Brian Pennington

A blog about Cyber Security & Compliance

Tag

Qualified Security Assessor

Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer, a QSA with NDB, has produced a list of 5 mistakes that everyone striving for PCI DSS compliance must avoid.

  1. Not conducting a formal Readiness Assessment.  It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement, rather, a proactive and necessary measure for properly defining and understanding many important facets of PCI, which by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important!
  2. Having no buy in from senior management and others. “Going it alone” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support, have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon.  Remember, setting expectations for PCI compliance is a must, no questions about it. 
  3. Failing to understand PCI Scope.  Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black and white answer. Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance.
  4. Not conducting Remediation efforts.  As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance.  What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope systems components, not just a chosen few.  A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here!  Simply put, remediate, and remediate all items that are in-scope for an actual PCI DSS assessment. 
  5. Failing to recognize the importance of policies and procedures.  Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures?  Very challenging and time-consuming, just look at the amount of documents that’s required by PCI – policies for this, procedures for that – get the point?  Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures.  As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

In support of point 3, there is a good white paper, “8 ways to reduce the scope of PCI DSS”, here.

The average cost of a breach event is $7.2 million or $214 per compromised record

In promoting their Internal Security Assessor Training in Dublin, the Payment Card Industry Security Standards Council (PCI SSC) sent an email quoting the Verizon Data Breach Investigation Report 2011 statistics:

  • The average cost of a breach event is $7.2 million
  • The average cost per compromised record is $214

They used the statistics in their promotional email because they believe in the value of their Internal Security Assessor qualification and, with the PCI SSC’s European community meeting in Dublin next month, they are encouraging people to register and learn the skills required to improve PCI DSS compliance.

The promotional wording for the course is “Enhance your organization’s data security with an investment in training this year – and realize these benefits:”

  • Improve your organization’s understanding of PCI DSS
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Simplify year-round compliance efforts

The Dublin dates are 18-19 October 2012.

For more information on the course and to register click here, or email training@pcisecuritystandards.org with questions.

PCI Security Standards Council Internal Security Assessor (ISA) training now available as an eLearning course

The new self-paced eLearning course is an online version of the Council’s existing instructor-led ISA training.

ISA training provides businesses the opportunity to educate qualifying employees responsible for managing their PCI DSS security programs on how to assess and validate their company’s adherence to PCI Security Standards.

The curriculum is comprised of a four-hour online pre-requisite course and exam called PCI Fundamentals, followed by the ISA training session and exam. Now candidates have the option to attend the two-day instructor-led session or complete the eLearning training course online. eLearning candidates can then schedule to take the exam locally at one of more than 4,000 Pearson VUE Testing Centers worldwide.

Since the ISA programme was launched in 2010, over 500 people have gained the qualification.

“We benefited from the interaction with fellow delegates taking the course,” said PCI DSS Manager and ISA Parminder Lall, Everything Everywhere. “The ISA training provided a different spin on how to reduce cost when it comes to PCI efforts. We also gained insight into working with a Qualified Security Assessor (QSA) and seeing their side of things.”

The new eLearning option complements the Council’s already available online PCI Awareness training offering, a four-hour introductory PCI course. Businesses can take advantage of ISA training for their security professionals to ensure consistency in understanding their PCI DSS compliance efforts across their organization.

“The ISA program was developed in response to feedback from the PCI community requesting a course that would help organizations in training their own internal PCI experts,” said Bob Russo, general manager, PCI Security Standards Council. “We’re excited to be able to offer this popular session in a new online format, along with our PCI Awareness training, so more companies can take advantage of these resources to improve their PCI security efforts.”

For those who would like to attend an instructor-led course, there are two available this year:

  1. Orlando, Florida, USA on September 6-7; 10-11
  2. Dublin, Ireland on October 18-19.

For more information visit the PCI SSC website here.

For more information on PCI DSS, PA DSS, etc visit my PCI Resources page here.

PCI Point-to-Point Encryption Solution Requirements and Testing Procedures v1.1

The Payment Card Industry Security Standards Council (PCI SSC) has released version 1.1 of its Point-to-Point Encryption (P2PE) Solution Requirements and Testing Procedures.

The press release can be found here.

The main document is 210 pages long, but for those who have looked into this before there is a short four-page summary of changes from version 1.0 to version 1.1 here.

