Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Payment card industry

PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC), has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities including card manufacture, chip embedding, magnet-stripe encoding, embossing, card personalization, chip initialization, chip personalization.

Formerly managed as separate requirements by each payment card brand, the Council aligned these requirements and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

It’s broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain

Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer a QSA with NDB has produced a list of 5 Mistakes all people striving for PCI DSS compliance must avoid. 

  1. Not conducting a formal Readiness Assessment.  It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement, rather, a proactive and necessary measure for properly defining and understanding many important facet of PCI, which by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important! 
  2. Having no buy in from senior management and others. “Going it alone” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support, have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon.  Remember, setting expectations for PCI compliance is a must, no questions about it. 
  3. Failing to understand PCI Scope.  Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black and white answer? Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance. 
  4. Not conducting Remediation efforts.  As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance.  What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope systems components, not just a chosen few.  A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here!  Simply put, remediate, and remediate all items that are in-scope for an actual PCI DSS assessment. 
  5. Failing to recognize the importance of policies and procedures.  Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures?  Very challenging and time-consuming, just look at the amount of documents that’s required by PCI – policies for this, procedures for that – get the point?  Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures.  As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

Supporting point 3 there is a good white paper “8 ways to reduce the scope of PCI DSS” here.

65% of businesses do not protect their customers’ private data

According to a survey by GreenSQL more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.

The results are interesting because every day we hear of another data breach or another form of malware which can steal data or at least damage data and you would think that with this amount of coverage business would sit up and start protecting their livelihood because that is what customer information is, their livelihood.

For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here“.

Maybe it is bad news fatigue? Maybe the constant flow of horror stories makes them think that they cannot do anything about it so why bother.

I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.

However, business cannot escape their contractual commitment to protect credit card data under the Payment Card Industry’s Data Security Standards (PCI DSS) and they cannot escape the legislative requirements to protect Personally identifiable Information (PII) for example the Data Protection Act and the pending European Wide Data Protection Act.

The survey results fall into three categories

  1. Ignore. 65% take no preventative measures
  2. Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
  3. Try. 12% deploy dynamic data masking solutions on their production environments

I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data where all payment applications are governed by the Payment Card Industry’s PA DSS but it should be applied to all sensitive data that could cause financial or reputational damage to anyone; customer, employee or contractor.

“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”

GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.

In summary adding protection to data bases and sensitive data is not hard and with current market trends moving towards cloud based solutions the costs are no longer prohibitive compared to becoming one of those horror stories people keep ignoring.

.

PCI Security Standards Council’s Qualified Integrators and Resellers program is now live

The PCI SSC’s the Qualified Integrators and Resellers (QIR)™ Program will train and qualify integrators and resellers that sell, install and/or service payment applications on the secure installation and maintenance of PA-DSS validated payment applications to support merchant PCI DSS security efforts.

Eligible organizations can now register for the QIR program by visiting the PCI SSC website. Training will be available beginning October 1, 2012.

“Integrators and resellers play a key role in securing the payment ecosystem as merchants depend on these providers to install, configure, and maintain their PA-DSS validated applications in a way that facilitates their PCI DSS compliance. Industry reports point to errors being made during the implementation and maintenance process as a significant risk to the security of cardholder data. The QIR program provides integrators and resellers with highly specialized training to help address these risks, such as ensuring that remote access is used securely and that all vendor default accounts and values are disabled or removed before the customer uses the application.

Merchants will benefit from a global list of QIRs on the PCI SSC website, providing them with a trusted resource for selecting PCI approved implementation providers. The program also includes a feedback loop for merchants to evaluate a QIR’s performance.”

QIR customers will have the opportunity to submit a formal feedback form online, which the Council will review as part of its quality assurance process.

The QIR training curriculum is comprised of an eight-hour self-paced eLearning course made up of three modules covering:

  • PCI DSS awareness overview and understanding industry participants
  • QIR roles and responsibilities
  • PA-DSS and key considerations for QIRs when applying expertise to installing and configuring the PA-DSS application
  • Guidance for preparing and implementing a qualified installation

After taking the eLearning course, participants will be eligible to schedule the 90-minute exam at one of more than 4,000 Pearson VUE Testing Centers worldwide. Once a company has two employees complete the training and pass the exam, the company and QIRs will be listed on the PCI SSC website for merchants to use as a resource for choosing a PCI SSC approved provider. The training course and exam will be available October 1, 2012.

The Council will also host a webinar for those interested in learning more about the QIR program, followed by a live question and answer session with PCI SSC experts:

  • To register for the Thursday, August 16, 2012 session, click here.
  • To register for the Wednesday, August 29, 2012 session, click here.

“Although the merchant community continues to accept and adopt PCI, small merchants are increasingly being targeted as opportunities to steal card data,” said PCI SSC Chair and Vice President of Global Data Security Policies and Process for American Express, Mike Mitchell.

“This new and exciting PCI program will continue to close the gap from implementation, to ongoing compliance and in the assessment processes. Merchants should start to feel better about having a “hard-hitting” partner in their fight to prevent fraud.”

