Call out for more Twitter Followers

Start following us @Sysnetgs on Twitter for useful links to up to date industry related news!!

New Facebook Company Page - Sysnet Global Solutions

Just launched our new company page on FB - Would REALLY appreciate some 'Likes' for our FB page. Thanks in advance!! http://www.facebook.com/pages/Sysnet-Global-Solutions/244306142246419

PCI DSS in the Retail Sector

The 6 leading worldwide major payment card brands established the Payment Card Industry Data Security Standards (PCI DSS) as a standard to protect cardholder data from malicious attacks. Due to the numerous ways the retail sector processes card payments; it is not surprising that they are a prime target for attack from the criminal fraternity. Retail merchants vary in size ranging from individual self-employed traders that may use a single payment terminal, to the larger retail giants such as supermarkets with networked estates of 30,000+ terminals. Additionally, Retailers often provide mail and telephone order delivery channels, where call centre staff will have access to large amounts of cardholder data.

Furthermore, with the Internet being the fastest growing retail sector, many merchants are turning to this sales channel to attract a wider audience for their goods and services – however if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world.


‘If the scope is not complete it could result in a breach of cardholder data’


PCI DSS compliance in practice
The following are some critical areas that are typical for a retail environment, but may be overlooked:



  • Merchant Receipts: Although many new terminals now print the PAN truncated (displaying the first 6 and last four digits), older terminals may print the full PAN on merchant receipts. Therefore, merchant receipts are in scope. Furthermore, other physical media such as chargeback forms and physical faxes may be present. Any media containing the PAN must be handled, stored and disposed of in a secure manner. Ensure your organisation does not simply leave transaction receipts in public areas or place them in plastic bin bags to be thrown away; they should be treated the same as cash.


  • Sales/Customer Services Team: If the merchant maintains an electronic point of sale system, the equipment may be vulnerable to ‘keyloggers’ either by hardware (connected to the keyboard and hidden from view behind the PC) or by malicious software (installed deliberately or accidentally) may capture keystrokes.


  • Call Recordings: If calls are recorded. Storing the PAN in an encrypted format is permitted, however the storage of any CVV (sensitive authentication value) is prohibited by PCI DSS and must not be recorded.


  • Post-authorisation: Storing sensitive authentication data post-authorisation is strictly prohibited by PCI DSS. Ensure sensitive authentication data is not stored after authorisation.


  • Video Monitoring: Most CCTV footage is destroyed after a month, however under PCI DSS requirements access mechanism logs should be retained for at least 3 months.


  • Indirectly Connected Devices: Any machines not involved in cardholder data processes, but are logically connected to devices that do process, store or transmit cardholder data will be in scope.


  • Terminal/POS Responsibility: POS systems usually are mounted on underlying operating systems such as Windows 98, 2000, XP or later and should be included within an organisations PCI DSS project scope . However, this is often not considered.


  • Private Networks: ‘Private’ networks provisioned by a service provider may actually be shared. Ensure that the perimeter device to the private network is not connecting out over the Internet.

‘PCI DSS is achievable with guidance and an effective roadmap’



Achieving PCI DSS compliance
Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct an initial scoping exercise – this will review all systems, which will shape the extent of the PCI DSS project.

A scoping exercise offers options to manage the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how change to the process impacts the scope. The organisation then has the opportunity to choose the option they feel is most appropriate to their situation and their business.

By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process.

Sysnet have often achieved ten-fold reduction in the costs of an organisation’s initial and on-going compliance due to the adoption of this methodology. Although PCI DSS may seem a long and daunting process, with good planning and a clear road map supported by a experienced and pragmatic QSA partner, compliance can be achieved.

This will also put the business in a stronger position as there will be a greater understanding of how systems work within the organisation, and also the identified potential risk areas. Business should also consider that the financial and reputational costs of a data breach could be far higher than the implementation of a PCI project.


‘A commitment to protecting customer’s cardholder data 24/7 365 days a year’

Maintaining PCI DSS compliance
Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting customer’s cardholder data 24/7, 365 days a year.

How can Sysnet help?
Sysnet QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.