The document covers many things, but the five main scope assessments for P2PE Solutions are:

  1. Network Segmentation
  2. Third Parties/Outsourcing
  3. Sampling of System Components
  4. Multiple Acquirers
  5. P2PE Program Guide

Scope of Assessment for P2PE Solutions

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope. To ensure the accuracy of the solution scope is maintained on an ongoing basis, the solution provider must have processes in place that ensure the following:

  • Any changes are implemented in a manner that ensures continued adherence to P2PE requirements for the entire solution.
  • Any new rollouts/additions adhere to all P2PE solution requirements.
  • Any new rollouts/additions are included in the next P2PE assessment.

Network Segmentation

The solution provider must ensure that network segmentation is in place between any systems owned or managed by the solution provider that are used in the P2PE solution, and any that are not included in their PCI DSS compliant environment. The QSA (P2PE) must validate that the network segmentation is adequate to isolate the P2PE environment from out-of-scope networks and systems.

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

Multiple Acquirers

The P2PE standard outlines the technology and processes needed to ensure the security of a solution that protects account data from the point of interaction to the solution provider. In some instances, multiple acquirers or multiple solution providers may manage one or more P2PE solutions on the same merchant POI device. P2PE does not preclude these scenarios, as the business processes which govern this shared environment are outside the responsibility of the PCI SSC.

P2PE Program Guide

Please refer to the P2PE Program Guide for information about the P2PE program, including the following topics:

  • P2PE Report on Validation submission and acceptance processes
  • Annual renewal process for solutions included on the list of Validated P2PE Solutions
  • Notification responsibilities in the event a listed P2PE solution is determined to be at fault in a compromise

At-a-Glance – Steps Required to Create and Validate a P2PE Solution

The process for developing and validating a P2PE solution that uses SCDs for encryption, decryption, and cryptographic key management is provided below. This flow chart and the following table illustrate the parties responsible for implementing requirements and validating compliance with each domain, the high-level purpose of controls for each domain, and how validation of each domain can ultimately lead to a P2PE solution validation.

Like a lot of people I shall be looking into the details to see where existing and planned solutions meet the standard. The full 210 page document can be found here.

The PCI SSC has opened its registration for the 2012 PCI Community Meetings

PCI North American Community Meeting will be held on September 12-14, 2012 in Orlando, Florida

PCI European Community Meeting will be held this year in Dublin, Ireland, October 22-24, 2012

This year’s meetings offer Council Participating Organizations and PCI stakeholders access to three days of knowledge sharing, networking and learning, including keynote presentations from industry experts, PCI case studies, and technical sessions.

“2012 is a critical year in the standards development process that hinges on feedback from the PCI community. At this year’s meeting, we’ll focus on discussing stakeholder feedback on the standards in preparation for release of the next versions of the PCI DSS and PA-DSS in 2013, as well as share our successes and challenges, ideas and suggestions as a community,” said Bob Russo, general manager, PCI Security Standards Council. “We’ll discuss Council initiatives, including the Point-to-Point Encryption (P2PE) program, mobile payment acceptance security and other technology areas, as well as the work being done through our Special Interest Groups. Attendees will also have the opportunity to take advantage of our PCI SSC Training offerings.”

New to this year’s agenda, the Community Meetings will also feature:

  • Increased networking opportunities
  • Targeted breakout sessions for different stakeholder groups
  • More industry case studies delivered by members of the PCI community
  • Expanded opportunities to meet with card brands
  • Two-day vendor showcase
  • Event mobile app to help make the most of attendees’ time

Special sessions for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) will be held at the meetings.

Several training courses will also be available. These offerings provide participants the opportunity to combine the value of peer to peer education at the Community Meeting with more formal training sessions, maximizing their time in Orlando and Dublin.

“The record attendance at last year’s meeting is a strong testament to the work that together we as a community are doing to drive payment security forward globally, but especially within Europe,” said Jeremy King, European Regional Director. “I’m thrilled about the growing involvement of the PCI community in Europe and look forward to coming together in Dublin to continue this momentum.”

Attendance fees:

  • Participating Organization: First two registrants are free; $395 for additional registrants
  • Qualified Security Assessor (QSA)/Approved Scanning Vendor (ASV)/Internal Security Assessor (ISA)/PIN Transaction Security (PTS) members: First registrant is free; $695 for additional registrants

For more information, or to register

See you in Dublin.

PCI SSC announces formal training in Europe (London)

The Payment Card Industry Security Standards Council (PCI SSC) has announced three formal courses in London.