.

PCI Security Standards Council releases Point-to-Point encryption (P2PE) resources

The PCI Security Standards Council (PCI SSC), has announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based point-to-point encryption (P2PE) solutions. They are downloadable from the PCI SSC website in an MS Word format.

The resources follow the Council’s release of updated Solution Requirements and Testing Procedures for hardware-based P2PE solutions in April, (find the link in my resources page)which provide a method for vendors to validate their P2PE solutions and for merchants to reduce the scope of their PCI DSS assessments by using a validated P2PE solution for accepting and processing payment card data.

Eligible merchants using these P2PE hardware solutions may be able to reduce the scope of their PCI DSS assessments and validate to a reduced set of PCI DSS requirements. To help with this validation process, the Council has developed a new Self-Assessment Questionnaire (SAQ P2PE-HW).

SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components:

  • Merchant eligibility criteria
  • SAQ completion steps
  • Self-Assessment Questionnaire (validation of PCI DSS Requirements)
  • Attestation of Compliance, including Attestation of PIM Implementation

Merchants should refer to their acquirer and/or payment brand to determine if they are eligible to use this new SAQ.

The Council has also updated the PCI DSS SAQ Instructions and Guidelines document to provide additional guidance on use of the SAQ P2PE-HW.

The PCI P2PE Program Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website.

The document includes:

  • Overview of P2PE solution validation processes
  • Considerations for P2PE Solution providers preparing for assessment
  • Reporting considerations for P2PE assessors
  • Considerations for managing validated P2PE Solutions
  • Listing of applications used in P2PE solutions

Solution providers, application vendors, and P2PE assessors can use this document immediately to plan for their P2PE assessments.

The Council will shortly be providing templates and Reporting Instructions for P2PE validation reports, as well as new Attestations of Validation (AOVs) and vendor release agreement (VRA).

P2PE assessors, solution providers and application vendors can then complete their assessments of P2PE Solutions and applications and submit their reports and validation documentation to the Council for acceptance and listing. The Council will list the validated solutions on the PCI SSC website for merchants to use.

“These resources are a critical part of rolling out this program,”

said Bob Russo, general manager, PCI Security Standards Council

“The program guide outlines the submission and listing process for P2PE solution providers and application vendors who want to validate their products, while the SAQ will help simplify PCI DSS validation efforts for merchants taking advantage of this process to minimize the amount of cardholder data in their environments.”

.

PCI Point-to-Point Encryption Solution Requirements and Testing Procedures v1.1

The Payments Security Standards Council (PCI SSC) have released their solutions Requirements and Testing Procedures version 1.1 for Point-to-Point Encryption (P2PE).

The press release can be found here.

The main document is 210 pages long but for those who have looked into this before there is a short four page summary of changes from version 1.0 to version 1.1 here.

The document covers many things but the five main scope assessments for P2PE Solutions are

  1. Network Segmentation
  2. Third Parties/Outsourcing
  3. Sampling of System Components
  4. Multiple Acquirers
  5. P2PE Program Guide

Scope of Assessment for P2PE Solutions

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope. To ensure the accuracy of the solution scope is maintained on an on going basis, the solution provider must have processes in place that ensure the following:

  • Any changes are implemented in a manner that ensures continued adherence to P2PE requirements for the entire solution.
  • Any new rollouts/additions adhere to all P2PE solution requirements.
  • Any new rollouts/additions are included in the next P2PE assessment.

Network Segmentation

The solution provider must ensure that network segmentation is in place between any systems owned or managed by the solution provider that are used in the P2PE solution, and any that are not included in their PCI DSS compliant environment. The QSA (P2PE) must validate that the network segmentation is adequate to isolate the P2PE environment from out-of-scope networks and systems.

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

Multiple Acquirers

The P2PE standard outlines the technology and processes needed to ensure the security of a solution that protects account data from the point of interaction to the solution provider. In some instances, multiple acquirers or multiple solution providers may manage one or more P2PE solutions on the same merchant POI device. P2PE does not preclude these scenarios, as the business processes which govern this shared environment are outside the responsibility of the PCI SSC.

P2PE Program Guide

Please refer to the P2PE Program Guide for information about the P2PE program, including the following topics:

  • P2PE Report on Validation submission and acceptance processes
  • Annual renewal process for solutions included on the list of Validated P2PE Solutions
  • Notification responsibilities in the event a listed P2PE solution is determined to be at fault in a compromise

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

At-a-Glance – Steps Required to Create and Validate a P2PE Solution

The process for developing and validating a P2PE solution that uses SCDs for encryption, decryption, and cryptographic key management is provided below. This flow chart and the following table illustrate the parties responsible for implementing requirements and validating compliance with each domain, the high-level purpose of controls for each domain, and how validation of each domain can ultimately lead to a P2PE solution validation.

Like a lot of people I shall be looking into the details to see where existing and planned solutions meet the standard. The full 210 page document can be found here.

.