Due to the challenges faced in this area Retail merchants should find the most time and cost effective route to compliance. Sysnet can assist with this by reducing the number of systems, locations and employees subject to PCI DSS compliance which will ultimately reduce the overall cost of achieving and maintaining compliance.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.


PCI DSS compliance challenges for the Hospitality Sector

PCI DSS requirements are a confusing array of demands that take time, resource and money to meet. Within the hospitality sector there are numerous challenges to be faced, some of which can have straight forward answers whereas others may require more innovative solutions.


The hospitality sector is particularly vulnerable to cardholder data breach due to the various mechanisms used to facilitate bookings and payments. In an industry where customer service is of the utmost importance there have been a number of high profile data compromises which have seriously affected the brand credibility of the organisations involved.


PCI DSS compliance in practice
Businesses trading in the hospitality arena, and falling within the scope of PCI DSS should be aware of the following critical areas:-



  • Call recordings which include cardholder data are within the scope of PCI DSS. This must be addressed in any compliance project;


  • Storage of the Primary Account Number (PAN) on paper is still within the scope of compliance. Is your organisation taking steps to protected card data on paper or remove it all together? Have you confirmed whether your payment applications in use are PA DSS certified or have any plan to become certified?


  • Does your company use pre-authorisation for incidental charges, or are you storing sensitive authentication data? This is strictly prohibited by PCI DSS;


  • Storage of cardholder data within a booking and/or room management system often significantly increases the number of systems within the scope of PCI DSS.
    It might sound strange but the key to PCI DSS compliance is not meeting the requirements. In fact, direct remediation of issues in order to achieve compliance is often the most complex and costly way of getting there! Companies seeking compliance should first seek to reduce their compliance scope to the smallest possible footprint. Sysnet have often achieved ten-fold reduction in the costs of a n organisation’s initial and on-going
    compliance.

Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct a scope reduction exercise. This would provide blueprints of how your card payment processing systems could look based upon different scope reduction options.

By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process. Following on from the above exercise you will receive various options by which the scope of compliance could be reduced.

The recommendations will also provide insight as to how the scope of compliance may look once that solution, process or approach has been implemented. For example, on completion of the scope reduction exercise you would need to complete the appropriate Self Assessment Questionnaire (SAQ). This provides you with the flexibility of choosing the solution that fits your business.

Maintaining PCI DSS compliance
True information security can only be achieved through the implementation of a comprehensive data security programme. It needs to be continually updated to reflect industry best practices such as PCI DSS or ISO 27001 and accommodate the need for continuous workforce education and the implementation of proven technologies to protect data assets.

A comprehensive data security programme is one that involves all areas of the business with the aim of securing valuable business information from the moment it enters the organisation until it leaves or is destroyed. The three most vital business components that need to be addressed are people, processes and technology.

People: People are often viewed as the weak link in the information security chain. Education is critical to ensuring your employees are familiar with your business security policies and procedures and that they know exactly what is expected of them when it comes to protecting the information assets of the business.New employees should receive information security training on induction with mandatory periodic refresher courses for existing employees.

If your business is part of a wider group or franchise, take advantage of group training events and materials. Franchise owners should ensure consistency across all locations by providing such training aids and group policies.

Processes: Many security weaknesses manifest themselves in poor information security management processes and insure system architecture. A thorough analysis of policies and procedures is required to ensure that your business operates in a secure manner.

Simple steps that can be taken include the identification of information that isn’t required by the business as well as the reduction of the number of applications and systems that store or transmit sensitive data. Taking these steps can also go a long way towards reducing the scope and costs of compliance audits.

Technology: Poorly implemented technology solutions can pose significant risks to data security. A thorough analysis of existing as well as proposed systems and their implementation is critical to identifying how suitable and capable a technology for your organisation’s needs.

You can also reduce the burden of protecting information within your business by choosing appropriate partners who take on the responsibility of managing the data. However, the merchant retains compliance responsibility if functions are outsourced. Technologies such as tokenisation and end-to-end encryption greatly reduce the scope of information security requirements.