The three courses are:

Qualified Security Assessor (QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Qualified Security Assessors (QSAs), and to be re-certified each year. The five founding members of the Council recognize the QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI DSS standard.

  • PCI SSC QSA Date(s):  April 28 2012 – April 29 2012
  • Location:  London, United Kingdom
  • Fee:  3,000.00 USD

Payment Application Qualified Security Assessor (PA-QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Payment Application Qualified Security Assessors (PA-QSAs), and to be re-certified each year. The five founding members of the Council recognize the PA-QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI PA-DSS standard.

  • PCI SSC PA-QSA Date(s):  April 22 2012 – April 23 2012
  • Location:  London, United Kingdom
  • Fee:  2,000.00 USD

Internal Security Assessor (ISA) Training

The PCI SSC Internal Security Assessor Program (”ISA Program”) provides an opportunity for eligible internal security audit professionals of qualifying organizations to receive PCI DSS training and certification to improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

  • PCI SSC ISA Date(s):  April 26 2012 – April 27 2012
  • Location:  London, United Kingdom
  • Fee:  3,595.00 USD

Find the details here.

Only 21% of merchants were compliant and other startling PCI DSS facts from the coal face

Verizon have recently launched their 2011 Payment Industry Compliance Report, which draws on their experiences as a Qualified Security Assessor (QSA) company, and their previous annual reports.

Below are excerpts from their report:

Unchanged from last year:

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stage
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The PCI requirements that showed the highest implementation levels:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need to know)
  • 9 (restrict physical access)

Verizon concluded that organizations do not appear to be prioritising their compliance efforts against the PCI DSS Prioritized Approach (the Prioritized Approach is a free spreadsheet that can be downloaded from the PCI Security Standards Council site; find it here).

Organizations that suffered data breaches were less likely to be compliant than a normal population of Verizon PCI clients.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change disappoints Verizon, as many in the industry were hoping to see an increase in overall compliance as PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • Organizations met 78% of all test procedures defined in the DSS at the time of their IROC
  • This is down 3% from Verizon’s last report

Verizon deduce that another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze,” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake.

When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Verizon believe that complacency and fatigue are two additional drags that make maintaining compliance year over year difficult.

Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.”

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range
  • Six of the twelve show an increase over last year, and the average is up two points
  • However, the average number of test procedures met within each requirement is down 4%
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain: +13%

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

The improvement in compliance to Requirement 4 (encrypt transmissions) may indicate that administrators are deciding it is easier to direct all Internet traffic containing credit card data over SSL.

The small improvement in Requirement 7 (logical access) if significant at all could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 1 remains virtually unchanged since last year:

  • 44% were compliant
  • 46% in the last report
  • Only 63% of companies met Requirement 1.1.5 regularly

The entire report can be found on the Verizon web site here.

PCI Security Standards Council opens election for new Special Interest Groups

The PCI Security Standards Council (PCI SSC) opens election for new Special Interest Groups (SIG).

The Council developed Special Interest Groups (SIG) to leverage the expertise of more than 600 Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council. SIGs focus on providing recommendations to the Council which often results in guidance for the Community to interpret and implement the PCI Standards.

To date SIG participants have made significant contributions to Council resources on topics such as

  • Wireless security
  • EMV chip
  • Point-to-Point Encryption
  • Virtualized environments

Participating Organizations are invited to submit votes for their top three of the seven shortlisted proposals. The proposals were submitted by a cross-section of merchants, acquirers, industry associations, service providers, Qualified Security Assessors (QSA) and vendors. They cover the following topics:

  • Small ecommerce merchants
  • Effective patch management that is compliant with PCI DSS requirement 6.1
  • Administrative access to systems and devices
  • Cloud
  • Small businesses
  • Hosted, managed application and service providers
  • Risk assessments

“The Council is delighted at the level of input we’ve received from the community in the form of SIG proposals,” said Jeremy King, European director, PCI Security Standards Council. “I’m particularly pleased to see such broad global representation and perspectives in submissions. Securing payment card data is a global challenge and the Council’s worldwide stakeholders are uniquely positioned to partner with us in tackling this.”

The polls close on Friday November 4th 2011. Results will be announced following the election, together with next steps on how to volunteer for the Special Interest Groups.

Merchants are complacent about PCI DSS, report reveals.

Verizon have launched their 2011 Payment Industry Compliance Report, which draws on their experiences as a QSA company and previous annual reports.

