Brian Pennington

A blog about Cyber Security & Compliance

Tag: Qualified Security Assessor

Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer, a QSA with NDB Advisory, has produced a list of five mistakes that anyone striving for PCI DSS compliance must avoid. In his words:

  1. Not conducting a formal Readiness Assessment.  It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standard (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement; rather, it is a proactive and necessary measure for properly defining and understanding many important facets of PCI, which, by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important! 
  2. Having no buy-in from senior management and others. “Going it alone”, as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance it’s not only a bad idea, but one that creates real challenges for organizations. Sure, management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support? Have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon.  Remember, setting expectations for PCI compliance is a must, no questions about it. 
  3. Failing to understand PCI scope.  Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black-and-white answer. Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance. 
  4. Not conducting Remediation efforts.  As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance.  What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope systems components, not just a chosen few.  A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here!  Simply put, remediate, and remediate all items that are in-scope for an actual PCI DSS assessment. 
  5. Failing to recognize the importance of policies and procedures.  Here’s an issue that often goes unnoticed regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures?  Very challenging and time-consuming; just look at the number of documents PCI requires – policies for this, procedures for that – get the point?  Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures.  As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

Supporting point 3, there is a good white paper, “8 ways to reduce the scope of PCI DSS”, here.
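The scoping questions in point 3 (a “flat” network, what counts as the CDE, which third parties connect to it) come down to connectivity. The following is an added example, not code from the original post or from NDB Advisory: it takes a constructed host inventory and a constructed zone-level firewall policy and applies the standard PCI DSS reasoning (hosts handling cardholder data, and everything on their segment, form the CDE; hosts with a permitted flow to or from the CDE are connected-to and in scope; the rest are out of scope only while segmentation is verified). All hostnames, zones and rules are assumptions made up for the example.

```python
"""Added example (not from the original post or NDB Advisory): PCI DSS scoping as a
connectivity question over a constructed inventory and zone-level firewall policy."""

# Constructed inventory: host -> zone and whether it handles cardholder data (CHD).
INVENTORY = {
    "pos-gw-01": {"zone": "cde", "chd": True},
    "db-pan-01": {"zone": "cde", "chd": True},
    "jump-01": {"zone": "cde", "chd": False},    # no CHD, but sits in the CDE zone
    "ad-dc-01": {"zone": "ids", "chd": False},   # directory services used by the CDE
    "patch-01": {"zone": "mgmt", "chd": False},  # pushes patches into the CDE
    "wiki-01": {"zone": "corp", "chd": False},
    "hr-01": {"zone": "corp", "chd": False},
}

# Constructed firewall policy: (src_zone, dst_zone, port). "any" matches every zone.
RULES = [
    ("cde", "ids", 389),    # LDAP from CDE hosts to the domain controller
    ("mgmt", "cde", 443),   # patch server into the CDE
    ("corp", "corp", 80),   # intranet traffic, never touches the CDE
]


def permitted_pairs(inventory, rules):
    """Expand 'any' and return every (src_zone, dst_zone) pair the policy allows."""
    zones = {host["zone"] for host in inventory.values()}
    pairs = set()
    for src, dst, _port in rules:
        for s in (zones if src == "any" else {src}):
            for d in (zones if dst == "any" else {dst}):
                pairs.add((s, d))
    return pairs


def classify(inventory, rules):
    """Split hosts into CDE, connected-to (in scope) and out-of-scope lists."""
    pairs = permitted_pairs(inventory, rules)
    cde_zones = {host["zone"] for host in inventory.values() if host["chd"]}
    result = {"cde": [], "connected": [], "out_of_scope": []}
    for name, host in sorted(inventory.items()):
        zone = host["zone"]
        if host["chd"] or zone in cde_zones:
            # Same segment as CHD hosts: nothing separates it from the CDE.
            result["cde"].append(name)
        elif any((zone, c) in pairs or (c, zone) in pairs for c in cde_zones):
            result["connected"].append(name)
        else:
            result["out_of_scope"].append(name)
    return result


def broad_rules(rules):
    """Rules that use 'any' on either side: the usual way a 'flat' network sneaks in."""
    return [r for r in rules if "any" in (r[0], r[1])]


if __name__ == "__main__":
    for bucket, hosts in classify(INVENTORY, RULES).items():
        print(f"{bucket:>12}: {', '.join(hosts) or '-'}")
    # One overly broad rule and the whole corp zone is connected-to the CDE.
    flat = RULES + [("any", "cde", 22)]
    print("with any->cde rule, out of scope:", classify(INVENTORY, flat)["out_of_scope"])
```

Run it and the corp zone stays out of scope; add the single any-to-cde SSH rule in the main block and every host becomes connected-to, which is what a flat network means for an assessment. The classification is only as good as the rulebase you feed it, and a QSA will still expect segmentation to be verified by testing rather than by reading the policy.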

The average cost of a breach event is $7.2 million or $214 per compromised record

In promoting its Internal Security Assessor training in Dublin, the Payment Card Industry Security Standards Council (PCI SSC) sent an email quoting two statistics, which it attributed to the Verizon Data Breach Investigations Report 2011:

  • The average cost of a breach event is $7.2 million
  • The average cost per compromised record is $214

(Those two figures are in fact the headline numbers of the Ponemon Institute’s 2010 U.S. Cost of a Data Breach study; the Verizon DBIR does not estimate breach cost per record.) The PCI SSC used them because it believes in the value of its Internal Security Assessor qualification, and with its European Community Meeting in Dublin next month it is encouraging people to register and learn the skills needed to improve PCI DSS compliance.

The promotional wording for the course is “Enhance your organization’s data security with an investment in training this year – and realize these benefits:”

  • Improve your organization’s understanding of PCI DSS
  • Facilitate interaction with a QSA for your organization
  • Enhance payment card data security and manage compliance costs
  • Simplify year-round compliance efforts

The Dublin dates are 18-19 October 2012.

For more information on the course and to register click here, or email training@pcisecuritystandards.org with questions.


PCI Security Standards Council Internal Security Assessor (ISA) training now available as an eLearning course

The new self-paced eLearning course is an online version of the Council’s existing instructor-led ISA training.

ISA training provides businesses the opportunity to educate qualifying employees responsible for managing their PCI DSS security programs on how to assess and validate their company’s adherence to PCI Security Standards.

The curriculum is comprised of a four-hour online pre-requisite course and exam called PCI Fundamentals, followed by the ISA training session and exam. Now candidates have the option to attend the two-day instructor-led session or complete the eLearning training course online. eLearning candidates can then schedule to take the exam locally at one of more than 4,000 Pearson VUE Testing Centers worldwide.

Since the ISA programme was launched in 2010, more than 500 people have gained the qualification.

“We benefited from the interaction with fellow delegates taking the course,” said PCI DSS Manager and ISA Parminder Lall of Everything Everywhere. “The ISA training provided a different spin on how to reduce cost when it comes to PCI efforts. We also gained insight into working with a Qualified Security Assessor (QSA) and seeing their side of things.”

The new eLearning option complements the Council’s already available online PCI Awareness training offering, a four-hour introductory PCI course. Businesses can take advantage of ISA training for their security professionals to ensure consistency in understanding their PCI DSS compliance efforts across their organization.

“The ISA program was developed in response to feedback from the PCI community requesting a course that would help organizations in training their own internal PCI experts,” said Bob Russo, general manager, PCI Security Standards Council. “We’re excited to be able to offer this popular session in a new online format, along with our PCI Awareness training, so more companies can take advantage of these resources to improve their PCI security efforts.”

For those who would like to attend an instructor-led course, there are two available this year:

  1. Orlando, Florida, USA on September 6-7; 10-11
  2. Dublin, Ireland on October 18-19.

For more information visit the PCI SSC website here.

For more information on PCI DSS, PA DSS, etc visit my PCI Resources page here.


PCI Point-to-Point Encryption Solution Requirements and Testing Procedures v1.1

The PCI Security Standards Council (PCI SSC) has released version 1.1 of its Solution Requirements and Testing Procedures for Point-to-Point Encryption (P2PE).

The press release can be found here.

The main document is 210 pages long, but for those who have looked at this before there is a short four-page summary of changes from version 1.0 to version 1.1 here.

The document covers a great deal; its Scope of Assessment section addresses five topics:

  1. Network Segmentation
  2. Third Parties/Outsourcing
  3. Sampling of System Components
  4. Multiple Acquirers
  5. P2PE Program Guide

Scope of Assessment for P2PE Solutions

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope. To ensure the accuracy of the solution scope is maintained on an ongoing basis, the solution provider must have processes in place that ensure the following:

  • Any changes are implemented in a manner that ensures continued adherence to P2PE requirements for the entire solution.
  • Any new rollouts/additions adhere to all P2PE solution requirements.
  • Any new rollouts/additions are included in the next P2PE assessment.

Network Segmentation

The solution provider must ensure that network segmentation is in place between any systems owned or managed by the solution provider that are used in the P2PE solution, and any that are not included in their PCI DSS compliant environment. The QSA (P2PE) must validate that the network segmentation is adequate to isolate the P2PE environment from out-of-scope networks and systems.

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

Multiple Acquirers

The P2PE standard outlines the technology and processes needed to ensure the security of a solution that protects account data from the point of interaction to the solution provider. In some instances, multiple acquirers or multiple solution providers may manage one or more P2PE solutions on the same merchant POI device. P2PE does not preclude these scenarios, as the business processes which govern this shared environment are outside the responsibility of the PCI SSC.

P2PE Program Guide

Please refer to the P2PE Program Guide for information about the P2PE program, including the following topics:

  • P2PE Report on Validation submission and acceptance processes
  • Annual renewal process for solutions included on the list of Validated P2PE Solutions
  • Notification responsibilities in the event a listed P2PE solution is determined to be at fault in a compromise


At-a-Glance – Steps Required to Create and Validate a P2PE Solution

The document closes with a flow chart and a table (not reproduced here) that show the process for developing and validating a P2PE solution that uses SCDs (secure cryptographic devices) for encryption, decryption and cryptographic key management: which party is responsible for implementing and validating each domain, the high-level purpose of each domain’s controls, and how validation of every domain ultimately leads to validation of the whole P2PE solution.

Like a lot of people I shall be looking into the details to see where existing and planned solutions meet the standard. The full 210 page document can be found here.


The PCI SSC has opened its registration for the 2012 PCI Community Meetings

PCI North American Community Meeting will be held on September 12-14, 2012 in Orlando, Florida

PCI European Community Meeting will be held this year in Dublin, Ireland, October 22-24, 2012

This year’s meetings offer Council Participating Organizations and PCI stakeholders access to three days of knowledge sharing, networking and learning, including keynote presentations from industry experts, PCI case studies, and technical sessions.

“2012 is a critical year in the standards development process that hinges on feedback from the PCI community. At this year’s meeting, we’ll focus on discussing stakeholder feedback on the standards in preparation for release of the next versions of the PCI DSS and PA-DSS in 2013, as well as share our successes and challenges, ideas and suggestions as a community,” said Bob Russo, general manager, PCI Security Standards Council. “We’ll discuss Council initiatives, including the Point-to-Point Encryption (P2PE) program, mobile payment acceptance security and other technology areas, as well as the work being done through our Special Interest Groups. Attendees will also have the opportunity to take advantage of our PCI SSC Training offerings.”

New to this year’s agenda, the Community Meetings will also feature:

  • Increased networking opportunities
  • Targeted breakout sessions for different stakeholder groups
  • More industry case studies delivered by members of the PCI community
  • Expanded opportunities to meet with card brands
  • Two-day vendor showcase
  • Event mobile app to help make the most of attendees’ time

Special sessions for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) will be held at the meetings.

Several training courses will also be available. These offerings provide participants the opportunity to combine the value of peer to peer education at the Community Meeting with more formal training sessions, maximizing their time in Orlando and Dublin.

“The record attendance at last year’s meeting is a strong testament to the work that together we as a community are doing to drive payment security forward globally, but especially within Europe,” said Jeremy King, European Regional Director. “I’m thrilled about the growing involvement of the PCI community in Europe and look forward to coming together in Dublin to continue this momentum.”

Attendance fees:

  • Participating Organization: First two registrants are free; $395 for additional registrants
  • Qualified Security Assessor (QSA)/Approved Scanning Vendor (ASV)/Internal Security Assessor (ISA)/PIN Transaction Security (PTS) members: First registrant is free; $695 for additional registrants

For more information, or to register, visit the PCI SSC website.

See you in Dublin.


PCI SSC announces formal training in Europe (London)

The Payment Card Industry Security Standards Council (PCI SSC) has announced three formal courses in London.

The three courses are:

Qualified Security Assessor (QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Qualified Security Assessors (QSAs), and to be re-certified each year. The five founding members of the Council recognize the QSAs certified by the PCI Security Standards Council as being qualified to assess compliance with the PCI DSS.

  • PCI SSC QSA Date(s):  April 28 2012 – April 29 2012
  • Location:  London, United Kingdom
  • Fee:  3,000.00 USD

Payment Application Qualified Security Assessor (PA-QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Payment Application Qualified Security Assessors (PA-QSAs), and to be re-certified each year. The five founding members of the Council recognize the PA-QSAs certified by the PCI Security Standards Council as being qualified to assess compliance with the PA-DSS.

  • PCI SSC PA-QSA Date(s):  April 22 2012 – April 23 2012
  • Location:  London, United Kingdom
  • Fee:  2,000.00 USD

Internal Security Assessor (ISA) Training

The PCI SSC Internal Security Assessor Program (”ISA Program”) provides an opportunity for eligible internal security audit professionals of qualifying organizations to receive PCI DSS training and certification to improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

  • PCI SSC ISA Date(s):  April 26 2012 – April 27 2012
  • Location:  London, United Kingdom
  • Fee:  3,595.00 USD

Find the details here.


Only 21% of merchants were compliant and other startling PCI DSS facts from the coal face


Verizon has recently published its 2011 Payment Industry Compliance Report, which draws on its experience as a Qualified Security Assessor (QSA) company and on its previous annual reports.

Below are extracts from the report.

Unchanged from last year:

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The requirements with the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need to know)
  • 9 (restrict physical access)

Verizon concluded that organizations do not appear to be prioritising their compliance efforts against the PCI DSS Prioritized Approach (the Prioritized Approach is a free spreadsheet that can be downloaded from the PCI Security Standards Council site; find it here).

Organizations that suffered data breaches were less likely to be compliant than a normal population of Verizon PCI clients.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change disappoints Verizon, as many in the industry were hoping to see an increase in overall compliance as PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC
  • This is down 3% from Verizon’s last report

Verizon observe that another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze,” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake.

When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Verizon believe that complacency and fatigue are two additional drags that make maintaining compliance year over year difficult.

Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.”

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range
  • Six of the twelve show an increase over last year, and the average is up two points
  • However, the average number of test procedures met within each requirement is down 4%
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS

How do organisations perform against the 12 Requirements? The four highest rated are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, +13%.

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

The improvement in compliance to Requirement 4 (encrypt transmissions) may indicate that administrators are deciding it is easier to direct all Internet traffic containing credit card data over SSL.

The small improvement in Requirement 7 (logical access) if significant at all could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 1 remains virtually unchanged since last year:

  • 44% were compliant
  • 46% in the last report
  • Only 63% of companies regularly met Requirement 1.1.5 (documentation and business justification for every service, protocol and port allowed)

The entire report can be found on the Verizon web site here.


PCI Security Standards Council opens election for new Special Interest Groups

The PCI Security Standards Council (PCI SSC) opens election for new Special Interest Groups (SIG).

The Council developed Special Interest Groups (SIGs) to leverage the expertise of more than 600 Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council. SIGs focus on providing recommendations to the Council, which often result in guidance for the community on interpreting and implementing the PCI Standards.

To date SIG participants have made significant contributions to Council resources on topics such as

  • Wireless security
  • EMV chip
  • Point-to-Point Encryption
  • Virtualized environments

Participating Organizations are invited to submit votes for their top three of the seven shortlisted proposals. The proposals were submitted by a cross-section of merchants, acquirers, industry associations, service providers, Qualified Security Assessors (QSA) and vendors. They cover the following topics:

  • Small ecommerce merchants
  • Effective patch management that is compliant with PCI DSS requirement 6.1
  • Administrative access to systems and devices
  • Cloud
  • Small businesses
  • Hosted, managed application and service providers
  • Risk assessments

“The Council is delighted at the level of input we’ve received from the community in the form of SIG proposals,” said Jeremy King, European director, PCI Security Standards Council. “I’m particularly pleased to see such broad global representation and perspectives in submissions. Securing payment card data is a global challenge and the Council’s worldwide stakeholders are uniquely positioned to partner with us in tackling this.”

The polls close on Friday 4 November 2011. Results will be announced following the election, together with next steps on how to volunteer for the Special Interest Groups.


Merchants are complacent about PCI DSS, report reveals.


Verizon has published its 2011 Payment Industry Compliance Report, which draws on its experience as a QSA company and on its previous annual reports.

Extracts from the report are below.

Unchanged from last year, only 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). Verizon commented: “This is interesting, since most were validated to be in compliance during their prior assessment”.

  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the DSS requirements
  • 60 % scored above the 80 % mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies).

The requirements with the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need-to-know)
  • 9 (restrict physical access)

Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council, even less so than in the previous year.

A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.

Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.

In the pool of assessments performed by Verizon QSAs included in this report

  • 21% were found fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change is disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC.
  • Down 3% from Verizon’s last report; but again, the difference is nominal.

The baseline set by the PCI DSS therefore does not reflect the baseline companies set for themselves: to achieve compliance, most organizations must do things they were not previously doing (or maintaining).

Another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence:

 “It was painful, but we made it through last year, so this year should be a breeze”

is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake. When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Complacency and fatigue are two additional drags that make maintaining compliance year over year difficult. Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.” But unless someone’s been babysitting a process, such as documenting and justifying all services allowed through the firewalls, things can easily be forgotten in the haste to get business done.

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range.
  • Six of the twelve show an increase over last year, and the average is up two points.
  • However, the average number of test procedures met within each requirement is down 4%.
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS.

How do organisations perform against the 12 Requirements? The four highest rated are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, +13%.

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

Requirement 4 (encrypt transmissions) showed a marked improvement which may indicate that administrators are deciding it’s easier to direct all Internet traffic containing credit card data over SSL.

Requirement 7 (logical access) showed a slight improvement, which could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.
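Requirement 3 sits at the bottom of both of these report summaries, so here is an added example (not from the Verizon report or this post) of why “unreadable” is harder than it looks. It uses a constructed test PAN, masks it to first six and last four, and then shows that an unkeyed SHA-256 of the same PAN can be recovered from the masked form by enumerating the hidden digits, with the Luhn check digit pruning the search. A keyed hash (HMAC with a secret key) defeats that enumeration; the key, the mask width and the hash choice are this example’s assumptions.

```python
"""Added example (not from the Verizon report or the original post): masking, unkeyed
hashing and keyed hashing of a constructed test PAN, and why the unkeyed form fails."""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812), as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: looks 'unreadable' but is brute-forceable (see below)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: the search below cannot be run without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_masked(masked: str, digest: str) -> Optional[str]:
    """Attacker view: given the masked PAN and an unkeyed digest, enumerate the hidden
    digits. For a 16-digit PAN that is 10**6 candidates, of which only the tenth that
    pass Luhn need hashing: well under a second on a laptop."""
    hidden = masked.count("*")
    prefix, suffix = masked[:6], masked[-4:]
    for n in range(10 ** hidden):
        candidate = prefix + str(n).zfill(hidden) + suffix
        if luhn_ok(candidate) and plain_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed: a well-known test number, not a live card
    masked = mask_pan(pan)
    print("masked:", masked)
    print("recovered from plain hash:", recover_from_masked(masked, plain_hash(pan)))
    key = secrets.token_bytes(32)  # in practice a key managed under Requirements 3.5 and 3.6
    print("keyed digest:", keyed_hash(pan, key)[:16], "...")
```

The recovery takes well under a second for a 16-digit PAN, which is why a hashed PAN and a truncated PAN of the same card must not be stored where they can be correlated unless the hash is keyed. The keyed form also shows where the “annual key rotation” headache comes from: rotating an HMAC key means recomputing every stored digest, which needs the original PANs you no longer hold, so in practice digests under the old key are kept until they age out, or the design uses encryption so that stored data can be re-encrypted under the new key.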

Requirement 11’s low showing reminds us why ‘set and forget is a very bad bet’ should be a core mantra of the security profession. The fact that security policies rank among the lowest of the low is not a good sign since policy drives practice.

Requirement 1 remains virtually unchanged since last year, at 44% compliance compared with 46% in the last report. Only 63% of companies regularly met Requirement 1.1.5 (documentation and business justification for every service, protocol and port allowed).
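Requirement 1.1.5 is the control behind the “documenting and justifying all services allowed through the firewalls” remark earlier in this post, and the 63% figure suggests it is where Requirement 1 is lost. The following is an added example, not from the Verizon report or this post: it reconciles a constructed, vendor-neutral CSV export of firewall rules against a constructed justification register and reports allowed services with no justification, register entries that no rule still permits, and insecure protocols allowed without a documented mitigation. Rule identifiers, zone names, the CSV layout and the list of insecure ports are all assumptions.

```python
"""Added example (not from the Verizon report or the original post): reconciling a
firewall rulebase against a Requirement 1.1.5 service-justification register."""
import csv
import io

# Constructed firewall export: one allow/deny rule per row.
RULES_CSV = """\
id,src,dst,proto,port,action
10,any,cde-web,tcp,443,allow
11,cde-web,cde-db,tcp,1433,allow
12,mgmt,cde-db,tcp,22,allow
13,mgmt,cde-web,tcp,23,allow
14,any,any,any,any,deny
"""

# Constructed justification register: one row per permitted service into the CDE.
JUSTIFICATIONS_CSV = """\
proto,port,dst,owner,justification,insecure_mitigation
tcp,443,cde-web,web-team,Customer checkout over TLS,
tcp,1433,cde-db,dba,Application database access,
tcp,22,cde-db,ops,Administrative SSH with two-factor authentication,
tcp,21,cde-web,ops,Legacy FTP upload,Restricted to one partner address
"""

# Services an assessor expects to see justified with extra security features, if allowed at all.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(rules, justifications):
    """Compare allow rules with the register; return the three finding lists."""
    register = {(j["proto"], j["port"], j["dst"]): j for j in justifications}
    findings = {"undocumented": [], "stale": [], "insecure_unmitigated": []}
    matched = set()
    for rule in rules:
        if rule["action"] != "allow":
            continue
        key = (rule["proto"], rule["port"], rule["dst"])
        entry = register.get(key)
        if entry is None:
            findings["undocumented"].append(rule["id"])
        else:
            matched.add(key)
        port = int(rule["port"]) if rule["port"].isdigit() else None
        if port in INSECURE_PORTS and not (entry and entry["insecure_mitigation"]):
            findings["insecure_unmitigated"].append((rule["id"], INSECURE_PORTS[port]))
    # Register entries no rule matches any more: documentation nobody cleaned up.
    findings["stale"] = [key for key in register if key not in matched]
    return findings


if __name__ == "__main__":
    for name, items in reconcile(load(RULES_CSV), load(JUSTIFICATIONS_CSV)).items():
        print(f"{name}: {items or 'none'}")
```

The stale-entry check matters as much as the undocumented-rule check: an assessor who finds an FTP justification with no matching rule will ask when the register was last reviewed, and the answer usually explains the telnet rule that nobody documented.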

Compliance is the continuous state of adhering to the standard. In the case of the PCI DSS there are daily (log review), weekly (file integrity monitoring), quarterly (vulnerability scanning) and annual (penetration testing) activities that an organization must perform in order to maintain this continuous state of compliance.
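To make the continuous-compliance point concrete, here is an added example (not from the Verizon report or this post) that treats the daily, weekly, quarterly and annual activities listed above as intervals to check against an evidence log. The intervals (with “quarterly” read as 90 days), the activity names and the evidence entries are constructed assumptions; the one rule worth noticing is that a vulnerability scan that ran but failed is logged yet does not reset the clock, which is how a quarter quietly goes missing.

```python
"""Added example (not from the Verizon report or the original post): checking recurring
PCI DSS activities against an evidence log instead of trusting the calendar."""
from datetime import date, timedelta

# Maximum allowed gap between completions; "quarterly" as 90 days is this example's reading.
INTERVALS = {
    "daily log review": timedelta(days=1),
    "weekly FIM review": timedelta(days=7),
    "quarterly external vulnerability scan": timedelta(days=90),
    "annual penetration test": timedelta(days=365),
}

# Constructed evidence log: (activity, date completed, passed?)
EVIDENCE = [
    ("daily log review", date(2012, 10, 17), True),
    ("weekly FIM review", date(2012, 10, 15), True),
    ("quarterly external vulnerability scan", date(2012, 6, 1), True),
    ("quarterly external vulnerability scan", date(2012, 9, 20), False),  # ran, but failed
    ("annual penetration test", date(2011, 11, 2), True),
]


def compliance_status(intervals, evidence, today):
    """Per activity: (last passing date or None, next due date or None, overdue?)."""
    status = {}
    for activity, interval in intervals.items():
        passes = [d for a, d, ok in evidence if a == activity and ok]  # failed runs do not count
        last = max(passes) if passes else None
        due = last + interval if last else None
        status[activity] = (last, due, due is None or due < today)
    return status


def overdue(intervals, evidence, today):
    """Names of activities whose last passing evidence is older than the allowed interval."""
    return [a for a, (_, _, late) in compliance_status(intervals, evidence, today).items() if late]


if __name__ == "__main__":
    today = date(2012, 10, 18)
    for activity, (last, due, late) in compliance_status(INTERVALS, EVIDENCE, today).items():
        print(f"{activity:<40} last={last} due={due} {'OVERDUE' if late else 'ok'}")
```

Pointing this at the real evidence store (ticket closures, scan reports, penetration-test sign-offs) turns the IROC surprise the report describes into something visible months earlier.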

The entire report can be found on the Verizon web site here.