Merchants should be aware that as of July 2012, MasterCard has mandated that all European merchants and service providers using 3rd party payment applications must use PA DSS compliant applications. Full listings of compliant providers are available on the Security Standards Council’s website, http://www.pcisecuritystandards.org/.

How can Sysnet help?
Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.

Sysnet have taken this experience and built an extensive knowledge base which help us to better assist you with the challenges you face.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

PCI DSS compliance challenges for the E-commerce Sector

The Internet is the fastest growing retail sector, and it is therefore not surprising that many merchants are turning to this sales channel to maximise sales potential. Also barriers to entry are far lower, allowing many start-up and fledgling businesses an opportunity to commence trading with minimal capital outlay –however if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world. With a wider range of goods available, there has been a significant increase in the number of customers using their payment card online, with more card data being transmitted and stored via the Internet.

It is not surprising therefore, that the E-commerce sector faces numerous challenges in order to protect itself from the growing threats from malicious individuals and organised crime looking to identify and exploit weaknesses in the payment process. The 6 leading worldwide major payment card brands established the Payment Card Industry Data Security Standards (PCI DSS) as a standard to protect cardholder data from such attacks.

The PCI DSS contain 12 requirements that are grouped within 6 core principles. If an organisation processes, stores or transmits cardholder data they will be in scope for PCI DSS. All E-commerce systems will need to be considered. In many circumstances, business owners in this industry do not have the resources or the technical knowledge to help reduce the risk of a data breach. Nevertheless, even large E-commerce merchants with skilled personnel also suffer breaches, one merchant was responsible for the loss of over 50 million card numbers.



‘If the initial scope is not sufficiently detailed, it could result in a breach of cardholder data’

PCI DSS compliance in practice
The first part of any PCI DSS compliance assessment is scoping. Without a thorough analysis of cardholder data flows (physical or electronic), a PCI project could miss vital areas, for example legacy systems, or over-engineer systems upgrades because the process wasn’t fully understood. The following are some critical areas that are typical for E-commerce environments, but could be overlooked:




  • Log Files: Many E-commerce systems conduct online authorisations, with the full PAN being stored once the transaction has been completed. PCI DSS requires that PAN must be made unreadable (truncation, hashing, tokenised or by using strong encryption). Places that potentially could store this type of data, but are often overlooked include transaction files, debug files, back-up files, history files or application logs.


  • Software Development: Companies who have developed their own web applications should
    employ a developer who has experience in secure coding practices. It is essential that the coding is secure, as a line of insecure code could facilitate an entry point for a malicious user. An often overlooked area is the use of third party tools/libraries/scripts. Vulnerabilities in third party code may open a backdoor to E-commerce systems to drop malicious files or provide an entry point for an unauthorised user to steal database information containing cardholder data and/or other sensitive information.


  • Off-the-shelf packages: Organisations using third party payment applications are reliant on the security of these applications. Smaller retailers may purchase E-commerce systems which are in fact open source websites with minor modifications. These packages are often attacked as the underlying source code is publicly available and provides information on the security mechanism (or lack of) used. This may open holes within the E-commerce system to plant viruses, trojans or even worse, provide a malicious user with an opportunity to directly query databases that may contain a collection of cardholder and other sensitive customer information.


  • Third Parties: A merchant is responsible for any agent they engage on their behalf. If an organisation relies on a third party to collect cardholder data, the third party must undergo a PCI DSS assessment, and if the third party is not PCI DSS compliant then the merchant is not compliant either.


  • Post-authorisation: Storing sensitive authentication data (CVV/CV2) post-authorisation is strictly prohibited by PCI DSS. Indirectly Connected Devices: Any machines not involved in cardholder data processes but are logically connected to devices that do process, store or transmit cardholder data will be in scope. situation and their business. Although PCI DSS seems a long and daunting process with good planning and a clear road map, supported by an experienced and pragmatic QSA partner, compliance can be achieved. This will also put the business in a stronger position as there will be a greater understanding of how
    systems work within the organisation, and also the identified potential risk areas. Business should also consider that the financial and reputational costs of a data breach could be far higher than the implementation of a PCI project.


