Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

QSA

Guest blog: PCI audits and how to recognize a good QSA auditor and partner

Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal who you are working with. We just completed a PCI audit of our Alliance Key Manager for VMware solution and it gave me a whole new perspective and attitude about the audit process. Our PCI work was conducted by Coalfire, a security company that provides PCI audit services as well as audit services for the health and financial communities. Most of my remarks will reflect on the great experience we had with Coalfire and some of the lessons we learned.

As is true of financial auditors, the QSA auditor has a duty to accurately assess the security of your IT systems to insure that they meet or exceed the PCI Data Security Standards (PCI DSS) as outlined by the PCI Security Standards Council (PCI SSC). They have a professional responsibility to tell you where you meet the PCI DSS standard, and where you fall short. That “falling short” part is the thing most people dread hearing about.

I would suggest that this is exactly where a good security audit can be very helpful. We need to know where our security is weak, and we need to know how to fix the problems. A good QSA auditor will be more than a gatekeeper for the PCI security standards – they will be a trusted advisor on how to get things right from a security perspective. That practical advice is exactly what we need to protect our sensitive data.

Finding problems and fixing them is less expensive than suffering a data breach and then scrambling to fix the problems.

Another often overlooked benefit of having a good QSA auditor is that you get a get a trusted advisor in the process. It is one thing to have an auditor point out the faults in your security strategy, it is another to find an auditor who can advise you on the security strategies and potential solutions that can help you. While there must be an arms-length relationship between an auditor and a solution provider, your QSA auditor should be able to point you to a number of solutions that can help you mitigate security weaknesses. An experienced auditor is going to help you navigate towards a good solution.

It is hard to quantify the benefit of this type of guidance, but I personally think it is invaluable.

The take-away is that you should set high expectations for the relationship you develop with your QSA auditor. You can walk away from the experience with checks in boxes, or you can meet PCI compliance AND achieve a credible security strategy and trusted advisor. I found the latter in my relationship with Coalfire.

Patrick Townsend

Townsend Security

P2Pe, Pseudo-P2Pe, End-2-End Encryption, Linked Encryption, they are all good

This week’s Vendorcom Secure Payments Special Interest Group (SIG) met to discuss P2Pe and it became clear that there are many ways to achieve a compliant outcome.

My first impression was the large number of attendees at the SIG, 50+, only one of them was a Merchant. The rest were a mixed bag of Acquirers, PSPs, QSAs, Vendors and Consultants making it more of a Vested Interest Group than a Special one.

The Logic Group (TLG) started the presentations and covered their listed P2Pe solutions and how they achieved compliance. They explained all the hard work getting all the elements through the audits and the 970 P2Pe Controls (more than double that of PCI DSS).

TLG cited the issues of key custody and management and how once during the development period it required 6 people to cover the physical as well as the logical security requirements.

The Q&A session before lunch was mostly aimed at John Elliot of VISA Europe who handled even the most difficult questions very well and delivered the answers with humour. He even confirmed that next week there is a gathering in the US to ratify the much discussed Tokenization standard and some clarifications to the PCI DSS version 3.0. He however was wrong on one prediction that the new Self Assessment Questionnaires (SAQ) would be out on Thursday and they weren’t but to be fair to John almost everyone associated with PCI has tried to predict the arrival of the new SAQs and got it wrong. They finally came out today (28th February 2014).

After lunch Spire Payments and MagTek presented on their device solutions and their compatibility with the PCI PTS SRED and how they could fit into a P2Pe compliant solution.

Next up were Vodat International with their alternative to P2Pe. The Vodat solution is a managed end to end solution with encryption and resilience. Ian Martin’s presentation was supported by VISA Europe as a way to achieve PCI DSS compliance.

Some other discussion point

  • Linked Encryption combined with EMV could make a significant security improvement for the US market
  • Some merchants think switching to Ingenico gives them P2Pe
  • Some merchants and the PCI SSC are concerned that there are only two listed P2Pe solutions
  • PCI SSC would like to make P2Pe modular e.g. if you want to do your own key management or choose your own PEDs, etc.
  • An April deadline for moving to TLS 1.1 or above is not true, maintaining secure software is always required.
  • All mobile payments are mandated to have P2Pe
  • P2Pe will probably never be mandatory, except for mobile
  • If you have a certified P2Pe solution you can complete an SAQ no matter what size of merchant you are

It was an interesting day and after all the presentations and discussions what became clear is there are many ways to achieve PCI DSS compliance; Point to Point Encryption (P2Pe), Pseudo-P2Pe, End-2-End Encryption and Linked Encryption or a combination of them.

What is not in doubt is the chosen solutions must meet the business profile of the merchant and help them achieve PCI DSS compliance. The solution itself will not achieve compliance because there is more to compliance than installing a solution for example there is the on going maintenance of compliance and the human element.