The PCI SSC has opened its registration for the 2012 PCI Community Meetings

PCI North American Community Meeting will be held on September 12-14, 2012 in Orlando, Florida

PCI European Community Meeting will be held this year in Dublin, Ireland, October 22-24, 2012

This year’s meetings offer Council Participating Organizations and PCI stakeholders access to three days of knowledge sharing, networking and learning, including keynote presentations from industry experts, PCI case studies, and technical sessions.

“2012 is a critical year in the standards development process that hinges on feedback from the PCI community. At this year’s meeting, we’ll focus on discussing stakeholder feedback on the standards in preparation for release of the next versions of the PCI DSS and PA-DSS in 2013, as well as share our successes and challenges, ideas and suggestions as a community,” said Bob Russo, general manager, PCI Security Standards Council. “We’ll discuss Council initiatives, including the Point-to-Point Encryption (P2PE) program, mobile payment acceptance security and other technology areas, as well as the work being done through our Special Interest Groups. Attendees will also have the opportunity to take advantage of our PCI SSC Training offerings.”

New to this year’s agenda, the Community Meetings will also feature:

  • Increased networking opportunitie
  • Targeted breakout sessions for different stakeholder groups
  • More industry case studies delivered by members of the PCI community
  • Expanded opportunities to meet with card brands
  • Two-day vendor showcase
  • Event mobile app to help make the most of attendees’ time

Special sessions for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) will be held at the meetings.

Several training courses will also be available. These offerings provide participants the opportunity to combine the value of peer to peer education at the Community Meeting with more formal training sessions, maximizing their time in Orlando and Dublin.

“The record attendance at last year’s meeting is a strong testament to the work that together we as a community are doing to drive payment security forward globally, but especially within Europe,” said Jeremy King, European Regional Director. “I’m thrilled about the growing involvement of the PCI community in Europe and look forward to coming together in Dublin to continue this momentum.”

Attendance fees:

  • Participating Organization: First two registrants are free; $395 for additional registrants
  • Qualified Security Assessor (QSA)/Approved Scanning Vendor (ASV)/Internal Security Assessor (ISA)/PIN Transaction Security (PTS) members: First registrant is free; $695 for additional registrants

For more information, or to register

See you in Dublin.

.

Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data

Credit card
Image via Wikipedia

Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data

Merchants are constantly seeking ways to simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) compliance by shrinking the footprint where cardholder data is located throughout their organization.

By reducing the scope, these Merchants can dramatically lower the cost and anxiety of PCI DSS compliance and significantly increase the chance of compliance be that an audit or a Self Assessment Questionnaire (SAQ).

The White Paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” explores the use of tokenization as a best practice in improving the security of credit card transactions, while at the same time minimising the cost and complexity of PCI DSS compliance by reducing audit scope.

The 8 Ways are

  1. Centralized data vault
  2. Tokens as data surrogates
  3. Tokens as surrogates for masked data
  4. No mathematical relationship between tokens and data values
  5. One-to-one or one-to-many token/data relationships
  6. Format Preserving Tokenization™
  7. Centralized key management
  8. Tokenization as a Service™ (TaaS)

For the full description of the 8 methods simply download the white paper here

Registration is required, some personal email accounts do not work e.g. Hotmail and Gmail. If you are having a problem please leave a comment and I will try to email the paper directly to you.

Also see a Free eBook  “Tokenization for Dummies” here.

.

PCI Security Standards Council announces winners of Special Interest Group elections

The PCI PCI SSC today announced the results of the PCI Council election for Special Interest Groups (SIGS).

Special Interest Groups (SIG) leverage the expertise of more than 600 PCI SSC Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council.

Almost 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012.

The three elected groups will focus on:

  • Cloud
  • eCommerce Security
  • Risk Assessment

Participating Organizations were allowed three votes on a shortlist of seven topics that were the result of 13 proposals by the community.

Successful project proposals represent a cross section of the PCI SSC community from around the globe and include active participants from CyberSource, HyTrust, Sense of Security Pty Ltd., SISA Information Security, The UK Cards Association, Trend Micro and TSYS.

This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor,” said Jeremy King, European director, PCI Security Standards Council.

I’m looking forward to close collaboration between the Council and SIG membership.”

Special Interest Groups are a critical forum for industry participation in Council initiatives to increase payment card security. SIGs focus on providing recommendations to the Council which often results in guidance for interpreting and implementing the PCI Standards. To date SIG participants have made significant contributions to Council resources on topics such as wireless security, EMV chip, point-to-point encryption and virtualized environments.

The Council invites any members of the PCI SSC community interested in participating in one of these SIG projects to indicate their interest by emailing sigs@pcisecuritystandards.org before November 30th. Following this, Council SIG leads will convene each group to formalize the group charter and precise scope of work project. This will be shared with the Community by the end of the year, with SIGs anticipated to start work in the beginning of 2012.

We’re delighted that risk assessment has been selected by our peers to move forward as a 2012 SIG project. I’d like to encourage anyone with expertise or interest in this topic area or the other final selections to get involved,” said Dharshan Shanthamurthy, chief consultant at SISA Information Security.

 “Council SIGs are a great opportunity for professional development, networking, and contributing to something that will benefit the entire industry.”

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: