Brian Pennington

A blog about Cyber Security & Compliance

Tag: PCI SSC

PCI Security Standards council announces 2016 special interest group election results

The Payment Card Industry Security Standards Council (PCI SSC) has announced the election results for its 2016 Special Interest Group (SIG) project.

Special Interest Groups are community-led initiatives that address important security challenges related to PCI Security Standards. One new Special Interest Group is selected every year, but groups may run for more than 12 months in order to complete the agreed-upon goals. 

PCI member organizations, including merchants, financial institutions, service providers and associations, voted on five proposed Special Interest Group topics submitted by their peers. The winning topic selected for 2016 was “Best Practices for Safe E-Commerce”.

The new Special Interest Group is slated to kick off in January 2016.

The Council invites PCI member organizations and assessors interested in getting involved in this SIG project to register on the PCI SSC website by 4 January 2016.

“The community chose from among five strong proposals, so it was certainly not an easy decision,” said Jeremy King, International Director, PCI SSC. “We are encouraged by how many Participating Organizations were involved in the submission and election process this year. SIGs continue to be an excellent vehicle for putting their expertise to work to improve payment card security globally.”
Payment Card Industry issues new guidance to help organizations respond to data breaches

For any organization connected to the internet, it is not a question of if but when their business will be under attack, according to a recent cybersecurity report from Symantec, which found Canada ranked No. 4 worldwide in terms of ransomware and social media attacks last year. These increasing attacks put customer information, and especially payment data at risk for compromise.

When breaches do occur, response time continues to be a challenge. In more than one quarter of all breaches investigated worldwide in 2014 by Verizon, it took the victim organization weeks, or even months, to contain the breach. It is against this backdrop that global cybersecurity, payment technology and data forensics experts are gathering in Vancouver for the annual PCI North America Community Meeting to address the ongoing challenge of protecting consumer payment information from criminals, and to share new best practices on how organizations can prepare to respond to a data breach.

A data breach now costs organizations an average total of $3.8 million. However, research shows that having an incident response team in place can create significant savings. Developed in collaboration with the Payment Card Industry (PCI) Forensic Investigators (PFI) community, Responding to a Data Breach: A How-to Guide for Incident Management provides merchants and service providers with key recommendations for being prepared to react quickly if a breach is suspected, and specifically what to do to contain damage and facilitate an effective investigation.

“The silver lining to high profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business-as-usual,” said PCI SSC General Manager Stephen W. Orfei. “Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.”

“This guidance is especially important given that in over 95% of breaches it is an external party that informs the compromised organization of the breach,” added PCI SSC International Director Jeremy King. “Knowing what to do, who to contact and how to manage the early stages of the breach is critical.”

At its annual North America Community Meeting in Vancouver this week, the PCI Security Standards Council will discuss these best practices in the context of today’s threat and breach landscape, along with other standards and resources the industry is developing to help businesses protect their customer payment data. Keynote speaker cybersecurity blogger Brian Krebs will provide insights into the latest attacks and breaches, while PCI Forensic Investigators and authors of the Verizon Data Breach Investigation Report and PCI Compliance Report, will present key findings from their work with breached entities globally. Canadian organizations including City of Calgary, Interac and Rogers will share regional perspectives on implementing payment security technologies and best practices. 

Download a copy of Responding to a Data Breach: A How-to Guide for Incident Management here.

The original PCI SSC press release can be found here.

P2Pe, Pseudo-P2Pe, End-2-End Encryption, Linked Encryption, they are all good

This week’s Vendorcom Secure Payments Special Interest Group (SIG) met to discuss P2Pe and it became clear that there are many ways to achieve a compliant outcome.

My first impression was the large number of attendees at the SIG, 50+, and that only one of them was a Merchant. The rest were a mixed bag of Acquirers, PSPs, QSAs, Vendors and Consultants, making it more of a Vested Interest Group than a Special one.

The Logic Group (TLG) started the presentations and covered their listed P2Pe solutions and how they achieved compliance. They explained all the hard work getting all the elements through the audits and the 970 P2Pe Controls (more than double that of PCI DSS).

TLG cited the issues of key custody and management and how once during the development period it required 6 people to cover the physical as well as the logical security requirements.

The Q&A session before lunch was mostly aimed at John Elliot of VISA Europe, who handled even the most difficult questions very well and delivered the answers with humour. He even confirmed that next week there is a gathering in the US to ratify the much discussed Tokenization standard and some clarifications to the PCI DSS version 3.0. He was, however, wrong on one prediction: that the new Self Assessment Questionnaires (SAQ) would be out on Thursday. They weren’t, but to be fair to John, almost everyone associated with PCI has tried to predict the arrival of the new SAQs and got it wrong. They finally came out today (28th February 2014).

After lunch Spire Payments and MagTek presented on their device solutions and their compatibility with the PCI PTS SRED and how they could fit into a P2Pe compliant solution.

Next up were Vodat International with their alternative to P2Pe. The Vodat solution is a managed end to end solution with encryption and resilience. Ian Martin’s presentation was supported by VISA Europe as a way to achieve PCI DSS compliance.

Some other discussion points:

  • Linked Encryption combined with EMV could make a significant security improvement for the US market
  • Some merchants think switching to Ingenico gives them P2Pe
  • Some merchants and the PCI SSC are concerned that there are only two listed P2Pe solutions
  • PCI SSC would like to make P2Pe modular e.g. if you want to do your own key management or choose your own PEDs, etc.
  • An April deadline for moving to TLS 1.1 or above is not true; maintaining secure software is always required
  • All mobile payments are mandated to have P2Pe
  • P2Pe will probably never be mandatory, except for mobile
  • If you have a certified P2Pe solution you can complete an SAQ no matter what size of merchant you are

It was an interesting day and, after all the presentations and discussions, what became clear is that there are many ways to achieve PCI DSS compliance: Point to Point Encryption (P2Pe), Pseudo-P2Pe, End-2-End Encryption and Linked Encryption, or a combination of them.

What is not in doubt is that the chosen solution must meet the business profile of the merchant and help them achieve PCI DSS compliance. The solution itself will not achieve compliance, because there is more to compliance than installing a solution: for example, the ongoing maintenance of compliance and the human element.

Whichever solution you represent or are looking to buy, let’s hope it is installed and maintained well enough to achieve and maintain continuous security and PCI DSS compliance.

Increasing Security and Reducing Fraud with EMV Chip and PCI Standards: an Infographic

When data is exposed, it puts your customers and your reputation as a business at serious risk. EMV chip technology combined with PCI Security Standards offers a powerful combination for increasing card data security and reducing fraud.

PA-DSS and PCI DSS version 3.0 now available in 9 languages

The PCI Security Standards Council (PCI SSC) has announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) 3.0 are now available in nine languages.

“It’s important that organizations around the globe have the resources they need to protect card data,” said Bob Russo, general manager, PCI Security Standards Council. “We’re happy to make the PCI Standards available in a number of languages to assist organizations as they work to make payment security part of their business-as-usual practices.”

PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council’s global constituents and response to market needs.

Over 50% of this feedback came from outside of the U.S., emphasizing the Council’s active international membership base.

The PCI SSC website supports translated pages and PCI materials including the new PCI DSS v3.0 and PA-DSS v3.0 in the following languages:

  • Chinese
  • French
  • German
  • Italian
  • Japanese
  • Portuguese
  • Russian
  • Spanish

“We continue to be encouraged by the growing participation from global stakeholders in PCI Standards development,” said Jeremy King, international director, PCI Security Standards Council. “We’re optimistic that these translations will increase awareness and adoption of the standards and drive improved payment security.”

PCI-DSS and PA-DSS Version 3.0 – the full highlights and changes

Brian Pennington

The PCI SSC considered many things when drafting Version 3.0 of the PCI DSS and PA DSS standards including:

  • What will improve payment security?
  • Global applicability and local market concerns
  • Appropriate sunset dates for other standards or requirements
  • Cost/benefit of changes to infrastructure
  • Cumulative impact of any changes

The nature of the changes reflects the growing maturity of the payment security industry since the Council’s formation in 2006, and the strength of the PCI Standards as a framework for protecting cardholder data. Cardholder data continues to be a target for criminals.

Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today.

The updates address these challenges by building in additional guidance and clarification on the intent of the requirements and ways to meet them. Additionally, the changes in PCI DSS and PA-DSS 3.0 focus…


PCI DSS Version 3, what does it have in store for you?

The PCI Security Standards Council (PCI SSC) has published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013.

Version 3.0 to focus on flexibility, education and awareness, and security as a shared responsibility

The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.

Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs.

Key drivers for version 3.0 updates include:

  • lack of education and awareness
  • weak passwords and authentication challenges
  • third party security challenges
  • slow self-detection in response to malware and other threats
  • inconsistency in assessments

“Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and technology environments,” said Bob Russo, PCI SSC general manager.

“The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”

Based on feedback from the industry, in 2010 the PCI SSC moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements.

Proposed updates include:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from Navigating PCI DSS Guide
  • Increased flexibility and education around password strength and complexity
  • New requirements for point-of-sale terminal security
  • More robust requirements for penetration testing and validating segmentation
  • Considerations for cardholder data in memory
  • Enhanced testing procedures to clarify the level of validation expected for each requirement
  • Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

These updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.

“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.

Merchants and Acquirers to Share PCI Lessons Learned at PCI SSC Community Meetings

The PCI Security Standards Council (PCI SSC) has announced PCI in Practice sessions for the 2013 PCI Community Meetings in Las Vegas, Nevada; Nice, France; and Kuala Lumpur, Malaysia. Case studies from members of the PCI community will share best practices in implementing payment card security programs.

PCI in Practice sessions for the North American and European Community Meetings will feature Chase Paymentech, Southwest Airlines and Time Warner Cable, Reliant Security, BT PLC and the Pan-Nordic Card Association. Australia Post will discuss its PCI journey at the Asia-Pacific Community Meeting:

  • The Importance of Merchant and Acquirer Communications: Chase Paymentech, David Wallace, vice president of global merchant compliance; Southwest Airlines, Shawn Irving, senior manager of information security systems; Time Warner Cable, Erika Root, director, internal controls compliance, PCI Professional (PCIP) and Internal Security Assessor (ISA)
  • Secure Payment Systems Implementation – QIR in practice: Reliant Security, Mark Weiner, managing partner, PCI Qualified Integrator & Reseller (QIR)
  • Successful Acquirer Collaboration on PCI – A Nordic case study: Pan-Nordic Card Association, Mats Henriksson
  • QSAC Engagement – Tracing the PCI compliance journey of a multi-national corporation: BT PLC, Sarah Nicholson, security policy & compliance manager; Candice Pressinger, head of group PCI-DSS compliance
  • Achieving and Maintaining Compliance – One approach to the PCI DSS journey: Australia Post, Janelle Bull, risk manager, CardSafe program; Sharon Jokic, program director, CardSafe program

“The Community Meetings are about sharing experiences and best practices with a large audience of peers for improved payment security,” said Bob Russo, general manager, PCI Security Standards Council. “And learning from one another is one of the best ways we as a community can continue to work together to increase payment card data protection globally. We’re looking forward to this year’s PCI in Practice sessions to hear about how these organizations representing different industries and geographies are effectively addressing PCI security within their unique business.”

PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC) has announced election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires
  • Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

“Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

“The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.”

PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC) has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities, including card manufacture, chip embedding, magnetic-stripe encoding, embossing, card personalization, chip initialization and chip personalization.

These requirements were formerly managed separately by each payment card brand; the Council aligned them and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

The standard is broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

“There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain.”

Sometimes it is a good idea to have in-house skills

After many discussions with people responsible for achieving and maintaining PCI DSS compliance within their organisation, and hearing about their problems and pains, I often think about the skills they need and where they can get them. They could recruit, outsource or train, with training being the most cost-effective.

I noticed on the PCI SSC website the details of their “PCI SSC Internal Security Assessor (ISA) Program” and the benefits it can deliver to large or complex merchants so I decided to promote it as a way of achieving some of the required in-house skills.

Knowing many highly skilled QSAs, I would always say that their extensive knowledge of different scenarios and industries makes them the backbone of the PCI DSS, not just from an audit perspective but also for their advisory and guidance skills.

The ISA programme gives candidates the opportunity to build their PCI Security Standards expertise and strengthen their approach to payment data security, as well as increase their efficiency in compliance with the PCI Data Security Standards. 

About the Training

Employee Education is the Best Defense for protecting your Organization’s Data Assets.

To address concerns about PCI compliance and card data security, the PCI Security Standards Council operates the Internal Security Assessor Program to assist firms seeking to educate their employees on PCI compliance regulations. The program trains, tests, and certifies organizations and individuals to assess and validate adherence to PCI Security Standards.

Who Should Attend?

ISA training is intended primarily for individuals who already possess significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing). 

The Benefits:

  • Improve your understanding of PCI DSS and how it can help protect your customer data and your business
  • Help your organization build internal expertise
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Earn CPE credits 

The Format: The Council recognizes that students may prefer different learning environments and offers ISA training in two formats: instructor-led (ILT) and online eLearning. Same content. Same qualification. You decide what’s best for you.

The ISA Training Program, for internal security assessment staff at ISA Sponsor Companies, consists of a four-hour online pre-requisite course and exam called PCI Fundamentals, followed by either an instructor-led course and exam or an eLearning course and exam. Successful completion results in ISA qualification and a PCI ISA certificate.

Pre-Requisite Course Curriculum: This portion of the training assures that all participants attending the ISA Training Course have the same baseline understanding of the PCI SSC, card data environment, and the related terminology along with the industry relationships within the credit card transaction flow. It concludes with a multiple choice test.

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

ISA Course Curriculum Covers:

The ISA course is the next step for those students who have successfully completed the pre-requisite PCI Fundamentals course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements and testing procedures. In addition it addresses topics such as Report on Compliance (ROC) documentation, QA ROC review, and compensating controls, to name just a few. Also included in the instructor-led course are case studies that provide the ISA candidate with a simulation of assessment scenarios that may aid them in solving common problems found in their own environments. A multiple choice exam immediately follows the instructor-led course. The exam may be conveniently scheduled at a Pearson VUE Testing Center for students who take the eLearning course.

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?
    • Industry overview
    • Terminology
    • Transaction data flow
    • Relationships between various organizations in the process
  • How the credit card brands differ in their validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of 2.0
    • Testing procedures
    • What constitutes compliance
  • PCI Hardware and Communications Infrastructure
  • PCI Reporting
  • Real world examples
    • Overview of compliance issues and mitigation strategies
    • Compensating controls
    • Creating policies
    • Modifying cardholder data environment

How to Register: Three Steps to Join as a Sponsor Company and Have your Employees Attend ISA Training

Step 1: Submit required Sponsor Company documentation by mail.

  1. Original signed agreement, page 13 of the Validation Requirements document
    • The representative noted as your company primary contact should be prepared to receive all PCI SSC related communications
    • It is not required that your primary contact be an officer of your company
  2. Copy of your company business license (Articles of Incorporation are also acceptable)
  3. A fully completed Individual Certification page for each employee you wish to send to training

Step 2: An invoice will be issued via email to the primary contact listed on the agreement page once the application is received. Applications are reviewed within 5 business days of receipt.

The fees for the ISA training will be based on whether or not your company is a member of the PCI SSC Participating Organization Program.

The Participating Organization Program is a separate program and membership is not based on your company compliance to PCI DSS or the submission of the Sponsor Company documents outlined above.

Step 3: Upon receipt of payment, the designated primary contact will receive instructions for the online pre-requisite portion of the training. Once the PCI Fundamentals training and test have been passed successfully, the primary contact will receive the location details for the instructor-led class or login credentials for the eLearning class. This will not be released until online PCI Fundamentals training has been taken and the test passed.

2013 ISA Training Course Schedule

Date             Location                 Time         Participating Org. Price (USD)   Non-Participating Org. Price (USD)
15-16 April      London, UK               09:00-17:30  $2250                            $3595
3-4 May          New Orleans, LA, USA     09:00-17:30  $1495                            $2595
20-21 May        Denver, CO, USA          09:00-17:30  $1495                            $2595
10-11 June       Orlando, FL, USA         09:00-17:30  $1495                            $2595
14-15 July       Toronto, Canada          09:00-17:30  $1495                            $2595
21-22 August     Boston, MA, USA          09:00-17:30  $1495                            $2595
22-23 September  Las Vegas, NV, USA       09:00-17:30  $1495                            $2595
October          Nice, France             09:00-17:30  $2250                            $3595
November         Kuala Lumpur, Malaysia   09:00-17:30  $1495                            $2595

Full details can be found here.

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released its latest supplement, the ATM Security Guidelines Information Supplement.

The guidelines were developed to provide guidance to ATM manufacturers on how to prevent card data from being compromised at ATMs.

The ATM Industry Association’s (ATMIA) 2012 ATM Global Fraud Survey reveals that skimming remains the leading global threat to ATMs, because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals.

Also see: Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals.

“Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.”

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: the ATM during manufacturing, ATMs in storage, deployed ATM estates, and each ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents, the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMs for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.


Feedback requested from PCI community on best practices to help prevent card data compromise at ATMs

The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate the effect of attacks on ATMs aimed at stealing PIN and account data, a direct response to stakeholder requests for guidance on ATM security.

Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.

PIN and account data present in ATMs has become a growing target for criminals who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are also other avenues of fraudulent card activity.

PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM that stakeholders can leverage in their ATM security efforts.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.

“We rely on industry feedback to develop PCI Standards and resources,” said Bob Russo, general manager, PCI Security Standards Council. “By sharing an early version of the guidelines with the PCI community, we’re aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business.”


PCI Security Standards Council releases best practices for mobile software developers

During this week’s PCI SSC US Community Meeting, a demonstration of a mobile attack highlighted the need for more secure development practices in the mobile payments space.

The demonstration coincided with, and supported, the release of the new PCI Mobile Payment Acceptance Security Guidelines, which offer software developers and mobile device manufacturers guidance on designing appropriate security controls so that merchants can accept mobile payments securely.

The demonstration of the top mobile attacks was done by Nicholas J. Percoco, senior vice president of Trustwave’s SpiderLabs, and showed the threats to the security of payments over mobile acceptance devices, including malware and rootkits, jailbreaking vulnerabilities and SSL-man-in-the-middle attacks.

“It is important that a best practice guide be developed, by the industry, to educate mobile app developers on methods of securing commerce transactions and the risks of not doing so,” said Percoco.

The PCI SSC formed an industry taskforce in 2010 as part of a dedicated effort to address mobile payment acceptance security. Since then, the Council has released guidance on how merchants can apply its current standards to mobile payment acceptance by addressing mobile applications with the Payment Application Data Security Standard (PA-DSS), and leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to accept payments on mobile devices more securely.

The guidance for developers is the next piece of the Council’s work in this area. The document organizes the mobile payment-acceptance security guidance into two categories: best practices to secure the payment transaction itself, which addresses cardholder data as it is entered, stored and processed using mobile devices; and guidelines for securing the supporting environment, which addresses security measures essential to the integrity of the broader mobile application platform environment.

Key recommendations include:

  • Isolate sensitive functions and data in trusted environments
  • Implement secure coding best practices
  • Eliminate unnecessary third-party access and privilege escalation
  • Create the ability to remotely disable payment applications
  • Create server-side controls and report unauthorized access

“Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC Chief Technology Officer Troy Leach in his presentation to PCI CM attendees. “It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”

The Council has announced that in 2013 it will release further guidance to help merchants adopt mobile payment acceptance securely, while continuing to collaborate with industry subject matter experts to explore how card data security can be addressed in an evolving mobile acceptance environment, and whether additional guidance or requirements must be developed.


The average cost of a breach event is $7.2 million or $214 per compromised record

In promoting their Internal Security Assessor Training in Dublin the Payment Card Industry Security Standards Council (PCI SSC) sent an email quoting the Verizon Data Breach Investigation Report 2011 statistics:

  • The average cost of a breach event is $7.2 million
  • The average cost per compromised record is $214

They used these statistics in their promotional email because they believe in the value of the Internal Security Assessor qualification; with the PCI SSC’s European Community Meeting in Dublin next month, they are encouraging people to register and learn the skills required to improve PCI DSS compliance.

The promotional wording for the course is “Enhance your organization’s data security with an investment in training this year – and realize these benefits:”

  • Improve your organization’s understanding of PCI DSS
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Simplify year-round compliance efforts

The Dublin dates are 18-19 October 2012.

For more information on the course and to register click here, or email training@pcisecuritystandards.org with questions.


PCI Security Standards Council releases Point-to-Point encryption (P2PE) resources

The PCI Security Standards Council (PCI SSC) has announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based point-to-point encryption (P2PE) solutions. They are downloadable from the PCI SSC website in MS Word format.

The resources follow the Council’s release in April of updated Solution Requirements and Testing Procedures for hardware-based P2PE solutions (find the link on my resources page), which provide a method for vendors to validate their P2PE solutions and for merchants to reduce the scope of their PCI DSS assessments by using a validated P2PE solution for accepting and processing payment card data.

Eligible merchants using these P2PE hardware solutions may be able to reduce the scope of their PCI DSS assessments and validate to a reduced set of PCI DSS requirements. To help with this validation process, the Council has developed a new Self-Assessment Questionnaire (SAQ P2PE-HW).

SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components:

  • Merchant eligibility criteria
  • SAQ completion steps
  • Self-Assessment Questionnaire (validation of PCI DSS Requirements)
  • Attestation of Compliance, including Attestation of PIM Implementation

Merchants should refer to their acquirer and/or payment brand to determine if they are eligible to use this new SAQ.

The Council has also updated the PCI DSS SAQ Instructions and Guidelines document to provide additional guidance on use of the SAQ P2PE-HW.

The PCI P2PE Program Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website.

The document includes:

  • Overview of P2PE solution validation processes
  • Considerations for P2PE Solution providers preparing for assessment
  • Reporting considerations for P2PE assessors
  • Considerations for managing validated P2PE Solutions
  • Listing of applications used in P2PE solutions

Solution providers, application vendors, and P2PE assessors can use this document immediately to plan for their P2PE assessments.

The Council will shortly be providing templates and Reporting Instructions for P2PE validation reports, as well as new Attestations of Validation (AOVs) and vendor release agreement (VRA).

P2PE assessors, solution providers and application vendors can then complete their assessments of P2PE Solutions and applications and submit their reports and validation documentation to the Council for acceptance and listing. The Council will list the validated solutions on the PCI SSC website for merchants to use.

“These resources are a critical part of rolling out this program,” said Bob Russo, general manager, PCI Security Standards Council. “The program guide outlines the submission and listing process for P2PE solution providers and application vendors who want to validate their products, while the SAQ will help simplify PCI DSS validation efforts for merchants taking advantage of this process to minimize the amount of cardholder data in their environments.”


Guidance for merchants on how to securely accept mobile payments the PCI way

This has been coming for a while but finally the PCI SSC has published a fact sheet outlining how merchants can securely accept payments using mobile devices such as smartphones or tablets.

The “At a Glance: Mobile Payment Acceptance Security” fact sheet provides merchants with actionable recommendations on partnering with a Point-to-Point Encryption (P2PE) solution provider to securely accept payments and meet their PCI DSS compliance obligations. The ability to use smartphones and tablets as point-of-sale terminals to accept payments in place of traditional hardware terminals offers great flexibility. As mobile technology continues to change at a rapid pace, the Council continues to work with the industry to ensure data security remains at the forefront of mobile evolution.

This latest educational resource is the product of the Council’s Mobile Working Group and is the result of valuable input from leading merchants, vendors and organizations actively involved in the mobile payment acceptance industry. The document helps clarify and distill some of the more complex technology and security terminology into straightforward, practical guidance that can help merchants to:

  • Better understand their responsibilities under PCI DSS, and how they translate to mobile payment acceptance
  • Leverage the benefits of the Council’s recently published Point-to-Point Encryption (P2PE) standard and program
  • Choose a mobile payment acceptance solution that complements the merchant’s PCI DSS responsibilities, for example a P2PE solution provider

Using this resource to guide them in how PIN Transaction Security (PTS) and P2PE standards work together, merchants can better understand how to securely use external plug-in devices with smartphones or tablets to accept payment cards by first encrypting and securing the data at the point that the account data is captured. The smartphone or tablet has no ability to decrypt the data, thus simplifying PCI DSS scope for the merchant.
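To make the scope argument above concrete, here is an added model of the hardware P2PE flow (constructed for this post, not the Council's or any vendor's code): the reader encrypts under a per-device key, the phone can only relay the blob and is made to refuse anything that looks like cleartext account data, and only the solution provider's decryption environment recovers the PAN. The device id, key material and HMAC-based keystream are placeholders standing in for the real PTS reader's cipher.

```python
"""Model of hardware P2PE: encrypt at the point of capture, relay through a
device that holds no key, decrypt only in the solution provider's environment.
Constructed illustration; the HMAC-SHA256 counter-mode keystream is a stand-in
for the reader's real cipher and the device id/key are placeholders."""
import base64
import hashlib
import hmac
import os
import re

# Per-device keys live only in the solution provider's decryption environment
# (an HSM in practice), never on the merchant's phone or tablet.
DEVICE_KEYS = {"READER-0001": bytes(range(32))}  # placeholder key material


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from the device key and a nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(device_id: str, key: bytes, pan: str) -> dict:
    """What the encrypting reader hands to the phone: ciphertext, nonce,
    integrity tag and device id. Neither the key nor cleartext leaves the reader."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode()  # noqa: E731 (short helper)
    return {"device_id": device_id, "nonce": enc(nonce), "ct": enc(ct), "tag": enc(tag)}


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to recognise a digit run that looks like a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def phone_forward(payload: dict) -> dict:
    """Merchant app: it can only relay the blob. A reader that ever sent
    cleartext would pull the phone back into full PCI DSS scope, so refuse it."""
    for value in payload.values():
        for run in re.findall(r"\d{13,19}", str(value)):
            if luhn_ok(run):
                raise ValueError("cleartext PAN reached the mobile device")
    return payload


def provider_decrypt(payload: dict) -> str:
    """Solution provider's decryption environment: look up the device key,
    verify the integrity tag, then recover the PAN for authorisation."""
    key = DEVICE_KEYS[payload["device_id"]]
    nonce = base64.b64decode(payload["nonce"])
    ct = base64.b64decode(payload["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(payload["tag"])):
        raise ValueError("payload tampered with or wrong device key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
```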

“We know merchants are eager to take advantage of their existing smartphones or tablets to accept payment cards,” said Bob Russo, general manager, PCI Security Standards Council. “And the Council and its stakeholders want to help the market to do this in a secure way. We’re excited about this easy-to-use reference that will help merchants understand how to use the suite of PCI Standards to enable their businesses while still keeping data security top of mind.”

As with all SSC fact sheets, this guidance does not replace or supersede any of the PCI Standards.

The Council continues to work with the payments community to address mobile payment acceptance security and evaluate whether additional requirements are needed in this area. As part of this ongoing initiative, the Council plans to publish best practices for securing mobile transactions later this year.

“The PTS and P2PE standards are being leveraged by mobile solution providers today. With this fact sheet we hope to help merchants understand how these standards work and the options that are available to them for accepting mobile payments in a secure and PCI DSS compliant manner,” said Troy Leach, chief technology officer, PCI SSC.

The link to the At a Glance: Mobile Payment Acceptance Security fact sheet is here.

PCI Security Standards Council announces qualified integrators and resellers certification program

The PCI SSC quotes results from the Trustwave 2012 Global Security Report which states that 76% of the breaches they investigated were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments.

Errors introduced by third parties during the implementation, configuration and support of PA-DSS validated payment applications in merchant environments were identified as a significant risk to the security of cardholder data. Small businesses in the food and beverage industry that rely heavily on outsourcing are particularly vulnerable, as they made up the bulk of the compromises.

To help address this security challenge, merchants, acquirers, payment software vendors and card brands participated in a Council taskforce to evaluate market needs and make recommendations on how to address them. This included development of more guidance and best practices for integrators and resellers and a global list of PCI Council certified integrators and resellers.

The Qualified Integrators & Resellers (QIR) program will give integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications in merchant environments, in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, giving merchants a trusted resource for selecting PCI-approved partners. The PCI SSC will offer training online in late summer 2012, and the validated list for merchants will be published on the PCI SSC website shortly thereafter. More details on the program, including eligibility requirements, training course information and costs, will be made available soon. In the meantime, those interested in participating in the program can click here or email questions to qir@pcisecuritystandards.org.

“Product solutions that are a good fit for a PCI compliant organization need to be installed, configured, and managed properly to support PCI DSS,” said Diana Kelley, principal analyst at security IT research firm SecurityCurve. “Integrators and resellers need to understand what makes a solution effective for protecting cardholder data and the cardholder data environment in order to provide the most value to their customers. That’s why I think the new integrator and reseller certification and training for 2012 is a welcome addition to the Council’s comprehensive training offerings.”

“This program comes as a direct result of industry feedback and stakeholder requests for greater quality assurance and accountability around the secure installation of payment software,” said Bob Russo, general manager, PCI Security Standards Council. “Not only will it help integrators and resellers better understand how to address some of the basic security flaws we’re seeing that can be easily avoided, but it will also make it easier for merchants to have confidence in the services being provided to them. Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly.”

Reproduced from the PCI SSC Press Release.


PCI DSS – updated guidelines for WiFi and new guidance on Bluetooth


The Wireless Special Interest Group (SIG) of the PCI Security Standards Council (PCI SSC) has released an Information Supplement: PCI DSS Wireless Guidelines.

The update aligns the wireless guidance with version 2 of the PCI Data Security Standard and adds guidance on Bluetooth.

All merchants and credit card processors should read the document, which can be found here.

The three main sections in the Information Supplement are:

  1. Wireless Guidance Overview
  2. Generally Applicable Wireless Requirements
  3. Applicable Requirements for In-scope Wireless Networks

For further information on the PCI Data Security Standard visit the PCI Resources page on my blog here.


PCI Security Standards Council Exceeds 100 Members in Europe


In advance of the annual PCI Community Meeting, the Council celebrates more than 100 European companies as key contributors to the ongoing development of the PCI Standards.

The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced a milestone in ongoing momentum and global participation – more than 100 European companies are now PCI Participating Organizations, promising a strong showing for this year’s PCI European Community Meeting on October 17-19, 2011, in London, England.

The Council is made up of more than 600 global Participating Organizations (POs) worldwide. Continual global involvement not only benefits stakeholder organizations but also the larger payment security community, by ensuring the diverse and unique industry and geographic perspectives of those across the payment chain are represented in the work of the Council.

European participation – including merchants, financial institutions and processors from around the continent – has been a key factor in the Council’s analysis and guidance on technologies in the payment environment, such as call center recording technologies and EMV, as well as the development of critical resources like the Prioritized Approach framework.

This year, Participating Organizations also elected a new Board of Advisors, with 7 of the 21 seats being represented by European companies, a testimony to the growing European involvement in the Council and the work and collaboration that is taking place in Europe to drive payment security forward.

“As a member of the Council since 2007, we are pleased to see the growing awareness around payment security in the UK and European regions over the last few years,” said PCI SSC Board of Advisors member Philip Morton, information security compliance manager, British Airways. “We are excited to bring our geographic and industry perspectives to the Council in serving on the Board this term and working with the PCI community to continue to drive increased protection of cardholder data in Europe and globally.”

Twenty-five percent of the growth among European POs has occurred in the last year, since the Council brought on European Director Jeremy King to concentrate PCI efforts in the region. This number has more than tripled since the first year of the Council’s existence.

“Counter to those who suggested that the issue of PCI Standards and global card security were U.S. centric initiatives, our ongoing growth in participation in Europe illustrates the increase in awareness, focus and feedback we are achieving globally,” said Jeremy King, European director, PCI Security Standards Council. “I am very excited about the growing number of European-based organizations who will join us at this year’s European Community Meeting. As we kick off our feedback period for the PCI Standards, I look forward to engaging this core group of stakeholders in our global standards lifecycle process. Together, these organizations will help influence the Council’s agenda and the direction and evolution of the PCI Standards in the coming years.”