‘PCI DSS is achievable with guidance and an effective roadmap’



Achieving PCI DSS
Some companies may first conduct a gap analysis and then remediate the problems. Sysnet recommends an initial scoping exercise is undertaken - this will review all systems, which will shape the extent of the PCI DSS project. It will also highlight areas of current risk that potentially could be removed with replacement systems or secure enhancements.

A scoping exercise offers options to manage to the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how change to the process impacts the scope. The organisation then has the opportunity to choose the option they feel is most appropriate to their

‘A commitment to protecting customer’s cardholder data 24/7 365 days a year’

Maintaining PCI DSS compliance Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken
prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting
customer’s cardholder data 24/7, 365 days a year.

How can Sysnet help?
Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.


Data Breaches – Compulsory Disclosure?

EU Justice Minister Viviane Reding, has recently announced that she is formulating a policy that will mandate any business trading in the EU or who targets EU residents, to notify their customers, and the regulatory authorities, if they suffer a data breach. The intention being to ensure that all businesses handling sensitive data take their obligations seriously.


This action follows the recent spate of attacks on some high profile organisations, where millions of personal data records were subject to data hacks.


Following the introduction of the EU e-privacy directive on 26th May 2011, Telecoms, and Internet Service Providers are already subject to mandatory data breach disclosure, and the Minister is now seeking to widen these powers to include all sectors.


The legislation has the power to impose penalties and legal sanctions for any infringement and it is expected that these strong ’incentives‘, will encourage businesses to conduct serious risk assessments regarding their storage of sensitive personal data, and implement appropriate security measures to protect the confidentially and integrity of this information.


It should also be noted that the UK Information Commissioner has regulatory powers to investigate and penalise in cases of deliberate and persistent misconduct.


With all of the increasing media and regulatory interest in data security, how does a business go about protecting its’ key assets, particularly customer databases and avoid a data breach?

How can Sysnet Global Solutions help?
Sysnet offers a Security Assessment service, which provides a unique and flexible approach encompassing Incident Response, Audit, Computer Forensics and Penetration testing.


The assessment will be tailored to the individual needs of the business, and can include reviews of encryption, wireless networking, portable device security, contingency plans, security awareness, system configuration and premises vulnerabilities.

If a business takes card payments, they will fall under the requirements of the Payments Card Industry – Data Security Standards (PCI-DSS) – However the Sysnet Security Assessment service goes into far more detail, so that the customer can feel confident that they are in control of their security position.


Additionally Sysnet offer an on-demand, computer incident response service, whereby in the event of an incident, Sysnet can be on call ready to provide advice and visit the affected site to help contain the incident, offer guidance and if required, conduct a forensic investigation. This service is pre-arranged and also includes an initial visit to the site to help assist in highlighting security vulnerabilities, and offering remediation planning to overcome these weaknesses.


Whilst no business can be wholly safe from a data incident, by following the guidance given by the Sysnet CFS team, businesses can reduce their exposure to receiving such an attack, but also will be in a far better position to respond in a positive and speedy manner, to ensure continuance of trading and minimisation of brand and reputational damage.


Another key area is the storage of unencrypted card data - under PCI-DSS all card data should be securely deleted from computer systems, or if deemed necessary for operational requirements, then the information needs to be stored in a suitable encrypted format. In all too many cases, when a forensic investigation is undertaken following a data breach, card information is located in clear text.


This can be due to a number of circumstances, forgotten databases, legacy systems deemed out of scope for PCI accreditation, or back-up files converting encrypted information into readable format. Whatever the reason, storing unencrypted data will heighten the risk, and invalidate any PCI compliance certification.

To mitigate operating with such vulnerability, Sysnet are able to offer their Cardholder Data Discovery Service, which can scan server, PCs, and storage media for unencrypted card numbers. Once the scan has been completed, and if any residual information has been identified, we can safely erase the data, help prevent it from being stored or if preferred, give guidance as to how the records can be held securely to conform to the PCI-DSS.


Sysnet bring the pragmatic mindset of a forensic investigator together with knowledge of real world hacking to give you the edge in security management. For more information please contact us by calling 0844 562 3147 (UK) or +353 (0)1 495 1300 (Rest of the World) or by completing our Online Enquiry Form or Request a Call Back Form