Extracts from the report are below.

Unchanged from last year, only 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). Verizon commented: “This is interesting, since most were validated to be in compliance during their prior assessment”.

  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies).

The PCI requirements that showed the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need-to-know)
  • 9 (restrict physical access)

Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council, even less so than in the previous year.

A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.

Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were found fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change is disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC.
  • Down 3% from Verizon’s last report; but again, the difference is nominal.

Therefore, the baseline set by the PCI DSS must not reflect the baseline set by the companies themselves. For most organizations, to achieve compliance they must do things they were not previously doing (or maintaining).

Another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake. When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Complacency and fatigue are two additional drags that make maintaining compliance year over year difficult. Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.” But unless someone’s been babysitting a process, such as documenting and justifying all services allowed through the firewalls, things can easily be forgotten in the haste to get business done.

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range.
  • Six of the twelve show an increase over last year, and the average is up two points.
  • However, the average number of test procedures met within each requirement is down 4%.
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS.

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain: +13%

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

Requirement 4 (encrypt transmissions) showed a marked improvement which may indicate that administrators are deciding it’s easier to direct all Internet traffic containing credit card data over SSL.

Requirement 7 (logical access) showed a slight improvement, which could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 11’s low showing reminds us why ‘set and forget is a very bad bet’ should be a core mantra of the security profession. The fact that security policies rank among the lowest of the low is not a good sign since policy drives practice.

Requirement 1 remains virtually unchanged since last year, at 44% compliance, compared to the 46% in the last report. Only 63% of companies met Requirement 1.1.5 regularly.

Compliance is the continuous state of adhering to the regulatory standard. In the case of the PCI DSS there are daily (log review), weekly (file integrity monitoring), quarterly (vulnerability scanning), and annual (penetration testing) activities that an organization must perform in order to maintain this continuous state of compliance.

The entire report can be found on the Verizon web site here.

PCI DSS – updated guidelines for WiFi and new guidance on Bluetooth

The Wireless Special Interest Group (SIG) of the PCI Security Standards Council (PCI SSC) has released an Information Supplement for PCI DSS Wireless Guidelines.

The update aligns the guidance with version 2 of the PCI Data Security Standard and incorporates guidance for Bluetooth.

All Merchants and Credit Card processors should read the document, which can be found here.

The three main sections in the Information Supplement are:

  1. Wireless Guidance Overview
  2. Generally Applicable Wireless Requirements
  3. Applicable Requirements for In-scope Wireless Networks

For further information on the PCI Data Security Standard visit the PCI Resources page on my blog here.

Exactly how many Merchants are PCI DSS compliant?

The number of Merchants who are compliant with the Payment Card Industry Data Security Standard (PCI DSS) varies from continent to continent and country to country, but the figures released by VISA for the US make interesting reading.

The table below shows the results for the US up to the 30th June 2011 as per the VISA.com website.

| Cardholder Information Security Programme (CISP) Category (Visa Transactions per year) | Estimated Population Size | Estimated % of Visa Transactions | PCI DSS Compliance Validated | Validated Not Storing Prohibited Data |
|---|---|---|---|---|
| Level 1 Merchant (>6M) | 377 | 50% | 97% | 100% |
| Level 2 Merchant (1-6M) | 881 | 13% | 96% | 100% |
| Level 3 Merchant (e-commerce only 20,000-1M) | 3,024 | <5% | 60% | N/A |
| Level 4 Merchant (<1M) | ~5,000,000 | 32% | Moderate * | TBD |
| VisaNet Processor (Direct Connection) | 62 | 100% | 94% | High |
| Agent (Downstream) | 1,262 | N/A | 83% | High |

*Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications

Since the PCI DSS standard was released and enforced, the Level 1 Merchants have been the main focus of the Card Issuing companies and, of course, the QSAs because, as the table above shows, they represent the largest percentage of transactions for a single group and are a small enough number to easily manage. This focus is why Visa can report a near 100% validation rate for Level 1 Merchants.

The largest risk group by number of businesses is the Level 4 Merchants, with over 5,000,000 in the US alone.

Level 4 Merchants have not yet achieved a % on the Visa chart. This is probably because they do not need to have their Self Assessment Questionnaire (SAQ) validated by an external party, e.g. a QSA, except in rare circumstances. Reliance on the Merchant's ability to understand the requirements of PCI DSS and to be able to put in place the processes, policies and protections required to protect Credit Card Data requires a lot of “faith” by Visa.

The majority of credit card breaches happen in Level 4 Merchants, e.g. restaurants and hotels, which is why Visa is pushing EMV on a world-wide basis.

All in all it looks like the majority of Merchants are PCI DSS compliant, which means the programme is doing some good…

PCI DSS Compliance Trends Study, 2011

Imperva and Ponemon 2011 PCI DSS Compliance Trends Study. Survey of IT & IT security practitioners in the U.S.

The Payment Card Industry Data Security Standard (PCI DSS) continues to be one of the most important regulations for all organizations that hold, process or exchange cardholder information.

In 2009, Ponemon Institute, with sponsorship from Imperva, conducted the first study to determine if IT and IT security practitioners believe PCI compliance improves organizational security and how it affects the ability to respond to security threats affecting payment account data.

In this study, 2011 PCI DSS Compliance Trends Study, we (Imperva and Ponemon) continue to examine how efforts to comply with PCI affect the organization’s strategy, tactics and approach to achieving enterprise data protection and security and how the state of PCI compliance has changed since the first study. We also consider the reactions that IT and IT security practitioners in different-sized organizations have about compliance with PCI.

A total of 670 US and multinational IT and IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed on the following topics:

  • What is the state of PCI DSS compliance in the organization?
  • Who is most responsible in an organization for ensuring compliance with PCI DSS requirements?
  • What technologies are preferred to achieve compliance with PCI DSS requirements?
  • Does PCI DSS contribute to a decline in data breaches?
  • Where are the greatest threats to the security of cardholder data located?
  • What is the value PCI DSS compliance provides to the organization?

 This year’s report shows that:

  • 55% of respondents say their organization’s data breach incident did not concern the loss or theft of cardholder data 
  • 39% say one of the data breach incidents involved cardholder data and 6% report two to five incidents involving cardholder data 
  • The percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011 
  • Although the majority of PCI compliant organizations suffer fewer or no breaches, most practitioners still do not perceive the mandate to have a positive impact on data security 
  • About 64% of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period 
  • Certain technologies are adopted more quickly than others to comply with PCI. For example, code review saw the biggest decline in adoption 
  • The percentage of non-compliant companies decreased from 25% to 16%. Correspondingly, the percentage of fully compliant companies increased from 22% to 33% 
  • 38% of the compliant organizations say their organizations had two or more breaches in the past 24 months versus 78% of respondents in the non-compliant group 
  • 66% of respondents say their organizations retain and store primary account numbers for various reasons 
  • 33% of respondents see PCI DSS compliance costs as adding more value than other IT security expenditures. Another 35% say these expenditures are at about the same level of value. Finally, 32% see PCI DSS compliance costs as adding less value than other IT security expenditures made
  • 58% of respondents say that their organization has conducted or is in the process of conducting an audit or assessment by a bona fide QSA professional. Of those who have completed such an audit or assessment, 68% say that it helped the organization achieve its PCI DSS compliance requirements

Download the Imperva and Ponemon Report here

How to Choose a QSA – SANS

The Qualified Security Assessor (QSA) a Merchant chooses will dramatically affect how the Merchant achieves compliance.

In simple terms the right advice and guidance saves time and money whilst reducing risk and achieving compliance. The wrong advice or guidance could prove extremely costly.

SANS: “The independent white paper in this security KnowledgeVault is just one of the resources to help you make the right decision. It details the top 5 questions to ask a prospective QSA firm and offers guidelines on everything from making sure they adequately handle compensating controls to assessing their expertise with virtualization”.

The 5 questions are:

  1. For what types of organizations have you performed PCI DSS assessments?
  2. What is your background?
  3. Who will be performing the work?
  4. How do you validate and assess compensating controls?
  5. Are there examples of your assessments being used to improve security for clients?

Reading the white paper and asking these questions could prove vital to the successful completion of a PCI DSS project.

Download the white paper here. Registration is required.

Source: Dell and SANS

77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant

Orthus Limited, on the 7th March 2011, released the results of a survey conducted of 1000 Level 4 Merchants in the United Kingdom hospitality sector to verify their PCI DSS compliance status. 

The survey indicates that 77% of the 1000 Level 4 Merchants believed they were compliant with PCI DSS when in fact they were not.