Whichever solution you represent or are looking to buy lets hope it is installed and maintained well enough to meet and maintain continuous security and PCI DSS compliance.

PA DSS and PCI DSS version 3.0 now available in 9 languages

The PCI Security Standards Council (PCI SSC), have announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) 3.0 are now available in nine languages.

“It’s important that organizations around the globe have the resources they need to protect card data,” said Bob Russo, general manager, PCI Security Standards Council. “We’re happy to make the PCI Standards available in a number of languages to assist organizations as they work to make payment security part of their business-as-usual practices.”

PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council’s global constituents and response to market needs.

Over 50% of this feedback came from outside of the U.S., emphasizing the Council’s active international membership base.

The PCI SSC website supports translated pages and PCI materials including the new PCI DSS v3.0 and PA-DSS v3.0 in the following languages:

  • Chinese
  • French
  • German
  • Italian
  • Japanese
  • Portuguese
  • Russian
  • Spanish

“We continue to be encouraged by the growing participation from global stakeholders in PCI Standards development, said Jeremy King, international director, PCI Security Standards Council. “We’re optimistic that these translations will increase awareness and adoption of the standards and drive improved payment security.”

Merchants and Aquirers to Share PCI Lessons Learned at PCI SSC Community Meetings

The PCI Security Standards Council (PCI SSC), have announced PCI in Practice sessions for the 2013 PCI Community Meetings in Las Vegas, Nevada; Nice, France; and Kuala Lumpur, Malaysia. Case studies from members of the PCI community will share best practices in implementing payment card security programs.

PCI in Practice sessions for the North American and European Community Meetings will feature Chase Paymentech, Southwest Airlines and Time Warner Cable, Reliant Security, BT PLC and the Pan-Nordic Card Association. Australia Post will discuss its PCI journey at the Asia-Pacific Community Meeting:

  • The Importance of Merchant and Acquirer Communications Chase Paymentech, David Wallace, vice president of global merchant compliance; Southwest Airlines, Shawn Irving, senior manager of information security systems; Time Warner Cable, Erika Root, director, internal controls compliance, PCI Professional (PCIP) and Internal Security Assessor (ISA)
  • Secure Payment Systems Implementation – QIR in practice Reliant Security, Mark Weiner, managing partner, PCI Qualified Integrator & Reseller (QIR)
  • Successful Acquirer Collaboration on PCI – A Nordic case study Pan-Nordic Card Association, Mats Henriksson
  • QSAC Engagement – Tracing the PCI compliance journey of a multi-national corporation BT PLC, Sarah Nicholson, security policy & compliance manager; Candice Pressinger, head of group PCI-DSS compliance
  • Achieving and Maintaining Compliance – One approach to the PCI DSS journey Australia Post, Janelle Bull, risk manager, CardSafe program; Sharon Jokic, program director, CardSafe program

To register for the 2013 Meetings:

The Community Meetings are about sharing experiences and best practices with a large audience of peers for improved payment security,” said Bob Russo, general manager, PCI Security Standards Council. “And learning from one another is one of the best ways we as a community can continue to work together to increase payment card data protection globally. We’re looking forward to this year’s PCI in Practice sessions to hear about how these organizations representing different industries and geographies are effectively addressing PCI security within their unique business

Sometimes it is a good idea to have in-house skills

After many discussions with people responsible for achieving and maintaining PCI DSS compliance within their organisation and hearing about their problems and pains, I often think about the skills they need and where they can get them. They could recruit, outsource or train with training being the most cost effective.

I noticed on the PCI SSC website the details of their “PCI SSC Internal Security Assessor (ISA) Program” and the benefits it can deliver to large or complex merchants so I decided to promote it as a way of achieving some of the required in-house skills.

Knowing many highly skilled QSAs I would always say that their extensive knowledge of different scenarios and industries makes them the back-bone of the PCI DSS, not just from an audit perspective but their advisory and guidance skills.

The ISA programme gives candidates the opportunity to build their PCI Security Standards expertise and strengthen their approach to payment data security, as well as increase their efficiency in compliance with the PCI Data Security Standards. 

About the Training

Employee Education is the Best Defense for protecting your Organization’s Data Assets.

To address concerns about PCI compliance and card data security, the PCI Security Standards Council operates the Internal Security Assessor Program to assist firms seeking to educate their employees on PCI compliance regulations.  The program trains, tests, and certifies organizations and individuals to assess and validate adherence to PCI Security Standards. 

Who Should Attend?

ISA training is intended primarily for individuals who already possess significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing). 

The Benefits:

  • Improve your understanding of PCI DSS and how it can help protect your customer data and your business
  • Help your organization build internal expertise
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Earn CPE credits 

The Format: The Council recognizes that students may prefer different learning environments and offers ISA training in two formats: Instructor-led (ILT) and online ELearning. Same content. Same qualification. You decide what’s best for you. 

The ISA Training Program, for internal security assessment staff at ISA Sponsor Companies, is comprised of a four hour online pre-requisite course and exam called PCI Fundamentals followed by either an instructor-led course and exam or eLearning course and exam. Successful completion results in ISA qualification and PCI ISA certificate. 

Pre-Requisite Course Curriculum: This portion of the training assures that all participants attending the ISA Training Course have the same baseline understanding of the PCI SSC, card data environment, and the related terminology along with the industry relationships within the credit card transaction flow. It concludes with a multiple choice test.

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

ISA Course Curriculum Covers:

The ISA course is the next step for those students who have successfully completed the pre-requisite PCI Fundamentals course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements and testing procedures. In addition it addresses topics such Report on Compliance (ROC) documentation, QA ROC review, and compensating controls to name just a few. Also included in the instructor-led course are case studies that provide the ISA candidate with a simulation of assessment scenarios that may aid them in solving common problems found in their own environments. A multiple choice exam immediately follows the instructor-led course.  The exam may be conveniently scheduled at a Pearson VUE Testing Center for students that take the eLearning course.

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?
    • Industry overview
    • Terminology
    • Transaction data flow
    • Relationships between various organizations in the process
  • How the credit card brands differ in their validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of 2.0
    • Testing procedures
    • What constitutes compliance
  • PCI Hardware and Communications Infrastructure
  • PCI Reporting
  • Real world examples
    • Overview of compliance issues and mitigation strategies
    • Compensating controls
    • Creating policies
    • Modifying cardholder data environment

How to Register. Three Steps to Join as a Sponsor Company and Have your Employees Attend ISA training

Step 1 Submit required Sponsor Company documentation by mail.

  1. Original signed agreement, page 13 of the Validation Requirements document
    • The representative noted as your company primary contact should be prepared to receive all PCI SSC related communications
    • It is not required that your primary contact be an officer of your company
  2. Copy of your company business license (Articles of Incorporation are also acceptable)
  3. A fully completed Individual Certification page for each employee you wish to send to training

Step 2 An invoice will be issued via email to the primary contact listed on the agreement page once the application is received. Applications are reviewed within 5 business days of receipt.

The fees for the ISA training will be based on whether or not your company is a member of the PCI SSC Participating Organization Program.

The Participating Organization Program is a separate program and membership is not based on your company compliance to PCI DSS or the submission of the Sponsor Company documents outlined above.

Step 3 Upon receipt of payment, the designated primary contact will receive instructions for the online pre-requisite portion of the training. Once the PCI Fundamentals training and test have been passed successfully, the primary contact will receive the location details for the instructor-led class or login credentials for the eLearning class. This will not be released until online PCI Fundamentals training has been taken and the test passed.

2013 ISA Training Course Schedule

Date Location Time Participating   Organization Price Non-Participating   Organization Price
15-16 April London, UK 09:00-17:30 $2250 USD $3595
3-4 May New Orleans, LA, USA 09:00-17:30 $1495 USD $2595
20-21 May Denver, CO, USA 09:00-17:30 $1495 USD $2595
10-11 June Orlando, FL, USA 09:00-17:30 $1495 USD $2595
14-15 July Toronto, Canada 09:00-17:30 $1495 USD $2595
21-22 August Boston, MA, USA 09:00-17:30 $1495 USD $2595
22-23 September Las Vegas, NV, USA 09:00-17:30 $1495 USD $2595
October Nice, France 09:00-17:30 $2250 USD $3595
November Kuala Lumpur, Malaysia 09:00-17:30 $1495 USD $2595

Full details can be found here.

.

Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer a QSA with NDB has produced a list of 5 Mistakes all people striving for PCI DSS compliance must avoid. 

  1. Not conducting a formal Readiness Assessment.  It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement, rather, a proactive and necessary measure for properly defining and understanding many important facet of PCI, which by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important! 
  2. Having no buy in from senior management and others. “Going it alone” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support, have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon.  Remember, setting expectations for PCI compliance is a must, no questions about it. 
  3. Failing to understand PCI Scope.  Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black and white answer? Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance. 
  4. Not conducting Remediation efforts.  As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance.  What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope systems components, not just a chosen few.  A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here!  Simply put, remediate, and remediate all items that are in-scope for an actual PCI DSS assessment. 
  5. Failing to recognize the importance of policies and procedures.  Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures?  Very challenging and time-consuming, just look at the amount of documents that’s required by PCI – policies for this, procedures for that – get the point?  Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures.  As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

Supporting point 3 there is a good white paper “8 ways to reduce the scope of PCI DSS” here.

PCI Security Standards Council Internal Security Assessor (ISA) training now available as an eLearning course

The new self-paced eLearning course is an online version of the Council’s existing instructor-led ISA training.

