, the card companies created the Payment Card Industry Security Standards Council, which took the best security practices from its five card company members to create the Data Security Standard (PCI DSS).

This standard is, in effect, an extension of the contract, as are the agreements on fees.

However, because the cost of a data breach cannot be known until it has occurred, it is impossible to quantify the cost of a breach in a contract. This is where I have a great deal of sympathy for merchants: they are agreeing to fines but have no idea how much those fines will, or could, be.

I remember a meeting with several of the card companies where the discussion centred on repeat offenders, i.e. merchants who kept being breached or who refused to become compliant with PCI DSS. Whilst fines were mentioned, it was agreed that merchants might be tempted to absorb small fines if that was cheaper than achieving the required security standards, and then the ultimate sanction was raised… STOPPING THEM FROM TAKING CREDIT CARD PAYMENTS.

What a sanction that is: for almost all e-commerce businesses and most consumer-driven businesses it would mean going out of business in a matter of weeks, or possibly months.

As a consumer all I care about is being safe from the costs of fraudulent activity against my stolen credit card, but increasingly we as consumers are worried about the threat to our identity and expect, when credit card details are leaked, to be covered for all identity-based threats resulting from the possible loss of data, which increases the cost to the breached company, possibly via the credit card company.

I have a huge amount of sympathy for Genesco and every other merchant affected by a breach, because they do not know what the possible cost to them will be. They cannot take out cyber-insurance against a specific amount “just in case”; they have to hope that the loss to the credit card company is not too great.

That is not a great way for a merchant to mitigate its risk, and it cannot benefit the card companies, who want prosperous and secure merchants to help them grow their profits.

The solution is simple: the card companies have to introduce and publish a schedule of fines from which a merchant can calculate its risk.

If a merchant knows, based on its transaction rate, that it could be liable for fines of $13.3 million, then it can invest greater resources in breach prevention or seek insurance against the cost of a breach; either way it can make an informed risk assessment.

Similarly, if merchants who have not yet completed their PCI DSS compliance process know they could be fined for non-compliance, plus X or Y for a breach, they will very quickly run a risk assessment.

Let’s hope one result of this action is a clearer picture on fines, because clarity in business and risk is essential.


PCI SSC releases PCI DSS Cloud Computing Guidelines

The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG).

The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of sensitive data.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides an explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships – outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges – describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.

Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

For a link to the full document please use my PCI Resources page here.


PCI SSC releases its PCI DSS E-commerce Security Guidelines

Hot on the heels of the ATM Guidelines the PCI SSC has released the PCI DSS E-commerce Guidelines Information Supplement. 

The guidelines are designed to help e-commerce merchants decide which technologies and third-party service providers to choose.

The e-commerce Special Interest Group (SIG) helped put the guidelines together, drawing on its members’ knowledge of the marketplace to produce an industry-specific document.

“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
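The “simple, prudent coding practice” Russo refers to is, in most cases, building every query that touches user input from parameters rather than string concatenation. What follows is an added illustration, not code from the page or from the PCI SSC guidelines: a constructed order-lookup query built by concatenation (deliberately vulnerable, shown as the “before”) beside its parameterised form, both run against an in-memory SQLite table with made-up rows. The table, the rows and the function names are this example’s own.

```python
"""Added example: SQL injection in an e-commerce order lookup, and its fix.

Constructed demo using Python's built-in sqlite3. The 'orders' table and
its rows are made up for illustration; they are not from the page or from
any PCI SSC document.
"""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory 'orders' table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (email, pan_last4, amount) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "4242", 19.99),
            ("bob@example.com", "0005", 120.00),
            ("carol@example.com", "1111", 7.50),
        ],
    )
    conn.commit()
    return conn


def find_orders_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before': the query is assembled by string formatting, so the
    attacker-controlled value becomes part of the SQL grammar. A quote in
    'email' ends the literal and whatever follows is executed as SQL."""
    sql = (
        "SELECT id, email, pan_last4, amount FROM orders "
        f"WHERE email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def find_orders_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a parameterised query. The statement text is fixed and the
    driver passes the value separately, so quotes, comments or keywords in
    'email' are compared as data and can never change the statement."""
    sql = "SELECT id, email, pan_last4, amount FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # Classic tautology payload: closes the literal, then ORs in 'true'.
    payload = "nobody@example.com' OR '1'='1"
    print("vulnerable:", find_orders_vulnerable(db, payload))
    print("safe:      ", find_orders_safe(db, payload))
```

With the payload `nobody@example.com' OR '1'='1` the concatenated query becomes `WHERE email = 'nobody@example.com' OR '1'='1'`, whose condition is always true, so every customer’s order (and the last four digits of their card) comes back; the parameterised version treats the same string as a literal email address and returns nothing. Whether every query that touches user input is built the second way is exactly the question Russo suggests putting to a service provider.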

The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives: 

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations, and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasise security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  1. PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  2. Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for compliance and to specify the details of the evidence of compliance.

“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”

For a link to the full document please use my PCI Resources page here.

Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer a QSA with NDB has produced a list of 5 Mistakes all people striving for PCI DSS compliance must avoid. 

  1. Not conducting a formal Readiness Assessment.  It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement; rather, a proactive and necessary measure for properly defining and understanding many important facets of PCI, which, by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important!
  2. Having no buy in from senior management and others. “Going it alone” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support, have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon.  Remember, setting expectations for PCI compliance is a must, no questions about it. 
  3. Failing to understand PCI Scope.  Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black and white answer. Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance.
  4. Not conducting Remediation efforts.  As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance.  What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope systems components, not just a chosen few.  A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here!  Simply put, remediate, and remediate all items that are in-scope for an actual PCI DSS assessment. 
  5. Failing to recognize the importance of policies and procedures.  Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures?  Very challenging and time-consuming, just look at the amount of documents that’s required by PCI – policies for this, procedures for that – get the point?  Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures.  As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

Supporting point 3 there is a good white paper “8 ways to reduce the scope of PCI DSS” here.

PCI SSC’s insights on mobile, encryption and payment security following the North American community meeting

Following the sixth annual North American Community Meeting in Orlando, Florida, which was attended by over 1,000 stakeholders representing 460 organizations from 17 countries, the PCI SSC summarised the key discussion topics as:

  • Feedback on the standards in preparation for the release of the next version of the PCI DSS and PA-DSS in 2013
  • New guidance on secure mobile payment acceptance application development
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program
  • Newly released guidelines for ATM security
  • The Council’s new training programs and professional qualifications
  • Updates from PCI Special Interest Groups on cloud, eCommerce and risk assessment

“The Community Meetings play an important part in bringing together PCI stakeholders to discuss the latest payment card security efforts, and we’re encouraged to see the continued growth of interest and participation in this initiative,” said Bob Russo, general manager, PCI Security Standards Council. “Gaining the feedback from our Participating Organizations is absolutely vital for us to develop new guidance on key topics such as mobile payment acceptance and ATM security, as well as in the on-going improvement of the PCI Standards. The input and discussion at this year’s meetings are especially important as we look to introduce the next version of the PCI Standards in 2013.”

“It is important for us to meet face-to-face with our stakeholders, not only to update them on the most recent developments, but also to have one-on-one interactions and personal conversations on the issues that matter most to them,” said Jeremy King, European director, PCI Security Standards Council. “We look forward to seeing more of our global counterparts in Dublin for the European Community Meeting on October 22-24, 2012.”

See you in Dublin next month.

PCI Security Standards Council releases best practices for mobile software developers

During this week’s PCI SSC US Community Meeting a demonstration of mobile attacks highlighted the need for more secure development practices in the mobile payments space.

The demonstration coincided with, and supported, the release of the new PCI Mobile Payment Acceptance Security Guidelines, which offer software developers and mobile device manufacturers guidance on designing appropriate security controls so that merchants can accept mobile payments securely.

The demonstration of the top mobile attacks was given by Nicholas J. Percoco, senior vice president of Trustwave’s SpiderLabs, and showed the threats to the security of payments over mobile acceptance devices, including malware and rootkits, jailbreaking vulnerabilities and SSL man-in-the-middle attacks.

“It is important that a best practice guide be developed, by the industry, to educate mobile app developers on methods of securing commerce transactions and risks of not doing so,” said Percoco.

The PCI SSC formed an industry taskforce in 2010 as part of a dedicated effort to address mobile payment acceptance security. Since then, the Council has released guidance on how merchants can apply its current standards to mobile payment acceptance by addressing mobile applications with the Payment Application Data Security Standard (PA-DSS), and leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to accept payments on mobile devices more securely.

The guidance for developers is the next piece of the Council’s work in this area. The document organizes the mobile payment-acceptance security guidance into two categories: best practices to secure the payment transaction itself, which addresses cardholder data as it is entered, stored and processed using mobile devices; and guidelines for securing the supporting environment, which addresses security measures essential to the integrity of the broader mobile application platform environment.

Key recommendations include:

  • Isolate sensitive functions and data in trusted environments
  • Implement secure coding best practices
  • Eliminate unnecessary third-party access and privilege escalation
  • Create the ability to remotely disable payment applications
  • Create server-side controls and report unauthorized access

“Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC Chief Technology Officer Troy Leach in his presentation to PCI CM attendees. “It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”

The council has announced that in 2013 they will be releasing further guidance for merchants to help them leverage mobile payment acceptance securely, while continuing to collaborate with industry subject matter experts to explore how card data security can be addressed in an evolving mobile acceptance environment, and whether additional guidance or requirements must be developed.


The average cost of a breach event is $7.2 million or $214 per compromised record

In promoting their Internal Security Assessor Training in Dublin the Payment Card Industry Security Standards Council (PCI SSC) sent an email quoting the Verizon Data Breach Investigation Report 2011 statistics:

  • The average cost of a breach event is $7.2 million
  • The average cost per compromised record is $214

They used the statistics in their promotional email because they believe in the value of the Internal Security Assessor qualification, and with the PCI SSC’s European community meeting in Dublin next month they are encouraging people to register and learn the skills required to improve PCI DSS compliance.

The promotional wording for the course is “Enhance your organization’s data security with an investment in training this year – and realize these benefits:”

  • Improve your organization’s understanding of PCI DSS
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Simplify year-round compliance efforts

The Dublin dates are 18-19 October 2012.

For more information on the course and to register click here, or email training@pcisecuritystandards.org with questions.


PCI Security Standard Council releases summary of feedback on PCI standards

The Payment Card Industry Security Standards Council has released a summary of feedback from the PCI community on the PCI Security Standards. The document highlights key themes coming out of the Council’s formal feedback period on version 2.0 of the PCI DSS and PA-DSS, in preparation for the next release of the standards in October 2013.

As part of the open standards development process for the PCI DSS and PA-DSS, the PCI Security Standards Council (PCI SSC) solicits input on the standards from its global stakeholders through a variety of avenues, including a formal feedback period. More than half the input received during the formal feedback period originated from organizations outside of the United States.

This industry feedback drives the on-going development of strong technical standards for the protection of cardholder data, providing more than 650 Participating Organizations, including merchants, banks, processors, hardware and software developers, Board of Advisors, point-of-sale vendors, and the assessment community the opportunity to play an active role in the improvement of global payment security. Payment security stakeholders can use the summary document to better understand the Council’s approach to reviewing and categorizing the feedback, key trends and themes, and how the feedback is being addressed.

The feedback was received by the Council across the following five categories:

  1. Request change to existing requirement/testing procedures (34%)
  2. Request for clarification (27%)
  3. Request for additional guidance (19%)
  4. Feedback only – no change requested (12%)
  5. Request for new requirement/testing procedure (7%)

Over 90% of the feedback was on the PCI DSS, the foundation for the Council’s standards, with more than half specific to the following topics:

  • PCI DSS Requirement 11.2 – Suggestions include prescribing use of specific tools, requiring ASVs to perform internal scans, and defining what constitutes a “significant change”.
  • PCI DSS Scope of Assessment – Suggestions for detailed guidance on scoping and segmentation.
  • PCI DSS Requirement 12.8 – Suggestions include clarifying the terms “service provider” and “shared,” and providing more prescriptive requirements regarding written agreements that apply to service providers.
  • PCI DSS SAQs – Suggestions for updating the SAQs; they are either too complex or not detailed enough.
  • PCI DSS Requirement 3.4 – Suggestions for further clarification and guidance, since encryption and key management are complex requirements, and truncation, hashing and tokenization are not convenient methods for storing and retrieving data.
  • PCI DSS Requirement 8.5 – Suggestions for updating password requirements, including expanding authentication beyond just passwords; respondents find the current password requirements either too strict or not strict enough, and ask for them to be either less or more prescriptive.

These trends and other highlights are provided in the summary document, including main PA-DSS feedback themes, breakdowns of the types of organizations that participated and geographic regions represented.

“Industry feedback is the lifeblood of the PCI Standards,” said Bob Russo, general manager, PCI Security Standards Council. “As the PCI community continues to expand across industries and geographies, the Council relies on its expertise to drive the evolution of the standards. I want to personally thank all who have contributed to the on-going development of these critical resources for payment security.”


65% of businesses do not protect their customers’ private data

According to a survey by GreenSQL, more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.

The results are interesting because every day we hear of another data breach or another form of malware that can steal, or at least damage, data. You would think that with this amount of coverage businesses would sit up and start protecting their livelihood, because that is what customer information is: their livelihood.

For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here“.

Maybe it is bad-news fatigue? Maybe the constant flow of horror stories makes them think they cannot do anything about it, so why bother.

I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.

However, businesses cannot escape their contractual commitment to protect credit card data under the Payment Card Industry Data Security Standard (PCI DSS), and they cannot escape the legislative requirements to protect personally identifiable information (PII), for example the Data Protection Act and the pending European-wide data protection legislation.

The survey results fall into three categories:

  1. Ignore. 65% take no preventative measures
  2. Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
  3. Try. 12% deploy dynamic data masking solutions on their production environments

I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data, where all payment applications are governed by the Payment Card Industry’s PA-DSS, but masking should be applied to all sensitive data that could cause financial or reputational damage to anyone: customer, employee or contractor.
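The Requirement 3.4 feedback summarised in the previous post (truncation, hashing and tokenization being inconvenient) and the masking survey here are two views of the same practical question: how to keep a card number usable for the business (matching a returning card, reconciling a refund) without keeping it readable. The following is an added example, not code from the page, the PCI SSC or GreenSQL. It shows masking for display, truncation for storage, an unkeyed hash and a keyed hash of the same PAN, and why the unkeyed hash is not enough once a truncated copy also exists. The PANs used are well-known public test numbers, the HMAC key is a constructed placeholder, and the function names are this example’s own.

```python
"""Added example (not from the page or from the PCI SSC): rendering a stored
card number (PAN) unreadable in the ways PCI DSS Requirement 3.4 lists, and
why a plain hash of a PAN can be reversed by brute force.

PANs are public test numbers; the HMAC key is a constructed placeholder.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test. Real PANs pass it, so it is a cheap filter for
    spotting card numbers that have leaked into logs or test databases, and
    it prunes the brute-force search below."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """Masking (display only, Requirement 3.3 territory): show at most the
    last four digits. The stored value is unchanged by this."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def truncate_for_storage(pan: str) -> Tuple[str, str]:
    """Truncation: keep only the first six (BIN) and last four digits. The
    middle digits are discarded, not hidden, so there is nothing to recover."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6], digits[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN. Looks one-way, but the input space is tiny
    once the BIN and last four are known (see recover_from_unkeyed_hash)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the database. Without the
    key an attacker cannot run the brute force, yet equal PANs still map to
    equal values, so returning-card matching keeps working."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(digest: str, first6: str, last4: str) -> Optional[str]:
    """Brute force an unkeyed PAN hash given the truncated PAN. Only the six
    middle digits are unknown: at most a million candidates, a tenth of
    which survive the Luhn filter. This is why truncated and unkeyed-hashed
    versions of the same PAN must never sit side by side."""
    for middle in range(10 ** 6):
        candidate = f"{first6}{middle:06d}{last4}"
        if luhn_valid(candidate) and hash_pan_unkeyed(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4242424242424242"  # public test number
    key = secrets.token_bytes(32)  # placeholder; in production comes from key management
    first6, last4 = truncate_for_storage(pan)
    print("masked:    ", mask_for_display(pan))
    print("truncated: ", first6, last4)
    print("recovered: ", recover_from_unkeyed_hash(hash_pan_unkeyed(pan), first6, last4))
    print("keyed hash:", hash_pan_keyed(pan, key))
```

The brute-force function is the reason the PCI DSS guidance for 3.4 warns against storing a truncated and a hashed version of the same PAN where they can be correlated: with the BIN and last four known, the search is over six digits and finishes in seconds on a laptop. A keyed hash (with the key managed under Requirement 3.5/3.6), or tokenization backed by a separately secured vault, is what closes that gap; masking is a display control and changes nothing about what is stored.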

“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”

GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.

In summary, adding protection to databases and sensitive data is not hard, and with current market trends moving towards cloud-based solutions the costs are no longer prohibitive compared with becoming one of those horror stories people keep ignoring.


PCI Security Standards Council’s Qualified Integrators and Resellers program is now live

The PCI SSC’s Qualified Integrators and Resellers (QIR)™ Program will train and qualify integrators and resellers that sell, install and/or service payment applications in the secure installation and maintenance of PA-DSS validated payment applications, to support merchants’ PCI DSS security efforts.

Eligible organizations can now register for the QIR program by visiting the PCI SSC website. Training will be available beginning October 1, 2012.

“Integrators and resellers play a key role in securing the payment ecosystem as merchants depend on these providers to install, configure, and maintain their PA-DSS validated applications in a way that facilitates their PCI DSS compliance. Industry reports point to errors being made during the implementation and maintenance process as a significant risk to the security of cardholder data. The QIR program provides integrators and resellers with highly specialized training to help address these risks, such as ensuring that remote access is used securely and that all vendor default accounts and values are disabled or removed before the customer uses the application.

Merchants will benefit from a global list of QIRs on the PCI SSC website, providing them with a trusted resource for selecting PCI approved implementation providers. The program also includes a feedback loop for merchants to evaluate a QIR’s performance.”

QIR customers will have the opportunity to submit a formal feedback form online, which the Council will review as part of its quality assurance process.

The QIR training curriculum consists of an eight-hour self-paced eLearning course made up of three modules covering:

  • PCI DSS awareness overview and understanding industry participants
  • QIR roles and responsibilities
  • PA-DSS and key considerations for QIRs when applying expertise to installing and configuring the PA-DSS application
  • Guidance for preparing and implementing a qualified installation

After taking the eLearning course, participants will be eligible to schedule the 90-minute exam at one of more than 4,000 Pearson VUE Testing Centers worldwide. Once a company has two employees complete the training and pass the exam, the company and QIRs will be listed on the PCI SSC website for merchants to use as a resource for choosing a PCI SSC approved provider. The training course and exam will be available October 1, 2012.

The Council will also host a webinar for those interested in learning more about the QIR program, followed by a live question and answer session with PCI SSC experts:

  • To register for the Thursday, August 16, 2012 session, click here.
  • To register for the Wednesday, August 29, 2012 session, click here.

“Although the merchant community continues to accept and adopt PCI, small merchants are increasingly being targeted as opportunities to steal card data,” said PCI SSC Chair and Vice President of Global Data Security Policies and Process for American Express, Mike Mitchell.

“This new and exciting PCI program will continue to close the gap from implementation, to ongoing compliance and in the assessment processes. Merchants should start to feel better about having a “hard-hitting” partner in their fight to prevent fraud.”


PCI Security Standards Council Internal Security Assessor (ISA) training now available as an eLearning course

The new self-paced eLearning course is an online version of the Council’s existing instructor-led ISA training.

ISA training provides businesses the opportunity to educate qualifying employees responsible for managing their PCI DSS security programs on how to assess and validate their company’s adherence to PCI Security Standards.

The curriculum consists of a four-hour online prerequisite course and exam called PCI Fundamentals, followed by the ISA training session and exam. Candidates now have the option to attend the two-day instructor-led session or complete the eLearning training course online. eLearning candidates can then schedule the exam locally at one of more than 4,000 Pearson VUE Testing Centers worldwide.

Since the ISA programme was launched in 2010, over 500 people have gained the qualification.

“We benefited from the interaction with fellow delegates taking the course,” said PCI DSS Manager and ISA Parminder Lall, Everything Everywhere. “The ISA training provided a different spin on how to reduce cost when it comes to PCI efforts. We also gained insight into working with a Qualified Security Assessor (QSA) and seeing their side of things.”

The new eLearning option complements the Council’s already available online PCI Awareness training offering, a four-hour introductory PCI course. Businesses can take advantage of ISA training for their security professionals to ensure consistency in understanding their PCI DSS compliance efforts across their organization.

“The ISA program was developed in response to feedback from the PCI community requesting a course that would help organizations in training their own internal PCI experts,” said Bob Russo, general manager, PCI Security Standards Council. “We’re excited to be able to offer this popular session in a new online format, along with our PCI Awareness training, so more companies can take advantage of these resources to improve their PCI security efforts.”

For those who would like to attend an instructor-led course there are two available this year:

  1. Orlando, Florida, USA on September 6-7; 10-11
  2. Dublin, Ireland on October 18-19.

For more information visit the PCI SSC website here.

For more information on PCI DSS, PA DSS, etc visit my PCI Resources page here.


Criminal logic; follow the money and find easy targets

Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.

Why?

  1. Criminals do not discriminate: a dollar is a dollar and a credit card is a credit card, no matter where it is stolen from.
  2. Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.
  3. Smaller businesses are often the last to discover, understand and therefore achieve compliance with standards such as PCI DSS. Compliance is often described as a painful process, but PCI DSS offers a detailed and defined set of requirements that allow a business to secure all types of information, not just credit cards.
  4. Malware (viruses, Trojans, etc.) does not know the difference between a small and a large business; in an automated attack, malware tools simply look for weaknesses.
  5. The hospitality industry is frequently targeted by criminals because they know there is a high level of staff attrition in an industry with a high proportion of smaller or franchised businesses. Read my article Fraud could be costing UK hotels over £2 billion a year.

Avivah Litan in her recent Gartner Blog recounts the story of a small restaurant in Winchester, Kentucky which had a data breach involving credit cards.

The story so far is that the criminals gained remote access to the restaurant’s systems, siphoned off the cards’ magnetic stripe data and used it to create counterfeit cloned cards. The result was thousands of dollars in fraud that affected a high percentage of the town’s population, including almost 25% of the local police force.

The sad thing is that, from my own experience of running a small business, it is customer loyalty that often makes the difference between being profitable and going bust, and incidents like this always affect customers’ perception of the business.

Large businesses can employ a PR agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, none of which a small business could afford to do.

So what can small businesses do?

  • The first thing is to assume that you may become a target, because criminals use tools that try to find vulnerable businesses every minute and hour of the day.
  • Ensure that your payment devices (terminals, tills, e-commerce solution, etc.) are all Payment Application Data Security Standard (PA-DSS) approved. The PCI website has a list of approved products and versions; find the link here. Note that an approved application only protects you if it is installed and configured as described in the vendor’s PA-DSS Implementation Guide, so check that your installer followed it.
  • Ensure you have the IT Security basics in place, Firewall, Anti-Virus, etc. and use the auto updates for the technology.
  • Make sure all your IT devices, not just your desktops and laptops but also your tills and EPOS devices, have their software updated/patched regularly; if auto-updates are available, turn them on.
  • Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.
  • I know it is difficult for small business owners to find the time, but read the PCI DSS guidelines and the Self-Assessment Questionnaire (SAQ); it is an excellent start to a secure business. If you have any questions about which SAQ is needed, or any other questions, ask your bank; they are as concerned about your security as you are.


PCI Security Standards Council releases Point-to-Point encryption (P2PE) resources

The PCI Security Standards Council (PCI SSC), has announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based point-to-point encryption (P2PE) solutions. They are downloadable from the PCI SSC website in an MS Word format.

The resources follow the Council’s release of updated Solution Requirements and Testing Procedures for hardware-based P2PE solutions in April (find the link on my resources page), which provide a method for vendors to validate their P2PE solutions and for merchants to reduce the scope of their PCI DSS assessments by using a validated P2PE solution for accepting and processing payment card data.

Eligible merchants using these P2PE hardware solutions may be able to reduce the scope of their PCI DSS assessments and validate to a reduced set of PCI DSS requirements. To help with this validation process, the Council has developed a new Self-Assessment Questionnaire (SAQ P2PE-HW).

SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components:

  • Merchant eligibility criteria
  • SAQ completion steps
  • Self-Assessment Questionnaire (validation of PCI DSS Requirements)
  • Attestation of Compliance, including Attestation of PIM (P2PE Instruction Manual) Implementation

Merchants should refer to their acquirer and/or payment brand to determine if they are eligible to use this new SAQ.

The Council has also updated the PCI DSS SAQ Instructions and Guidelines document to provide additional guidance on use of the SAQ P2PE-HW.

The PCI P2PE Program Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website.

The document includes:

  • Overview of P2PE solution validation processes
  • Considerations for P2PE Solution providers preparing for assessment
  • Reporting considerations for P2PE assessors
  • Considerations for managing validated P2PE Solutions
  • Listing of applications used in P2PE solutions

Solution providers, application vendors, and P2PE assessors can use this document immediately to plan for their P2PE assessments.

The Council will shortly be providing templates and Reporting Instructions for P2PE validation reports, as well as new Attestations of Validation (AOVs) and vendor release agreement (VRA).

P2PE assessors, solution providers and application vendors can then complete their assessments of P2PE Solutions and applications and submit their reports and validation documentation to the Council for acceptance and listing. The Council will list the validated solutions on the PCI SSC website for merchants to use.

“These resources are a critical part of rolling out this program,” said Bob Russo, general manager, PCI Security Standards Council. “The program guide outlines the submission and listing process for P2PE solution providers and application vendors who want to validate their products, while the SAQ will help simplify PCI DSS validation efforts for merchants taking advantage of this process to minimize the amount of cardholder data in their environments.”


Database security and SIEM are the top Risk and Compliance concerns


The McAfee report Risk and Compliance Outlook: 2012 has been published. It found that Database Security and Security Information and Event Management (SIEM) are among the top priorities, driven by an increase in Advanced Persistent Threats (APTs).

Databases hold the valuable data that criminals are searching for, so it follows that database security is a growing issue and the one flagged as the biggest concern. The report indicates that over one quarter of those surveyed had either suffered a breach or did not have the visibility to detect one. This is a huge concern given that most compliance requirements are concerned with knowing whether a breach could occur or has occurred, for example the Payment Card Industry Data Security Standard (PCI DSS) and the pending EU-wide data protection legislation.

The other major concern was Security Information and Event Management (SIEM), which correlates well with the fears over database security, with approximately 40% of organizations planning to implement or update their SIEM solution.

Key findings of the report:

  • Similar to the 2011 survey, there is a positive trend in security budgets for 2012 with 96% of the organizations indicating same or more expenditure on risk and compliance
  • Organizations state ‘Compliance’ as the driver for almost 30% of IT projects
  • Software and Appliance are the top choices for Risk and Compliance products. On average, one-third of all organizations prioritized the upgrade/implementation of unique risk and compliance products to address vulnerability assessment, patch management, remediation, governance, risk management, and compliance
  • Survey data showed rapid uptake of Hosted SaaS and Virtualization. Nearly 40% of organizations claim to be moving towards these deployment models in 2012
  • Patch Management frequency is a challenge – almost half of the organizations patch on a monthly basis with one-third doing it on a weekly basis. Just like last year’s analysis, not all companies are able to pinpoint threats or vulnerabilities, as a result, 43% indicate that they over-protect and patch everything they can

“Managing risk through security and compliance continues to be a leading concern for organizations the world over,” said Jill Kyte, vice president of security management at McAfee. “Meeting the requirements of increasingly demanding regulations while reducing exposure to the new classes of sophisticated threats and having an accurate understanding of risk and compliance at any point in time — can be challenging. To address this issue, organizations are looking to ‘best-of-breed’ solutions to manage all aspects of their risk and compliance needs and reduce the amount of time spent managing multiple solutions.”

Some other headline findings of the survey show:

  • Visibility is a pervasive challenge organizations continually face in managing their IT risk posture. The issues revolve around having the visibility to see vulnerabilities within their processes and controlling the ever-changing internal and external threat vectors
  • 80% of the survey respondents recognize the importance of visibility; more than 60% have about the same visibility they had in 2010; 27% improved their visibility since 2010; and 8% now have less visibility compared to 2010
  • The top two controls that respondents have implemented to manage risk and subsequently their compliance postures are the monitoring of databases and of configuration changes for the entire enterprise environment/ infrastructure
  • Approximately 60% of surveyed organizations view SIEM solutions as an important solution to provide real-time visibility into their applications, databases, system performance, and event correlation

A summary of the whole report is below along with a link to the full report.

Risk and Compliance Posture

During 2011, over 60% of the respondents implemented and updated existing tools to improve the visibility and control of their IT processes in an effort to minimize organizational risk. Product groupings include:

  • Risk Management
  • Application, Database and Network Vulnerability Assessment
  • Log Management and Security Information Event Management (SIEM)
  • Database Activity Monitoring
  • Policy Compliance Assessment and Governance Risk and Compliance (GRC)

Respondents indicate that their 2012 implementation and upgrade priorities include

  • Risk Management at 19% and 18% respectively
  • Vulnerability Assessment at 18% and 19%
  • Patch Management at 16% and 21%
  • SIEM at 16% and 21%
  • Further, 48% of the respondents (an increase of 8% over last year) indicate that their organizations have updated/deployed a GRC solution in 2011 in an effort to aggregate and monitor organizational risk and compliance status

Overall it appears that enterprises recognize that they cannot efficiently address risk unless they understand what they are up against and can apply the appropriate controls. Without this knowledge and insight, the effectiveness of any security and compliance effort cannot be measured against the risks that actually exist. The incidents reported broke down as follows:

  • 39% of incidents involved a negligent employee or contractor
  • 37% concerned a malicious or criminal attack
  • 24% involved system glitches including a combination of both IT and business process failures

Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack. Given this, it’s not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures

Patch Management

At the time the report was written, McAfee counted over 49,000 known Common Vulnerabilities and Exposures (CVEs) as reported by the US-CERT National Vulnerability Database (NVD).

During 2011 the NVD reported 3,532 vulnerabilities, which translates to about ten new security vulnerabilities being discovered each day. While the rate of newly discovered vulnerabilities is impressive, the good news is that the trend is on a descending path: 4,258 vulnerabilities were reported in 2010 and the peak was in 2008, when almost 7,000 vulnerabilities were reported.

More than half of the surveyed companies indicated they know precisely which assets need to be patched when new threats materialize to prevent the threats from impacting their businesses. Conversely, 15% of the surveyed indicate they are not confident in their ability to know which assets to patch when new threats materialize.

Comparison of patch cycle (weekly, monthly, and quarterly) to confidence levels shows that as the patching frequency declines, so does an organization’s confidence. Specific analysis shows:

  • Organizations with weekly patching practice – 53% feel confident about patching of assets
  • Organizations with monthly patching practice – 49% feel confident about patching of assets
  • Organizations with quarterly patching practice – 43% feel confident about patching of assets

SIEM

Ever changing threats, data breaches, and IT complexity add additional burdens to the already difficult tasks associated with having the visibility necessary to monitor security events, detect attacks, and assess real and potential damage.

Near real-time visibility is critical to any risk management program in today’s complex and diverse computing environments. Without it, organizations are flying blind.

Similar to last year,

  • approximately half of the respondents spend 6 to 10 hours per month on risk management activities that assess and correlate the impact of threats on their organizations
  • 7% of small organizations (1,000 or fewer employees) spend 15-20 hours on risk and threat activities
  • 16% of organizations with more than 1,000 employees spent 15-20 hours on risk and threat activities

Policy Compliance and Configuration Challenges in Achieving Compliance

Regardless of whether an organization views industry standards and compliance mandates as a way to improve its practices or as a necessary evil, implementing standards is just the beginning of the road to compliance.

The real challenge often lies in maintaining compliance over time, especially as compliance standards and mandates evolve and increase in number. Organizations need to recognize:

  • Business and technology boundaries are constantly changing, expanding
  • New technology brings new risks, new processes and thus new compliance issues
  • Businesses require flexibility to maintain competitiveness – rigid controls can hinder flexibility, thus hurt operational effectiveness.

According to the Ponemon Institute “True Cost of Compliance” study: “…while the average cost of compliance for the organizations in our study is $3.5 million, the cost of non-compliance is much greater. The average cost for organizations that experience non-compliance related problems is nearly $9.4 million.”

Database Security

When asked about sensitive database breaches:

  • 12% of the organizations stated that they have experienced a breach
  • 15% “are not sure”

These results indicate weakness in security control effectiveness and a lack of visibility. Conversely, three-fourths of the respondents overall and in particular those from North America, Germany and the UK, indicate that their databases have never been breached.

According to Forrester Research analyst Noel Yuhanna in his most recent database security market overview report:

“The database security market is likely to converge with the overall data security market in the future, as DBMS vendors extend the security features that are bundled with their products”.

Mr Yuhanna’s market insight closely corresponds with our respondents’ use of database security solutions:

  • 49% of the organizations use dedicated database security solutions; McAfee, followed by Oracle, tops the list of database security solution providers
  • 42% of the organizations use DBMS vendor security features to protect their databases
  • As compared to 34% organizations from Brazil, a higher number of organizations from France (66%) and the UK (58%) have dedicated database security solutions. Regional analysis shows 61% of Brazil-based organizations use DBMS vendor security features compared to 36% of the North American organizations. IBM holds a strong market share in North America, France and Germany as compared to its share in APAC and the UK.

The link to the full McAfee report is here.