The rest of the survey and its findings are below:

  • Of the respondents claiming to be PCI compliant, 94% stated they had conducted the required vulnerability assessment scanning.
  • Of the respondents claiming to be PCI compliant, only 36% stated they had conducted required security penetration testing.
  •  Of the respondents claiming to be PCI compliant, only 9% stated they had security policies.
  • Of the respondents claiming to be PCI compliant, not 1 had conducted the required wireless scanning.
  • Only 24% of the respondents stated they had executed a self assessment questionnaire (SAQ).
  • Of the 24% who had executed a SAQ, less than 50% had stated they had submitted it to their Acquirer.

“The results of the survey are disturbing and indicate that businesses do not understand the PCI DSS requirements and what constitutes compliance. Almost all of the Level 4 Merchants surveyed who mistakenly believed they were compliant stated that they were told by a vendor that compliance entailed conducting vulnerability scanning. Upon completing the scanning, the Merchants understood themselves to be compliant and therein lay the problem. Merchants are getting their information primarily from vendors who have a vested interest in selling their product.”

“Misinformation is a significant problem in the market.  Vendors are selling their products as facilitating PCI compliance and buyers are not doing their homework” says Orthus Data Compliance Specialist, Courtney Bryan.  “If the vendors are affiliated with an Acquiring Bank their products are even perceived as required for compliance so after a Merchant purchases them, they naturally assume they are now compliant” states Bryan.  

“Something has to be done about this problem. Merchants need unbiased advice and assistance with implementing this risk management framework to prevent card data theft and fraud. There is a real knowledge void in the market about what constitutes PCI DSS compliance and until it’s addressed – vendors will continue to exploit it while the Merchants carry the risks” says Bryan.

Orthus can be found at http://www.orthusintel.com and the press release for the survey “PCI Compliant: Are You Really Sure?” has cathy.jacobs@orthus.com as the contact

PCI Awareness Training – official courses are now available

The PCI Council has announced that it is offering PCI Awareness Training to anyone interested in learning more about PCI DSS.

The dates of the official council courses are:

  • March 11, 2011, London, England, 09:00-17:30, $995 USD plus local taxes
  • April 1, 2011, Sydney, Australia, 09:00-17:30, $1500 USD plus local taxes

 Course Description

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?  An overview of the payment card industry, the terminology used within the industry, the flow of transaction data through the various components that make up the payment card industry, and the relationships between the various organizations in the process.
  • How the credit card brands differ in their validation and reporting requirements – Detailed coverage of the classifications and compliance requirements for merchants and service providers and details about the various card brands’ compliance programs.
  • Roles and Responsibilities – Descriptions of the key actors in the compliance process including high-level overviews of the Qualified Security Assessor (QSA), Internal Security Assessor (ISA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV) programs.
  • PCI Data Security Standard (DSS) – An overview of the current DSS (version 2.0), the testing procedures for validating compliance, and what constitutes compliance with the requirements.
  • PCI Hardware and Communications Infrastructure – Generalized overview of the types of devices used by organizations to accept payment cards and communicate with the verification and payment facilities.
  • PCI Reporting – An overview of the different types of reports that must be submitted to the card brands or their designated agents to demonstrate compliance (or non-compliance) of the organizations filing the reports.
  • Real world examples – An overview of compliance issues and mitigation strategies including defining compensating controls, creating policies and modifying the cardholder data environment.

 

PCI often fails because of an employee’s action, so it is good to see the PCI Council has launched these courses. However, there is only one course in Europe and it is on a first come, first served basis, which means only a few of the millions of European Merchants will gain any advantage.

I have found “general” PCI Awareness courses fail to meet the needs of organisations because:

  • The course will be pitched at differing skill levels, from beginners (hopefully there are not too many left) to experts who may have been through external Audits by a QSA.
  • It is not specific to an industry type; the needs of an e-commerce merchant are very different from those of a mail order/telephone merchant.
  • The individual employee has the daunting task of taking the knowledge and rehashing it for the rest of their organisation. Even if they have the slide ware they never have the gravitas of an external trainer or QSA who can handle all the questions that will be fielded.

 

There are alternative sources of training that will deliver public or bespoke courses for an organisation.

In a recent client scenario, we provided a 1-day classroom-based training for senior managers, a series of ½-day road trip stops at local sites for branch workers and 1-hour web-based sessions for field-based staff.

This ensured the right people gained the right knowledge when and where the client required it.

Find the details of the PCI Council courses here or ping me an email for ideas on how you can make your employees more aware of PCI.