ISA training provides businesses the opportunity to educate qualifying employees responsible for managing their PCI DSS security programs on how to assess and validate their company’s adherence to PCI Security Standards.

The curriculum is comprised of a four-hour online pre-requisite course and exam called PCI Fundamentals, followed by the ISA training session and exam. Now candidates have the option to attend the two-day instructor-led session or complete the eLearning training course online. eLearning candidates can then schedule to take the exam locally at one of more than 4,000 Pearson VUE Testing Centers worldwide.

Since 2010 when the ISA programme was launched there have been over 500 people gain the qualification

“We benefited from the interaction with fellow delegates taking the course, said PCI DSS Manager and ISA Parminder Lall, Everything Everywhere. “The ISA training provided a different spin on how to reduce cost when it comes to PCI efforts. We also gained insight into working with a Qualified Security Assessor (QSA) and seeing their side of things.”

The new eLearning option complements the Council’s already available online PCI Awareness training offering, a four-hour introductory PCI course. Businesses can take advantage of ISA training for their security professionals to ensure consistency in understanding their PCI DSS compliance efforts across their organization.

“The ISA program was developed in response to feedback from the PCI community requesting a course that would help organizations in training their own internal PCI experts,” said Bob Russo, general manager, PCI Security Standards Council. “We’re excited to be able to offer this popular session in a new online format, along with our PCI Awareness training, so more companies can take advantage of these resources to improve their PCI security efforts.”

For those who would like to attend an instructor lead course there are two available this year

  1. Orlando, Florida, USA on September 6-7; 10-11
  2. Dublin, Ireland on October 18-19.

For more information visit the PCI SSC website here.

For more information on PCI DSS, PA DSS, etc visit my PCI Resources page here.

.

PCI SSC announces formal training in Europe (London)

The Payment Card Industry Security Standards Council (PCI SSC) has announced three formal courses in London.

The three courses are:

Qualified Security Assessor (QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Qualified Security Assessors (QSAs), and to be re-certified each year. The five founding members of the Council recognize the QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI DSS standard.

  • PCI SSC QSA Date(s):  April 28 2012 – April 29 2012
  • Location:  London, United Kingdom
  • Fee:  3,000.00 USD

Payment Application Qualified Security Assessor (PA-QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Payment Application Qualified Security Assessors (PA-QSAs), and to be re-certified each year. The five founding members of the Council recognize the PA-QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI PA-DSS standard.

  • PCI SSC PA-QSA Date(s):  April 22 2012 – April 23 2012
  • Location:  London, United Kingdom
  • Fee:  2,000.00 USD

Internal Security Assessor (ISA) Training

The PCI SSC Internal Security Assessor Program (”ISA Program”) provides an opportunity for eligible internal security audit professionals of qualifying organizations to receive PCI DSS training and certification to improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

  • PCI SSC ISA Date(s):  April 26 2012 – April 27 2012
  • Location:  London, United Kingdom
  • Fee:  3,595.00 USD

Find the details here.

.

Only 21% of merchants were compliant and other startling PCI DSS facts from the coal face

Image representing Verizon as depicted in Crun...
Image via CrunchBase

Verizon have recently launched their 2011 Payment Industry Compliance Report, which draws on their experiences as a Qualified Security Advisor (QSA) company, and their previous annual reports.

Below are exerts from their report:-

Unchanged from last year:-

  • 21 % of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The PCI Requirements showed the highest implementation levels:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need to know)
  • 9 (restrict physical access)

Verizon concluded that organizations do not appear to be prioritising their compliance efforts against the PCI DSS Prioritized Approach (The Prioritized Approach is a free spreadsheet that can be download from the PCI Security Standards Council site, find it here).

Organizations that suffered data breaches were less likely to be compliant than a normal population of Verizon PCI clients.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change disappoints Verizon, as many in the industry were hoping to see an increase in overall compliance as PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • 78% met of all test procedures defined in the DSS at the time of their IROC
  • This is down 3% from Verizon’s last report

Verizon deduce that another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze,” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake.

When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Verizon believe that complacency and fatigue are two additional drags that make maintaining compliance year over year difficult.

Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.”

When examining the percentage of organizations passing each requirement at the IROC phase

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range
  • Six of the twelve show an increase over last year, and the average is up two points
  • However, the average number of test procedures met within each requirement is down 4%
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS

How do organisations perform against the 12 Requirement? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain+13 %

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

The improvement in compliance to Requirement 4 (encrypt transmissions) may indicate that administrators are deciding it is easier to direct all Internet traffic containing credit card data over SSL.

The small improvement in Requirement 7 (logical access) if significant at all could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 1 remains virtually unchanged since last year

  • 44% were compliant
  • 46% in the last report
  • Only 63% of companies met Requirement 1.1.5 regularly

The entire report can be found on the Verizon web site here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: